
ATHENA CYBER SECURITY TRAINING CENTER

----------------------oOo---------------------


INTRUSION DETECTION
AND PREVENTION SYSTEM

Prepared by: Nguyễn Thành Danh
Đinh Công Chinh
Class: Security+
I. Overview of IDS/IPS
1. IDS/IPS concepts
a. Definition:
An Intrusion Detection System (IDS) is a system that monitors activity on a network and analyzes it to find signs of violations of computer security rules, acceptable-use policies and information security standards. These signs can have many different causes, such as malware infections, unauthorized intrusion by hackers, or end users accessing resources they are not permitted to access.
An Intrusion Prevention System (IPS) is a system that combines the intrusion detection (ID) function with the ability to block unauthorized intrusions, either in combination with other components such as antivirus and firewalls or by using built-in blocking features.

2. Functions of an IDS/IPS
a. Basic applications of an IDS/IPS:
(1) Identify potential threats
(2) Record information and logs to support threat control
(3) Identify reconnaissance activity against the system
(4) Identify weaknesses in the security policy
(5) Prevent security policy violations
b. Main features of an IDS/IPS
(1) Store information related to the monitored objects
(2) Raise alerts on important events related to the monitored objects
(3) Block attacks (IPS)
(4) Produce reports

3. Architecture of an IDS/IPS
a. Detection methods
IDS/IPS systems usually use several different detection methods, separately or in combination, in order to broaden detection and improve its accuracy. They can be divided into the following main detection methods:

(1) Signature-based detection:
compares the characteristics of the monitored object against the signatures of known threats. This method is effective against known threats but is almost or entirely ineffective against unknown threats, threats that use evasion techniques, and variants. Signature-based detection cannot track and recognize the state of complex communications.
(2) Anomaly-based detection:
compares definitions of what is considered normal activity with the monitored object in order to identify deviations. An IDS/IPS using anomaly-based detection has profiles describing the behaviour considered normal, built by monitoring the characteristics of typical activity over a period of time. Once this set of profiles has been built, the IDS/IPS uses statistical methods to compare the characteristics of current activity against the thresholds defined by the corresponding profile in order to detect anomalies.
The profiles used by this method are of two kinds, static and dynamic. A static profile does not change until it is regenerated; it therefore gradually becomes inaccurate and must be regenerated periodically. A dynamic profile adjusts itself automatically each time additional events are observed, but this also makes it susceptible to probes that use evasion techniques.
The main advantage of this method is that it is very effective at detecting previously unknown threats.
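The static/dynamic profile behaviour described above, as an added example that is not part of the original document: the profile is simply the mean and standard deviation of a constructed series of per-minute event counts, and the threshold mean + k * stddev is an assumption (the text only says the IDS compares current activity with thresholds defined by the profile). Running it shows a burst being flagged by both profile types, while a slow ramp that stays just under the threshold is eventually caught by the static profile but is learned as "normal" by the dynamic one, which is the evasion weakness the text mentions.

```python
"""Toy anomaly-based detector: static versus dynamic profiles.

Added example, not part of the Athena document. The "profile" is the mean
and standard deviation of a constructed per-minute event count; the
threshold mean + k * stddev is an assumption, not something the text fixes.
"""
from statistics import mean, pstdev

# Constructed training window: twenty minutes of normal activity (events/minute).
BASELINE = [48, 52, 50, 49, 51, 50, 53, 47, 50, 50, 49, 51, 50, 52, 48, 50, 51, 49, 50, 50]


class Profile:
    def __init__(self, training, k=3.0, dynamic=False, window=20):
        self.k = k
        self.dynamic = dynamic
        self.window = window
        self.history = list(training)[-window:]

    def threshold(self):
        """Upper bound of 'normal' derived from the current profile."""
        return mean(self.history) + self.k * pstdev(self.history)

    def observe(self, count):
        """True if count exceeds the threshold. A dynamic profile then learns
        from the observation; a static one stays as it was trained."""
        anomalous = count > self.threshold()
        if self.dynamic:
            self.history = (self.history + [count])[-self.window:]
        return anomalous


def run(profile, stream):
    """Feed a sequence of counts through a profile; returns one flag per count."""
    return [profile.observe(c) for c in stream]


def first_alert(flags):
    """Index of the first flagged count, or None if nothing was flagged."""
    return next((i for i, f in enumerate(flags) if f), None)


if __name__ == "__main__":
    static = Profile(BASELINE)
    print("static threshold:", round(static.threshold(), 2))     # about 54.24
    print("burst of 500 flagged:", static.observe(500))          # True
    ramp = list(range(51, 91))   # traffic creeping up by one event per minute
    print("static profile first alert at minute:", first_alert(run(Profile(BASELINE), ramp)))
    print("dynamic profile first alert:", first_alert(run(Profile(BASELINE, dynamic=True), ramp)))
```

The dynamic profile never alerts on the ramp because each observation it accepts raises both the mean and the spread, so the threshold keeps moving ahead of the traffic; that is the same mechanism that makes it adapt to genuine changes, which is why the text warns that dynamic profiles are easier to probe around.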


Differences between the anomaly-based and signature-based methods

(3) Stateful protocol analysis:
Stateful protocol analysis is the process of comparing predetermined profiles of what is considered normal activity for each protocol against the monitored object in order to identify deviations. Unlike anomaly-based detection, stateful protocol analysis relies on a set of general profiles supplied by the vendor that specify what a protocol should and should not do. "Stateful" here means that the IDS/IPS is able to understand and track the state of network, transport and application protocols that carry state.
The drawback of this method is that it consumes a lot of resources, because of the complexity of analyzing and tracking many simultaneous sessions. A serious problem is that stateful protocol analysis cannot detect attacks that do not violate the characteristics of the protocol's set of accepted behaviours.
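An added example (not from the original document) of this idea in a few lines of Python: the transition table stands in for the vendor-supplied profile of what a simplified SMTP session may do, and the analyzer reports every command that is not allowed in the state the session is in. The last constructed session shows the limitation described above: its commands follow the protocol correctly, so the analyzer reports nothing even if the message carried inside it is abusive.

```python
"""Toy stateful protocol analysis over a simplified SMTP command sequence.

Added example, not from the Athena document. ALLOWED is an assumed,
simplified stand-in for a vendor-supplied protocol profile; the message
body after DATA is abstracted away and all sessions are constructed.
"""

# state -> {command verb: next state}
ALLOWED = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED", "QUIT": "CLOSED"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "GREETED", "QUIT": "CLOSED"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "QUIT": "CLOSED"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "SENT", "RSET": "GREETED", "QUIT": "CLOSED"},
    "SENT":    {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "SENT", "QUIT": "CLOSED"},
    "CLOSED":  {},
}


def analyze(session):
    """Walk the client's commands and return (index, verb, state) for each
    command the profile does not allow in the session's current state."""
    state, violations = "INIT", []
    for i, line in enumerate(session):
        verb = line.split()[0].upper()
        nxt = ALLOWED[state].get(verb)
        if nxt is None:
            violations.append((i, verb, state))   # state is left unchanged
        else:
            state = nxt
    return violations


# Constructed sessions (client side only).
NORMAL = ["EHLO client.example.org", "MAIL FROM:<alice@example.org>",
          "RCPT TO:<bob@example.com>", "DATA", "QUIT"]
OUT_OF_ORDER = ["DATA", "EHLO client.example.org", "RCPT TO:<bob@example.com>",
                "MAIL FROM:<alice@example.org>", "QUIT"]
# Every command is valid for its state; if the body were a phishing lure,
# stateful analysis alone would still report nothing.
VALID_BUT_SUSPECT = ["EHLO mailer.example.net", "MAIL FROM:<newsletter@example.net>",
                     "RCPT TO:<bob@example.com>", "RCPT TO:<carol@example.com>", "DATA", "QUIT"]

if __name__ == "__main__":
    for name, session in [("normal", NORMAL), ("out_of_order", OUT_OF_ORDER),
                          ("valid_but_suspect", VALID_BUT_SUSPECT)]:
        print(name, analyze(session))
```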

b. IDS/IPS infrastructure
The main task of an IDS/IPS is to defend computers by detecting an attack and, where possible, repelling it. Detecting hostile attacks depends on the number and type of appropriate actions.


Intrusion detection system activities

Intrusion prevention requires a well-chosen combination of "bait and traps" for investigating threats. Diverting the intruder's attention from the systems that need protecting to simulated systems is the task of a separate kind of IDS (honeypot IDS). Both the real and the simulated systems are continuously monitored, and the collected data is examined carefully (this is the main job of every IDS/IPS) in order to detect possible attacks (intrusions).
Once an intrusion has been detected, the IDS/IPS issues alerts to the administrator about the event. The next step is taken, either by the administrator or by the IDS/IPS itself, by applying countermeasures (terminating the session, backing up the system, routing the connection to the honeypot IDS, or using the legal infrastructure, etc.) depending on the security policy of each organization.


Intrusion detection system infrastructure

The IDS/IPS is one component of the security policy. Among the various tasks of an IDS, identifying the intruder is one of the basic ones. This can be useful in incident forensics and in installing the appropriate patches, allowing future attacks aimed at specific targets to be detected.

c. Structure and architecture of an IDS/IPS
(1) Basic components
(a) Sensor / Agent:
monitors and analyzes activity. Sensor is usually the term used in network-based IDS/IPS, while Agent is used in host-based IDS/IPS.
(b) Management Server:
a central device that receives information from the Sensors/Agents and manages them. Some Management Servers can analyze the event information supplied by the Sensors/Agents and can identify events that individual Sensors/Agents cannot detect on their own.
(c) Database server:
used to store information from the Sensors/Agents or the Management Server.
(d) Console:
a program that provides the interface for IDS/IPS users/admins. It can be installed on an ordinary computer used for administration tasks, or for monitoring and analysis.
(2) Architecture of an IDS/IPS
The sensor is the core element of an IDS/IPS: it is responsible for detecting intrusions because it contains the decision-making mechanism for intrusions. The sensor receives raw data from three main information sources: the IDS's knowledge base, syslog and the audit trail. This information forms the basis for the subsequent decision-making process.



An example of an IDS. The width of each arrow is proportional to the amount of information moving between the components of the system.

The sensor is integrated with the component responsible for collecting data, an event generator. Based on the event-generation policy, it determines the filtering mode for event notification information. The event generators (operating system, network, application) produce a policy-consistent set of events that may be a log or audit of system events, or packets. This set, together with the policy information, can be stored either in the protected system or outside it. In certain cases the data is not stored but is passed directly to the analyzer (usually the case for packets).



Main components of an IDS/IPS
(2) A basic example of writing and modifying a Snort rule

To write or modify a Snort rule so that it is effective and triggers only on the network traffic we want, studying the traffic and discovering its distinctive attributes is extremely important. A single attribute may not be a complete specification of the traffic, but the set of attributes must be a specification complete enough to distinguish it.
Let us take the network traffic of a Cross-Site Scripting (XSS) attack as an example.

Cross-site scripting is a type of attack on websites that allows malicious code to be injected into dynamically generated web pages. If the website does not validate user input, an attacker can insert code fragments that make the web application behave abnormally. XSS is commonly used to steal cookies (used for authentication), access areas that are not permitted, or attack the web application.
The key point of an XSS attack is that a scripting tag is inserted into a particular page. This is the crucial feature we can use to write a rule.
The tags commonly inserted are <SCRIPT>, <OBJECT>, <APPLET> and <EMBED>.
Suppose we choose to filter on the <SCRIPT> tag.

First we create a rule that triggers when network traffic contains <SCRIPT> in its content:

alert tcp any any -> any any (content:"<SCRIPT>"; msg:"WEB-MISC XSS attempt";)

When an XSS attack occurs, the rule triggers. However, it also triggers on normal network traffic, for instance when a user sends an email containing JavaScript, producing a false positive. To avoid this we must modify the rule so that it triggers only on web traffic:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (content:"<SCRIPT>"; msg:"WEB-MISC XSS attempt";)

With this change, the rule detects traffic that contains <SCRIPT> in the content of HTTP sessions. It triggers when traffic from the external network ($EXTERNAL_NET) is sent to the web servers ($HTTP_SERVERS) on the ports where the HTTP service runs ($HTTP_PORTS).
However, after loading this rule we will still see false-positive alerts generated every time a requested page contains JavaScript. So we must refine the rule again and look for the attributes specific to XSS traffic.

An XSS attack occurs when a user inserts a <SCRIPT> tag in a request sent to the server; if the server sends a <SCRIPT> tag in a response, that is usually normal traffic. We can therefore refine the rule as follows:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC XSS attempt"; flow:to_server,established; content:"<SCRIPT>";)


Here we use the flow option keyword from the TCP-related group, which uses Snort's TCP stream reassembly to determine the direction of the traffic flow. The two options to_server and established specify that the rule applies to established connections from the client to the server. This is precisely the characteristic of an XSS attack.

We now have a rule that recognizes the characteristic traffic flow of an XSS attack. To stop an attacker from evading it with evasion techniques such as replacing <SCRIPT> with different-case variants like <ScRiPT> or <script>, we can add the nocase (not case-sensitive) option keyword from the content-related group, and set the priority:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC XSS attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase;)

With this, the creation of a rule to detect XSS attacks is complete.
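As an added example (not from the original document and not Snort's own matcher), the following Python script runs the four rule versions above over constructed packets, using a deliberately small evaluator that supports only the features the text uses: the header addresses and ports, the flow:to_server,established option, content, and nocase. The variable bindings ($EXTERNAL_NET, $HTTP_SERVERS, $HTTP_PORTS) and the packets are constructed for the demo, and each packet's to_server and established flags stand in for what Snort's stream tracker would record. Because this toy applies the header direction strictly, the server response is already excluded by the second rule's header; the flow option additionally drops a packet that carries <SCRIPT> toward the server with no tracked handshake, and nocase is what catches the mixed-case tag.

```python
"""Toy evaluator for the Snort rule refinements in the XSS example.
Added example; not from the Athena document and not Snort's own matcher.
It supports only the header, flow:to_server,established, content and
nocase. Variable bindings and packets are constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed variable bindings (assumed: a small deployment with one web server).
VARS = {"$EXTERNAL_NET": "!192.0.2.0/24", "$HTTP_SERVERS": "192.0.2.10", "$HTTP_PORTS": "80"}

# The four rules from the text, in the order they were refined.
RULES = [
    'alert tcp any any -> any any (content:"<SCRIPT>"; msg:"WEB-MISC XSS attempt";)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(content:"<SCRIPT>"; msg:"WEB-MISC XSS attempt";)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-MISC XSS attempt"; flow:to_server,established; content:"<SCRIPT>";)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-MISC XSS attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase;)',
]

HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?::("[^"]*"|[^;]*))?;')


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str
    to_server: bool    # direction as a stream tracker would record it
    established: bool  # a three-way handshake was seen for this session


def addr_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != negate


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt, variables=VARS):
    """Header first, then the options in the order they are written."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    _action, proto, src, sport, dst, dport, body = m.groups()
    src, sport, dst, dport = (variables.get(t, t) for t in (src, sport, dst, dport))
    if proto != "tcp" or not (addr_matches(src, pkt.src) and port_matches(sport, pkt.sport)
                              and addr_matches(dst, pkt.dst) and port_matches(dport, pkt.dport)):
        return False
    options = [(name, val.strip().strip('"')) for name, val in OPTION_RE.findall(body)]
    for i, (name, value) in enumerate(options):
        if name == "flow":
            flags = value.split(",")
            if (("to_server" in flags and not pkt.to_server)
                    or ("to_client" in flags and pkt.to_server)
                    or ("established" in flags and not pkt.established)):
                return False
        elif name == "content":
            nocase = i + 1 < len(options) and options[i + 1][0] == "nocase"  # modifier follows content
            hay, needle = (pkt.payload.lower(), value.lower()) if nocase else (pkt.payload, value)
            if needle not in hay:
                return False
    return True


# Constructed traffic samples.
SAMPLES = {
    "xss_upper": Packet("203.0.113.5", 40000, "192.0.2.10", 80,
                        "GET /search?q=<SCRIPT>alert(1)</SCRIPT> HTTP/1.1\r\nHost: www.example.com\r\n\r\n", True, True),
    "xss_mixed": Packet("203.0.113.5", 40001, "192.0.2.10", 80,
                        "GET /search?q=<ScRiPt>alert(1)</ScRiPt> HTTP/1.1\r\nHost: www.example.com\r\n\r\n", True, True),
    "mail": Packet("203.0.113.9", 50000, "192.0.2.30", 25,
                   "Content-Type: text/html\r\n\r\n<SCRIPT>hello()</SCRIPT>", True, True),
    "response": Packet("192.0.2.10", 80, "203.0.113.5", 40000,
                       "HTTP/1.1 200 OK\r\n\r\n<html><SCRIPT>var x = 1;</SCRIPT></html>", False, True),
    "stray": Packet("203.0.113.77", 41000, "192.0.2.10", 80,
                    "<SCRIPT>alert(1)</SCRIPT>", True, False),  # no handshake tracked
}


def alerts(rule_number, variables=VARS):
    """Names of the samples that rule 1..4 fires on."""
    return sorted(n for n, p in SAMPLES.items() if rule_matches(RULES[rule_number - 1], p, variables))


if __name__ == "__main__":
    for n in range(1, 5):
        print(f"rule {n}: {alerts(n)}")
```

Running it prints which samples each rule fires on: the first rule fires on the mail, the response, the stray packet and the upper-case attack; restricting the header removes the mail and the response; flow removes the stray packet; and only the nocase version also fires on the mixed-case attack.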




----------------------oOo---------------------





