
Research on intrusion prevention with IDS, IDP and Snort on Linux

Page 1


NETWORK SECURITY COURSE
TOPIC REPORT 1:
RESEARCH ON INTRUSION PREVENTION
WITH IDS, IPS
(ON LINUX)






Supervisor:
THY V THNG
Students:
0512176 - NGUYN NG KHOA
0512207 - PHAN HUNH LUN
0512231 - L BO NGHI
0512281 - NGUYN THANH QUN
0512300 - L GIANG THANH





HO CHI MINH CITY
--2009--

Table of contents:
1 . IDS ........................................................................ 3
1.1 Introduction and origins ................................................... 3
1.2 Concept .................................................................... 3
1.3 Functions .................................................................. 4
1.4 Distinguishing IDS from other security devices ............................. 4
1.5 Types of attacks ........................................................... 4
1.6 IDS classification ......................................................... 5
1.6.1 Host-based intrusion detection systems (Host-based IDS) .................. 5
1.6.2 Network-based intrusion detection systems (Network-based IDS) ............ 8
1.6.3 Comparing HIDS and NIDS ................................................. 11
1.7 Tasks of an IDS ........................................................... 13
1.8 IDS architecture .......................................................... 15
1.9 IDS data processing techniques ............................................ 16
2 IPS ......................................................................... 18
2.1 Concept ................................................................... 18
2.2 Intrusion detection and prevention ........................................ 19
2.2.1 Intrusion detection ..................................................... 19
2.2.2 Intrusion prevention .................................................... 19
2.3 Future requirements of IPS ................................................ 20
3 Comparing IDS and IPS ....................................................... 21
4 Snort ....................................................................... 22
4.1 Introduction .............................................................. 22
4.2 Operating model ........................................................... 22
4.2.1 Network Intrusion Detection Systems (NIDS) .............................. 22
4.2.2 Host Intrusion Detection Systems (HIDS) ................................. 23
4.3 Snort structure ........................................................... 24
4.3.1 Decoder ................................................................. 24
4.3.2 Preprocessor (Input Plugin) ............................................. 24
4.3.3 Detection Engine ........................................................ 24
4.3.4 Logging and Alert ....................................................... 25
4.3.5 Output Plugin ........................................................... 25
4.4 Rule structure ............................................................ 25
4.4.1 Rule Header ............................................................. 25
4.4.2 Rule option ............................................................. 26
4.5 Installation .............................................................. 29
4.5.1 Installing snort ........................................................ 29
4.5.2 Installing Webmin ....................................................... 30
4.5.3 Installing adodb, acid, gd, phplot ...................................... 32
4.6 Configuring Snort ......................................................... 35
4.7 Guide to using Snort on Linux ............................................. 36
4.7.1 Sniffer mode ............................................................ 36
4.7.2 Packet logger mode ...................................................... 37
4.7.3 Network Intrusion Detection Mode (NIDS) ................................. 37
4.7.4 Inline mode ............................................................. 38



1 . IDS
1.1 Introduction and origins.
- About 25 years ago, the concept of intrusion detection appeared in a paper by James Anderson. At that time an IDS was wanted in order to search for and study abnormal behaviour and attitudes of users on the network, and to detect abuse of privileges, so as to watch over the assets of the network system. Intrusion detection systems were formally researched from 1983 to 1988 before being used on the computer network of the US Air Force. Until 1996, IDS concepts were still not widespread; a few IDS appeared only in laboratories and research institutes. During this period, however, a number of IDS technologies began to develop on the back of the boom in information technology. Only in 1997 did IDS become widely known and genuinely profitable, with the company ISS leading the way; a year later, Cisco recognized the importance of IDS and bought an IDS solution provider named Wheel.
- Today, statistics show that IDS/IPS is one of the most widely used security technologies, and it is still developing.
- Why did Gartner say "IDS is dead"? In 2003, Gartner, a leading global company in information technology market research and analysis, made a prediction that shook the information security field: intrusion detection systems (IDS) would be gone by 2005. This statement came from a number of analyses and assessments showing that the IDS of the time faced the following problems:
  - IDS frequently raised a very large number of false alarms (False Positives).
  - It was a burden on system security administrators because it needed continuous monitoring (24 hours a day, 365 days a year).
  - Following up attack alerts was a very laborious security handling process.
  - It was unable to monitor data flows transmitted faster than 600 Megabit per second.
  In general, Gartner made this assessment on the basis of many complaints from customers using IDS that administering and operating an IDS was very difficult and expensive, and did not deliver results in proportion to the investment.
- After this statement was made, some opposing opinions argued that the failure of IDS to deliver the expected results was due to problems remaining in management and operation, not to the nature of the packet inspection and analysis technology of IDS. Specifically, for an IDS to operate effectively, the role of the tools and of the administrators is very important, and the following criteria must be met:
  - Collect and correlate all security events detected by the IDS and the firewalls in order to avoid false alarms.
  - The management components must operate and analyse automatically.
  - Combine with automatic prevention measures.
  As a result, by 2005 the next generation of IDS, the automatic intrusion detection and prevention system IPS, had gradually overcome the remaining limitations of IDS and operated far more effectively than the previous generation.
1.2 Concept
An Intrusion detection system (IDS) is a defensive system intended to detect attacks on a network. Its purpose is to detect and prevent actions that undermine system security, or actions that are part of the attack process such as reconnaissance and port scanning. A main feature of this system is to provide information recognizing abnormal actions and to raise alerts notifying the network administrator to block the attacking connections. In addition, IDS tools can also distinguish between internal attacks from within the organization (from its own employees or customers) and external attacks (attacks from hackers).
1.3 Functions.
- The most important functions: monitoring - alerting - protection
  - Monitoring: network traffic and suspicious activity.
  - Alerting: reporting the state of the network to the system and the administrator.
  - Protection: using default settings and the administrator's configuration to take practical action against intruders and saboteurs.
- Extended functions:
  - Distinguishing: "enemies inside and out" (internal versus external threats)
  - Detecting: abnormal signs based on what is already known, or by comparing current network throughput with a baseline
1.4 Distinguishing IDS from other security devices.
The following security devices are not IDS:
- Network logging systems used to detect vulnerability to denial of service (DoS) attacks on some network; these systems examine network traffic.
- Vulnerability assessment tools that check for errors and holes in the operating system and network services (security scanners).
- Antivirus products designed to detect malicious code such as viruses, Trojan horses, worms, etc. Their default features can be very similar to an intrusion detection system, and they often provide an effective security vulnerability detection tool.
- Firewalls
- Security/cryptographic systems, for example VPN, SSL, S/MIME, Kerberos, Radius
1.5 Types of attacks.
Attacks are divided into two categories as follows:
- Passive (gaining increased access that makes it possible to penetrate the system without the consent of the IT resource)
- Active (resulting in an illegitimate change of state of the IT resource)
In terms of the relationship between victim and intruder, attacks are divided into:
- Internal, attacks coming from the company's own employees, business partners or customers
- External, attacks coming from outside, usually via the Internet.
These types of attacks can be detected by IDS tools. The following types of attacks can be distinguished:
- Attacks related to unauthorized access to resources:
  - Cracking and access violations
  - Trojan horses
  - Interception; mostly combined with TCP/IP hijacking, and interception often uses additional mechanisms to compromise the system
  - Spoofing
  - Port and service scanning, including ICMP (ping), UDP and TCP scans
  - Remote OS fingerprinting, for example by checking responses to specific packets, port addresses, the responses of standard applications, IP stack parameters, etc.
  - Network packet sniffing (a passive attack that is very hard to detect, but sometimes possible)
  - Information theft, for example the leaking of proprietary information.
  - Abuse of authentication; a kind of internal attack, for example a suspicious access by an authenticated user with unusual attributes (coming from an unexpected address)
  - Unauthorized network connections
  - Using IT resources for private purposes, for example accessing sites with inappropriate content
  - Exploiting system weaknesses to gain access to resources or to higher access privileges.
- Unauthorized alteration of resources (after access has been gained):
  - Falsification of identity, for example obtaining system administrator rights.
  - Altering and deleting information
  - Unauthorized transmission and creation of data, for example building a database of stolen credit card numbers on a government computer.
  - Unauthorized configuration changes to the system and to network services (servers)
- Denial of service (DoS):
  - Flooding: compromising a system by sending a large amount of worthless information to congest traffic and restrict the service.
    - Ping (Smurf): a large number of ICMP packets sent to a broadcast address.
    - Mail flooding with hundreds or thousands of messages in a short time.
    - SYN: initiating a large number of TCP requests without completing the handshake required by the protocol.
  - Distributed denial of service; coming from many different sources
  - Damaging the system by exploiting its vulnerabilities:
    - Buffer overflow (for example Ping of Death, sending an oversized ICMP packet (exceeding 64KB))
    - Remote system shutdown
- Web application attacks; attacks exploiting application errors can cause the consequences mentioned above.
1.6 IDS classification.
There are 2 kinds of IDS: Network Based IDS (NIDS) and Host Based IDS (HIDS):
1.6.1 Host-based intrusion detection systems (Host-based IDS).
- A host-based IDS checks for intrusion by examining information at the host or operating-system level. This kind of IDS examines many aspects of your host, such as system calls, audit logs and error messages. The figure below illustrates a typical host-based IDS deployment.



- This section describes the characteristics of host-based detection systems, including an illustration of a basic host-based intrusion detection deployment.

- A host-based intrusion detection system (HIDS) examines the host's log files, the system and the host's file resources. One advantage of a HIDS is that it can examine the operating system's processes and protect specific system resources, including files that may exist only on particular hosts.
- A simple form of HIPS is the logging capability on a host. However, converting and analysing these logs can become labour-intensive. Today's HIPS software requires agent software to be installed on each host to monitor the activity performed on it and against it. The agent software performs the intrusion detection analysis and protection for the host.
- Advantages:
  - Because a host-based IDS examines traffic after it has reached the target of the attack (assuming the host is a target), it has direct information on the success of the attack. With a network-based IDS, an alarm is generated on known intrusive activity, but only a host-based IDS can determine the actual success or failure of an attack.
  - Other problems such as fragment reassembly and variable Time-To-Live (TTL) attacks are hard to detect using a network-based IDS. A host-based IDS, however, can use the host's own IP stack to deal with these problems.
- Difficulties:
  A host-based IDS has a few obstacles or difficulties: limited network view, and having to handle every operating system on the network.
  - The first difficulty with a host-based IDS is its limited view of the network with respect to an attack. For example, most of these IDS do not detect port scans against the hosts. So it is likewise not possible for a host-based IDS to detect reconnaissance scans against your network. These scans are an indicator of many other attacks against your network.
  - Another difficulty of host-based IDS is that the software must run on every host of the network. This presents a deployment problem for heterogeneous networks composed of several operating systems. Sometimes, host-based IDS vendors may choose not to support many operating systems because of these support problems. If your host-based IDS software does not support all the operating systems on the network, your network is not fully protected against intrusions.

  - The final difficulty is that when a host-based IDS detects an attack, it must communicate this information to some kind of central management facility. An attack can take the host's communications offline. The host is then unable to communicate any information to the central management facility. Furthermore, the network path to central management can itself become a central point for an attack.

This figure illustrates a basic HIPS deployment. Agents are installed not only on publicly accessible servers, corporate mail servers and application servers, but also on users' personal computers. The agents report events to a central console server located next to the corporate firewall.
1.6.2 Network-based intrusion detection systems (Network-based IDS).
- A network-based IDS examines the packets for attacks launched against the network. The IDS sniffs the network packets and compares the traffic against signatures of intrusive activity.

- The Cisco Secure Intrusion Detection System (CSIDS) is a network-based IDS. Using signatures, CSIDS looks at every packet entering the network and generates an alarm when intrusions are detected. You can configure CSIDS to disable signatures and to tune signature parameters so that it works best in your network environment. The figure above shows a CSIDS deployment.
- This section describes the characteristics of network-based intrusion detection systems (NIDSs), including an illustration of a basic NIDS deployment.

- Sensors are connected to network segments. A single sensor can monitor many hosts.
- Growth of a protected network is handled easily. New hosts and services can be added to the network without adding sensors.
- Sensors are network appliances tuned for analysis:
  - The operating system is hardened
  - The hardware is designed specifically for intrusion detection analysis.
- A NIDS consists of monitoring devices or sensors deployed throughout the network, which capture and analyse traffic as it crosses the network. The sensors detect unauthorized and dangerous activity in real time and can take action when required.
- Sensors can be deployed at designated network points, which lets security administrators monitor network activity while it is happening, regardless of the target location of the attack.
- A NIDS gives security administrators real-time insight into the security of the network regardless of its growth. Network growth can occur by adding hosts to existing networks or by adding new networks. Additional hosts added to existing protected networks are covered without any new sensors. Additional sensors can easily be deployed to protect new networks. A few factors that involve adding sensors are as follows:
  - Exceeded traffic capacity; for example, adding new gigabit segments requires a high-capacity sensor.
  - Sensor performance; the current sensors may not be able to handle a new traffic capacity.
  - Network additions; the security policy or network design may require additional sensors to help enforce security boundaries.
- NIDS sensors are typically tuned for intrusion detection analysis. The underlying operating system is stripped of unnecessary network services, and the essential services are secured.

- The hardware is chosen to provide the maximum intrusion detection analysis capability for a variety of networks. The hardware includes the following:
  - Network interface card (NIC): the NIDS must be able to connect to any network. Common NIDS network interface cards include Ethernet, Fast Ethernet, GigEthernet, Token Ring and FDDI.
  - Processor: intrusion detection requires CPU capacity to perform intrusion detection protocol analysis and pattern matching.
  - Memory: intrusion detection analysis is memory intensive. Memory directly affects a NIDS's ability to detect attacks effectively and accurately.

- Advantages: a network-based IDS has a few advantages, as follows
  - Network-wide perspective: by seeing traffic destined for many hosts, a sensor gains a network-wide view of attacks against your network. If someone is scanning many hosts on your network, this information is readily apparent to the sensor.
  - Does not have to run on every operating system on the network: another advantage of a network-based IDS is that it does not need to run on every operating system of the network. A network-based IDS runs on a limited number of sensor and management platforms. These platforms can be chosen to meet specific performance requirements. Besides being hidden on the monitored network, these devices can easily be hardened to protect them from attack because they serve a specific purpose on the network. CSIDS even supports a sensor that is a blade in the Catalyst 6000 family (see chapter 14, Catalyst 6000 IDS Module Configuration).
- Difficulties: a network-based IDS faces the following difficulties
  - Bandwidth: the biggest difficulty for a network-based IDS is bandwidth. As network pipes grow larger and larger, it becomes difficult to successfully monitor all the traffic through the network at a single point in real time without dropping packets. Instead, you need to install multiple sensors throughout the network at locations where the sensors can keep up with the traffic bandwidth.
  - Fragment reassembly: network packets have a maximum size. If a connection needs to send data that exceeds this maximum limit, the data must be sent in multiple packets. This is known as fragmentation. When the receiving host gets the fragmented packets, it must reassemble the data. Not all hosts perform the reassembly process in the same order. Some operating systems start with the last fragment and work through to the first. Others start at the first and work through to the last. The order does not matter if the fragments do not overlap. If they do overlap, the result differs for each reassembly process. To examine fragmented packets, a network sensor must also reassemble the fragments. The problem involves choosing the correct reassembly order. Attackers who use overlapping fragments can defeat a network-based IDS.
  - Encryption: users try to protect the privacy of their data connections. As more networks and users provide encryption for user sessions, the information available to a network-based IDS sensor diminishes. When the network traffic is encrypted, the network sensor cannot compare the encrypted data against its signature database.
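The fragment reassembly ambiguity described above, worked through as an added example (this is not code from the report or from any product it mentions): a sensor reassembles a constructed fragment set under both "first-received wins" and "last-received wins" orderings, and raises an alert when the two candidate payloads differ instead of trusting either one. Fragments are modelled simply as (offset, data) pairs.

```python
# Added example (not from the report): fragment reassembly the way a NIDS sensor
# must do it, plus detection of the ambiguous case the text describes, where
# overlapping fragments carry different bytes and "first-received wins" and
# "last-received wins" reassembly give different payloads.
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset into the original datagram, data)


def reassemble(frags: List[Fragment], policy: str = "first") -> bytes:
    """Reassemble fragments in arrival order.

    policy="first": a byte already written by an earlier fragment is kept.
    policy="last":  a later fragment overwrites earlier bytes.
    Unfilled gaps are left as zero bytes.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)
    filled = bytearray(total)  # 1 where some fragment has supplied the byte
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and filled[pos]:
                continue
            buf[pos] = byte
            filled[pos] = 1
    return bytes(buf)


def is_complete(frags: List[Fragment]) -> bool:
    """True when the fragments cover every byte from 0 to the end."""
    total = max(off + len(data) for off, data in frags)
    covered = bytearray(total)
    for off, data in frags:
        for pos in range(off, off + len(data)):
            covered[pos] = 1
    return all(covered)


def conflicting_overlaps(frags: List[Fragment]) -> List[Tuple[int, int]]:
    """Pairs of fragment indexes whose ranges overlap with *different* bytes.

    Overlaps carrying identical bytes are harmless (any order gives the same
    result); only differing bytes make the reassembly ambiguous.
    """
    conflicts = []
    for i, (off_i, d_i) in enumerate(frags):
        for j in range(i + 1, len(frags)):
            off_j, d_j = frags[j]
            lo = max(off_i, off_j)
            hi = min(off_i + len(d_i), off_j + len(d_j))
            if lo < hi and d_i[lo - off_i:hi - off_i] != d_j[lo - off_j:hi - off_j]:
                conflicts.append((i, j))
    return conflicts


def sensor_verdict(frags: List[Fragment]) -> Dict[str, object]:
    """What the sensor should report for one fragment set.

    A sensor cannot know which reassembly order the destination host uses, so
    when the two candidate payloads differ it must raise an alert for
    overlapping fragments rather than silently trust one of them.
    """
    first = reassemble(frags, "first")
    last = reassemble(frags, "last")
    return {
        "complete": is_complete(frags),
        "ambiguous": first != last,
        "conflicts": conflicting_overlaps(frags),
        "first_wins": first,
        "last_wins": last,
    }


# Constructed sample fragment sets (not captured traffic).
CLEAN_FRAGS: List[Fragment] = [(0, b"HELLO "), (6, b"WORLD")]
OVERLAP_FRAGS: List[Fragment] = [(0, b"HELLO WORLD"), (6, b"THERE")]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN_FRAGS), ("overlap", OVERLAP_FRAGS)):
        v = sensor_verdict(frags)
        status = "ALERT overlapping fragments" if v["ambiguous"] else "ok"
        print(f"{name}: {status} first={v['first_wins']!r} last={v['last_wins']!r}")
```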
1.6.3 Comparing HIDS and NIDS.

The diagram above shows a typical NIDS scenario, in which an attack is attempting to route traffic through the NIDS device on the network. The red device indicates where the NIDS is installed.

HIDS is a more comprehensive solution and proves more robust in networked environments. It does not matter where the computers are located; they are protected at all times. The yellow machines show where HIDS is installed.
- Comparative analysis between HIDS and NIDS

| Function | HIDS | NIDS | Remarks |
|---|---|---|---|
| Protection inside the LAN | **** | **** | Both protect you while inside the LAN |
| Protection outside the LAN | **** | - | Only HIDS |
| Ease of administration | **** | **** | Equivalent in the context of general administration |
| Flexibility | **** | ** | HIDS is the more flexible system |
| Cost | *** | * | HIDS is the more economical system if the right product is chosen |
| Ease of deployment | **** | **** | Both are equivalent |
| Short-term training required | **** | ** | HIDS requires less training than NIDS |
| Total cost | *** | ** | HIDS costs you less |
| Bandwidth required in the LAN | 0 | 2 | NIDS uses considerable LAN bandwidth, HIDS does not |
| Network overhead | 1 | 2 | NIDS has 2 network bandwidth requirements on any LAN |
| Bandwidth required (Internet) | ** | ** | Both need Internet bandwidth to update the signature files in time |
| Port-spanning requirements | - | **** | NIDS requires port spanning to be enabled to ensure your LAN traffic is scanned |
| Update cycle for clients | **** | - | HIDS updates all clients from a central signature file |
| Adaptability across application platforms | ** | **** | NIDS is more adaptable across application platforms |
| Local registry scans | **** | - | Only HIDS can perform these kinds of scans |
| Logging | *** | *** | Both systems have a logging function |
| Alert function | *** | *** | Both systems have alerting for individuals and administrators |
| PAN scanning | **** | - | Only HIDS scans your personal area network |
| Packet rejection | - | **** | Only NIDS features have this method |
| Expertise | *** | **** | More expertise is needed to install and use NIDS for your overall network security |
| Central management | ** | *** | NIDS has the advantage |
| Ability to disable risk profiles | * | **** | NIDS has a greater risk profile than HIDS |
| Upgradability | *** | *** | Clearly software is easier to upgrade than hardware. HIDS can be upgraded through centralized scripts |
| Detection nodes across multiple LAN segments | **** | ** | HIDS has more comprehensive detection across multiple network segments |
1.7 Tasks of an IDS.
- The main task of intrusion detection systems is to defend a computer system by detecting signs of attack and, where possible, repelling it. Detection of attacks depends on the number and kind of appropriate actions. For good intrusion prevention there must be a good combination of bait and traps equipped for studying threats. Diverting the intruder's attention away from the protected resources is another important task. Both the real system and the trap system must be monitored continuously. The data generated by intrusion detection systems is examined carefully (this is the main task of every IDS) to detect signs of attack (intrusions).

IDS process (figure)

IDS infrastructure (figure)
- When an intrusion is detected, the IDS raises alerts to the system administrators about the incident. The next step is taken by the administrators or possibly by the IDS itself, making use of additional measures (blocking functions to limit sessions, system backups, routing connections to a system trap, a legitimate infrastructure, etc.) according to the organization's security policies. An IDS is one component within the security policy.
- Among the various IDS tasks, identifying the intruder is one of the basic ones. It is also useful in the forensic investigation of incidents and in installing appropriate patches to allow the detection of future attacks aimed at specific individuals or system resources.
- Intrusion detection can sometimes raise false alarms, for example from problems caused by a malfunctioning network interface or by sending attack descriptions or signatures through email.

1.8 IDS architecture.
- Architecture of an intrusion detection system

A sample IDS. The width of the arrows corresponds to the amount of information flowing between system components (figure)
- The sensor is integrated with the data collection component, an event generator. The way of collecting is determined by the event generation policy, which defines the filtering mode for event information. The event generator (operating system, network, application) produces a policy-consistent set of events, which can be a log of system events or network packets. This set, along with the policy information, may be stored either in the protected system or outside it. In some cases, for example, the event data stream is transferred directly to the analyser without any data storage being performed. This applies to some extent to network packets.

IDS components (figure)
- The role of the sensor is to filter information and discard irrelevant data obtained from the events related to the protected system, so that suspicious actions can be detected. The analyser uses the detection policy database for this purpose. It also contains the following components: attack signatures, normal behaviour profiles and the necessary parameters (for example thresholds). In addition, the database holds configuration parameters, including the communication modes with the response module. The sensor also has its own database, containing stored data on potential complex intrusions (composed of many different actions).
- An IDS can be arranged centrally (for example integrated into a firewall) or distributed. A distributed IDS consists of multiple IDS on a large network, all of which communicate with each other. Many sophisticated systems follow the agent structure principle, where small modules are organized on a host in the protected network.
- The role of the agent is to examine and filter all the actions within the protected area and, depending on the approach adopted, to produce the initial analysis and even take charge of the response action. The cooperative network of agents reporting to a central analysis server is one of the important components of an IDS. A DIDS can use many more sophisticated analysis tools, in particular equipped to detect distributed attacks. Other roles of the agent relate to its mobility and roaming across physical locations. In addition, agents may be specifically devoted to detecting certain known attack signatures. This is a decisive factor when it comes to protection against new kinds of attacks. Agent-based IDS solutions also use less complex mechanisms for updating the response policy.
- The multi-agent architecture solution proposed in 1994 is AAFID (autonomous agents for intrusion detection). It uses agents that monitor a certain aspect of system behaviour at a certain time. For example, an agent can report an abnormal number of telnet sessions within the system it monitors. The agent is able to raise an alert on detecting a suspicious event. Agents can be cloned and moved within other systems (the autonomy feature). Besides the agents, the system can have transceivers that monitor all the operations controlled by the agents on a given host. The transceivers always send their results to a single monitor. The monitors receive information from the networks (not just from a single host), which means they can correlate distributed information. In addition, some filters may be introduced to select and gather data.

1.9 IDS data processing techniques.
Depending on the kind of method used to detect intrusions, different processing mechanisms (techniques) are also applied to the data of an IDS. Below, a number of systems are briefly described:
- Expert systems: this kind of system works on a set of rules defined in advance to describe attacks. All security-related events are incorporated into the audit and translated in the form of if-then-else rules. Examples are Wisdom & Sense and ComputerWatch (developed at AT&T).
- Signature analysis: like the expert system approach, this method is based on knowledge of attacks. It transforms the semantic description of each attack into an appropriate audit format. Thus, attack signatures can be found in the logs or in the input data stream in a straightforward way. An attack scenario can be described, for example, as a sequence of audit events for the attack, or as a data pattern that can be searched for in the captured audit data. This method uses abstract equivalents of the audit data. Detection is carried out using common text string matching mechanisms. Typically, it is a very powerful technique and is often used in commercial systems (for example Stalker, Real Secure, NetRanger, Emerald eXpert-BSM).
- The Colored Petri Nets method is often used to generalize attacks from basic knowledge and to represent attacks graphically. The IDIOT system of Purdue University uses Colored Petri Nets. With this technique, administrators find it easier to add new signatures. However, matching a complex signature against the audit data is a very time-consuming problem. This technique is not used in commercial systems.
- Session state analysis: an attack is described by a set of goals and sessions that must be carried out by an intruder to compromise the system. The sessions are presented in a session state diagram.
- Statistical analysis method: this is a commonly used method. User or system behaviour (a set of attributes) is measured in terms of a number of variables over time. For example, the variables may be: user login, logout, the number of files accessed within a time period, the usage of disk space, memory, CPU, etc. The update cycle can vary from a few minutes to a month. The system stores a mean value for each variable, which is used to detect the exceeding of a predefined threshold. Even this simple method cannot match the typical model of user behaviour. Methods based on correlating individual user profiles with aggregated group variables were also ineffective. Therefore, a more sophisticated model of user behaviour was developed using short-term or long-term user profiles. These profiles are regularly updated to keep up with changes in user behaviour. Statistical methods are often used in IDS implementations based on normal user behaviour profiles.
- Neural Networks use their learning algorithms to learn the relationship between input and output vectors and to generalize them in order to derive new input/output relationships. The neural network approach is used for intrusion detection, its main purpose being to learn the behaviour of participants in the network (users or intruders). In fact, statistical methods are partly considered neural networks too. Using neural networks on top of existing statistics, or focusing on simplicity, makes it possible to represent non-linear relationships between variables and to learn these relationships automatically. Experiments were carried out with neural network prediction of user behaviour. The results showed that the behaviour of the UNIX superuser (root) is predictable. With a few exceptions, the behaviour of most other users is also predictable. Neural networks remain a powerful computing technique but are not widely used in the intrusion detection community.
- User intention identification: this technique models users' normal behaviour as a set of high-level tasks they can perform on the system (related to user function). Tasks usually require a number of operations that are adjusted to match the appropriate audit data. The analyser keeps a set of acceptable tasks for each user. Whenever a mismatch is detected, an alert is generated.
- Computer immunology: analogies with immunology research were used to develop techniques built from a model of normal behaviour in UNIX network services rather than of individual users. This model consists of short sequences of system calls made by processes. Attacks exploiting holes in application code are very likely to cause abnormal execution paths. First, a reference set of audit data is collected to represent the legitimate behaviour of the services, then the knowledge base is extended with all the known sequences of system calls. These patterns are then used for continuous checking of system calls, to see whether the generated sequence is listed in the knowledge base; if not, an alert is generated. This technique has a very low false alarm rate. Its drawback is its inability to detect errors in the configuration of network services.
- Machine learning (self-learning technique). This is an artificial intelligence technique that stores the user's output command stream in vector form and uses it as a reference for the user's normal behaviour profile. The profiles are then grouped into a library of user commands having certain common components.
2 IPS.
2.1 Concept.
- An intrusion prevention system (IPS) is defined as software or a dedicated device that is capable of detecting intrusions and can block threats to security. IDS and IPS have a great deal in common, so IDS and IPS systems can be referred to together as IDP (Intrusion Detection and Prevention).
- When did IPS come about, and why is an IPS needed rather than an IDS?
Given the limitations of IDS systems, especially after the appearance of large-scale automated attacks such as Code Red, NIMDA and SQL Slammer, the question arose of how attacks could be blocked automatically rather than merely reported, so as to reduce the workload of the system administrator. IPS systems appeared in 2003 and, immediately afterwards, in 2004 they became widespread.
Combined with upgrades to the management components, IPS systems have gradually replaced IDS because they reduce the need for human intervention in responding to detected threats and also relieve part of the operational burden. Moreover, in some special cases an IPS can act as an IDS by switching off its intrusion prevention feature. Today networks tend to adopt IPS solutions instead of the old IDS.
- Superficially, intrusion detection and intrusion prevention solutions appear to compete with each other. After all, they share a list of similar functions such as packet inspection, stateful analysis, fragment reassembly, TCP-segment reassembly, deep packet inspection, protocol validation and signature matching. An IPS works like a guard at the gate of a residential area, allowing and denying access on the basis of credentials and some set of rules. An IDS (intrusion detection system) works like a patrol car inside the residential area, monitoring activity and looking for abnormal situations. However strong the security at the gate of the area may be, the patrol car continues to operate within a monitoring system and a balance of its own.
2.2 Intrusion detection and prevention.
2.2.1 Intrusion detection.
- The purpose of intrusion detection is to provide monitoring, auditing, forensics and reporting on network activity. It operates on the packets that have been allowed through an access control device. Because of limitations in reliability and because of insider threats, Intrusion Prevention has to allow some gray area for attacks in order to avoid false alarms. On the other hand, IDS solutions packed with intelligence use many different techniques to recognize intrusions, exploits, abuse and potential attacks. An IDS can carry out its activities without affecting the computing and network connectivity architecture.
- The passive nature of an IDS lies in the fact that it provides the main strength of intelligent analysis of packet traffic. In that position an IDS can recognize:
Known attacks, by signatures and rules.
Variations in traffic volume and direction, using complex rules and statistical analysis.
Changes in communication traffic patterns, using flow analysis.
Abnormal activity, using baseline deviation analysis.
Suspicious activity, using flow analysis, statistical techniques and anomaly detection.
2.2.2 Intrusion prevention.
- As mentioned earlier, Intrusion Prevention solutions aim to protect resources, data and the network. They reduce the threat of attack by eliminating harmful or malicious network traffic while still allowing legitimate activity to continue. The goal here is a perfect system: no false alarms that reduce end-user productivity and no false negatives that create excessive risk inside the environment. Perhaps a more essential role is the need to be trusted to perform as expected under any conditions. This means that Intrusion Prevention solutions are put in place to deal with:
Unwanted applications and Trojan horse attacks aimed at private networks and applications, through the use of defined rules and access control lists (access control lists).
Attack packets like those from LAND and WinNuke, through the use of high-speed packet filters.
Protocol abuse and evasive actions that manipulate network protocols, like Fragroute and TCP overlap exploits, through intelligent reassembly.
Denial of service attacks (DoS/DDoS) such as SYN and ICMP floods, through the use of threshold-based filtering algorithms.
Application abuse and protocol manipulation, known and unknown attacks against HTTP, FTP, DNS, SMTP etc., through the use of application protocol rules and signatures.
Application overload or abuse attacks, through the use of threshold-based limits on resource consumption.
- All of the attacks, and the vulnerable states that allow them to occur, are well documented. In addition, anomalies in communication protocols from the network layer through the application layer have no place in any kind of legitimate traffic, which makes such errors highly selective indicators in a defined context.
2.3 Future requirements for IPS.
- In the future, an inline security gateway solution must achieve these goals:
The ability to detect and prevent attacks based on the logical and physical use of multiple enforcement technologies. More broadly, this includes the ability to prevent both known and unknown attacks using application defences (Application Defenses).
The ability to interoperate with the deployed security infrastructure for the purposes of data collection, digital evidence, monitoring, tracking and remediation when needed.
The ability not to disrupt business operations through lack of availability, poor performance, false positives or the inability to work together with mandated authentication infrastructures.
The ability to support IT security professionals in delivering their organization's risk management plan, including the costs of implementation and operation and the results obtained from the system's alerts and reports.
- Challenges to achieving these goals:
At present there is no acceptable third-party research on the effectiveness of IPS as a solution. The hype surrounding Intrusion Prevention is blurring the line between what the technology can deliver and what it promises.
The multi-layered approach to IT security continues to be valuable as the industry develops. It is unlikely that there will be a shift away from layered defence in depth as it is organized today.
Many IPS solutions will impose requirements similar to IDS for tuning, monitoring and reporting.
- A positive view of the future: at present there is no product suitable for everything that can meet the needs of the broad market to the extent that it could replace today's firewall, NIDS (Network Intrusion Detection System), layer-7 switches and other components, which may or may not become the inline security gateways of tomorrow. Still, if such a product appears, it will have to meet the goals discussed earlier in this document, including application defence capabilities (Application Defenses). What comes next? A revolution is not something that can be predicted, and it generally consists of many steps into the future. Future threats that we do not yet know about today will steer the direction of our future solutions. New threats and newly discovered vulnerabilities may affect today's Intrusion Prevention security concepts in fundamental ways. But the development of Intrusion Prevention Systems is much like the gradual blending over time of various security concepts into a genuine application-defence model.
3 Comparison of IDS and IPS.
- Today IDS technology has been replaced by IPS solutions. Put simply, an IDS can be seen as just a bell that warns the administrator of the risk that an attack may occur. Clearly it is only a passive monitoring solution: it can only warn, and actually blocking attacks on the system depends entirely on the administrator. This places very high demands on the administrator, who must decide which traffic is needed and which traffic is suspected of being a sign of an attack, and of course that job is extremely difficult. With an IPS, the administrator can not only identify suspicious traffic when there are signs of an attack but also reduce the chance of misidentifying traffic. With an IPS, attacks are eliminated as soon as the first signs appear, and it operates according to rules set in advance by the administrator.
- Today's IDS use only one or two attack detection mechanisms. Since each attack has its own distinct mechanisms (see also my articles on DoS), different mechanisms are needed to distinguish them. With an IDS, the small number of mechanisms can mean that attacks with an unforeseen mechanism go undetected, so those attacks may succeed and affect the system. In addition, because IDS mechanisms are general, they produce false reports and false alerts, wasting the administrator's time and effort. An IPS, by contrast, is built on a great many attack mechanisms and can create new mechanisms to fit new forms of attack, so it reduces the chance of attacks on the network; moreover, IPS accuracy is higher than that of IDS.
- Note that with an IDS, the response to an attack can only occur after the attack packets have reached their destination, at which point countering the attack means sending requests to the system's hosts to tear down the connections between the attacking machine and the server, or sending a notification to the firewall so that the firewall carries out its function; however, this sometimes has side effects on the system. For example, if an attacker spoofs (sniffer) the address of a partner, an ISP or a customer to launch a denial-of-service attack, then although the IDS can stop the denial-of-service attack, it will also block the IP of the customer, the ISP or the partner, so the damage remains and the side effect counts as a successful DoS even though the denial-of-service attack itself failed. An IPS is different: it detects the signs of an attack from the start and then immediately locks these network flows, and only then can attacks be minimized.

4 Snort.
4.1 Introduction.

- SNORT is an open-source network intrusion detection and prevention system capable of analyzing network traffic in real time and logging packets on IP networks. The system can perform protocol analysis and content matching and can be used to detect many kinds of attack, such as buffer overflows, port scans and CGI attacks. Using SNORT is not hard, but the system has many command-line options.
- SNORT can be configured to run in the following modes:
Sniffer: listens to packets on the network and displays them as a continuous stream on the console.
Packet Logger: logs packets to disk.
Network Intrusion Detection System (NIDS): receives packets from libpcap/winpcap, analyzes network traffic, matches it against the set of user-defined rules and takes the corresponding actions.
Inline: receives packets from iptables and then tells iptables to accept or drop the packet based on SNORT's rules.
- SNORT is developed by Sourcefire Inc. Eric Raymond popularized and applied the open-source model to Linux, which succeeded in the operating system market; everyone in the SNORT open-source community can detect and respond to bugs and security threats faster and more effectively than in a closed-source environment.
- SNORT uses rules stored in ordinary text files, which users can edit and extend. The rules are grouped into separate categories and stored in separate files (for example web-attack.rule, misc.rule). These files are then declared in the configuration file, called SNORT.conf. SNORT reads these rules at startup and builds its internal data structures, or chains the rules together, to catch packets.
4.2 Operating model.
4.2.1 Network Intrusion Detection Systems (NIDS).
- A NIDS is usually placed in the network to monitor the packet traffic of the devices. We can scan all information entering and leaving the system.

Figure 1: NIDS deployment model (taken from the book Snort for Dummies)
4.2.2 Host Intrusion Detection Systems (HIDS)
- A HIDS runs on a separate machine or on devices in the network, in order to detect attacks on those devices themselves.

4.3 Snort structure.
Figure: Snort architecture. Network Traffic -> Packet capture (LibPcap/WinPcap) -> Decoder -> Preprocessors -> Detection Engine (reads/applies the Rules file and references the Detection Plug-ins) -> Output Plug-ins (Logging and Alerting System) -> Selected Output Mode (Log files, Console, Sockets, ...) -> Alert.

SNORT uses pcap to capture packets on the network. Pcap invokes a callback function, ProcessPacket, each time it reads a packet. From this function the packet is passed to the decoder; after decoding, depending on how SNORT was configured at startup, it proceeds to the components shown above. Below is a brief description of the basic components of snort.
4.3.1 Decoder.
The decoder takes the packets delivered by pcap or libpcap and prepares them for the preprocessors, or passes them straight to the detection engine.
4.3.2 Preprocessor (Input Plugin).
Preprocessors, or input plugins, can serve several different purposes:
- They can normalize or rearrange the data in the packet payload before passing it to the detection engine for detection; this is an important feature that helps defeat the techniques attackers commonly use to evade an IDS.
- They can perform detection on a packet themselves.
- They can also defragment packets, which is also an important part of the detection process.
4.3.3 Detection Engine.
- This is the most important component, the heart of snort: it performs intrusion detection on packets based on the defined rules. It reads the rules defined in snort.conf and builds a structure to carry out detection. If detection finds that a packet matches some rule, the corresponding action is generated.
- Detection can be performed on the packet headers, such as the IP header, ICMP header or TCP header, or on the packet payload.
4.3.4 Logging and Alerting:
Depending on what the detection engine finds in a packet, the packet can be logged before a rule is activated or an alert is generated. This is where messages and alerts are created.
4.3.5 Output Plugin.
This is where the output generated by the Logging and Alerting component is processed; depending on configuration it can perform the following functions:
- Log the packet to a file.
- Log to a database.
- Generate an XML output file.
- Adjust the firewall configuration.
- Send an SMB message to a Windows machine.
- Other actions such as sending e-mail, SNMP, etc.
4.4 Rule structure.
A rule in Snort is divided into two parts: the rule header and the rule options.
Figure: Rule structure (taken from IDS with Snort)
4.4.1 Rule Header.

Figure: Rule header structure (taken from IDS with Snort)
- Action: this field determines the kind of action taken when the detection engine matches the rule against an incoming packet. The actions predefined in snort are described below:
Alert: generate an alert message and log the packet.
Log: log the packet.
Dynamic: the rule is executed only when activated by another rule.
Pass: pass the packet.
Drop: drop the packet, generate an alert message and log the packet.
Reject: drop the packet, log it, generate an alert message and send a notification to the source.
SDrop: drop the packet without generating an alert message, without logging the packet and without notifying the source.
- Protocol: this field defines the protocol of the packets to which the rule applies; currently snort supports the following protocols: IP, ICMP, TCP, UDP.
- Address: the source and destination IP addresses of the packets to which the rule applies.
- Port: the source and destination ports of the packets to which the rule applies; only meaningful when the protocol is TCP or UDP.
- Direction: determines which Address and Port are the source and which are the destination; there are 3 kinds of direction operator, of which -> (one way) and <> (both ways) are used in the examples in this section.
- Example: alert icmp any any -> any any (msg:"Example"; sid:1000001;)

4.4.2 Rule options.
Basically the rule options can be divided into the following kinds: rule content, IP options, ICMP options, TCP options, metadata options and miscellaneous rule options.
a. Rule content:
This is a very powerful and important option; it lets you write rules that analyze the payload of a packet by binary or ASCII value, and it can be combined with many other options to pinpoint malicious code in the packet content.
- Content option: lets you define an ASCII string or a binary string, carrying the attack signature the rule looks for, that may be present in the packet.
Example: alert tcp any any -> any any (content:"|0101 FFFF|/etc/passwd|E234|"; msg:"Searching for Ascii and Binary stuff!";) In this rule the content option contains both an ASCII value and binary values; the binary values are enclosed between | | characters.
- Depth option: specifies the maximum number of payload bytes to be searched for the content string defined in the content option.
- Offset option: defines the position in the payload at which matching of the content string defined in the content option begins.
Example: alert tcp any any -> any 80 (content:"GET"; depth:10; offset:0; msg:"Searching for Ascii with offset and depth stuff!";) This rule matches the string 'GET' starting at position 0 of the packet payload and searches at most up to position 10 of the payload.
- Nocase option: specifies that when matching the content string against the packet payload, upper and lower case are not distinguished.
b. IP options:
These options operate on the contents of the IP header; they are commonly used to identify attacks on devices, network scans, etc.
- Equivalent Source and Destination option: used to detect packets whose source IP and destination IP are the same.
Example: alert ip any any -> any any (msg:"Same Source and Destination IP Address"; sameip;)
- IP option: performs detection on the options field of the IP header; syntax ipopts:<IP_OPTION>;.
IP option   Description
Eol         Indicates the end of an IP option list
Lsrr        IP loose source routing
Nop         Indicates a packet with no option set
Rr          Record route
Satid       IP stream identifier
Sec
Ssrr        IP strict source routing
Ts          Time stamp field
- TOS option: performs detection on the TOS field of the IP header; syntax tos:value;.
Example: alert tcp $EXTERNAL any -> $CISCO any (msg:"Cisco TOS Example"; tos:!"0";) matches packets whose TOS is not 0.
- TTL option: performs detection on the TTL field of the IP header; syntax ttl:value;.
- ID option: performs detection on the ID field of the IP header; syntax id:value;.
c. TCP options:
Like the IP options, the TCP options detect values in the header fields of TCP packets. There are only 3 TCP options: seq, ack and flags; seq and ack are very rarely used, so only the flags option is covered in detail.
- seq option: specifies a particular number in the seq field of the TCP header that we want to detect; syntax: seq:<sequence_number_value>;
- ack option: specifies a particular number in the ack field of the TCP header that we want to detect; syntax: ack:<ack_numerical_value>;
- flags option: specifies which flags must be set or not set, or combinations of flags, in the TCP packets we want to detect; syntax: flags:<TCP_VALUES>;. The values snort currently supports are:
TCP flag   Description
A          Check whether the ACK flag is set
F          Check whether the FIN flag is set
P          Check whether the PSH flag is set
R          Check whether the RST flag is set
U          Check whether the URG flag is set
S          Check whether the SYN flag is set
0          Check that no flag is set in the packet
1
2
+          The plus sign means the specified flags together with any other flag; for example A+ means the rule fires if the packet has the ACK flag set plus any other flag.
*          The asterisk means any of the flags in the packet matches a flag specified in the rule; for example *AS fires if the packet has ACK or SYN or both set.
!          The negation sign means the packet does not have the flag specified in the rule; for example !S means the rule fires if the packet's SYN flag is not set.

d. ICMP options:
Snort currently supports 4 ICMP options that can be used in rule options to create rules detecting specific attack signatures. The 4 ICMP options are ICMP ID, ICMP SEQUENCE, ICODE and ITYPE.
- ID option: this field is different from the ID field of the IP packet; the rule fires based on the value specified in the ID field of the ICMP packet. This field can also be used to identify programs that use a static ICMP ID value; syntax: icmp_id:VALUE;.
- Sequence option: similar to the ICMP ID field; syntax icmp_seq:VALUE;.
- icode option: lets you specify a value for the code field of the ICMP packet. It can be used in two ways: either specify a valid ICMP code, so that the rule fires for any ICMP packet whose code field matches the defined value, or specify an invalid code value to detect ICMP packets with an invalid code field; syntax icode:VALUE;.
- itype option: similar to icode, used to check the value of the type field of the ICMP packet; syntax itype:VALUE;.
e. Metadata options:
These options support classifying, identifying and documenting the alerts that snort generates; they should be created carefully so that reporting and snort configuration go smoothly.
- Snort id option: used to classify and identify a particular rule; syntax sid:VALUE;. The table below lists the snort id ranges.
Range          Meaning
< 100          Reserved
100-1000000    Used for the rule sets distributed with snort
> 1000000      Used for rules defined by the user

- Rule revision number: used when you modify a rule and want to distinguish it from other modifications or from the original rule; syntax rev:REVISION_NUMBER;. The example below shows a rule with sid 10000001 and rev 3:
alert tcp any any -> any any (sid:10000001; rev:3; msg:"sid and revision";)
- Severity identifier option: lets you override the default priority value of a rule set by the rule classification; here we can raise or lower the priority with the syntax priority:<PRIORITY_VALUE>; for example: alert udp any any -> $INTERNAL 21974 (priority:1; msg:"Bad Worm Backdoor";)
- Classification identifier option: lets you classify rules by the different kinds of attack; the classifications are defined in a config file; syntax classtype:<NAME_OF_CLASSIFICATION>;. Below are some classifications predefined by snort:

(Figure: predefined classifications, taken from the book Snort 2.1.)
- External reference: used to add references to documents for an alert when it is generated by snort, for reporting, sorting and documenting snort alerts; syntax: reference:<SYSTEM>,<ID VALUE>;.
4.5 Installation.
We need to prepare all of the following software before installing snort:
- snort-2.4.2.tar.gz
- snortrules.tar.gz
- snort-1.0.wbm
- Net_SSLeay.pm-1.2.0.tar.gz
- webmin-1.230-1.noarch.rpm
- acid-0.9.6b23.tar.gz
- adodbb461.tar.gz
- gd-2.0.33.tar.gz
- phplot-4.4.6.tar.gz
4.5.1 Installing snort.
Install snort from the snort-2.4.2.tar.gz package with the following commands:
# cp snort-2.4.2.tar.gz /usr/
# cd /usr/
# tar xzvf snort-2.4.2.tar.gz
# cd snort-2.4.2
# ./configure --with-mysql
# make
# make install

Update the rule set for snort; it is this rule set that lets snort operate in NIDS mode.
# mkdir /etc/snort
# cp snortrules.tar.gz /etc/snort
# cd /etc/snort
# tar xzvf snortrules.tar.gz

Because of the default paths configured in snort, for snort to run correctly all rules must be moved from the directory /etc/snort/snortrules to the directory /etc/snort. Then delete the directory /etc/snort/snortrules.
Edit the following lines in /etc/snort/snort.conf (line 815):
# output database: log, mysql, user=root password=test dbname=db host=localhost
change to
output database: log, mysql, user=snort password=123456 dbname=snort host=000.000.000.000

var RULE_PATH ../rules
change to
#var RULE_PATH ../rules

Remove all $RULE_PATH from the include lines, as follows (line 73):
# include $RULE_PATH/bad-traffic.rules

change to
#include bad-traffic.rules
...

Create the directory for the event logs:
# mkdir /var/log/snort

Create the snort startup script and try starting and stopping snort:
# cp snortd /etc/rc.d/init.d
# cd /etc/rc.d/init.d
# chmod 755 snortd
# chkconfig --level 2345 snortd on
# /etc/rc.d/init.d/snortd start
# /etc/rc.d/init.d/snortd stop
4.5.2 Installing Webmin.
Before installing webmin, we must install SSL (to ensure the transmitted data is kept confidential). Follow these commands to install SSL:

# cp Net_SSLeay.pm-1.20.tar.gz /usr
# cd /usr
# tar xzvf Net_SSLeay.pm-1.20.tar.gz
# cd Net_SSLeay.pm-1.20
# perl Makefile.PL
# make install

Install webmin from the rpm package:
# rpm -ivh webmin-1.230-1.noarch.rpm

After installing webmin, we configure SSL. Open the Mozilla browser and enter the address http://localhost:10000. Then log in as ROOT and the following screen appears:

Figure 4-1: Webmin Configuration
Select the Webmin Configuration icon, and the next screen appears:

Figure 4-2: SSL encryption
Select the SSL Encryption function, then select the option Enable SSL support if available to activate SSL. From now on we must log in to this page at the address https://localhost:10000.
Back in Figure 4-1 (Webmin Configuration), select the Webmin Modules function to install the webmin module for snort.

Figure 4-3: Webmin Modules
Next choose installation from a local file, select the path to snort-1.0.wbm and proceed with the installation.
4.5.3 Installing adodb, acid, gd, phplot.
Before installing the adodb, acid, gd and phplot packages, we must configure mysql as follows:

# mysql -u root
mysql> set password for root@localhost=password('123456');
mysql> create database snort;
mysql> exit;
# chkconfig mysqld on
# mysql -u root -p
mysql> connect snort;
mysql> source create_mysql;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> grant CREATE,INSERT,SELECT,UPDATE on snort.* to acidviewer;
mysql> grant CREATE,INSERT,SELECT,UPDATE on snort.* to acidviewer@localhost;
mysql> connect mysql;
mysql> set password for snort@localhost=password('123456');
mysql> set password for snort@'%'=password('123456');
mysql> set password for acidviewer@localhost=password('123456');
mysql> set password for acidviewer@'%'=password('123456');
mysql> flush privileges;
mysql> exit;


Next we install acid, adodb, gd and phplot:
# tar xzvf acid-0.9.6b23.tar.gz -C /var/www/html
# tar xzvf adodb461.tar.gz -C /var/www/html
# tar xzvf gd-2.0.33.tar.gz -C /var/www/html
# tar xzvf phplot-4.4.6.tar.gz -C /var/www/html

Rename the directories gd-2.0.33 and phplot-4.4.6 to gd and phplot. Copy the acid directory to another directory named acidviewer.
Edit the following lines in /var/www/html/acid/acid_conf.php and in /var/www/html/acidviewer/acid_conf.php:
$DBlib_path = "../adodb";
$alert_dbname = "snort";
$alert_user = "snort"; (or "acidviewer")
$alert_password = "123456";
$Chartlib_path = "../phplot";
Continue with the following steps:
# mkdir /usr/lib/apache
# mkdir /usr/lib/apache/passwords
# htpasswd -c /usr/lib/apache/passwords/passwords snort
# htpasswd /usr/lib/apache/passwords/passwords acidviewer

Add the following to /etc/httpd/conf/httpd.conf:

<Directory /var/www/html/acid>
AuthType Basic
AuthName "snort solution"
AuthUserFile /usr/lib/apache/passwords/passwords
Require user snort
AllowOverride None
</Directory>

<Directory /var/www/html/acidviewer>
AuthType Basic
AuthName "snort solution"
AuthUserFile /usr/lib/apache/passwords/passwords
Require user acidviewer
AllowOverride None
</Directory>

Now we access the acid page at the address http://localhost/acid/ and see the following screen:


Figure 4-4: ACID setup
Click on Setup page and the following screen appears:

Figure 4-5: DB setup
Click on Create ACID AG and the following screen appears:

Figure 4-6: DB setup
Click Main page and everything is complete.
Our installation is complete; we can manage snort by logging in at https://localhost:10000 as ROOT and selecting the Servers icon:

Figure 4-7: Module Server
Then select the Snort IDS Admin icon:

Figure 4-8: Snort IDS admin
To view information about the packets snort has logged, go to http://localhost/acid with the snort account or to http://localhost/acidviewer with the acidviewer account.

4.6 Configuring Snort:
Snort is configured mainly in the configuration file, commonly named snort.conf; it is a structured text file.

Figure: The snort.conf file
Below are the basic configuration steps:
Setting variables: this is where global variables are set for use in rules and in directives such as include. Declarations have the form var NAME value.
Configuring preprocessors: this is where the preprocessors that will run are configured; declarations have the form preprocessor <name_of_processor>: <configuration_options>.
Configuring output plugins: this is where the output plugins that will run are configured; declarations have the form output <name_of_plugin>: <configuration_options>.
Defining new rule types to be used in the rule definitions; below is a concrete example of defining a new rule type:
ruletype suspicious
{
type log
output log_tcpdump: suspicious.log
}
Creating rules: this is where you define the rules snort uses to detect packets; usually they are defined in a separate file for easier management and included here.
There are also other settings, which you can find described in detail in snort.conf or in the accompanying manual.
4.7 Using Snort on Linux.
4.7.1 Sniffer mode.
As introduced above, in sniffer mode snort reads information about the packets travelling on the network and displays it on the console.
If you only want the packet header information, use:
./snort -v
The following command provides more information: besides the headers, snort also shows the application data the packets are carrying:
./snort -vd
If you want still more information, displaying the headers of each data-link frame as well, use:
./snort -vde or ./snort -v -d -e
4.7.2 Packet logger mode.
Packet logger mode stores packet information on disk. Simply use the following command and snort knows it should operate in Packet logger mode and save the information to the specified location:
./snort -dev -l ./log
If you want to log packet information in a more complex form for later analysis, you can log in binary form. In that case use the following command:
./snort -l ./log -b
Once the information is stored in binary form, you need a program to translate the binary file into a readable form, such as tcpdump or Ethereal. Snort also supports reading it back, simply with the command:
./snort -dv -r packet.log
You can add a parameter telling snort which kind of packets to read. For example, if you only need information about icmp packets, use:
./snort -dv -r packet.log icmp
4.7.3 Network Intrusion Detection Mode (NIDS).
This is snort's most complex mode of operation, with a great many parameters. However, the important, mandatory parameter of this mode is -c. It gives the path of the rule files, so that snort logs only the packets the rule files ask for.
./snort -u snort -g snort -d -D -c /etc/snort/snort.conf
4.7.3.1 Format of an alert.
An alert has the following format:
[**] [116:56:1] {snort_decoder}: T/TCP Detected [**]
The first number is the Generator ID (GID); the GID tells which component of snort generated the alert. The list of GIDs is in the file /etc/generators.
The second number is the Snort ID (SID); the SID tells which preprocessor created the alert. The list of preprocessors is in the file /etc/gen-msg.map.
The third number is the revision ID, which distinguishes alerts.
4.7.3.2 Alert parameters.
NIDS mode has many options that define how alerts are raised and how packets are logged. The default for this mode is full alerts and logging packets in ASCII form. Below is the table of parameters defining the alerts:
Parameter    Alerting method
-A fast      NIDS gives a simple alert consisting of the alert message, the source IP address and the destination IP address.
-A full      This is the default mode if no parameter is given.
-A unsock    Sends the alert to a UNIX socket so that another program can listen for it.
-A none      Turns off alerts.
-A console   Prints alerts in fast format to the console.
-A cmg       Generates alerts in cmg format.

4.7.4 Inline mode.
In this mode snort intervenes directly in iptables. Three kinds of rule are used when snort operates in Inline mode:
- drop: with a drop rule, iptables discards the packet and logs the event.
- reject: with a reject rule, iptables discards the packet, logs the event and notifies the sending machine that the packet will not arrive.
- sdrop: with an sdrop rule, iptables discards the packet without notifying the host and without logging the event.
For snort to operate in Inline mode, build snort with the following parameters:
./configure --enable-inline
make
make install
To run snort in inline mode, use the following command:
snort_inline -QDc ../etc/drop.conf -l /var/log/snort
The parameters have the following meaning:
-Q: take packets from iptables.
-D: run snort_inline as a daemon.
-c: read the configuration file.
-l: log events to the given directory.