Intrusion Detection and Prevention System with Snort and IPTables

CHAPTER 1
OVERVIEW OF INTRUSION DETECTION AND PREVENTION SYSTEMS

Intrusion detection systems appeared about 25 years ago and have become very useful for protecting networks and computer systems, by raising alerts when there are signs of an intrusion into the system. However, an IDS still has many limitations: it raises false alerts and needs a person to monitor it. The next generation of IDS, the IPS, appeared in 2004; it is becoming very popular and is gradually replacing IDS. An IPS includes a detection mechanism, raises alerts, and can also block attack activity by working together with a firewall.

1.1. INTRUSION DETECTION SYSTEMS

1.1.1. Concept
An intrusion detection system (IDS) is a hardware device, a piece of software, or a combination of both that monitors, tracks and collects information from many different sources. It then analyses that information to find signs of an intrusion into or attack on the system, and notifies the system administrator. In general terms, an IDS is a system that detects signs of harm to the confidentiality, integrity and availability of a computer system or network, and provides the basis for guaranteeing the security of the system.
1.1.2. Intrusion detection
Intrusion detection is the set of techniques and methods used to detect suspicious behaviour at both the network and the host level. Intrusion detection systems fall into two basic types:
- Systems that detect based on intrusion signatures.
- Systems that detect anomalous signs.
Attackers leave signatures, much like viruses, that can be detected using software, by finding packet data that contains any known intrusion signature or anomaly, based on a set of signatures or rules.
Vn nh Qun-0021

Trang 1

The detection system can search for and record these suspicious activities and raise alerts. An anomaly-based IDS usually relies on the protocol header of a packet being judged abnormal. In some cases these methods give better results than a signature-based IDS. Typically an IDS captures packets on the network and compares them against its rules to find abnormal signs in the packets.
1.1.3. IDS policy
Before installing an IDS on a system there must be a policy for detecting attackers, for handling attack activity once it is detected, and for how that policy is to be applied. The policy should contain the following parts (more can be added according to the requirements of each system):
- Who will monitor the IDS? Depending on the IDS, there may be an alerting mechanism that provides information about attack actions. These alerts may be in simple text form or in more complex forms, and may be integrated into centralised network management systems such as HP OpenView or a MySQL database. There must be an administrator to monitor intrusion activity, and someone must be responsible for the policies. Intrusion activity can be tracked and reported in real time using pop-up windows or a web interface. Administrators must understand the alerts and the security level of the system.
- Who will operate the IDS? As with every system, an IDS needs regular maintenance.
- Who will handle incidents, and how? If incidents are not handled, the IDS is as good as useless.
- Reports can be generated and displayed at the end of the day, the week or the month.
- Signature updates. Hackers constantly create new techniques to attack systems. These attacks are detected by the IDS based on attack signatures.
- Documentation is essential for the project. IDS policies should be documented as attacks are detected. Documents can consist of simple logs or written text. Some form of recording and storing documentation must be established. Reports are documentation too.
1.1.4. Architecture of an intrusion detection system
The architecture of an IDS consists of the following main components: the packet collection component (information collection), the packet analysis component (detection) and the response component. Of these three, the packet analysis component is the most important, and within it the sensor plays the decisive role, so it needs to be examined to understand the architecture of an intrusion detection system better.

Figure 1-1. Architecture of an intrusion detection system


The sensor is integrated with the data collection component, the event generator. The way data is collected is determined by the event generation policy, which defines the filtering mode for event information. The event generator (operating system, network, application) provides a suitable policy for events, which may be a log of system events or network packets. This policy, together with policy information, can be stored either in the protected system or outside it.
The role of the sensor is to filter information and discard data that does not fit, obtained from the events relevant to the protected system, so that suspicious actions can be detected. The analyser uses a detection policy database for this purpose. There are also further components: attack signatures, profiles of normal behaviour, and the necessary parameters (for example, thresholds). In addition, the database holds configuration parameters, including the communication modes with the response module. The sensor also has its own database, containing stored data about potential complex intrusions (built up from many different actions).
An IDS can be arranged centrally (for example, integrated into the firewall) or distributed. A distributed IDS consists of many different IDSs across a large network, all of which communicate with each other. Many sophisticated systems follow the principle of an agent structure, where small modules are organised on a host in the protected network.
The role of an agent is to inspect and filter all actions inside the protected area and, depending on the method adopted, to perform initial analysis and even take charge of the response action. The network of cooperating agents reporting to a central analysis server is one of the important components of an IDS. A DIDS can use more sophisticated analysis tools, specifically equipped to detect distributed attacks. Other roles of agents concern their mobility and their roaming between physical locations. In addition, agents can be dedicated to detecting some particular known attack signature. This is a deciding factor when it comes to the protective duty related to new types of attack.
The multi-agent architecture proposed in 1994 is AAFID (Autonomous Agents For Intrusion Detection). It uses agents to inspect some aspect of system behaviour at a given moment. For example, an agent can report an abnormal number of telnet sessions inside the system it monitors. An agent is able to raise an alert when it detects a suspicious event. Agents can be cloned and moved into other systems (the autonomy feature). Besides the agents, the system can have transceivers that inspect all actions controlled by the agents on a particular host. The receivers always send the results of their activity to a single monitor. The monitors receive information from networks (not only from one host), which means they can correlate distributed information. In addition, some filters can be introduced to select and collect data.

Figure 1-2. Multi-agent architecture


1.1.5. Classification of intrusion detection systems
There are two basic types: Network-based IDS and Host-based IDS.
1.1.5.1. Network-based IDS (NIDS)
A NIDS is an intrusion detection system that collects the data of packets travelling over transmission media (cables, wireless) using network interface cards. When a packet matches one of the system's rules, an alert is generated to notify the administrator, and log files are stored in a database.
a. Advantages of NIDS
- Manages a whole network segment.
- Transparent to users and attackers.
- Simple to install and maintain, without affecting the network.
- Avoids service attacks against a specific host.
- Able to identify errors at the network layer.
- Independent of the operating system.
b. Limitations of NIDS
- False alarms can occur, that is, the IDS raises an alert although there is no abnormal sign.
- Cannot analyse encrypted traffic such as SSH, IPSec, SSL...
- A NIDS must always be updated with the latest attack signatures to work effectively.
- Cannot tell whether an attack on the network succeeded, so that the administrator can proceed to repair the system.
- One of the limitations is bandwidth. The data collectors must capture all network traffic, reorder it and analyse it. As network speed increases, so must the capacity of the collector. One solution is to make sure the network is designed correctly.

One way hackers try to hide their activity from IDSs is packet fragmentation. Every protocol has a limited packet size; if the data sent over the network is larger than this size, it is fragmented. Fragmentation is simply the process of splitting data into smaller pieces. The order of arrival does not matter as long as the data does not overlap; the sensor must reassemble the fragments. Hackers try to prevent detection by sending many overlapping fragments. A sensor that does not reorder the packets correctly cannot detect the intrusion activity.
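As an added illustration (not part of the original thesis, and not Snort's own code) of why the sensor must reassemble before matching, the Python below reassembles a list of constructed fragments, flags overlapping and missing pieces, and compares a sensor that inspects each fragment on its own with one that inspects the reassembled datagram. The fragment representation, the signature string and the sample fragments are assumptions made for this example.

```python
"""Fragment reassembly for an IDS sensor (added example, constructed input)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Fragment:
    offset: int         # byte offset of this piece within the original datagram
    data: bytes
    last: bool = False  # True for the final fragment ("more fragments" flag clear)


# Signature the sensor looks for (assumed for the example).
SIGNATURE = b"/etc/passwd"


def reassemble(fragments: List[Fragment]) -> Tuple[Optional[bytes], List[str]]:
    """Return (payload, alerts); payload is None when the datagram cannot be completed.

    Overlaps are reported and resolved with a fixed "first bytes win" policy so the
    result is at least deterministic; a gap or a missing final fragment aborts.
    """
    alerts: List[str] = []
    buf = bytearray()
    for frag in sorted(fragments, key=lambda f: f.offset):
        if frag.offset < len(buf):
            alerts.append(f"overlapping fragment at offset {frag.offset}")
            buf.extend(frag.data[len(buf) - frag.offset:])   # keep already-seen bytes
        elif frag.offset > len(buf):
            alerts.append(f"gap before offset {frag.offset}")
            return None, alerts
        else:
            buf.extend(frag.data)
    if not any(f.last for f in fragments):
        alerts.append("final fragment missing")
        return None, alerts
    return bytes(buf), alerts


def matches_per_fragment(fragments: List[Fragment]) -> bool:
    """Naive sensor: inspects each fragment on its own."""
    return any(SIGNATURE in f.data for f in fragments)


def matches_reassembled(fragments: List[Fragment]) -> bool:
    """Correct sensor: inspects the reassembled datagram."""
    payload, _alerts = reassemble(fragments)
    return payload is not None and SIGNATURE in payload


# Constructed sample: one HTTP request split so the signature straddles the boundary.
SPLIT = [
    Fragment(0, b"GET /../../etc"),
    Fragment(14, b"/passwd HTTP/1.0\r\n", last=True),
]
# Constructed sample: the second fragment claims bytes the first one already covered,
# so the reassembled bytes depend on the overlap policy; the sensor must at least flag it.
OVERLAP = [
    Fragment(0, b"GET /../../etc"),
    Fragment(10, b"XXXX/passwd HTTP/1.0\r\n", last=True),
]

if __name__ == "__main__":
    for name, frags in (("split", SPLIT), ("overlap", OVERLAP)):
        payload, alerts = reassemble(frags)
        print(name, payload, alerts,
              "per-fragment:", matches_per_fragment(frags),
              "reassembled:", matches_reassembled(frags))
```

With the "first bytes win" policy the overlapping sample reassembles to the same request as the clean split, while a "last bytes win" policy would yield a different payload; that ambiguity is exactly why a sensor should alert on any overlap rather than silently pick a policy.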

Figure 1-3. Network-based IDS

1.1.5.2. Host-based IDS (HIDS)
A HIDS is an intrusion detection system installed on individual computers (hosts). HIDS are installed on many kinds of server, on workstations and on notebooks. A HIDS can operate flexibly on network segments where a NIDS cannot. Traffic sent to the host is analysed and passed on to the host if it does not carry potentially dangerous code. A HIDS is more specific to application platforms and serves the operating system closely. The main task of a HIDS is to monitor changes on the system. A HIDS covers the following main components:
- Processes.
- Registry entries.
- CPU usage.
- Integrity and access checks on system files.
- A few other parameters.
When these parameters exceed a predefined threshold or change suspiciously on the system, an alert is raised.
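The file-integrity component listed above can be shown with a small baseline-and-compare check. The Python below is an added example, not code from the thesis or from any HIDS product: it hashes every file under a directory, stores the digests as a baseline, and later reports files that were modified, deleted or added. The sample tree (a constructed passwd and hosts file in a temporary directory) and the simulated changes are assumptions made for the example.

```python
"""Host-based file-integrity check (added example, constructed sample tree)."""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def check_integrity(root: str, baseline: Dict[str, str]) -> List[str]:
    """Compare the tree against the baseline; return one alert per change."""
    current = build_baseline(root)
    alerts: List[str] = []
    for rel in sorted(baseline):
        if rel not in current:
            alerts.append(f"DELETED {rel}")
        elif current[rel] != baseline[rel]:
            alerts.append(f"MODIFIED {rel}")
    for rel in sorted(set(current) - set(baseline)):
        alerts.append(f"NEW {rel}")
    return alerts


def demo() -> List[str]:
    """Constructed scenario: take a baseline, simulate tampering, re-check."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(os.path.join(etc, "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    baseline = build_baseline(root)
    # Simulated changes the monitor should catch: an extra uid-0 account,
    # a removed file and a new unknown binary.
    with open(os.path.join(etc, "passwd"), "a") as fh:
        fh.write("extra:x:0:0::/:/bin/sh\n")
    os.remove(os.path.join(etc, "hosts"))
    with open(os.path.join(root, "unknown.so"), "wb") as fh:
        fh.write(b"\x7fELF")
    return check_integrity(root, baseline)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The limitation the text goes on to describe applies here too: the baseline and the checker live on the monitored host, so once the host is compromised the baseline itself may be rewritten, which is why real deployments keep the baseline on read-only media or a remote server.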

a. Advantages of HIDS
- Able to identify which users on the system are involved in an event.
- A HIDS can detect attacks taking place on a single machine, which a NIDS cannot.
- Able to analyse encrypted data.
- Provides information about the host while an attack on that host is in progress.
b. Limitations of HIDS
- Information from the HIDS is no longer trustworthy once an attack on the host has succeeded.
- When the operating system is compromised, the HIDS loses its effect as well.
- A HIDS must be set up on every host that needs monitoring.
- A HIDS cannot detect network reconnaissance (Nmap, Netcat).
- A HIDS needs resources on the host to operate.
- A HIDS may be ineffective under a denial-of-service (DoS) attack.
- Most are developed for Windows, although some run on Linux or Unix.
Because a HIDS has to be installed on the servers, it makes work for the administrator when versions have to be upgraded and software maintained and configured, which takes much time and is complicated. Usually the system can only analyse the traffic the server itself receives; against traffic aimed at a group of servers, or reconnaissance such as port scanning, it has no effect. If the server is compromised, the hacker can switch off the HIDS on that machine, at which point the HIDS is neutralised.
A HIDS must therefore provide complete alerting capability. In a heterogeneous environment this can become a problem if the HIDS has to be compatible with many operating systems, so the choice of HIDS is also an important matter.

Figure 1-4. Host-based IDS


1.1.5.3. Comparison between NIDS and HIDS
Table 1-1. Comparison and evaluation of NIDS and HIDS

Function | HIDS | NIDS | Assessment
Protection inside the LAN | **** | **** | Both protect users while they are active inside the LAN
Protection outside the LAN | **** | | Only HIDS
Ease of administration | **** | **** | Equivalent from the viewpoint of general administration
Flexibility | **** | ** | HIDS is the more flexible system
Cost | | | HIDS is the more economical system
Ease of adding on | | | Both are equivalent if the right product is chosen
Short training required | **** | ** | HIDS requires less training
Total cost | *** | ** | HIDS costs less
Bandwidth required in the LAN | | **** | NIDS uses a lot of LAN bandwidth, HIDS does not
Network overhead | | | NIDS has two network bandwidth requirements for any LAN
Bandwidth required (Internet) | | | Both need Internet bandwidth
Client upgrade cycle | | | HIDS upgrades all clients from a central template file, keeping template files updated promptly
Adaptability across application platforms | | | NIDS adapts better across application platforms
Extended port requirements | | **** | NIDS requires expanded-port activation to ensure your LAN traffic is scanned
Local registry scanning only | **** | | Only HIDS can perform this kind of scan
Logging | *** | *** | Both systems have logging
Alerting | *** | *** | Both systems can alert individual users and administrators
PAN scanning | **** | | Only HIDS scans your personal network areas
Packet dropping | | **** | Only NIDS has this capability
Specialist knowledge | *** | **** | More specialist knowledge is needed to install and use NIDS for the whole of your network security problem
Centralised management | ** | *** | NIDS has the advantage
Ability to neutralise risk factors | **** | | NIDS carries more risk factors than HIDS
Upgradability | *** | *** | Software is clearly easier to upgrade than hardware; HIDS can be upgraded through centralised scripts
Detection nodes across multiple LAN segments | **** | ** | HIDS detects across multiple segments more comprehensively

1.2. INTRUSION PREVENTION SYSTEMS

1.2.1. Concept
An intrusion prevention system (IPS) is a newer security technique that combines the advantages of firewall technology and of the intrusion detection system. It is able to detect attacks and automatically block them. An IPS does not simply detect attacks; it is able to block or obstruct them. It lets the organisation prioritise and take steps to stop an attack. Most IPSs are placed at the network perimeter, where they are able to protect all devices in the network.
1.2.2. Architecture of an intrusion prevention system
An IPS consists of three main modules:
- The packet analysis module.
- The attack detection module.
- The response module.

1.2.2.1. Packet analysis module
This module analyses the information structure of packets. The NIC of the monitored computer is placed in promiscuous mode, so that every packet passing it is copied and passed up to the layer above. The packet analyser reads the information in each field of the packet and determines what kind of packet it is, what service it belongs to, which protocol it uses, and so on. This information is passed up to the attack detection module.
1.2.2.2. Attack detection module
This is the most important module of the intrusion detection system; it is the one able to detect attacks. There are several methods for detecting intrusion signs or attack types (signature-based IPS, anomaly-based IPS, ...).
a. Misuse detection:
This method analyses system activity, looking for events that resemble previously known attack patterns. These attack patterns are called attack signatures, so the method is also called signature detection. Its advantage is that it detects attacks quickly and accurately, without issuing false alerts that would degrade the network's operation, and it helps the administrator identify security holes in their system. Its disadvantage is that it cannot detect attacks that are not in its database, that is, new attack types, so the system must always be updated with new attack types.
b. Anomaly detection:
This is an intelligent detection technique that recognises abnormal behaviour on the network. Its premise is that attacks differ from normal activity. Initially it stores profiles of the normal activity of the system. Attacks involve actions that differ from the norm, and this method can recognise them. There are several techniques for detecting anomalous attack behaviour.

Threshold detection:
This technique focuses on measuring and counting normal activity on the network. Thresholds for normal activity are set. If something abnormal occurs, for example logging into the system more times than allowed, too many processes running on the CPU, or too many packets of some type being sent, the system considers it a sign of attack.
Detection through self-learning:
This technique has two phases. When the attack detection system is first set up it runs in learning mode and builds a profile of the network's behaviour under normal activity. After the initialisation period, the system runs in working mode, monitoring and detecting abnormal network activity by comparing it against the profile that was built.
Learning mode can run in parallel with working mode to keep the profile updated, but if attack signs are detected, learning must stop until the attack is over.
Protocol anomaly detection:
This technique relies on the operation of the system's protocols and services to find invalid packets and abnormal activity that are signs of intrusion. It is very effective at stopping the network scans and port scans hackers use to collect information about the system.
Anomaly detection is very effective at detecting denial-of-service (DoS) attacks. Its advantage is that it can detect new attack types and provides useful information that complements misuse detection. Its disadvantage is that it often produces false alerts, which reduce the network's performance.
1.2.2.3. Response module
When there are signs of an attack or intrusion, the attack detection module sends a signal to the response module indicating that an attack or intrusion is taking place. The response module then activates the firewall to block the attack. If this module only issues alerts to the administrators and stops there, the system is called a passive defence system. The functions of the response module differ from system to system. Below are some blocking techniques:
Terminate session:
The mechanism here is that the IPS sends reset packets to re-establish the session at both the client and the server. As a result the session starts over, the hacker's goals are not achieved and the attack is stopped. This method has several weaknesses, however: the time taken for the reset packet to reach its destination is too long compared with the time the hacker's packet takes to reach the victim, so the reset arrives too late for the attack; the method has no effect on protocols running over UDP such as DNS; and the reset packet must carry the right sequence number (relative to the previous packet from the client) for the server to accept it, so if the hacker sends packets quickly with changing sequence numbers this method is very hard to carry out.
Drop attack:
This technique uses the firewall to discard packets or to block a single packet, a session or a flow between the hacker and the victim. This kind of response is the safest but has the drawback that it is easy to confuse with legitimate packets.
Modify firewall policies:
This technique lets the administrator reconfigure the security policy when an attack occurs. The reconfiguration is a temporary change to the access control policies made by a privileged user while the administrator is being alerted.
Real-time alerting:
Send real-time alerts to the administrator so that they know the details of the attacks, their characteristics and information about them.
Log packet:
Packet data is stored in the system's log files, so that administrators can follow the information flows, and as a source of information that helps the attack detection module operate.
The three modules above work in sequence to make up a complete IPS. An IPS is considered successful when it brings together these factors: fast and accurate operation, reasonable notifications, analysis of the entire throughput, maximal sensing, successful blocking and a flexible management policy.
New kinds of attack develop daily, threatening the safety of network systems. With its advantages, the IPS is gradually becoming indispensable in security systems.
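The response module described in 1.2.2.3 can be sketched as a small dispatcher. The Python below is an added example, not part of the thesis and not Snort_inline's code: every detection is logged and alerted, high-severity detections cause a temporary "drop" by recording an iptables rule for the source address, and the policy change is reverted when its window expires. The Detection fields, the severity scale and the sample detections are assumptions; the iptables commands are only recorded as strings, never executed.

```python
"""IPS response module with temporary firewall policy changes (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Detection:
    src_ip: str
    sid: int          # id of the rule that fired
    msg: str
    severity: int     # 1 = high, 2 = medium, 3 = low (assumed scale)


@dataclass
class ResponseModule:
    block_seconds: int = 600
    blocked: Dict[str, float] = field(default_factory=dict)   # source ip -> expiry time
    log: List[str] = field(default_factory=list)              # "log packet" action
    issued: List[str] = field(default_factory=list)           # firewall commands emitted

    def react(self, det: Detection, now: float) -> List[str]:
        """Return the list of actions taken for one detection at time `now`."""
        self.expire(now)
        actions = ["log", "alert"]          # always: log the packet and alert in real time
        self.log.append(f"{now:.0f} sid={det.sid} src={det.src_ip} {det.msg}")
        if det.severity == 1:
            if det.src_ip not in self.blocked:
                # "Drop attack" via a temporary policy change on the host firewall.
                # The command is recorded here only; a real module would run it.
                self.issued.append(f"iptables -I INPUT -s {det.src_ip} -j DROP")
                actions.append("drop")
            self.blocked[det.src_ip] = now + self.block_seconds   # (re)start the window
        return actions

    def expire(self, now: float) -> List[str]:
        """Revert temporary blocks whose window has passed; return the released ips."""
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            del self.blocked[ip]
            self.issued.append(f"iptables -D INPUT -s {ip} -j DROP")
        return released


if __name__ == "__main__":
    rm = ResponseModule(block_seconds=60)
    hit = Detection("198.51.100.7", 1000002, "exploit attempt", 1)   # constructed
    print(rm.react(hit, now=10))
    print(rm.react(hit, now=20))
    print(rm.expire(now=100), rm.issued)
```

Keeping the block temporary and reverting it on expiry is what makes the "modify firewall policies" reaction safe against the false positives the text warns about: a wrongly blocked legitimate host recovers on its own instead of needing manual cleanup.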
1.2.3. Types of IPS deployed in practice
In practice two types of IPS are deployed: promiscuous mode IPS and inline IPS.
1.2.3.1. Promiscuous mode IPS
The IPS sits alongside the firewall, so the data flow entering the network passes through both the firewall and the IPS. The IPS can monitor the incoming flow, analyse it and detect signs of intrusion and attack. In this position the promiscuous mode IPS can manage the firewall, instructing it to block suspicious actions.

Figure 1-5. Promiscuous mode IPS

1.2.3.2. Inline mode IPS
The IPS is placed in front of the firewall, so the data flow must pass through it before reaching the firewall. The main difference from the promiscuous mode IPS is the added traffic-blocking function, which lets the IPS stop dangerous traffic faster than a promiscuous mode IPS. However, placing it in this position slows the flow of traffic into and out of the network.
Since its goal is to stop attacks, an IPS must operate in real time. The speed of the system is an extremely important factor. Intrusion detection must be fast so that attacks can be stopped immediately; if this is not achieved, the attacks have already completed and the IPS is useless.

Figure 1-6. Inline mode IPS

1.2.4. IPS intrusion prevention technologies

1.2.4.1. Signature-based IPS

Figure 1-7. Signature-based IPS

This approach creates rules tied to typical intrusion activity. Creating signatures requires the administrator to understand attack techniques and threats thoroughly, and to know how to develop signatures that can detect attacks and threats to their system.
A signature-based IPS monitors all traffic and compares it with the data it holds. If there is a match, it raises alerts to inform the administrator of the attack. To identify an attack signature one must know the structure of the attack type; the signature-based IPS looks at the packet header or the data payload.
A signature is a set of rules used to identify common intrusion activity. Research into techniques for finding attack signs produces the patterns and methods for writing attack signatures. As more attack and exploitation methods are discovered, vendors provide signature file updates. With an updated signature file the IPS can analyse all traffic on the network; if any sign matches the signature file, alerts are raised.
a. Benefits of using a signature-based IPS:
Signature files are built from known attack activities and methods, so when a match occurs the probability that an attack is taking place is very high. Misuse detection produces fewer false positive reports than anomaly detection. Signature-based detection does not track traffic patterns or look for anomalies; instead it watches simple activity and looks for a match with any of the configured signatures.
Because misuse detection is based on signatures rather than traffic patterns, the IPS can be configured and start protecting the network immediately. The signatures in the database contain known intrusion activity and a description of each signature. Each signature in the database can be enabled or disabled, with different alert levels as well as different blocking actions configurable for individual signatures. Misuse detection is easier to understand and to configure than anomaly detection systems.
The signature file is easy for the administrator to view, and it is easy to understand which action must correspond to an alert. A security administrator can turn signatures on, then run a test across the whole network and see whether any alerts appear.
Because misuse detection is easy to understand, extend and test, administrators have great control over, and confidence in, their IPS.
b. Limitations of signature-based IPS:
Alongside the benefits of misuse detection there are also many limitations. Misuse detection is easier to configure and understand, but this simplicity comes at the price of lost functionality and overhead. The limitations are:
- Unable to detect new or unknown attacks: an IPS using misuse detection must know the attack activity in advance in order to recognise that attack. New forms of attack that have never been seen or discovered before will usually go undetected.
- Unable to detect variations of known attacks: signature files are static, that is, they do not adapt the way some anomaly-based systems do. By changing the way an attack is carried out, an intruder can break in without being detected (false negative).
- Managing the signature database: the security administrator is responsible for keeping the database file up to date and current. This is time-consuming and difficult work.
- Sensors must maintain state information: like a firewall, the sensor must keep state data. Most sensors keep state information in memory, which is faster, but space there is limited.
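To make concrete what "looking at the packet header or the payload" means for a signature-based IPS, the Python below parses two rules written in Snort's general rule syntax and matches them against constructed packets. It is an added example, not code from the thesis or from Snort itself: it supports only the header fields plus the msg, content and sid options, and the rules, sids and packets are assumptions made for the example.

```python
"""Snort-style signature matching against decoded packets (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: bytes   # empty means "header-only rule"
    sid: int


# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    """Parse the rule subset used here: msg, content and sid options (no escaping)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text}")
    action, proto, src, sport, dst, dport, body = m.groups()
    opts: Dict[str, str] = {}
    for opt in body.split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return Rule(action, proto, src, sport, dst, dport,
                opts.get("msg", ""), opts.get("content", "").encode(), int(opts["sid"]))


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields first, then the payload content check."""
    return (rule.proto == pkt.proto
            and _addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)
            and (not rule.content or rule.content in pkt.payload))


def inspect(rules: List[Rule], pkt: Packet) -> List[int]:
    """Return the sids of every rule that fires for this packet."""
    return [r.sid for r in rules if rule_matches(r, pkt)]


# Constructed rules (local sids), written in Snort's general syntax.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; sid:1000001;)',
    'alert tcp any any -> 10.0.0.1 22 (msg:"SSH connection to gateway"; sid:1000002;)',
)]

# Constructed packets.
WEB_ATTACK = Packet("tcp", "192.0.2.10", 40000, "10.0.0.1", 80, b"GET /../../etc/passwd HTTP/1.0\r\n")
WEB_NORMAL = Packet("tcp", "192.0.2.10", 40001, "10.0.0.1", 80, b"GET /index.html HTTP/1.0\r\n")
SSH_CONN = Packet("tcp", "192.0.2.10", 40002, "10.0.0.1", 22, b"SSH-2.0-OpenSSH\r\n")

if __name__ == "__main__":
    for pkt in (WEB_ATTACK, WEB_NORMAL, SSH_CONN):
        print(pkt.dport, inspect(RULES, pkt))
```

The second rule has no content option and fires on the header alone, which is the "look at the header" case; the first needs the payload. Note that a plain byte match is exactly what the false-negative limitation above describes: encoding the path differently would defeat this rule unless a preprocessor normalises the request first.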
1.2.4.2. Anomaly-based IPS
Anomaly- or profile-based detection analyses the activity of the computer network and its traffic looking for anomalies. When an anomaly is found, an alert is triggered. An anomaly is any deviation or departure from the usual order, form or rules. Because this form of detection looks for anomalies, the security administrator must define what counts as abnormal activity and traffic. The security administrator can define normal activity by creating user group profiles.
A user group profile expresses the boundaries of activity and network traffic for a given group of users. User groups are defined by the security engineer and represent common job functions. Typically user groups should be divided according to their activity and the resources the group uses.
A web server should have a profile based on web traffic, and likewise a mail server. You certainly would not expect telnet traffic to your web server, nor would you want SSH traffic to the mail server. For this reason you should have different profiles for each kind of service on your network. A variety of techniques are used to build user profiles, and many IPSs can be configured to build their own profiles. Typical methods for building user group profiles are statistical sampling, rule-based methods and neural networks.

Each profile is used as the definition of normal user and network activity. If a user deviates too far from what is defined in the profile, the IPS raises an alert.

Figure 1-8. Anomaly-based IPS

a. Benefits of using an anomaly-based IPS
With this method, the intruder never knows when an alert will or will not be raised, because they have no access to the profiles used to detect attacks.
User group profiles are much like a dynamic signature database that keeps changing as your network changes. With the signature-based method, an intruder can test on their own IPS what triggers an alert. The signature file ships with the IPS, so the intruder can use the IPS to run tests. Once the intruder understands what creates an alert, they can change their attack method and tools to defeat the IPS.
Because anomaly detection does not use a preconfigured signature database, the intruder cannot know exactly what triggers an alert. Anomaly detection can quickly detect an attack from inside that uses a compromised user account.
If a user account belonging to an administrative assistant is being used to perform system administration, an IPS using anomaly detection will raise an alert, provided that account is not normally used for system administration.
The greatest advantage of profile- or anomaly-based detection is that it does not depend on a set of configured signatures or specific known attacks; profiles can be dynamic and can use artificial intelligence to determine normal activity.
Because profile-based detection does not rely on known signatures, it is well suited to detecting previously unknown attacks, as long as they deviate from the normal profile. Profile-based detection is used to detect new attack methods that signature detection cannot.
b. Limitations of using an anomaly-based IPS:
Many of the limitations of anomaly detection have to do with creating the user group profiles, and with the quality of those profiles.
- High initial preparation time.
- No protection during the initial training period.
- Profiles must be updated regularly as user habits change.
- Difficulty defining normal behaviour: the IPS is only as good as its definition of what is normal. Defining normal activity is even more of a challenge in an environment where users' jobs or responsibilities change frequently.
- False alarms: anomaly-based systems tend to produce many false positives because they look for anything unusual.
- Hard to understand: the last limitation of anomaly-based detection is its complexity. Statistical sampling, rule-based methods and neural networks are ways of building profiles that are hard to understand and explain.
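The statistical-sampling profile described in this section, together with the threshold and self-learning techniques of 1.2.2.2(b), can be shown in one small detector. The Python below is an added example, not code from the thesis or from any IPS product: a per-metric profile (mean and standard deviation) is learned from observations, fixed thresholds cover metrics such as failed logins, and learning pauses while an alert is active, as the text requires. The metric names, the "3 standard deviations" rule and the baseline values are assumptions made for the example.

```python
"""Anomaly detection: fixed thresholds plus a self-learned per-metric profile (added example)."""
import math
from typing import Dict, List, Optional, Tuple


class ProfileDetector:
    def __init__(self, k: float = 3.0, hard_limits: Optional[Dict[str, float]] = None):
        self.k = k                                   # std-devs from the mean that count as "far"
        self.hard_limits = hard_limits or {}         # threshold detection, e.g. failed logins
        self.samples: Dict[str, List[float]] = {}    # learned observations per metric
        self.learning = True                         # learning mode runs alongside working mode

    def learn(self, metric: str, value: float) -> None:
        """Add an observation to the profile (learning mode)."""
        self.samples.setdefault(metric, []).append(value)

    def profile(self, metric: str) -> Tuple[float, float]:
        """Mean and (population) standard deviation of what was learned for this metric."""
        xs = self.samples[metric]
        mean = sum(xs) / len(xs)
        var = sum((x - mean) ** 2 for x in xs) / len(xs)
        return mean, math.sqrt(var)

    def resume_learning(self) -> None:
        """Call once the suspected attack is over."""
        self.learning = True

    def observe(self, metric: str, value: float) -> List[str]:
        """Working mode: check one observation, return alerts (empty list = normal)."""
        alerts: List[str] = []
        limit = self.hard_limits.get(metric)
        if limit is not None and value > limit:
            alerts.append(f"threshold: {metric}={value} > {limit}")
        if len(self.samples.get(metric, [])) >= 2:
            mean, sd = self.profile(metric)
            if sd > 0 and abs(value - mean) > self.k * sd:
                alerts.append(f"profile: {metric}={value} deviates from mean {mean:.2f} (sd {sd:.2f})")
        if alerts:
            self.learning = False      # stop updating the profile while an attack is suspected
        elif self.learning:
            self.learn(metric, value)  # a normal observation refines the profile
        return alerts


# Constructed baseline: telnet sessions per minute seen during the learning period
# (the text's own example of an agent noticing an abnormal number of telnet sessions).
BASELINE = [2, 3, 2, 4, 3, 2, 3, 3]


def demo() -> List[List[str]]:
    det = ProfileDetector(k=3.0, hard_limits={"failed_logins": 5})
    for v in BASELINE:
        det.learn("telnet_sessions", v)
    return [
        det.observe("telnet_sessions", 3),    # normal, gets learned
        det.observe("telnet_sessions", 20),   # profile deviation
        det.observe("failed_logins", 7),      # hard threshold exceeded
    ]


if __name__ == "__main__":
    for alerts in demo():
        print(alerts or ["normal"])
```

Two of the limitations listed above are visible in the code: with fewer than two learned samples the profile check cannot run at all (no protection during training), and the choice of k directly trades false positives against missed deviations.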

1.2.4.3. Policy-based IPS

Figure 1-9. Policy-based IPS

A policy-based IPS reacts or takes action when a violation of a configured policy occurs. A policy-based IPS therefore provides one or more general-purpose methods of prevention.
a. Benefits of using a policy-based IPS.
- A policy can be set for each individual device in the network.
- One of the important features of a policy-based IPS is fast verification and reaction, with very few false alerts. These benefits are achievable because the system administrator gives the IPS the security policies precisely: what a thing is and whether it is allowed or not.
b. Limitations of using a policy-based IPS.
- The administrator's workload is extremely heavy.
- Whenever a new device is added to the network, it must be configured again.
- Difficult to administer remotely.
1.2.4.4. Protocol analysis-based IPS
The protocol analysis approach to intrusion prevention is similar to the signature-based IPS, but it goes deeper into analysing the protocols in the packet. For example: a hacker starts running an attack program against a server. First the hacker has to send an IP packet of a protocol type that, according to the RFC, may carry no data in the payload. A protocol analysis-based IPS detects this basic kind of attack on a number of protocols by:
- Checking the protocol's properties to determine whether the packet is legitimate.
- Checking the content of the payload (pattern matching).
- Raising alerts on the anomalies.
1.3. COMPARISON BETWEEN IDS AND IPS
At the most basic level, an IDS is fairly passive: it watches packet data passing over the network from a monitoring port, compares this traffic against the configured rules and raises alerts when it detects any abnormal sign. An IDS can detect most kinds of malicious traffic that slip past the firewall, including denial-of-service attacks, data attacks on applications, unauthorised logins to servers, and malware such as viruses, Trojans and worms.
Most IDSs use several methods to detect threats, usually based on intrusion signatures and stateful protocol analysis.
An IDS stores its log files in a database and sends alerts to the administrator. An IDS gives deep visibility into network activity, so it helps identify problems with an organisation's security policy.
The main problem with IDS is that it often raises false alarms. Accuracy in detecting abnormal signs must be maximised.
1.3.1. Advantages of IPS
At the most basic level, an IPS has all the features of an IDS. In addition it blocks traffic flows that are harmful to the system. It can terminate the network connection of whoever is trying to attack the system by blocking the user account, the IP address, or other attributes associated with the attacker, or it can block all access to a server, service or application.
An IPS can also react to threats in two further ways. It can reconfigure other security controls such as routers or firewalls to stop the attacks; some IPSs even apply patches when a server has a vulnerability. Some IPSs can also remove malicious content from the attack, such as deleting an attachment from a user's mail that contains content dangerous to the system.
1.3.2. Two layers of protection
Because IDS and IPS are placed at different positions in the network, they should be used together. An IPS placed at the outside of the network stops zero-day attacks such as viruses or worms; even the newest threats can be stopped. An IDS placed inside the network monitors internal activity.

CHAPTER 2
SNORT AND IPTABLES ON THE LINUX OPERATING SYSTEM

There are two common ways to protect a network: a firewall and an intrusion detection system (IDS). Operating independently, however, they are not very effective. Combining the Snort intrusion detection system (Snort_inline) with the iptables firewall of the Linux operating system is genuinely effective at detecting and stopping unauthorised attacks on the network. This chapter introduces the Snort intrusion detection system and the Linux iptables firewall, and how they are combined to build a complete IPS.

2.1. OVERVIEW OF SNORT

2.1.1. Introduction to Snort
Snort is an open-source intrusion prevention and intrusion detection system developed by Sourcefire. Combining the benefits of signature, protocol and anomaly inspection, Snort is an IDS/IPS technology widely deployed worldwide.
Snort is a modern security application with three main functions: it can serve as a packet sniffer, a packet logger, or a network intrusion detection system (NIDS). There are also many add-ons for Snort for management (logging, administration, rule creation). Although not part of Snort's core, these components play an important role in using Snort and exploiting its features.
Normally Snort only speaks TCP/IP. With custom extensions, Snort can be made to support other network protocols, such as Novell's IPX. TCP/IP is the common protocol of the Internet, so Snort mainly analyses and alerts on TCP/IP.
2.1.2. Requirements for a Snort system
2.1.2.1. Size of the network to be protected
Generally speaking, the larger the network, the better the machines need to be, for example the Snort sensors. Snort must be able to keep up with the size of the network; it needs space to hold alerts, fast processors and enough memory to process the network traffic flows.
2.1.2.2. Computer hardware
Hardware requirements play an essential role in designing a good security system.
2.1.2.3. Operating system
Snort runs on many operating systems, such as Linux, FreeBSD, NetBSD, OpenBSD and Windows. Other supported systems include Sparc Solaris, Mac OS X and MkLinux, and PA-RISC HP-UX.
2.1.2.4. Other supporting software
Besides the base operating system, some basic tools are needed to compile Snort: autoconf and automake, gcc, lex and yacc (or the GNU equivalents flex and bison), and libpcap.
Some tools help manage Snort, such as the popular Analysis Console for Intrusion Databases (ACID), which has a web interface. Popular tools include ACID, Oinkmaster, SnortSnarf and SnortReport.
2.1.3. V tr ca Snort trong h thng mng
2.1.3.1. Gia Router v firewall

Hnh 2-1. Snort-sensor t gia Router v firewall

2.1.3.2. In the DMZ

Figure 2-2. Snort sensor placed in the DMZ

2.1.3.3. Behind the firewall

Figure 2-3. Snort sensor placed behind the firewall

2.1.4. Components of Snort

Snort is logically divided into several components. These components work together to detect specific attacks and to produce the output the detection system needs. Snort consists of the following main components:
Packet Decoder
Preprocessors
Detection Engine
Logging and Alerting System
Output Modules
Figure 2-4 shows how these components are arranged. Any data arriving from the Internet enters the packet decoder. On its way to the output modules it is either discarded or logged, or an alert is generated for it.

Figure 2-4. Components of Snort

2.1.4.1. Packet Decoder
Packets enter through the network interfaces, which may be Ethernet, SLIP, PPP and so on, and are decoded by the packet decoder, which determines the protocol used by the packet and checks that the data fits the behaviour permitted by that protocol. The packet decoder can generate alerts of its own based on the protocol headers: overlong or abnormal packets, incorrect TCP options set in the headers, and other anomalies. These alerts can be enabled or disabled for all such fields in the snort.conf file.
After the data has been decoded correctly, it is passed to the preprocessors.
2.1.4.2. Preprocessors
Preprocessors are components or plug-ins that Snort uses to arrange and modify packets before the detection engine works on them. Some preprocessors also perform anomaly detection by examining packet headers and generating alerts.
Preprocessors are important to any IDS because they prepare the data and packets the detection engine needs.
Preprocessors are also used to reassemble fragmented packets and to decode encoded packet data before it is passed to the detection engine.
2.1.4.3. Detection Engine
The detection engine is the most important part of Snort. Its job is to detect any attack signature present in a packet by matching the rules against the information in the packet. If a packet matches a rule, the corresponding action is taken.
The performance of this component depends on factors such as the number of rules, the configuration of the machine Snort runs on, the bus speed of the Snort machine, and the network load.
The detection engine can split a packet up and apply rules to its different parts. These parts are:
The IP header of the packet
The transport-layer header: the TCP or UDP header, or the header of another transport protocol. It can also work with the ICMP header.
The application-layer header: including, but not limited to, the DNS, FTP, SNMP and SMTP headers.
The packet payload: rules can be written that make the detection engine search for a string inside the packet's data.

This component works in two different ways depending on the Snort version.
Version 1.x: packet processing was limited when a packet matched the signatures of several rules. Once one rule had been applied, the remaining rules were skipped even though they had different priorities, so a rule with a higher priority could be skipped.
Version 2.x: this shortcoming of 1.x is fully corrected by a mechanism that checks the packet against the whole rule set and then takes the highest-priority matching rule to generate the alert.
Version 2.x is also much faster than 1.x because the engine was rewritten.
2.1.4.4. Logging and Alerting System
When the detection engine detects an attack signature it notifies the logging and alerting system. Logs and alerts can be stored as text or in several other formats. By default they are stored in the directory /var/log/snort.
2.1.4.5. Output Modules
Snort's output modules determine how the logs and alerts are recorded. They can be configured to:
Store logs and alerts as text files or in a database.
Send SNMP traps.
Send messages to the system logger (syslog).
Store logs and alerts in a database (MySQL, Oracle).
Produce XML output.
Modify the configuration of routers and firewalls.
Send SMB messages.

2.1.5. Snort's modes of operation

2.1.5.1. Sniffer mode
In this mode Snort behaves like an ordinary packet capture and analysis program. No configuration file is needed. The information Snort collects in this mode:
Date and time.
Source IP address.
Source port number.
Destination IP address.
Destination port.
Transport-layer protocol used in the packet.
Time to live (TTL) value of the packet.
Type of service (TOS) value.
Packet ID.
Length of the IP header.
IP payload.
Whether the Don't Fragment (DF) bit is set in the IP header.
Which TCP flags are set (for example A and P).
TCP sequence number.
Acknowledgement number in the TCP header.
TCP window field.
TCP header length.
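The fields listed above are exactly what the packet decoder of section 2.1.4.1 pulls out of each frame. The following Python is an added example written for this page; it is not Snort's own code and not from the original document. It constructs an Ethernet/IPv4/TCP frame (the builder, the sample addresses 192.168.2.3 -> 192.168.2.2 and the HTTP payload are assumptions made for the example), decodes it into the sniffer-mode fields, prints the TCP flags in Snort's "12UAPRSF" column style, and reports decoder-level alerts (bad header length, bad IP checksum, truncated data) the way the decoder described earlier would.

```python
import struct

# TCP flag bit positions; the display order "12UAPRSF" mirrors the flag column
# Snort prints in sniffer mode, with '*' for a bit that is not set.
_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
              "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}
_DISPLAY_ORDER = "12UAPRSF"


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifying a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pton(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def _ntop(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(src, dst, sport, dport, payload, *, ttl=64, tos=0, ip_id=0x1234,
                df=True, seq=0, ack=0, flags="PA", window=8192) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame (sample input for the decoder)."""
    flag_bits = sum(_FLAG_BITS[f] for f in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flag_bits, window, 0, 0) + payload
    frag = 0x4000 if df else 0          # DF bit lives in the fragment field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), ip_id, frag,
                     ttl, 6, 0, _pton(src), _pton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP into the sniffer-mode fields and collect
    decoder alerts for malformed headers instead of trusting length fields."""
    alerts = []
    if len(frame) < 14 + 20:
        raise ValueError("truncated frame")
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, tos, total_len, ip_id, frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(ip):
        alerts.append("bad IP header length")
        ihl = 20
    if ip_checksum(ip[:ihl]) != 0:
        alerts.append("bad IP checksum")
    if total_len > len(ip):
        alerts.append("IP total length exceeds captured data")
        total_len = len(ip)
    out = {"src": _ntop(ip[12:16]), "dst": _ntop(ip[16:20]), "proto": proto,
           "ttl": ttl, "tos": tos, "id": ip_id, "ip_hlen": ihl,
           "df": bool(frag & 0x4000), "alerts": alerts}
    if proto != 6:                       # only TCP is decoded further here
        return out
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        alerts.append("truncated TCP header")
        return out
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    tcp_hlen = (off_flags >> 12) * 4
    if tcp_hlen < 20 or tcp_hlen > len(tcp):
        alerts.append("bad TCP header length")
        tcp_hlen = 20
    bits = off_flags & 0xFF
    out.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "window": window, "tcp_hlen": tcp_hlen,
                "flags": "".join(f if bits & _FLAG_BITS[f] else "*" for f in _DISPLAY_ORDER),
                "payload": tcp[tcp_hlen:]})
    return out


if __name__ == "__main__":
    sample = build_frame("192.168.2.3", "192.168.2.2", 40000, 80,
                         b"GET / HTTP/1.0\r\n\r\n", seq=1000, ack=2000)
    for key, value in decode_frame(sample).items():
        print(f"{key:>9}: {value}")
```

The decoder never indexes past what was captured: it validates the IP header length and the total length against the buffer before slicing, which is the same class of check the real decoder performs before raising its own alerts.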
2.1.5.2. Packet logger mode
When run in this mode, Snort collects every packet it sees and writes it to the log in a hierarchical structure. In other words, a new directory is created for each address it captures, and the data is stored in the directory belonging to the address it came from. Snort writes the packets into ASCII files named after the protocol and port. This layout makes it easy to see who is connecting to the network and which protocols and ports are in use; a simple "ls -R" lists the directory tree.
This hierarchy, however, creates a great many directories during peak traffic, which makes it hard to look through all the directories and files. A full scan of all 65535 TCP ports and 65535 UDP ports would create roughly 131,000 files.
Logging in binary form everything Snort can read increases Snort's capture capacity. Most systems can capture and log at 100 Mbps without problems.
To log packets in binary form, use the -b flag (-l gives the log directory and -L names the tcpdump-format file written into it):
# snort -b -l /usr/local/log/Snort -L temp.log

After capturing, the file just written can be read back immediately with the -r flag; the display is the same as in sniffer mode:
# snort -r /usr/local/log/Snort/temp.log

Snort is not limited to reading binary files in sniffer mode: it can also run in NIDS mode over the file, with rules or filters set to look for suspicious traffic.
2.1.5.3. NIDS mode
Snort is usually used as a NIDS. It is small, fast and effective, and applies rules to packets. When it detects an attack signature in a packet it logs it and generates an alert. In this mode a configuration file must be given for Snort to run. The information reported in this mode:
Fast mode: date and time, alert message, source and destination IP address, source and destination ports, packet type.
Full mode: the information of fast mode plus the TTL value, TOS value, header length, packet length, packet type, packet code, packet ID and sequence number.
2.1.5.4. Inline mode
This is a modified version of Snort that allows packets handed over by the iptables firewall to be analysed, using new rule actions such as pass, drop and reject.

2.1.6. Preprocessors

2.1.6.1. Introduction
The preprocessors are among the most important parts of a complete Snort system. They are modules of fairly complex compiled code whose purpose is to improve Snort's effectiveness. Preprocessors not only inspect and check the common protocols, they can also raise alerts themselves, which takes a great deal of load off the detection engine.
Using and operating the preprocessors properly makes the IDS much more flexible, improves its ability to identify suspicious packets, and improves its ability to recognise attackers who use techniques designed to deceive the IDS.
2.1.6.2. Model

Figure 2-5. Processing model of the preprocessors

2.1.6.3. Some commonly used preprocessors

a. Frag3
An IDS works by matching rules against each individual packet. An attacker can therefore split a packet into fragments (changing the packet size) to fool this mechanism. Frag3 reassembles the fragments into a complete packet before handing it to the detection engine.
Frag3 was introduced to replace Frag2 and has the following characteristics:
It is faster than Frag2 at processing complex data (by about 250%).
It has two memory-management modes, tuned for different environments.
It uses anti-evasion techniques (countering the attacker's attempts at deception).
Frag2 used splay trees to manage the fragment data structures. This is an advanced algorithm, but it is only suitable for data that changes little; in an environment where the data changes a great deal its performance is limited. Frag3 was created to overcome these limitations.
Frag3 uses the sfxhash data structure to manage data in highly fragmented environments. Target-based analysis is a new concept in NIDS: the idea is to take into account the actual target hosts on the network rather than relying only on the protocol and the attack information carried in the packet. If an attacker knows more about the target host than the IDS does, the attacker can deceive the IDS.
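The two ideas above, fragmentation as an evasion and the target-based overlap policy, are easier to see in code. The following Python is an added example written for this page, not frag3's source and not from the original document. It splits a constructed HTTP request (the payload, the 8-byte fragment size, the "/cgi-bin/phf" signature and the addresses are assumptions for the example) into IP-style fragments, shows that no single fragment matches the signature while the reassembled datagram does, and lets two fragments overlap so that a "first" and a "last" policy reassemble different bytes, which is why frag3 has to know which policy the target host follows.

```python
import random
from dataclasses import dataclass


@dataclass
class Fragment:
    src: str
    dst: str
    ip_id: int
    proto: int
    offset: int      # fragment offset in 8-byte units, as in the IP header
    mf: bool         # "more fragments" flag
    data: bytes


def fragment_datagram(src, dst, ip_id, proto, payload, chunk=16):
    """Split a payload into IP-style fragments (chunk must be a multiple of 8)."""
    assert chunk % 8 == 0
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        frags.append(Fragment(src, dst, ip_id, proto, start // 8,
                              start + chunk < len(payload), piece))
    return frags


class Reassembler:
    """Minimal frag3-style reassembler keyed by (src, dst, id, proto).
    The overlap policy decides which copy of a byte wins when fragments overlap:
    'first' keeps the earliest-arriving data, 'last' lets later fragments
    overwrite. Real targets differ, so frag3 picks the policy per host."""

    def __init__(self, policy="first"):
        if policy not in ("first", "last"):
            raise ValueError("unknown overlap policy")
        self.policy = policy
        self.flows = {}   # key -> {"frags": [...], "total": int or None}

    def add(self, frag: Fragment):
        key = (frag.src, frag.dst, frag.ip_id, frag.proto)
        state = self.flows.setdefault(key, {"frags": [], "total": None})
        state["frags"].append(frag)
        if not frag.mf:                       # last fragment fixes the total size
            state["total"] = frag.offset * 8 + len(frag.data)
        return self._try_complete(key, state)

    def _try_complete(self, key, state):
        total = state["total"]
        if total is None:
            return None
        buf, have = bytearray(total), bytearray(total)
        for f in state["frags"]:              # arrival order
            base = f.offset * 8
            for i, b in enumerate(f.data):
                pos = base + i
                if pos >= total:
                    break
                if self.policy == "last" or not have[pos]:
                    buf[pos], have[pos] = b, 1
        if not all(have):
            return None                       # still missing bytes
        del self.flows[key]
        return bytes(buf)


def matches(data: bytes, pattern: bytes = b"/cgi-bin/phf") -> bool:
    return pattern in data


def demo(seed=1):
    """Per-fragment matching misses a signature split across fragments;
    reassembly (even with out-of-order arrival) finds it."""
    payload = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"
    frags = fragment_datagram("192.168.2.3", "192.168.2.2", 0x1234, 6, payload, chunk=8)
    random.Random(seed).shuffle(frags)        # deliver out of order
    per_fragment = [matches(f.data) for f in frags]
    reassembler, reassembled = Reassembler("first"), None
    for f in frags:
        got = reassembler.add(f)
        if got is not None:
            reassembled = got
    return {"per_fragment_hits": sum(per_fragment),
            "reassembled": reassembled,
            "reassembled_hit": reassembled is not None and matches(reassembled)}


def overlap_demo():
    """Same two overlapping fragments, different policies, different bytes."""
    results = {}
    for policy in ("first", "last"):
        r = Reassembler(policy)
        r.add(Fragment("a", "b", 7, 6, 0, True, b"A" * 16))        # bytes 0-15
        results[policy] = r.add(Fragment("a", "b", 7, 6, 1, False, b"B" * 8))  # bytes 8-15
    return results
```

If the sensor reassembles with "first" while the target host honours "last" (or vice versa), the detection engine inspects a datagram the target never sees, which is the evasion window target-based reassembly closes.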
b. Stream5
Stream5 is a target-based module designed to help Snort resist attacks on the sensor itself, in which many packets carrying data that matches the rules are sent in order to make the IDS raise false alarms.
Stream5 replaces the Stream4 and flow preprocessors. It can track both TCP and UDP sessions.
Stream4 and Stream5 cannot be used at the same time, so when Stream5 is used the Stream4 and flow configuration must be removed from snort.conf.
Characteristics of Stream5:
Transport protocols
TCP sessions are defined by the TCP connection. UDP sessions are established as a result of a series of UDP packets sent on the same port.
Target-based
Stream5 also introduces target-based handling of overlapping data and of other anomalies in TCP packets. The handling of overlapping data, of the TCP timestamp value and of data in SYN and FIN packets, and the policies supported by Stream5, were studied on many different operating systems.
Stream API
Stream5 fully supports the Stream API, which lets protocols or preprocessors be configured dynamically when an application-layer protocol requires it, determines which sessions are to be ignored, and updates information about new sensors for later use.
Rule options
Stream5 adds the stream_size option. It lets a rule match traffic by a predetermined number of bytes, determined from the TCP sequence numbers.
Format:
stream_size:<direction>,<operator>,<number>;

+ Direction takes the following values:
client: only data from the client side
server: only data from the server side
both: data from both sides
either: data from either side, client or server.
+ Operator: =, <, >, !=, <=, >=
Other preprocessors include:
sfPortscan
RPC Decode
Performance Monitor
HTTP Inspect
SMTP Preprocessor
FTP/Telnet Preprocessor
SSH
DCE/RPC
SSL/TLS
ARP Spoof Preprocessor
DCE/RPC 2 Preprocessor
2.1.7. Rule structure
One of Snort's most highly valued features is that it lets users write their own rules. Besides the large number of rules shipped with Snort, administrators can use their own skills to develop their own rules instead of depending on outside organisations.
So what is a rule? A rule is a set of criteria for selecting network traffic that fits a predefined pattern.
A Snort rule has two parts: the rule header and the rule options.
2.1.7.1. Rule header
The rule header contains the information that identifies a packet, together with what is to be done with everything the rule's attributes specify. The rule header consists of the following parts: rule action, protocol, IP addresses, port numbers and the direction operator.

Figure 2-6. Structure of the rule header

a. Rule action
Tells Snort what to do when it finds a packet matching the rule. Five actions are predefined in Snort:
alert: generate an alert and log the packet.
log: log the packet.
pass: ignore the packet.
activate: generate an alert and then switch on another (dynamic) rule.
dynamic: stay idle until activated by an activate rule, then act as a log rule.
When Snort runs in inline mode there are three more actions: drop, reject and sdrop.
drop: make iptables drop the packet, and log the packet.
reject: make iptables drop the packet, log it, and send a rejection notice back to the source (a TCP reset for TCP, an ICMP port unreachable for UDP).
sdrop: make iptables drop the packet without logging it and without notifying the source.
b. Protocols
The next field of the rule is the protocol. Snort currently supports only four protocols: TCP, UDP, ICMP and IP. Other protocols such as ARP, IGRP, GRE, OSPF and RIP may be supported in the future.
c. IP addresses
IP addresses are written in dotted-decimal form, xxx.xxx.xxx.xxx, with a CIDR block. Snort does not provide a mechanism to look up the host name belonging to an IP address.
CIDR: gives the network address and mask.
The formats are:
any: any IP address.
static: a single IP address.
class: a whole network of IP addresses (CIDR block).
negation: the negation (!) of any of the above.
d. Port numbers
A port number can be specified as:

any: any port.
static: a single port, such as 80 (HTTP) or 21 (FTP).
range: a range of ports, written low:high.
e. Direction operator
Indicates the direction the rule applies to. There are two forms:
->: the rule applies to traffic originating from the IP address and port on the left and going to the address and port on the right.
<>: the rule is bidirectional, which is convenient for analysing both sides of a conversation, such as telnet or POP3.
f. Activate/dynamic rules
Activate/dynamic rules give Snort a powerful feature: one rule can switch another rule on when an action is taken on certain packets. This is very useful for making Snort log some specific rules.
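The header grammar just described (action, protocol, address with optional CIDR and negation, port or range, direction operator) is small enough to implement and test directly. The following Python is an added example written for this page; it is not Snort's parser and not from the original document. It parses a rule header, rejects the errors Snort would reject (unknown action, bad direction operator, an inverted port range), and matches it against a packet 5-tuple, treating "<>" as "try both directions" and the "ip" protocol as matching any IP packet. The sample rules and the 192.168.2.0/24 network are assumptions made for the example.

```python
import ipaddress

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}


def parse_ip_spec(spec: str):
    """'any', a single address or a CIDR block, optionally negated with '!'."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    net = None if body == "any" else ipaddress.ip_network(body, strict=False)
    return negate, net


def parse_port_spec(spec: str):
    """'any', one port, or a range 'lo:hi' (':hi' / 'lo:' open-ended), optionally negated."""
    negate = spec.startswith("!")
    body = spec[1:] if negate else spec
    if body == "any":
        lo, hi = 0, 65535
    elif ":" in body:
        lo_s, hi_s = body.split(":", 1)
        lo, hi = int(lo_s or 0), int(hi_s or 65535)
    else:
        lo = hi = int(body)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return negate, lo, hi


def parse_header(rule: str) -> dict:
    """Parse 'action proto src_ip src_port dir dst_ip dst_port'; options are ignored."""
    header = rule.split("(", 1)[0].strip()
    parts = header.split()
    if len(parts) != 7:
        raise ValueError(f"header needs 7 fields, got {len(parts)}: {header!r}")
    action, proto, sip, sport, direction, dip, dport = parts
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator {direction!r}")
    return {"action": action, "proto": proto, "direction": direction,
            "src": (parse_ip_spec(sip), parse_port_spec(sport)),
            "dst": (parse_ip_spec(dip), parse_port_spec(dport))}


def _ip_ok(spec, addr: str) -> bool:
    negate, net = spec
    hit = True if net is None else ipaddress.ip_address(addr) in net
    return hit != negate                    # negation flips the result


def _port_ok(spec, port: int) -> bool:
    negate, lo, hi = spec
    return (lo <= port <= hi) != negate


def _one_way(hdr, proto, src_ip, src_port, dst_ip, dst_port) -> bool:
    if hdr["proto"] != "ip" and hdr["proto"] != proto:
        return False
    (sip, sp), (dip, dp) = hdr["src"], hdr["dst"]
    return (_ip_ok(sip, src_ip) and _port_ok(sp, src_port)
            and _ip_ok(dip, dst_ip) and _port_ok(dp, dst_port))


def header_matches(hdr: dict, proto: str, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int) -> bool:
    """'->' matches left-to-right only; '<>' also tries the reverse direction."""
    if _one_way(hdr, proto, src_ip, src_port, dst_ip, dst_port):
        return True
    return hdr["direction"] == "<>" and _one_way(hdr, proto, dst_ip, dst_port, src_ip, src_port)
```

Note that a negated source such as !192.168.2.0/24 combined with "->" still does not match the reply traffic coming back from the inside host; only "<>" does, which is the usual reason a rule that "should" fire on a server's response fires only on the request.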
2.1.7.2. Rule options
The rule options are the heart of Snort. There are four main kinds: general, payload, non-payload and post-detection.
a. General options
Provide information about the rule without affecting the detection process.
msg:
Adds a text string to the log entry or alert. The message is given in double quotes.
Format:
msg:"<message text>";

Example:
alert tcp 192.168.1.0/24 any -> any any (msg:"HTTP matched"; content:"HTTP"; offset:4;)

reference:
This keyword allows references to external attack-identification systems. It plays no part in the detection mechanism. There are several reference systems, such as CVE and Bugtraq, which hold information about specific known attacks.

Format:
reference:<id system>,<id>;

Example:
alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; reference:arachnids,IDS287; reference:bugtraq,1387; reference:cve,CAN-2000-1574;)

gid:
The generator ID identifies which part of Snort generates the event when a rule fires; it helps the preprocessors decode the event. If it is not defined in the rule it defaults to 1. To avoid conflicts with Snort's built-in generators, values above 1,000,000 are recommended. The gid keyword is used together with the sid keyword.
Format:
gid:<generator id>;

Example:
alert tcp any any -> any 80 (content:"BOB"; gid:1000001; sid:1; rev:1;)

sid:
The Snort rule ID uniquely identifies a Snort rule and lets the output plug-ins identify rules easily. This option should be used with the rev keyword.
Format:
sid:<snort rules id>;

+ id < 100: reserved for future use.
+ 100 <= id < 1,000,000: rules included with the Snort distribution.
+ id >= 1,000,000: rules defined by the rule writer (local rules).
Example:
alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)

rev:
The rev keyword gives the revision number of the rule. When a rule is updated, this keyword distinguishes the versions. Output modules can also use it to identify the revision. This option should be used with the sid keyword.

Format:
rev:<revision integer>;

Example:
alert tcp any any -> any 80 (content:"BOB"; sid:1000983; rev:1;)

classtype:
The classtype keyword categorises rules by the kind of attack they detect.
Format:
classtype:<class name>;

Example:
alert tcp any any -> any 80 (msg:"EXPLOIT ntpdx overflow"; dsize:>128; classtype:attempted-admin; priority:10;)

priority:
This keyword sets the priority of the rule. The classtype ke<br>yword supplies a default priority, but setting priority explicitly overrides that default.
Format:
priority:<priority integer>;

Example:
alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; content:"/cgi-bin/phf"; priority:10;)

metadata:
Lets the rule writer embed additional information about the rule.
Format:
metadata:key1 value1;
metadata:key1 value1, key2 value2;

Example:
alert tcp any any -> any 80 (msg:"Shared Library Rule Example"; metadata:engine shared, soid 3|12345;)

b. Payload detection rule options

These search for information in the packet payload. The group includes the keywords content, nocase, rawbytes, depth, offset, distance, within, http_client_body, http_cookie, http_header, http_method, http_uri, fast_pattern, uricontent, urilen, isdataat, pcre, byte_test, byte_jump, ftpbounce, asn1 and cvs.

content:
content is the key keyword in Snort. It lets the user write rules that look for specific content in a packet. Choosing the data for content is fairly involved: it may contain text or binary data (binary bytes are written in hex between pipe characters).
Format:
content:[!]"<content string>";

Example:
alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)

Or negated:
alert tcp any any -> any 80 (content:!"GET";)

nocase:
This keyword is used together with content. It takes no argument; its purpose is to make the pattern search case-insensitive.
Format:
nocase;

Example:
alert tcp any any -> any 21 (msg:"FTP ROOT"; content:"USER root"; nocase;)

offset:
offset is used together with content. With it the search starts at a given position relative to the start of the payload. The argument is a number.
Format:
offset:<number>;

depth:
depth is used together with content to limit how far the pattern search extends. It gives the number of bytes, counted from the start of the search, beyond which the pattern is no longer looked for. When offset and depth are used together they define a window of the payload in which the comparison is made.
Format:
depth:<number>;

Example:
alert tcp any any -> any 80 (content:"cgi-bin/phf"; offset:4; depth:20;)

distance:
distance is similar to offset; the difference is that offset gives a search position measured from the start of the payload, whereas distance is measured from the end of the previous match. It is used together with content.
Format:
distance:<byte count>;

Example:
alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;)

c. Non-payload detection rule options

These search for information outside the payload. The group includes the keywords fragoffset, ttl, tos, id, ipopts, fragbits, dsize, flags, flow, flowbits, seq, ack, window, itype, icode, icmp_id, icmp_seq, rpc, ip_proto, sameip and stream_size.
ttl:
This keyword checks the TTL (time to live) field of the IP header. It can be used with every protocol built on IP, such as ICMP, UDP and TCP. The ttl keyword can be used to detect someone trying to traceroute through the network.
tos:
This keyword detects a specific value in the TOS (type of service) field of the IP header.
Format:
tos:[!]<number>;

id:
id checks the ID field of the IP header. Its purpose is to detect attacks that use a fixed IP ID.
Format:
id:<number>;

dsize:
dsize tests the length of the packet's payload. Many attacks exploit buffer overflows by sending oversized packets; this keyword finds packets whose payload is larger or smaller than a given size, or within a range.
Format:
dsize:[<|>]<number>[<><number>];

flags:
flags tests which flag bits are set in the packet's TCP header. The following bits can be tested:
F - FIN
S - SYN
R - RST
P - PSH
A - ACK
U - URG
1 - Reserved bit 1
2 - Reserved bit 2
0 - No TCP flags set
Modifiers that can be used:
+ match if the given bits are set, whatever the other bits are.
* match if any of the given bits is set.
! match if none of the given bits is set.
Without a modifier the set of flags must match exactly. The optional second group after the comma lists bits to ignore in the comparison.
Format:
flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>];

Example:
alert tcp any any -> any any (flags:SF,12;)

d. Post-detection rule options

These take effect after a rule has fired. The group includes the keywords logto, session, resp, react, tag, activated_by and count.
2.2. THE IPTABLES FIREWALL IN LINUX
2.2.1. Introduction to iptables
Iptables is a very powerful, free packet-filtering firewall available on Linux (kernel 2.4 onwards).
Netfilter/iptables has two main parts: netfilter inside the kernel and iptables outside it. Iptables handles the interaction with the user and with netfilter: it pushes the user's rules into netfilter for processing. Netfilter filters packets at the IP level. Because it works directly in the kernel it is fast and does not slow the system down.

Figure 2-7. Netfilter/iptables

The predecessor of iptables is ipchains (kernel 2.2), and one of the important improvements in iptables is stateful packet filtering.
Iptables also provides features such as NAT (Network Address Translation) and rate limiting, which is very useful against DoS attacks.
2.2.2. How iptables works
2.2.2.1. Structure of iptables
Iptables is organised into tables:
The filter table, used to filter packets.
The nat table, used to handle packets whose source or destination is NATed.
The mangle table, used to change fields in the IP packet.
Alongside these, connection tracking (conntrack) follows the state of connections; it is a kernel subsystem that the tables consult rather than a table rules are written in.
Each table contains several chains. A chain is a list of rules that act on packets. The target of a rule can be:
ACCEPT: accept the packet.
DROP: discard the packet silently.
REJECT: discard the packet and send an error back to the sender.
A reference (jump) to another chain.
2.2.2.2. Dynamic IP address translation
Dynamic NAT is one of the NAT (Network Address Translation) techniques. Internal IP addresses are translated to NAT addresses as follows.
The NAT router translates the internal range 192.168.0.x to the new range 203.162.2.x. When a packet with source IP 192.168.0.200 reaches the router, the router changes the source to 203.162.2.200 before sending it out. This is called SNAT (source NAT). The router records the mapping in a table called the dynamic NAT table. Conversely, when a packet arrives from outside with destination IP 203.162.2.200, the router consults the current dynamic NAT table and changes the destination 203.162.2.200 to the new destination 192.168.0.200. This is called DNAT (destination NAT). For the internal host 192.168.0.200, seen from outside as 203.162.2.200, the communication is completely transparent: the NAT router forwards the packets in both directions.
2.2.2.3. IP masquerading
The NAT router translates the internal range 192.168.0.x to a single IP address, 203.162.2.4, by using different port numbers. For example, when a packet with source 192.168.0.168:1204 and destination 211.200.51.15:80 reaches the router, the router changes the source to 203.162.2.4:26314 and records this in a table called the dynamic masquerade table. When a packet arrives from outside with source 211.200.51.15:80 and destination 203.162.2.4:26314, the router consults the current masquerade table and changes the destination 203.162.2.4:26314 to 192.168.0.168:1204. Communication between machines on the LAN and machines outside is completely transparent through the router.
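The difference between the two sections above is the key of the translation table: one-to-one NAT keys on the internal address alone, masquerading keys on the whole connection and invents a public source port. The following Python is an added example written for this page, not netfilter's code and not from the original document. It models both tables with the addresses used above (the port allocator starting at 26314, the choice to drop unsolicited inbound packets, and the second host 192.168.0.169 reusing source port 1204 are assumptions for the example) and shows why masquerading must rewrite the port: two inside hosts can use the same source port at the same time.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicNat:
    """One-to-one dynamic NAT: inside host 192.168.0.X is mapped to public
    203.162.2.X the first time it sends traffic out (SNAT); replies addressed
    to the public address are translated back (DNAT) from the same table."""

    def __init__(self, inside_prefix="192.168.0.", outside_prefix="203.162.2."):
        self.inside, self.outside = inside_prefix, outside_prefix
        self.table = {}          # inside ip -> public ip

    def outbound(self, p: Pkt) -> Pkt:
        if not p.src_ip.startswith(self.inside):
            return p                                   # not ours: forward unchanged
        pub = self.table.setdefault(p.src_ip, self.outside + p.src_ip.rsplit(".", 1)[1])
        return Pkt(pub, p.src_port, p.dst_ip, p.dst_port)

    def inbound(self, p: Pkt):
        for inside, pub in self.table.items():
            if pub == p.dst_ip:
                return Pkt(p.src_ip, p.src_port, inside, p.dst_port)
        return None                                    # no mapping: dropped


class Masquerade:
    """Many-to-one NAT: every inside host shares one public IP and is told
    apart by the public source port the router allocates per connection."""

    def __init__(self, public_ip="203.162.2.4", first_port=26314):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}      # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.in_table = {}       # (public port, peer ip, peer port) -> (src_ip, src_port)

    def outbound(self, p: Pkt) -> Pkt:
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.out_table:                  # new connection: allocate a port
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_table[key] = port
            self.in_table[(port, p.dst_ip, p.dst_port)] = (p.src_ip, p.src_port)
        return Pkt(self.public_ip, self.out_table[key], p.dst_ip, p.dst_port)

    def inbound(self, p: Pkt):
        if p.dst_ip != self.public_ip:
            return None
        entry = self.in_table.get((p.dst_port, p.src_ip, p.src_port))
        if entry is None:
            return None                                # unsolicited: dropped
        src_ip, src_port = entry
        return Pkt(p.src_ip, p.src_port, src_ip, src_port)
```

Because the masquerade reverse lookup includes the peer's address and port, a packet from some other host to 203.162.2.4:26314 is not forwarded to 192.168.0.168, which is the stateful behaviour that distinguishes this from a static port forward.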
2.2.3. Packet processing
Every packet is checked by iptables using a sequence of built-in tables (queues). There are three of them:
Mangle table: responsible for altering the quality-of-service bits in the packet header. It is rarely needed in a SOHO (Small Office/Home Office) environment.
Filter queue: responsible for packet filtering. It has three built-in chains that implement the firewall policy rules:
Forward chain: filters packets routed through the firewall to other hosts.
Input chain: filters packets arriving at the firewall itself.
Output chain: filters packets sent by the firewall itself.
NAT queue: implements NAT (Network Address Translation) with the following built-in chains:
Pre-routing chain: NAT from outside to inside. Translation happens before routing, which is convenient for changing the destination address so that it fits the firewall's routing table; the DNAT target describes this technique in the configuration.
Post-routing chain: NAT from inside to outside. Translation happens after routing and changes the source address of the packet. This is one-to-one or many-to-one NAT, called source NAT or SNAT.

Table 2-1. Queues (tables), their chains and the function of each

Queue (table) | Queue function                        | Chain (packet-handling rule set)                  | Chain function
Filter        | Packet filtering                      | FORWARD                                           | Filters packets going to other servers reached through the firewall's other NICs.
              |                                       | INPUT                                             | Filters packets destined for the firewall itself.
              |                                       | OUTPUT                                            | Filters packets leaving the firewall itself.
NAT           | Network Address Translation           | PREROUTING                                        | The address change takes place before routing; changing the destination address lets the packet fit the firewall's routing table. Uses destination NAT (DNAT).
              |                                       | POSTROUTING                                       | The address change takes place after routing. Uses source NAT (SNAT).
              |                                       | OUTPUT                                            | NAT for packets originating from the firewall itself. Rarely used in a SOHO (Small Office - Home Office) environment.
Mangle        | Modification of packet header fields  | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD    | Adjusts the quality-of-service bits before routing. Rarely used in a SOHO (Small Office - Home Office) environment.

Figure 2-8. Overview of management in iptables

Example: the path of a packet
First, a packet arrives from network A. It is checked by the PREROUTING chain of the mangle table (if needed). Next it is checked by the PREROUTING chain of the nat table to decide whether DNAT is required; DNAT changes the packet's destination address. Then the packet is routed.
If the packet is headed into a protected network, it is filtered by the FORWARD chain of the filter table and, if required, SNATed in the POSTROUTING chain to change its source IP before entering network B.
If the packet is destined for the firewall itself, it is checked by the INPUT chain of the mangle table and, if it passes the checks of the INPUT chain of the filter table, it reaches the server programs inside the firewall.
When the firewall needs to send a packet out, the packet is routed and passes the checks of the OUTPUT chain of the mangle table (if needed), then the OUTPUT chain of the nat table, which decides whether DNAT (a change of destination address) is required, and the OUTPUT chain of the filter table, which catches packets that are not allowed to be sent. Finally, before the packet goes back out to the Internet, SNAT and QoS are applied in the POSTROUTING chain.

Figure 2-9. Path of a packet

2.2.4. Targets
A target is the action taken when a packet has been checked and matches a rule. Once a target is identified, the packet jumps to the next stage of processing. The following table lists the targets iptables uses.
Table 2-2. Description of the iptables targets used most often

Target     | Meaning                                                                                                   | Options
ACCEPT     | iptables stops processing the packet and passes it on to the end application or to the operating system. |
DROP       | iptables stops processing the packet; the packet is blocked and discarded.                                |
LOG        | The packet's information is sent to syslog for inspection. iptables continues processing the packet with the next rule. | --log-prefix string: iptables adds a user-defined string to the log message, usually stating why the packet was dropped.
REJECT     | Like DROP, but an error message is sent back to the sender saying the packet was blocked and discarded.    | --reject-with qualifier: the qualifier selects the kind of error message returned to the sender: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply.
DNAT       | Performs destination network address translation: the packet's destination address is rewritten.         | --to-destination ipaddress: iptables writes ipaddress into the packet's destination address.
SNAT       | Performs source network address translation: the packet's source address is rewritten.                   | --to-source <address>[-<address>][:<port>-<port>]: the IP address(es) and ports iptables rewrites to.
MASQUERADE | Performs source network address translation. By default the source IP becomes the IP of the firewall's outgoing interface. | [--to-ports <port>[-<port>]]: the range of source ports the original source port may be mapped to.
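Three rules of chain traversal follow from the table above and are worth seeing executed: the first matching terminal target (ACCEPT, DROP, REJECT) ends processing; LOG is not terminal and falls through to the next rule; a jump to a user-defined chain returns to the calling chain when the user chain runs off its end or hits RETURN, and a built-in chain's policy applies only when nothing terminal matched. The following Python is an added example written for this page, not netfilter's code and not from the original document. The INPUT policy it builds (a WEB user chain, SSH allowed only from 192.168.2.0/24 and logged otherwise, MySQL rejected with a TCP reset) is a constructed configuration for the 192.168.2.2 server of this chapter, chosen for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    dport: int
    iface: str = "eth0"


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, REJECT, LOG, RETURN, or a user chain name
    proto: str = None
    src: str = None              # CIDR
    dport: int = None
    iface: str = None
    log_prefix: str = ""
    reject_with: str = "icmp-port-unreachable"

    def matches(self, p: Pkt) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface))


TERMINAL = ("ACCEPT", "DROP", "REJECT")


class Chain:
    def __init__(self, name, policy=None):        # policy None => user-defined chain
        self.name, self.policy, self.rules = name, policy, []

    def append(self, rule: Rule):
        self.rules.append(rule)
        return self


class Firewall:
    def __init__(self):
        self.chains = {}

    def add(self, chain: Chain):
        self.chains[chain.name] = chain
        return chain

    def run(self, chain_name: str, p: Pkt, log: list):
        """Walk one chain: first terminal match wins, LOG falls through, a user
        chain is entered by jump and returns None when it decides nothing."""
        chain = self.chains[chain_name]
        for rule in chain.rules:
            if not rule.matches(p):
                continue
            if rule.target == "LOG":
                log.append(f"{rule.log_prefix}{p.proto} {p.src} -> :{p.dport}")
            elif rule.target == "RETURN":
                return None
            elif rule.target in TERMINAL:
                return (rule.target, rule.reject_with) if rule.target == "REJECT" else rule.target
            else:                                      # jump to a user-defined chain
                verdict = self.run(rule.target, p, log)
                if verdict is not None:
                    return verdict
        return chain.policy                            # None for user chains


def build_example_firewall() -> Firewall:
    """Constructed INPUT policy for the 192.168.2.2 server (example only)."""
    fw = Firewall()
    web = fw.add(Chain("WEB"))
    web.append(Rule("ACCEPT", proto="tcp", dport=80)).append(Rule("ACCEPT", proto="tcp", dport=443))
    inp = fw.add(Chain("INPUT", policy="DROP"))
    inp.append(Rule("ACCEPT", iface="lo"))
    inp.append(Rule("WEB", proto="tcp"))                                        # -j WEB
    inp.append(Rule("ACCEPT", proto="tcp", dport=22, src="192.168.2.0/24"))
    inp.append(Rule("LOG", proto="tcp", dport=22, log_prefix="SSH-DENIED: "))    # non-terminal
    inp.append(Rule("REJECT", proto="tcp", dport=3306, reject_with="tcp-reset"))
    return fw


def evaluate(fw: Firewall, p: Pkt):
    log = []
    return fw.run("INPUT", p, log), log
```

A packet to port 22 from outside the LAN produces a log line and is then dropped by the INPUT policy, not by any rule: with iptables the LOG rule must come before a terminal rule or the policy, or nothing is ever logged.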

2.2.5. Advantages and disadvantages of iptables

2.2.5.1. Advantages
Linux is widely acknowledged as a secure operating-system platform that is rarely attacked, not only because of the architecture of the underlying kernel but also because of the protective layers on top of it. One of the most effective shields at the outermost layer is the well-known open-source firewall software iptables.
An advantage of iptables is that it is part of the Linux 2.4 kernel (and later). Iptables is a tool for managing the firewall configuration. With it you can create a set of objects describing your firewall, your hosts and your subnets, and then pull those objects into rules that dictate how the firewall behaves. This is much easier than editing configuration files by hand, and it is open source.
In addition, iptables:
Is a stateful firewall.
Filters packets by MAC address and by the flags in the TCP header.
Provides better NAT.
Supports transparent integration with programs such as the Squid web proxy.
Another advantage of iptables is that it can limit the number of connections, which helps defend against attacks such as DoS (denial of service).
2.2.5.2. Disadvantages
The biggest disadvantage of iptables is that installing it and understanding its configuration are not easy at all.
A firewall has to process a large amount of information, so filtering can slow down users' connections.
A firewall is only effective against people who are not skilled at bypassing firewalls; more knowledgeable users can easily get past it by using proxies that are not blocked.
2.3. COMBINING SNORT-INLINE AND IPTABLES
2.3.1. Snort-inline
Snort-inline is essentially a modified version of Snort that accepts packets from iptables and IPFW through libipq (Linux) or divert sockets (FreeBSD). It receives the packets handed over by the netfilter firewall with the help of the libipq library, compares them against Snort's intrusion signatures, and drops them if they match a rule. It then returns a verdict to netfilter, which is where the packets are actually dropped.
2.3.2. Snort-inline and iptables
Netfilter is a Linux kernel module available from kernel 2.4 onwards. It provides three main functions:
Packet filtering: accept or drop packets.
NAT: change the source or destination IP address of packets.
Packet mangling: alter packets.
Iptables is the tool needed to configure netfilter; it must be run as root.
When a packet matches a Snort_inline attack signature it is marked via libipq and handed back to netfilter, where it is dropped.
Snort_inline has two modes: drop mode and replace mode.
a. Drop mode:
A packet is dropped when it matches an attack signature. There are three options in this mode:
drop: drop the packet and log the event.
reject: drop the packet, log the event, and send a reset to the host.
sdrop: drop the packet without sending anything to the host and without logging.

b. Replace mode:
The packet is modified if it matches an attack signature.

Figure 2-10. Snort-inline and netfilter

CHAPTER 3
DEPLOYING AN IPS WITH SNORT-INLINE AND IPTABLES

In this chapter we deploy a real IPS using snort_inline and the Linux iptables firewall to block unauthorised activity against the network the IPS protects.

3.1. DEPLOYMENT MODEL

Figure 3-1. Deployment model of the IPS with snort-inline and iptables


3.1.1. Requirements
3.1.1.1. Server requirements:
Install a Linux operating system, CentOS in this case.
Install snort-inline and its supporting tools, and enable the system's iptables firewall to build the IPS.
The server and the IPS run on the same host, which has the static IP address 192.168.2.2.
3.1.1.2. Attacker machine requirements:
The attacking machine runs Linux BackTrack 4, a distribution that ships with a large number of security tools.
It is configured with the static IP address 192.168.2.3.

3.2. INSTALLING SNORT
3.2.1. Installing the supporting packages
First install the following supporting packages:
httpd
httpd-devel
mysql
mysql-server
mysql-devel
php
php-mysql
php-mbstring
php-mcrypt
iptables
iptables-devel
libnet
pcre
pcre-devel
gcc

Install each of them from the command line with:

root@localhost# yum install <package name>

3.2.2. Configuring MySQL and installing phpMyAdmin

3.2.2.1. Configuring MySQL
[root@localhost]# chkconfig --levels 235 mysqld on
[root@localhost]# /etc/init.d/mysqld start
[root@localhost]# mysqladmin -u root password mysqlpassword

3.2.2.2. Installing phpMyAdmin
phpMyAdmin is used to manage MySQL.
[root@localhost]# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
[root@localhost]# rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
[root@localhost]# yum install phpmyadmin
[root@localhost]# vi /etc/httpd/conf.d/phpmyadmin.conf

#
# Web application to manage MySQL
#
#<Directory "/usr/share/phpmyadmin">
# Order Deny,Allow
# Deny from all
# Allow from 127.0.0.1
#</Directory>
Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /mysqladmin /usr/share/phpmyadmin

Commenting out the Directory block, as shown, removes the restriction to 127.0.0.1, so phpMyAdmin becomes reachable from every host that can reach the web server. On anything other than an isolated lab machine keep the block active and list only the administrator's addresses in it.


[root@localhost]# vi /usr/share/phpmyadmin/config.inc.php

Replace
$cfg['Servers'][$i]['auth_type'] = 'cookie';
with
$cfg['Servers'][$i]['auth_type'] = 'http';

3.2.3. Installing Snort_inline
Download snort_inline from SourceForge:
[root@localhost]# wget http://sourceforge.net/projects/snort-inline/files/snort_inline%20source%20%282.8.x%29/snort_inline-2.8.2.1-RC1/snort_inline-2.8.2.1-RC1.tar.gz/download
[root@localhost]# tar xvfz snort_inline-2.8.2.1-RC1.tar.gz
[root@localhost]# mkdir /etc/snort_inline
[root@localhost]# mkdir /etc/snort_inline/rules/
[root@localhost]# cp snort_inline-2.8.2.1-RC1/etc/* /etc/snort_inline/
[root@localhost]# cp /root/snort_inline-2.8.2.1-RC1/etc/reference.config /etc/snort_inline/rules
[root@localhost]# cp /root/snort_inline-2.8.2.1-RC1/etc/classification.config /etc/snort_inline/rules
[root@localhost]# vi /etc/snort_inline/snort_inline.conf

Find the line
var RULE_PATH /etc/snort_inline/drop-rules

and change it to
var RULE_PATH /etc/snort_inline/rules

(the line must not be commented out with #, otherwise the variable is never set and the rule files are not found). Then enable the database output plugin so that alerts are written to MySQL:
output database: log, mysql, user=snort password=12345 dbname=snort host=localhost

The MySQL account snort referenced here has to exist and hold privileges on the snort database; a password such as 12345 is acceptable only in a lab. Now build and install:
[root@localhost]# cd snort_inline-2.8.2.1-RC1
[root@localhost]# ./configure --with-mysql --enable-dynamicplugin
[root@localhost]# make && make install

The installation is now complete. Copy the rule files into /etc/snort_inline/rules.


3.2.4. Installing and configuring ACIDBase to manage Snort
Make sure the following software is installed:
- Snort_inline
- Apache
- PHP
- MySQL
- ADOdb (download it from http://sourceforge.net/projects/adodb/files/, then extract it and copy it into /var/www/html/)

Step 1: Create the database in MySQL
Create a database named snort and, in it, the following six tables: acid_event, acid_ag, acid_ag_alert, acid_ip_cache, base_roles, base_users. The definitions of these tables ship with the ACIDBase distribution. The Snort event tables themselves (event, iphdr, signature and the others that the database output plugin writes to) are created from the schemas/create_mysql script shipped with the Snort source; without them snort_inline cannot log to the database at all.

Step 2: Edit base_conf.php
Path to the Base installation directory: $BASE_urlpath = '/base';
Path to the adodb directory: $DBlib_path = '/var/www/html/adodb';

Database type: $DBtype = 'mysql';

Database name, login account and password:
$alert_dbname   = 'snort';
$alert_host     = 'localhost';
$alert_port     = '';
$alert_user     = 'snort';
$alert_password = '12345';

3.2.5. Creating a startup file so Snort_inline starts with the operating system


Create a file named snortd in /etc/init.d/ with the following content:
#!/bin/bash
#
# snort_inline - start/stop snort_inline and the iptables QUEUE rules
#
start() {
    # Start daemons.
    echo "Starting ip_queue module:"
    lsmod | grep ip_queue >/dev/null || /sbin/modprobe ip_queue
    #
    echo "Starting iptables rules:"
    # iptables traffic sent to the QUEUE:
    # accept internal localhost connections
    iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # send all the incoming, outgoing and forwarding traffic to the QUEUE
    iptables -A INPUT -j QUEUE
    iptables -A FORWARD -j QUEUE
    iptables -A OUTPUT -j QUEUE
    # Start Snort_inline
    echo "Starting snort_inline: "
    /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -D -v \
        -l /var/log/snort_inline
    # -Q -> process the queued traffic
    # -D -> run as a daemon
    # -v -> verbose
    # -l -> log path
    # -c -> config path
}
stop() {
    # Stop daemons.
    # Stop Snort_inline
    echo "Shutting down snort_inline: "
    killall snort_inline
    # Remove all the iptables rules and
    # set the default Netfilter policies to accept
    echo "Removing iptables rules:"
    iptables -F
    # -F -> flush iptables
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    # -P -> default policy
}
restart() {
    stop
    start
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        exit 1
esac

Then copy this file into the /root/sbin/ directory. For the service to actually start at boot the file must be executable and registered with chkconfig, which expects the standard chkconfig and description header comments at the top of the script.

Two points to keep in mind with this script. First, once start has run, every packet that is not on the loopback interface is queued to snort_inline; if the daemon is not running (for example because it refused to start on a rule syntax error), the kernel drops queued packets and the host becomes unreachable over the network until stop is run from the console. Second, the ip_queue module and the QUEUE target were removed from the Linux kernel in version 3.5; on current kernels the equivalent setup uses the NFQUEUE target with Snort's nfq DAQ module.


3.2.6. Creating rules for Snort_inline
The rules are stored in /etc/snort_inline/rules, the directory set as RULE_PATH above.
We create two rules:
Rule 1:
alert icmp any any -> 192.168.2.2/24 80 (msg:"ping"; ttl:128; sid:1000001;)

This rule makes the system raise an alert whenever any host pings the server at 192.168.2.2 with packets whose TTL is 128. The value 128 is the default TTL of a Windows sender; Linux hosts, including the BackTrack attacker, send ICMP with a default TTL of 64, so to trigger this rule from a Linux machine the TTL has to be set explicitly (ping -t 128 192.168.2.2). Two details of the syntax: the direction operator -> is mandatory, and 192.168.2.2/24 is interpreted as the whole 192.168.2.0/24 network rather than the single host. The port field has no meaning for ICMP and could equally be written as any.

Rule 2:
drop icmp any any -> 192.168.2.2/24 80 (msg:"Drop Ping"; ttl:100; sid:1000002;)

This rule makes the IPS drop the ICMP traffic to the server whenever any host pings it with a TTL of 100. The destination must be the protected server's network: a rule written for 192.168.1.0/24 would never match traffic destined for 192.168.2.2, and the ping would be answered normally.
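To make the two rules concrete, here is an added example, written for this page and not code from the thesis or from Snort itself: a small Python matcher that parses rules of this shape and evaluates ICMP packets against them the way snort_inline's action keywords behave (alert logs and lets the packet through, drop blocks it). It models only the fields the two rules use (action, protocol, source and destination network, ttl, msg, sid), the sample packets are constructed, and the third rule with the 192.168.1.9/24 destination is included only to show why a rule for the wrong /24 never fires. The CIDR normalisation of 192.168.2.2/24 to 192.168.2.0/24 and the 64 versus 128 default TTL of Linux and Windows senders are the points it illustrates.

```python
"""Toy Snort-style rule matcher for the ICMP rules of section 3.2.6.

Added example for this page: not code from the thesis or from Snort itself.
It handles only the fields those rules use; a real Snort rule has many more
options and Snort's own parser is far stricter.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two rules from section 3.2.6, written with the required "->" operator.
RULES_TEXT = [
    'alert icmp any any -> 192.168.2.2/24 80 (msg:"ping"; ttl:128; sid:1000001;)',
    'drop icmp any any -> 192.168.2.2/24 80 (msg:"Drop Ping"; ttl:100; sid:1000002;)',
]

# Constructed counter-example: a drop rule whose destination is a different /24
# than the protected server; it can never match traffic to 192.168.2.2.
WRONG_SUBNET_RULE = 'drop icmp any any -> 192.168.1.9/24 80 (msg:"Drop Ping"; ttl:100; sid:1000003;)'

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|sdrop|reject)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

# Actions that stop the packet in inline mode (alert and log only record it).
BLOCKING_ACTIONS = {"drop", "sdrop", "reject"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    ttl: Optional[int]
    msg: str
    sid: int


def parse_rule(text: str) -> Rule:
    """Parse one single-line rule of the shape used in this chapter."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for opt in m["opts"].split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    if "sid" not in opts:
        raise ValueError("every rule needs a sid")
    return Rule(
        action=m["action"], proto=m["proto"], src=m["src"], dst=m["dst"],
        ttl=int(opts["ttl"]) if "ttl" in opts else None,
        msg=opts.get("msg", ""), sid=int(opts["sid"]),
    )


def addr_matches(spec: str, ip: str) -> bool:
    """'any' matches everything; 192.168.2.2/24 is the network 192.168.2.0/24."""
    if spec == "any":
        return True
    network = ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(ip) in network


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, List[int]]:
    """Return (verdict, matched sids): 'drop' if any blocking rule hit, else 'pass'."""
    verdict = "pass"
    matched = []
    for rule in rules:
        if rule.proto != pkt["proto"]:
            continue
        if not (addr_matches(rule.src, pkt["src"]) and addr_matches(rule.dst, pkt["dst"])):
            continue
        if rule.ttl is not None and rule.ttl != pkt["ttl"]:
            continue
        matched.append(rule.sid)
        if rule.action in BLOCKING_ACTIONS:
            verdict = "drop"
    return verdict, matched


def icmp_echo(ttl: int, src: str = "192.168.2.3", dst: str = "192.168.2.2") -> dict:
    """Constructed sample packet: the attacker (192.168.2.3) pinging the server."""
    return {"proto": "icmp", "src": src, "dst": dst, "ttl": ttl}


if __name__ == "__main__":
    rules = [parse_rule(r) for r in RULES_TEXT]
    for ttl in (64, 100, 128):  # Linux default, the drop rule, the Windows default
        print(ttl, evaluate(rules, icmp_echo(ttl)))
    print("wrong subnet:", evaluate([parse_rule(WRONG_SUBNET_RULE)], icmp_echo(100)))
```

Running the block shows a plain Linux ping (TTL 64) matching nothing, TTL 100 being dropped by sid 1000002, TTL 128 only alerting under sid 1000001, and the 192.168.1.9/24 rule passing everything.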
3.3. DEMONSTRATION
First only rule 1 is loaded. From the attacker machine we ping the server address. The result is as follows:
Step 1: On the attacker machine

Figure 3-2. Pinging the server from the attacker machine with TTL 100


Result: we receive echo replies from the server, because rule 1 only alerts and rule 2 is not loaded yet.

Step 2: On the server
Open ACIDBase to view the alerts that were logged:

Figure 3-3. The log entries recorded on the server

Step 3: With rule 2 now loaded as well, ping again with a TTL of 100 (ping -t 100 192.168.2.2).

Figure 3-4. Pinging the server from the attacker machine


Result: the server does not reply; the attacker machine cannot reach the IPS server.

Step 4: Open ACIDBase to view the log

Figure 3-5. The log entries recorded by the IPS

Vn nh Qun-0021

Trang 63

H Thng Pht Hin V Ngn Chn Xm Nhp Vi Snort v IPTables

CONCLUSION AND FUTURE WORK
CONCLUSION
On the theoretical side, the thesis has presented the fundamental concepts of intrusion detection systems and intrusion prevention systems. Beyond that, it has proposed a solution for building an IPS that was deployed in practice, ran effectively and was evaluated positively.
A working IPS was built and behaved according to the stated requirements.
The limitation of the project is that the system was deployed only on a small network segment, so its full performance, and the problems an IPS meets in a real deployment, could not be assessed.

FUTURE WORK
Deploy the IPS built with Snort and iptables in a production environment to evaluate its performance and the problems it encounters, and from that improve and complete the system.
Use Snort to build large IDS and IPS systems that can be placed at ISPs to limit network attacks against large networks, and build and develop distributed IPS systems.
