Intrusion Detection and Prevention System with Snort and iptables
CHAPTER 1
OVERVIEW OF INTRUSION DETECTION AND PREVENTION SYSTEMS
... signatures or rules. The detection system can search for and log these suspicious activities and raise alerts. Anomaly-based IDS usually relies on protocol header fields of a packet that are considered abnormal; in some cases this method gives better results than signature-based IDS. Typically an IDS captures packets on the network and compares them against its rules to find abnormal signs in the packets.
1.1.3. IDS policy
Before an IDS is installed there must be a policy stating how attackers are to be detected, what is to be done when attack activity is found, and how the policy is to be applied. A policy should contain the following parts (more can be added according to the requirements of each system):
Who will monitor the IDS? Depending on the IDS, there may be an alerting mechanism that supplies information about attack actions. The alerts may be in simple text form or in a more complex form, and they may be integrated into a centralized network management system such as HP OpenView or a MySQL database. An administrator must monitor intrusion activity, and the policy must name who is responsible. Intrusion activity can be tracked and reported in real time through pop-up windows or a web interface. The administrators must understand the alerts and the security level of the system.
Who will operate the IDS? As with every system, an IDS needs regular maintenance.
Who will handle incidents, and how? If incidents are not handled, the IDS is effectively useless.
Reports can be generated and displayed at the end of each day, week or month.
Updating the signatures. Attackers constantly create new techniques for attacking systems, and the IDS detects these attacks on the basis of attack signatures, so the signature set must be kept current.
Documentation is essential for projects. IDS policies should be documented when attacks are detected. Documents can
Vn nh Qun-0021
a. Advantages of HIDS
It can identify which users on the system are involved in an event.
A HIDS can detect attacks that take place on a single host; a NIDS cannot.
It can analyse data that was encrypted in transit, because the host sees it after decryption.
It provides information about the host while an attack on that host is in progress.
b. Limitations of HIDS
Information from a HIDS can no longer be trusted once an attack on that host has succeeded.
When the operating system is compromised, the HIDS loses its effect as well.
A HIDS must be installed on every host that is to be monitored.
A HIDS cannot detect network reconnaissance (Nmap, Netcat).
A HIDS consumes resources on the host it runs on.
A HIDS may not be effective under a denial-of-service (DoS) attack.
Most are developed for the Windows operating system, though some run on Linux or Unix.
Because a HIDS must be installed on the servers, it burdens the administrator with version upgrades, software maintenance and configuration, which is time-consuming and complicated. Usually the system can only analyse the traffic the server itself receives; traffic aimed at a group of servers, or reconnaissance such as port scans, is not covered. If the server is compromised the attacker can turn off the HIDS on that machine, at which point the HIDS is neutralised.
Therefore a HIDS must provide a complete alerting capability. In a heterogeneous environment this can become a problem if the HIDS has to support many operating systems, so the choice of HIDS is also an important matter.
Table: comparison of HIDS and NIDS (the star ratings of the original table are not recoverable from the extracted text; the remarks are kept)

Criterion                         Remarks
Cost                              HIDS raises the cost; if the right product is chosen the two are equivalent
Bandwidth required in the LAN     NIDS requires network bandwidth; HIDS does not
Network overhead                  HIDS consumes less
Bandwidth required (Internet)     Both need Internet bandwidth
Logging                           Both systems have a logging function, written to a central file
PAN scanning                      Only HIDS can perform these kinds of scans
Packet dropping                   Only NIDS has this method
Expertise                         Much expertise is needed; HIDS requires less training
Centralized management            NIDS can adapt to any LAN; scalability requirements
Ability to disable / risk factor  NIDS has the advantage, but carries a higher risk factor than HIDS
Update capability                 Clearly the ability to upgrade
The signature file is supplied with the IPS, so an intruder can use the IPS to test his attack: once the intruder understands what generates an alert, he can change his attack method and tools to defeat the IPS.
Because anomaly detection does not use a predefined signature database, the intruder cannot know exactly what caused the alert. Anomaly detection can quickly detect an attack from the inside that uses a compromised user account.
If the user account belongs to an administrative assistant who is being used to carry out system administration, an IPS using anomaly detection will cause
1.3.2. Two layers of protection
Because IDS and IPS are placed at different points of the network, they should be used together. An IPS placed at the outer edge of the network is meant to block attacks such as viruses or worms before they enter, and where its anomaly detection catches them even the newest threats can be blocked; a signature-based IPS, however, only stops what its rules describe, so it should not be relied on to stop every zero-day attack. An IDS placed inside the network monitors internal activity.
CHAPTER 2
SNORT AND IPTABLES ON THE LINUX OPERATING SYSTEM
This component works in two different ways, depending on the Snort version.
Version 1.x: packet processing was limited when the signs in a packet matched the signatures of several rules. Whichever rule was applied first won and the remaining rules were skipped, even though the rules had different priorities. Rules of higher priority could therefore be skipped.
Version 2.x: this weakness of 1.x is fully fixed by checking the whole rule set and then taking the rule with the highest priority to generate the alert.
ls -R displays the directory listing. However, this hierarchy creates many directories at peak times, so it is very hard to look through all these directories and files. If someone runs a full scan of 65535 TCP ports and 65535 UDP ports, around 131000 files are created.
Logging in binary format everything Snort can read increases Snort's packet-capture capacity. Most systems can capture and log at 100 Mbps without problems.
To log packets in binary mode, use -b (-l names the log directory; the binary log file is created inside it):
# snort -b -l /usr/local/log/Snort/temp.log
Transport protocols
TCP sessions are defined by TCP connections. UDP sessions are established as the result of a series of UDP packets exchanged on the same pair of ports.
Target-based
Stream5 also introduces target-based handling, which controls the reassembly of overlapping data and other anomalies in TCP segments. The ways overlapping data, TCP timestamps and data in SYN and FIN segments are handled, and the policies Stream5 supports, were studied on many different operating systems, so reassembly can follow the behaviour of the target host.
Stream API
Stream5 fully supports the Stream API, which lets protocols or preprocessors be configured dynamically when an application-layer protocol requires it, identifies which sessions are to be ignored, and updates session information that can be used later.
Rule options
Stream5 adds the stream_size option. It lets a rule match traffic by a predetermined number of bytes, determined from the TCP sequence numbers.
Format:
stream_size:<direction>,<operator>,<size>
SMTP Preprocessor.
FTP/Telnet Preprocessor.
SSH.
DCE/ RPC.
SSL/ TLS.
ARP Spoof Preprocessor.
DCE/ RPC 2 Preprocessor.
2.1.7. Structure of rules
One of Snort's most valued features is that it lets users write their own rules. Besides the large number of rules shipped with Snort, an administrator can use his own skills to develop rules instead of depending on outside agencies or organizations.
So what is a rule? A rule is a set of criteria for selecting the network traffic that fits a predefined pattern.
A Snort rule is divided into two parts: the rule header and the rule options.
2.1.7.1. Rule header
The rule header holds the information that identifies a packet, as well as what is to be done with everything that matches the attributes given in the rule. The rule header consists of: rule action, protocol, IP addresses, port numbers and the direction operator.
a. Rule action
Tells Snort what to do when it finds a packet that matches the rule. Five actions are predefined in Snort:
alert: raise an alert and log the packet.
log: log the packet.
pass: ignore the packet.
activate: raise an alert and then turn on another (dynamic) rule.
dynamic: stay idle until activated by an activate rule, then act as a log rule.
When Snort runs in inline mode, three more options are available: drop, reject and sdrop.
drop: have iptables drop the packet and log it.
reject: have iptables drop the packet, log it, and send a rejection to the source (a TCP reset for TCP, an ICMP port unreachable for UDP).
sdrop: have iptables drop the packet silently, with no log entry and no notification to the source.
b. Protocols
The next field of the rule is the protocol. Snort currently supports only four protocols: TCP, UDP, ICMP and IP. Others such as ARP, IGRP, GRE, OSPF and RIP may be supported in the future.
c. IP address
IP addresses are written in dotted-decimal form, xxx.xxx.xxx.xxx, optionally followed by a CIDR prefix length. Snort does not resolve host names to IP addresses.
CIDR: gives the network mask, i.e. how many leading bits identify the network.
Formats:
any: any IP address.
Static: a single IP address.
Class: a block of IP addresses (a CIDR network).
Negation: the negation (!) of any of the above.
d. Port number
Port numbers can be specified as:
Example:
alert tcp 192.168.1.0/24 any -> any any (msg:"HTTP matched"; content:"HTTP"; offset:4;)
reference:
A keyword that refers to external systems that identify attack types. It plays no part in the detection mechanism. There are several reference systems, such as CVE and Bugtraq, which hold information about known attacks.
Format:
reference:<id system>,<id>;
Example:
alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglinlinux"; flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; reference:arachnids,IDS287; reference:bugtraq,1387; reference:cve,CAN-2000-1574;)
gid:
The keyword identifies which part of Snort generates the event when a rule fires, for instance a particular preprocessor or the rules engine. If it is not defined in the rule it takes the value 1. To avoid conflicts with the rules shipped with Snort, values greater than 1,000,000 are recommended. gid is used together with the sid keyword.
Format:
gid:<generator id>;
Example:
alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)
sid:
The keyword uniquely identifies a Snort rule; it lets the output components identify rules more easily. This option should be used with the rev keyword.
Format:
sid:<snort rules id>;
rev:
The keyword gives the revision number of the rule. If the rule is updated, this keyword distinguishes the versions. Output modules can also use it to identify the revision. This option should be used with the sid keyword.
Format:
rev:<revision integer>;
Example:
alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)
classtype
classtype is the keyword used to classify rules that detect different kinds of attack.
Format:
classtype:<class name>;
Example:
alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx overflow"; dsize:>128; classtype:attempted-admin; priority:10;)
priority
This keyword gives the priority of the rule. The classtype keyword supplies a default priority, but setting this value overrides that default.
Format:
priority:<priority integer>;
Example:
alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt";
metadata:
Lets the user embed additional information in a rule.
Format:
metadata:key1 value1;
metadata:key1 value1, key2 value2;
Example:
alert tcp any any -> any 80 (msg:"Shared Library Rule Example"; metadata:engine shared, soid 3|12345;)
content
content is the key keyword of Snort; it lets the user write rules that look for particular content in a packet. Choosing the data for the content option is fairly complicated, as it can contain text or binary data (binary bytes are written in hex between | characters).
Format:
content:[!]"<content string>";
Example:
alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)
Or negated:
alert tcp any any -> any 80 (content:!"GET";)
nocase
A keyword used together with content. It takes no argument; its purpose is to make the pattern search case-insensitive.
Format:
nocase;
Example:
alert tcp any any -> any 21 (msg:"FTP ROOT"; content:"USER root"; nocase;)
offset
offset is a keyword used together with content. With it, the search can start at a given position relative to the start of the packet payload. A number is used as its argument.
Format:
offset:<number>;
depth
depth is a keyword used together with content to limit how far the pattern comparison goes. With it, a position relative to the start of the search is specified; data after this position is not searched. If both are used
Example:
alert tcp any any -> any 80 (content:"cgi-bin/phf"; offset:4; depth:20;)
distance
The distance keyword is similar to offset; the difference is that offset counts from the start of the payload, while distance counts from the end of the previous pattern match. It is used together with content.
Format:
distance:<byte count>;
Example:
alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;)
id
id is a keyword used to check the ID field of the IP header. Its purpose is to detect attacks that use a fixed IP ID.
Format:
id:<number>;
dsize
dsize is a keyword used to test the length of the packet's payload. Many buffer-overflow attacks send packets with large payloads; with this keyword a rule can find packets whose payload is larger or smaller than a given number.
Format:
dsize:[<|>]<number>[<><number>];
flags
flags is a keyword used to find out which flag bits are set in the TCP header of a packet. The following bits can be tested:
F - FIN
S - SYN
R - RST
P - PSH
A - ACK
U - URG
1 - Reserved bit 1
2 - Reserved bit 2
0 - No TCP flags set
Some other modifiers are used:
+ match if the specified bits are set, whatever the other bits are.
* match if any of the specified bits is set.
! match if the specified bits are not set.
Format:
flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>];
Example:
alert tcp any any -> any any (flags:SF,12;)
The second group is a mask of bits to ignore: here the two reserved bits are left out of the comparison, so the rule matches SYN+FIN packets whether or not those bits are set.
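The rule header and the options above (content with text and |hex| sections, nocase, offset, depth, distance, flags with a mask, dsize, ttl, sid, rev, priority), together with the 1.x first-match versus 2.x highest-priority behaviour described earlier in this chapter, can be exercised with the small matcher below. It is an added example written for this page, not Snort's own code: it parses a subset of the rule language into dictionaries and runs constructed packets through it. The rules, addresses, ports, payloads and sids are made up for the example; priority follows the classtype convention (1 = high, 3 = low), and the dsize lo<>hi range form is left out.

```python
"""Toy Snort rule parser and matcher (added example for this page, not Snort's code).

Handles the rule header (action, protocol, CIDR and negated addresses, port ranges)
and the options described above: content with |hex| sections, nocase, offset, depth,
distance, flags with an ignore-mask, dsize, ttl, msg, classtype, sid, rev, priority.
evaluate() contrasts Snort 1.x first-match with 2.x best-priority selection.
All rules, addresses and payloads below are constructed for the example.
"""
import ipaddress
import re

# one option: key[:value]; where value is a quoted string (may hold ';') or a bare token
OPT_RE = re.compile(r'\s*([a-z_]+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_content(text):
    """Snort content strings alternate text with |hex bytes| sections."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def parse_rule(line):
    head, _, opts = line.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "contents": []}
    for key, val in OPT_RE.findall(opts.rstrip(" )")):
        val = val.strip()
        if key == "content":
            rule["contents"].append({
                "bytes": parse_content(val.lstrip("!").strip('"')),
                "neg": val.startswith("!"), "nocase": False,
                "offset": 0, "depth": None, "distance": None})
        elif key in ("nocase", "offset", "depth", "distance"):
            # these modify the most recent content keyword
            rule["contents"][-1][key] = True if key == "nocase" else int(val)
        elif key in ("sid", "rev", "priority", "ttl"):
            rule[key] = int(val)
        elif key in ("msg", "classtype", "flags", "dsize"):
            rule[key] = val.strip('"')
    return rule

def ip_match(spec, addr):
    if spec == "any":
        return True
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def port_match(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    lo, hi = int(lo or 0), (int(hi) if hi else (65535 if sep else int(lo)))
    return (lo <= port <= hi) != spec.startswith("!")

def flags_match(spec, pkt_flags):
    """flags:[!*+]<FSRPAU120>[,<mask>]: bits listed in the mask are ignored."""
    spec, _, mask = spec.partition(",")
    mod = next((ch for ch in spec if ch in "!*+"), "")
    want = set(spec) - set("!*+") - set(mask) - {"0"}   # "0" means no flags set
    have = set(pkt_flags) - set(mask)
    return {"+": want <= have,             # listed bits set, others allowed
            "*": bool(want & have),        # any listed bit set
            "!": not (want & have)}.get(mod, want == have)   # default: exact match

def dsize_match(spec, size):
    """dsize:<n, >n or n (the lo<>hi range form is left out of this example)."""
    op, n = (spec[0], int(spec[1:])) if spec[0] in "<>" else ("=", int(spec))
    return size < n if op == "<" else size > n if op == ">" else size == n

def contents_match(contents, payload):
    pos = 0                                  # end of the previous match, for distance
    for c in contents:
        hay, needle = (payload.lower(), c["bytes"].lower()) if c["nocase"] else (payload, c["bytes"])
        start = pos + c["distance"] if c["distance"] is not None else c["offset"]
        end = start + c["depth"] if c["depth"] is not None else len(hay)
        idx = hay.find(needle, start, end)   # depth bounds the whole match, not just its start
        if (idx == -1) != c["neg"]:          # a negated content must be absent
            return False
        if idx != -1:
            pos = idx + len(needle)
    return True

def rule_matches(rule, pkt):
    header_ok = (rule["proto"] in ("ip", pkt["proto"])
                 and ip_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
                 and ip_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"]))
    return (header_ok and rule.get("ttl", pkt["ttl"]) == pkt["ttl"]
            and ("flags" not in rule or flags_match(rule["flags"], pkt["flags"]))
            and ("dsize" not in rule or dsize_match(rule["dsize"], len(pkt["payload"])))
            and contents_match(rule["contents"], pkt["payload"]))

def evaluate(rules, pkt, first_match=False):
    """Snort 1.x stops at the first matching rule; 2.x checks every rule and reports
    the one with the best priority (1 = high ... 3 = low, the classtype convention)."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    if not hits:
        return None
    return hits[0] if first_match else min(hits, key=lambda r: r.get("priority", 3))

RULES = [parse_rule(r) for r in (   # constructed rule set; the sids are made up
    'alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; content:"cgi-bin/phf"; offset:4; depth:20; dsize:>10; priority:2; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"HTTP without GET"; content:!"GET"; priority:3; sid:1000004;)',
    'alert tcp any any -> any 21 (msg:"FTP ROOT"; content:"USER root"; nocase; priority:1; sid:1000002;)',
    'alert tcp any any -> any any (msg:"SYN FIN scan"; flags:SF,12; priority:1; sid:1000003;)',
    'alert tcp any any -> any 139 (msg:"SMB PIPE name"; content:"|5c 00|P|00|I|00|P|00|E|00 5c|"; sid:1000005;)',
    'alert tcp any any -> any any (msg:"ABC then DEF"; content:"ABC"; content:"DEF"; distance:1; sid:1000006;)',
    'drop icmp any any -> 192.168.1.0/24 any (msg:"Drop Ping"; ttl:100; priority:1; sid:1000007;)',
)]

def pkt(proto, dst, dport, payload=b"", flags="", ttl=64, src="10.0.0.5", sport=40000):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "payload": payload, "flags": flags, "ttl": ttl}

PACKETS = {  # constructed sample traffic
    "phf": pkt("tcp", "192.168.1.10", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n", "PA"),
    "ftp": pkt("tcp", "192.168.1.10", 21, b"user ROOT\r\n", "PA"),
    "synfin": pkt("tcp", "192.168.1.10", 80, b"", "SF1"),
    "pipe": pkt("tcp", "192.168.1.10", 139, b"\x5c\x00P\x00I\x00P\x00E\x00\x5c", "PA"),
    "ping": pkt("icmp", "192.168.1.9", 0, ttl=100),
}
```

evaluate(RULES, PACKETS["synfin"], first_match=True) reproduces the 1.x behaviour: for a SYN/FIN probe to port 80 with an empty payload the first matching rule is the low-priority "HTTP without GET" rule, while the 2.x-style selection returns the priority-1 SYN/FIN rule. The distance check shows why the payload ABCDEF does not match content:"ABC"; content:"DEF"; distance:1; while ABCxDEF does, and the icmp packet with TTL 100 to the 192.168.1.0/24 network is the case the drop rule in Chapter 3 is written for.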
(fragment of a NAT example: "... currently pointing to 203.162.2.4:26314 into ...")
2.2.3. Packet processing
Every packet is inspected by iptables by means of built-in, sequentially processed tables (queues). There are three such tables:
Mangle table: responsible for altering the quality-of-service bits in the TCP header. This table is rarely used in a SOHO (Small Office/Home Office) environment.
Filter table: responsible for packet filtering; it has three built-in chains in which the firewall policy rules are applied.
FORWARD chain: filters packets going from a source through the firewall to another network.
INPUT chain: filters packets destined for the firewall itself.
OUTPUT chain: filters packets leaving from the firewall itself.
NAT table: performs Network Address Translation and provides two built-in chains:
PREROUTING chain: NAT from outside into the internal network. The translation is done before the routing decision. This is convenient for rewriting the destination address so that it fits the firewall's routing table; in the configuration the DNAT target describes this technique.
POSTROUTING chain: NAT from inside to outside. The translation is done after the routing decision and changes the source address of the packet. This technique, called one-to-one or many-to-one NAT, is known as Source NAT or SNAT.
Table: iptables tables (queues), their function and their chains

Queue (table)  Function                        Chain        Description
Filter         Packet filtering                FORWARD      Filters packets passing through the firewall to another network
                                               INPUT        Filters packets destined for the firewall
                                               OUTPUT       Filters packets leaving the firewall
NAT            Network Address Translation     PREROUTING   Address translation occurs before routing. Changing the destination address helps the packet fit the firewall's routing table. Used with destination NAT, or DNAT.
                                               POSTROUTING  Address translation occurs after routing. Used with source NAT, or SNAT.
                                               OUTPUT       NAT for packets generated by the firewall itself.
Mangle         TCP header modification         PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD
                                                            Adjusts the quality-of-service bits before routing. Rarely used in a SOHO (small office / home office) environment.
Example: the path of a packet
First, the packet arrives from network A. It is examined by the PREROUTING chain of the mangle table (if any rules are there). Next, the PREROUTING chain of the nat table checks whether the packet needs DNAT; DNAT rewrites the destination address of the packet. The packet is then routed.
If the packet is headed into a protected network, it is filtered by the FORWARD chain of the filter table, and if needed it is SNATed in the POSTROUTING chain to change its source IP before entering network B.
If the packet is destined for the firewall itself, it is examined by the INPUT chain of the mangle table, and if it passes the checks of the INPUT chain of the filter table it goes to the server programs inside the firewall.
When the firewall itself needs to send a packet, the packet is routed and passes through the OUTPUT chain of the mangle table (if needed), then the OUTPUT chain of the nat table to decide whether DNAT (which changes the destination address) is required, and the OUTPUT chain of the filter table, which checks for packets that are not permitted to be sent. Finally, before the packet goes out to the Internet, SNAT and QoS are checked in the POSTROUTING chain.
2.2.4 Target
A target is the action taken when a packet has been inspected and matches a rule. When a target is identified, the packet jumps to it for further processing. The table below lists the targets iptables uses.
Table 2-2. The most commonly used iptables targets

Target   Meaning                                                                    Options
ACCEPT   iptables stops processing the packet and passes it on to the end application or the operating system.
DROP     iptables stops processing the packet; the packet is blocked and discarded.
LOG      The packet's information is sent to syslog for inspection. iptables continues processing the packet with the next rule.
                                                                                    --log-prefix string: iptables adds a user-defined string to the log message, usually stating why the packet was dropped.
REJECT   Like DROP, but an error message is sent back to the sender saying that the packet was blocked and discarded.
                                                                                    --reject-with qualifier: the qualifier gives the type of error message returned to the sender. Qualifiers: icmp-port-unreachable (the default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply.
DNAT     Used to perform destination network address translation; the destination address of the packet is rewritten.
                                                                                    --to-destination ipaddress: iptables writes ipaddress into the destination address of the packet.
SNAT     Used to perform source network address translation; the source address of the packet is rewritten.
                                                                                    --to-source <address>[-<address>][:<port>-<port>]: describes the IP and ports that iptables will write.
(row truncated in the source) ... <port>]] ... can be mapped.
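The packet path in 2.2.3 and the targets in Table 2-2 can be made concrete with a small model of the netfilter traversal order, added here as an example for this page (it is not iptables code). The firewall addresses 203.0.113.1 and 192.168.1.1, the internal server 192.168.1.10 and the rules in build_example() are assumptions made for the illustration; the model also ignores connection tracking, so every packet consults the nat table, whereas real netfilter only does so for the first packet of a connection.

```python
"""Model of the netfilter packet path from 2.2.3 (added example for this page, not iptables code).

Chains are walked in the order the text gives: mangle and nat PREROUTING, the routing
decision, then INPUT or FORWARD, then mangle and nat POSTROUTING. DNAT runs before
routing, so the rewritten destination decides the route; SNAT runs after it. LOG is the
one non-terminating target. Addresses and rules are constructed for the example, and
connection tracking is ignored (real netfilter consults nat only per connection).
"""
import ipaddress

LOCAL_ADDRS = {"203.0.113.1", "192.168.1.1"}   # assumed: firewall WAN and LAN addresses

def _matches(match, pkt):
    for key, want in match.items():
        if key in ("src", "dst"):   # CIDR network or single address
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want, strict=False):
                return False
        elif pkt.get(key) != want:
            return False
    return True

class Firewall:
    def __init__(self):
        self.chains = {}    # (table, chain) -> [(match, target, argument)]
        self.policy = {}    # (table, chain) -> default verdict; ACCEPT when unset
        self.log = []       # what the LOG target would have sent to syslog

    def rule(self, table, chain, target, arg=None, **match):
        self.chains.setdefault((table, chain), []).append((match, target, arg))

    def _run(self, table, chain, pkt, trace):
        """Walk one chain. ACCEPT/DROP/REJECT end it; DNAT/SNAT rewrite the packet
        and end it; LOG records the packet and continues with the next rule."""
        for match, target, arg in self.chains.get((table, chain), []):
            if not _matches(match, pkt):
                continue
            if target == "LOG":
                self.log.append(f"{chain} {pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
                continue
            if target in ("DNAT", "SNAT"):
                host, _, port = arg.partition(":")
                pkt["dst" if target == "DNAT" else "src"] = host
                if port:
                    pkt["dport" if target == "DNAT" else "sport"] = int(port)
                trace.append(f"{table}/{chain}: {target} to {arg}")
                return "ACCEPT"
            trace.append(f"{table}/{chain}: {target}")
            return target
        return self.policy.get((table, chain), "ACCEPT")

    def _walk(self, steps, pkt, trace):
        for table, chain in steps:
            verdict = self._run(table, chain, pkt, trace)
            if verdict in ("DROP", "REJECT"):
                return verdict
        return "ACCEPT"

    def receive(self, pkt):
        """A packet arriving on an interface. Returns (verdict, rewritten packet, trace)."""
        pkt, trace = dict(pkt), []
        verdict = self._walk((("mangle", "PREROUTING"), ("nat", "PREROUTING")), pkt, trace)
        if verdict == "ACCEPT":
            if pkt["dst"] in LOCAL_ADDRS:     # routing decision, taken after DNAT
                steps = (("mangle", "INPUT"), ("filter", "INPUT"))
            else:
                steps = (("mangle", "FORWARD"), ("filter", "FORWARD"),
                         ("mangle", "POSTROUTING"), ("nat", "POSTROUTING"))
            verdict = self._walk(steps, pkt, trace)
        return verdict, pkt, trace

    def send(self, pkt):
        """A packet generated by the firewall itself: OUTPUT chains, then POSTROUTING."""
        pkt, trace = dict(pkt), []
        steps = (("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
                 ("mangle", "POSTROUTING"), ("nat", "POSTROUTING"))
        return self._walk(steps, pkt, trace), pkt, trace

def pkt(src, dst, dport, proto="tcp", sport=40000):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "sport": sport}

def build_example():
    """Assumed rule set: publish an internal web server, masquerade the LAN, lock down the firewall."""
    fw = Firewall()
    fw.policy[("filter", "INPUT")] = fw.policy[("filter", "FORWARD")] = "DROP"
    # DNAT before routing, then permit exactly the rewritten flow in FORWARD
    fw.rule("nat", "PREROUTING", "DNAT", "192.168.1.10:8080", proto="tcp", dst="203.0.113.1", dport=80)
    fw.rule("filter", "FORWARD", "ACCEPT", proto="tcp", dst="192.168.1.10", dport=8080)
    fw.rule("filter", "FORWARD", "ACCEPT", src="192.168.1.0/24")   # LAN hosts may go out
    fw.rule("filter", "FORWARD", "LOG")                             # anything else: log, then policy DROP
    fw.rule("nat", "POSTROUTING", "SNAT", "203.0.113.1", src="192.168.1.0/24")  # hide the LAN
    fw.rule("filter", "INPUT", "ACCEPT", proto="tcp", src="192.168.1.0/24", dport=22)
    fw.rule("filter", "INPUT", "REJECT", "tcp-reset")               # --reject-with tcp-reset
    return fw
```

Running build_example().receive() on a packet for 203.0.113.1:80 from the Internet shows the order that matters in practice: the DNAT in nat PREROUTING happens first, the routing decision is taken on the rewritten destination 192.168.1.10, and the filter FORWARD rule therefore has to permit the post-DNAT address and port, not the public one. A packet aimed directly at an internal address with no matching ACCEPT hits the LOG rule, which records it and falls through to the chain's DROP policy.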
b. Replace mode:
The packet is modified if it matches an attack signature: the matched content is overwritten in place with a string of the same length, so the packet is forwarded with an altered payload instead of being dropped.
CHAPTER 3
DEPLOYING AN IPS WITH SNORT-INLINE AND IPTABLES
In this chapter we deploy a practical IPS, using snort_inline and the Linux iptables firewall to block unauthorized activity against the network the IPS protects.
3.2. INSTALLING SNORT
3.2.1. Installing the supporting packages
First install the following supporting packages:
httpd
httpd-devel
mysql
mysql-server
mysql-devel
php
php-mysql
php-mbstring
php-mcrypt
iptables
iptables-devel
libnet
pcre
pcre-devel
gcc
3.2.2.2. Installing phpMyAdmin
phpMyAdmin is used to manage MySQL.
[root@localhost]# wget http://packages.sw.be/rpmforgerelease/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
[root@localhost]# rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
[root@localhost]# yum install phpmyadmin
[root@localhost]# vi /etc/httpd/conf.d/phpmyadmin.conf
#
# Web application to manage MySQL
#
#<Directory "/usr/share/phpmyadmin">
# Order Deny,Allow
# Deny from all
# Allow from 127.0.0.1
#</Directory>
Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /mysqladmin /usr/share/phpmyadmin
Note that commenting out the <Directory> block, as shown, removes the restriction to 127.0.0.1 and makes phpMyAdmin, and through it the Snort alert database, reachable from any host that can reach the web server. On anything but an isolated lab machine, keep the block active and restrict it to the addresses that need access.
[root@localhost]# vi /usr/share/phpmyadmin/config.inc.php
Find the line
var RULE_PATH /etc/snort_inline/drop-rules
and replace it with
var RULE_PATH /etc/snort_inline/rules
Point the database output plugin at MySQL:
output database: log, mysql, user=snort password=12345 dbname=snort host=localhost
The password 12345 is a lab placeholder; use a strong, unique password for the snort database user, because anyone who can read this configuration file learns it.
[root@localhost]# cd snort_inline-2.8.2.1
[root@localhost]# ./configure --with-mysql --enable-dynamicplugin
[root@localhost]# make && make install
= 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '12345';
#!/bin/sh
# Control script for snort_inline and iptables. The page shows only the stop
# function and the dispatcher; start() is filled in here as an assumption:
# hand all traffic to ip_queue and run snort_inline as a daemon in inline mode.
start(){
    echo "Starting snort_inline:"
    iptables -A INPUT -j QUEUE
    iptables -A OUTPUT -j QUEUE
    iptables -A FORWARD -j QUEUE
    snort_inline -Q -D -c /etc/snort_inline/snort_inline.conf -l /var/log/snort_inline
}
stop(){
    # Stop daemons.
    # Stop snort_inline
    echo "Shutting down snort_inline: "
    killall snort_inline
    # Remove all the iptables rules and
    # set the default Netfilter policies to accept
    echo "Removing iptables rules:"
    iptables -F                  # -F -> flush iptables
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT   # -P -> default policy
}
restart(){
    stop
    start
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 1
esac
Note that stop leaves the host with no inline inspection and an accept-all policy until start is run again, so the window between the two should be kept short.
Rule 1 (the line carrying the rule action was lost from the page):
icmp any any -> 192.168.2.2/24 any (msg:"ping"; ttl:128; sid:1000001;)
Rule 2:
drop icmp any any -> 192.168.1.9/24 any (msg:"Drop Ping"; ttl:100; sid:1000002;)
ICMP has no ports, so the port fields must be any. A /24 mask on a host address such as 192.168.1.9/24 is read as the whole 192.168.1.0/24 network. ttl:128 and ttl:100 match only packets that arrive with exactly that TTL; each router hop decrements it, so these values only hold for hosts on the same segment as the sensor.
Step 2: On the server
Open ACID/BASE to view the logged alerts:
CONCLUSION AND FUTURE WORK
CONCLUSION
On the theoretical side, the thesis presented the most basic issues of intrusion detection and intrusion prevention systems, and proposed a solution for building a practical IPS that was deployed effectively and well received.
A working IPS was successfully built that meets the stated requirements.
The limitation of the project is that the system was deployed only on a small network segment, so the full performance of the system, and the problems an IPS meets in real deployments, could not be evaluated.
FUTURE WORK
Deploy the Snort and iptables IPS in production to evaluate its performance and the problems encountered, and from there improve and complete the system.
Use Snort to build large IDS/IPS systems that can be placed at ISPs to limit network attacks against a large network, and build and develop a distributed IPS.