
Department of Networks & Communications, Faculty of Information Technology, Da Nang University of Technology

SNORT LAB GUIDE
1 Introduction to SNORT
Snort is an open-source product developed to detect unauthorised intrusions into a system by means of pre-established rules; these rules are based on signatures, protocols and anomalies. Snort uses rules stored in text files that the administrator can edit. Rules are grouped into types, and the rules of each type are stored in separate files. Snort's main configuration file is snort.conf. Snort reads these rules at start-up and builds the data structures that apply the rules to catch matching traffic. Finding signatures and using them in rules is a task that requires care: the more rules are in use, the more processing capacity is needed to collect data in practice. Snort ships with a set of predefined rules for detecting intrusion activity, and administrators can also add rules of their own. Administrators can also remove some of the predefined rules to avoid false alarms. A Snort deployment consists of one or more sensors and a main database server. Sensors can be placed in front of or behind the firewall:
o Monitoring attacks against the firewall and the network
o Recording successful attempts to get past the firewall
2 Installing Snort
Assume the server's IP address is 192.168.1.9.
Download WinPcap: http://www.winpcap.org/install/default.htm
Download Snort: http://snort.org/snort-downloads
Install WinPcap
Install Snort into the directory C:\Snort
2.1 View the installation directory
C:\Snort\bin>dir





2.2 View the snort.conf file
C:\Snort\bin>type C:\Snort\etc\snort.conf



2.3 View the network interface numbers
To sniff, we need to choose the network interface that Snort will put into promiscuous mode. If the machine has several interfaces, use the command snort -W to identify the interface.

snort -W




2.4 View packet capture results
Display the IP and TCP/UDP/ICMP headers:
C:\Snort\bin\snort -v -i4
View the application data being transmitted:
C:\Snort\bin\snort -vd -i4
Additionally display the packet headers at the Data Link layer:
C:\Snort\bin\snort -dev -i 1





Press Ctrl+C to stop.




2.5 Capture packets and save them to a log file
C:\Snort\bin>snort -i 1 -s -l c:\Snort\log

Result: the log file is created



C:\Snort\bin>snort -dev -i 1 -l c:\snort\log


2.6 Configure Snort as a system service
C:\Snort\bin>snort /SERVICE /INSTALL -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii -i1



sc config snortsvc start= auto





3 Configuring the Snort service
Open the file C:\Snort\etc\snort.conf
3.1 Configure the network address
Deploy Snort on a class C network with the address range 192.168.1.0/24.
Set the HOME_NET variable as follows:


3.2 Declare the path to the rules
Declare the path to the directory containing the Snort rules as follows:
Original content:

Edit to:

Declare the include lines for classification.config and reference.config:



3.3 Download the rule set
Download the rule set from https://www.snort.org/snort-rules/ and extract it, then copy the rules directory into C:\Snort\rules.
Note: these rules must match the version of Snort that is installed.
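The snort.conf lines that sections 3.1, 3.2 and 3.3 refer to were only present as screenshots, so they are not in the text. The fragment below is an added example, not the guide's own configuration, of what those settings look like in Snort 2.x syntax on the Windows install used here; the file paths and the rule-file names follow the directories used in this guide, and the include lines for the rule files created in section 4 are included so that each new .rules file is actually loaded.

```conf
# Added example of the snort.conf settings described in sections 3.1-3.3
# (assumed Snort 2.x syntax; paths follow the C:\Snort layout used in this guide).

# 3.1: the protected network is the class C range 192.168.1.0/24;
# EXTERNAL_NET is defined as everything that is not HOME_NET
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# 3.2: directory that holds the rule files
var RULE_PATH c:\snort\rules

# 3.2: classification and reference definitions shipped in C:\Snort\etc
include c:\snort\etc\classification.config
include c:\snort\etc\reference.config

# 3.3 and section 4: one include per rule file. A rule file that is not
# included here is never read, which is why the youtube.rules file in 4.3
# produced no alert until it was added to snort.conf.
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/youtube.rules
include $RULE_PATH/ping.rules
```

After editing the file, snort -T -c c:\snort\etc\snort.conf parses the configuration and every included rule file without sniffing, so a typo in a rule or a wrong path shows up before the service is restarted.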


4 Practice: setting up Snort alert rules
4.1 Example: PING alert rule
In the file finger.rules in the directory C:\Snort\rules we set up the following rule:
alert icmp any any -> $HOME_NET any (msg:"Co may dang ping den"; sid:1;)
This rule prints the alert line "Co may dang ping den" whenever it detects any ICMP packet from any network pinging the machine whose IP address is in HOME_NET (address 192.168.1.150 as set above).
At the command prompt, run:
snort -dve -l c:\snort\log -c c:\snort\etc\snort.conf -i 2

to detect incoming packets and write them to the alert.ids log file.
From outside, ping the machine on which Snort is installed:

Result on the Snort machine:

Result in the alert.ids log file:


4.2 Example: alert rule for large PING packets
Add the rule to the file icmp-info.rules:

Add the rule to the file icmp.rules:

When pinging from the client with a ping size of 64kb to http://google.com:

On the Snort machine:


Result in the alert.ids log file:



4.3 Example: setting up a web access alert rule
In the directory C:\Snort\rules we create the file youtube.rules, to find out when any machine on any network accesses the address http://www.youtube.com, with the following content:
alert tcp any any -> any any (content:"www.youtube.com"; msg:"ban moi ghe tham trang web youtube.com"; sid:1000000; rev:1;)
However, if you try it, Snort does not yet detect this rule: the rule file must be added (included) in snort.conf for Snort to recognise it.

Result on the Snort machine:



Open the file alert.ids and the alert line appears:




4.4 Create a new rule and run it from the command line
Create the rule file C:\Snort\rules\ping.rules with the following content:
alert icmp any any -> any any (msg:"May dang bi ping!"; sid:1212121212;)

Declare it in C:\Snort\etc\snort.conf with the line: include $RULE_PATH/ping.rules

and additionally edit the following lines:

to:


Change:

to:


Next, open cmd and type the command:
C:\snort\bin\snort -dev -l c:\snort\log -c c:\snort\rules\ping.rules

Result:



Use another computer to ping the machine on which Snort is installed (IP 192.168.1.8).


Resulting alert content in the file alert.ids:
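The rules in sections 4.1 to 4.4 are typed by hand, and the slips that are easy to make there (an extra token in the rule header, "ms:" instead of "msg:", an unquoted msg string, "Alert" or "SID" in the wrong case) make Snort refuse the whole rule file at start-up, so the alert.ids entries shown in the screenshots never appear. The following Python script is an added example, not part of this guide or of Snort, that parses a rule into its header fields and options and reports these problems before the service is restarted. It assumes Snort 2 rule syntax; KNOWN_OPTIONS is a subset of the real option keywords chosen for this example, the sid range and rev checks encode common local-rule conventions rather than hard Snort errors, and the sample rules are constructed for the demonstration.

```python
import re

# Constructed sample rules modelled on sections 4.1-4.4 of this guide. The first is
# well-formed; the others reproduce the kinds of defects that stop Snort from loading
# a rule (misspelt keyword, unquoted msg, wrong case, an extra header token, a low sid).
SAMPLE_RULES = [
    'alert icmp any any -> $HOME_NET any (msg:"Co may dang ping den"; sid:1000001; rev:1;)',
    'alert tcp any any -> any any (content:"www.youtube.com"; ms:"ban moi ghe tham"; sid:1000000; rev:1;)',
    'Alert icmp any any -> any any (msg:May dang bi ping!; SID:1212121212;)',
    'alert icmp ip any any -> $HOME_NET any (msg:"x"; sid:1;)',
]

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Subset of Snort 2 option keywords (assumed for this example); extend for your rule set.
KNOWN_OPTIONS = {"msg", "sid", "rev", "content", "nocase", "classtype", "reference",
                 "priority", "itype", "icode", "dsize", "flow", "metadata", "pcre"}
HEADER_FIELDS = ("action", "proto", "src", "sport", "dir", "dst", "dport")
LOCAL_SID_MIN = 1000000  # sids below this are reserved for rules published by Snort


def split_options(body):
    """Split the text inside the parentheses on ';' characters that are not inside
    double quotes and return (keyword, value) pairs; a bare flag such as 'nocase'
    gets value None."""
    parts, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    pairs = []
    for part in parts:
        part = part.strip()
        if part:
            key, sep, value = part.partition(":")
            pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def lint_rule(text):
    """Parse one Snort rule. Returns (header, options, problems): header is a dict
    keyed by HEADER_FIELDS (None if the header is malformed), options the parsed
    (keyword, value) list, problems a list of findings (empty when the rule is clean)."""
    problems = []
    m = re.match(r"^\s*(.*?)\s*\((.*)\)\s*$", text, re.S)
    if not m:
        return None, [], ["rule is not of the form 'header (options)'"]
    tokens = m.group(1).split()
    header = None
    if len(tokens) != len(HEADER_FIELDS) or tokens[4] not in ("->", "<>"):
        problems.append("header must be 'action proto src sport -> dst dport' "
                        f"(7 tokens), got {len(tokens)}: {' '.join(tokens)}")
    else:
        header = dict(zip(HEADER_FIELDS, tokens))
        if header["action"] not in ACTIONS:
            problems.append(f"unknown action '{header['action']}' (keywords are lowercase)")
        if header["proto"] not in PROTOCOLS:
            problems.append(f"unknown protocol '{header['proto']}'")
    options = split_options(m.group(2))
    keys = {key for key, _ in options}
    for key, value in options:
        if key not in KNOWN_OPTIONS:
            problems.append(f"unknown option keyword '{key}'")
        if key in ("msg", "content") and not (
                value and len(value) >= 2 and value[0] == value[-1] == '"'):
            problems.append(f"{key} value must be double-quoted: {value}")
        if key == "sid":
            if not (value or "").isdigit():
                problems.append(f"sid must be an integer: {value}")
            elif int(value) < LOCAL_SID_MIN:
                problems.append(f"sid {value} is in the range reserved for official "
                                f"rules; use {LOCAL_SID_MIN} or higher for local rules")
    for required in ("msg", "sid"):
        if required not in keys:
            problems.append(f"missing required option '{required}'")
    if "rev" not in keys:
        problems.append("no rev; add rev:1 so later edits to the rule can be tracked")
    return header, options, problems


def lint_rules_text(text):
    """Lint the body of a .rules file; blank lines and '#' comments are skipped.
    Returns a list of (line_number, problems) for the lines that have findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _, _, problems = lint_rule(line)
        if problems:
            findings.append((lineno, problems))
    return findings


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        _, _, problems = lint_rule(rule)
        print(rule)
        for p in problems or ["OK"]:
            print("   ", p)
```

Run the script as it is to see the findings for the four sample rules, or call lint_rules_text() on the contents of a file such as C:\Snort\rules\ping.rules. The header and quoting findings correspond to errors Snort itself stops on when it reads the file; the sid range and rev findings are conventions that keep local rules from colliding with the official set.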