...further development.
So what are the advantages of a host-based IDS? The basic difference between the two is that while a NIDS detects potential attacks (what is being sent toward the target), a host IDS detects attacks that have succeeded and had an effect. One can therefore say that a NIDS is more proactive. A host IDS, however, is more effective in environments with high-speed, encrypted and switched traffic, which are exactly the environments in which a NIDS has trouble operating. A HIDS can pick up many of the attacker's more exposed actions and genuinely raise the bar for dealing with them.
A NIDS, on the other hand, is a great fit for an aggregate environment such as the whole network. It can therefore make meaningful observations about the parts of an attack that involve several hosts. It has to cope with high-speed switched networks, encrypted environments and complex modern application protocols, so false alarms are also quite likely.
For these reasons we recommend choosing an IDS technology, and we offer a way of adding it to your network in the form of Bayesian analysis. We also look at what future changes in IDS technology may bring. Finally, we describe in full an open-source deployment on Linux.
19.1 Examples of IDSs
This section describes a few IDS systems, covering logfile monitoring, signature scanning and anomaly detection.
19.1.1 Host IDSs
Host-based IDSs can be loosely divided into log monitors, integrity checkers and system kernel modules. The following sections describe each of them with concrete examples.
19.1.1.1 Logfile monitoring
The simplest IDS is a logfile monitor, which tries to detect intrusions by parsing the system's event logs. For example, a logfile monitor would search the Apache access logs for the characteristic /cgi-bin/ request. This technique is limited because it only looks at events that get logged, and those are exactly what an attacker finds easy to alter. In addition, the system may skip low-level system events and record only high-level activity. For example, the HIDS will miss an attacker who merely reads the contents of a file such as /etc/passwd. That happens if you have not placed the file under the system's protection.
Logfile monitors are a prime example of host-based IDSs, since they do their monitoring on a single machine. However, a host logfile monitor can perfectly well monitor several hosts, even on one consolidated logging server. Growth of the host platform brings some convenience for monitoring with built-in system tools, because host IDSs have a secure aggregating transport channel to a central server, unlike plain syslog. It also allows the aggregation of logs that are not normally aggregated on a single machine (such as the Windows event log).
A NIDS, on the other hand, typically scans the whole network at the packet level, straight off the wire like a sniffer. A NIDS can therefore correlate across the many hosts whose data passes by. As we see in this chapter, each type has its uses and its advantages in different situations.
A well-known logfile monitor is swatch (http://www.oit.ucsb.edu/~eta/swatch/), short for "Simple Watcher." While most log analysis software only scans logs periodically, swatch scans all incoming log entries and generates alert reports in real time. Other tools such as logwatch (bundled with Red Hat Linux) are very good for offline operation. However, although swatch comes with a number of relevant steps, it requires more dynamic features and a different configuration than the other tools.
Next we describe the installation of swatch. The tool is quite stable, so it seems unlikely to change much in future. Before installing swatch, you need to download and install the Perl modules it requires. To install those modules, first download the latest version of swatch and run the following steps:
perl Makefile.PL
make
make test
make install
make realclean
swatch uses regular expressions to find the lines it is interested in. Once it finds a matching line, it takes an action, such as printing to the screen, emailing an alert, or performing an action defined in advance by the user.
Here is a simple swatch configuration script:
watchfor /[dD]enied|/DEN.*ED/
echo bold
bell 3
mail
exec "/etc/call_pager 5551234 08"
In this example, swatch looks for lines containing the word denied, Denied, or any word that begins with DEN and ends with ED. When it finds one, it prints the matching line in bold on the terminal and rings the bell three times. Then swatch sends mail to the user running swatch (who has access to the monitored logfiles, normally restricted to root) with an alert, and runs the /etc/call_pager program with the options given.
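As an added illustration (not code from the original page or from swatch itself), the following Python script applies the same idea as the swatch configuration above to a handful of constructed log lines: each rule pairs a regular expression with the actions swatch would take. The denied pattern is the one from the configuration and the /cgi-bin/ rule is the Apache example from the start of this section; the SSH rule and all of the sample log lines are assumptions made up for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines (not from the page): syslog entries mixed with
# Apache access-log entries, as a host logfile monitor might be fed.
SAMPLE_LOG = """\
Jan 12 10:01:02 host sshd[412]: Accepted password for alice from 10.0.0.5 port 50022 ssh2
Jan 12 10:01:09 host sshd[413]: Failed password for root from 203.0.113.7 port 41122 ssh2
Jan 12 10:02:15 host kernel: audit: permission DENIED for pid 991 on /etc/shadow
10.0.0.9 - - [12/Jan/2024:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.7 - - [12/Jan/2024:10:03:04 +0000] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 211
Jan 12 10:03:30 host su[455]: access denied for user bob
"""


@dataclass(frozen=True)
class WatchRule:
    """One swatch-style watchfor entry: a pattern plus the actions to take on a match."""
    name: str
    pattern: re.Pattern
    actions: tuple


RULES = (
    # Same expression as the swatch example above: denied, Denied, or DEN...ED.
    WatchRule("denied", re.compile(r"[dD]enied|DEN.*ED"), ("echo", "bell", "mail")),
    # The Apache access-log case from the start of the section: any /cgi-bin/ request.
    WatchRule("cgi-bin", re.compile(r'"(?:GET|POST|HEAD) /cgi-bin/'), ("echo", "mail")),
    # Assumed extra rule for the demonstration: failed SSH logins.
    WatchRule("ssh-fail", re.compile(r"Failed password for \S+ from \S+"), ("echo",)),
)


def scan_log(text, rules=RULES):
    """Apply every rule to every line; return (line_no, rule_name, actions, line) per match."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule in rules:
            if rule.pattern.search(line):
                hits.append((line_no, rule.name, rule.actions, line))
    return hits


def render_actions(hit):
    """Describe the actions swatch would take for one hit (screen, bell, mail)."""
    line_no, rule_name, actions, line = hit
    rendered = []
    for action in actions:
        if action == "echo":
            rendered.append("echo bold: " + line)
        elif action == "bell":
            rendered.append("bell 3")
        elif action == "mail":
            rendered.append("mail: rule %r matched line %d" % (rule_name, line_no))
    return rendered


def summarize(hits):
    """Count matches per rule, the overview a periodic log report would give."""
    return dict(Counter(name for _, name, _, _ in hits))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        for action in render_actions(hit):
            print(action)
    print(summarize(scan_log(SAMPLE_LOG)))
```

The point the sample makes is the one in the text: the monitor only sees what was logged, so the successful login on the first line raises nothing, while the two denied lines and the /cgi-bin/ request are caught by pattern alone, without any notion of whether the request succeeded.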
Logfile monitoring can be considered a special kind of intrusion detection system. Logs also contain plenty of information not directly related to intrusion (unlike what a NIDS sniffs from the wire). Logs can be thought of as a large pool of information: some of it ordinary (such as connection records for the person on duty or daemon misconfiguration messages), some suspicious (such as a login from a strange IP address or odd root access), and quite a lot of it malicious (such as an RPC buffer overflow recorded by rpc.statd). Going through and sifting all that information is only a little easier than listening on the network and looking for web attacks or malformed packets.
If every application had a secure logging system in which all bad events were recorded and packaged, log analysts might not need an intrusion detection system at all. In fact, if an event can be pointed out in a complete log file, it may well be an intrusion. In real life, however, looking for pieces of an attack in logs is sometimes only as valuable as looking for them on the wire.
In practice, combining system log analysis with the NIDS log is a very useful point for the log analyst. The analyst sees more than is visible on the wire alone and gains the functions of a meta-IDS. For example, management solutions such as netForensics allow logs from many devices to be analyzed, normalized and correlated (by rule-based components), after which the aggregated events are analyzed.
19.1.1.2 Integrity monitoring
An integrity monitor looks at the key structures of the system for changes. For example, an integrity monitor may use a system file or a registry key as "bait" to record changes made by an intruder. Although they are limited, integrity monitors can add layers of protection to an intrusion detection system.
The most popular integrity monitor is Tripwire (http://www.tripwire.com). Tripwire is available for Windows and Unix, and it can only monitor a number of attributes such as:
- File additions, deletions and modifications
- File flags (i.e., hidden, read-only, archive, etc.)
- Last access time
- Last write time
- Change time
- File size
- Hash check
Tripwire's capabilities are very broad on Unix and Windows because of the different attributes of those file systems. Tripwire can be tailored to the specific characteristics of your network, and many Tripwire agents can securely centralize their data. In fact, you can use Tripwire to monitor any change whatsoever on your system. It is therefore a very powerful tool in your IDS arsenal. Many other tools (all free and open source) have been written to do similar jobs. AIDE is one example. AIDE (http://www.cs.tut.fi/~rammer/aide.html) is a well-known Tripwire clone.
The key to using a system integrity checker as an intrusion detection device is establishing a secure baseline. Such a baseline can only be established before the system is connected to the network. Without a secure state the tool is very limited, because attackers could have introduced their changes to the system before the integrity checker ran for the first time.
While almost all tools require a baseline state taken before any attack, some tools instead rely on their knowledge of threats. One example is chkrootkit (http://www.chkrootkit.org). It looks for common signs of intrusion that typically appear on compromised systems.
Integrity checkers give the most value if a few guidelines are followed. First, the checker must be deployed on a completely clean system so that it does not record an unfinished or compromised state as normal. For example, Tripwire should be installed while the system is still pristine from the vendor, with only the most necessary applications, and before it is connected to the network. The idea of keeping the data about the known-good state on read-only media such as CD-ROMs is therefore a very good one: we always have a complete copy to compare against when a problem has to be resolved. However, despite all these precautions, a hacker can still get past all such systems.
19.1.2 Network IDSs
Network IDSs can be divided into two types: signature-based systems and anomaly-based systems. Unlike signature-based systems, the latter are a blend of different but closely related technologies. In addition, hybrid NIDSs aim to bridge the shortcomings by using the strengths of each type of NIDS. In fact, all modern commercial NIDSs use anomaly-based detection to extend signature-based NIDS; examples are ISS RealSecure, Cisco IDS and Enterasys Dragon.
19.1.2.1 Signature matchers
Like traditional virus scanners based on hex signatures, most IDSs try to detect attacks based on a database of attack signatures. When a hacker tries to exploit a known vulnerability, the IDS tries to add that exploit to its database. For example, Snort (http://www.Snort.org) is a free signature-based IDS developed for both Unix and Windows. Because it is open source, Snort has the potential to grow its signature database faster than any proprietary tool. Snort signatures are used in everything from commercial firewalls to middleware such as Hogwash. Snort consists of a packet decoder, a detection engine, and a logging and alerting subsystem. Snort is a stateful IDS, which means it can reassemble and record attacks spread across TCP segments.
Some readers may have met the concepts of stateful and stateless firewalls more often than intrusion detection systems. The two concepts are the same here. Stateless firewalls (and NIDSs) work on individual packets, whereas a stateful firewall takes the state of the connection into account. The simplest example is this: if an attacker fragments packets, a stateless IDS misses them (because the signature never appears in a single packet), but a stateful IDS detects them, because it collects the suspicious pieces not from one packet but from the whole data stream of the connection.
However, even stateful NIDSs are not immune to missing signs of intrusion. In this chapter we give a few examples.
The most basic example of IDS signature detection concerns a web attack based on flawed CGI scripts. A hacker's vulnerability-scanning tool regularly includes a CGI scan to find web servers with vulnerable CGI. For example, the very well-known phf flaw allows an attacker to fetch arbitrary files instead of HTML documents. The attack simply uses a poorly written CGI script to reach the files and directories that the web server is permitted to access. To detect the phf attack, the NIDS scanner has to look in every packet for a portion of the following string:
GET /cgi-bin/phf?
Network IDSs search every packet on the network for the search strings of all the signatures they hold. For example, the following Snort signature matches the string above:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; reference:bugtraq,629; reference:arachnids,128; reference:cve,CVE-1999-0067; classtype:web-application-activity; sid:886; rev:8;)
and an alert is sent. We cover the deployment of the Snort NIDS in full later in this chapter.
The approach to placing sensors presented here grew out of the Bayesian diagnosis taught to medical students by one of the authors of this ebook.
19.2.1 Sensitivity versus specificity
Consider a typical IDS monitoring report as shown in Figure 19-1. One column, called intrusion, represents the intrusions that are taking place: a plus sign (+) means it really is an intrusion, and a minus sign (-) means it is not. The other column, called the IDS response, describes what the IDS thinks when it detects an intrusion: (+) means the IDS regards it as an intrusion, (-) means the IDS does not rate it as one. As in real life, this shows that the IDS is not always right. You can use the points that fall in each quadrant of the 2 x 2 table to understand the statistical properties of an IDS.
Figure 19-1. IDS response matrix

                    Intrusion (+)                                       Intrusion (-)
IDS response (+)    TP = true positive (intrusion correctly detected)   FP = false positive (false alarm)
IDS response (-)    FN = false negative (missed intrusion)              TN = true negative (correctly found intact)
19.2.1.1 Sensitivity
Sensitivity is defined as the true-positive rate (the proportion of intrusions that are detected by the IDS). Mathematically, sensitivity is expressed as:
True positives / (true positives + false negatives)
The false-negative rate equals 1 minus the sensitivity. The more sensitive an IDS is, the fewer intrusions go undetected.
Sensitive IDSs are useful for picking out attacks in those parts of the network where they are easy to detect or must never be missed. A sensitivity test is most useful when you need to rule out anything that could remotely indicate an intrusion. With highly sensitive IDSs, negative results are worth more than positive ones.
For example, you need a sensitive IDS to monitor hosts in a LAN protected by a firewall and router as in Figure 19-2, where Zone 2 represents this kind of device. In the ideal case we should not have a single intrusion there. It is very important to have high sensitivity so that monitoring misses nothing. Specificity matters less, because at that point in the network every anomalous activity can be investigated. The IDS does not need discrimination, since human processing is required for every alert.
Figure 19-2. Network segmentation for Bayesian optimization of IDS placement
19.2.1.2 Specificity
Mathematically, specificity is expressed as:
True negatives / (true negatives + false positives)
True negatives represent the cases in which the IDS correctly reports that there is no intrusion. False positives occur when an IDS wrongly reports an intrusion that in fact did not happen. The false-positive rate equals 1 minus the specificity.
A specific IDS is most useful for the system administrator. For such a program, a positive result is more useful than a negative one. Specificity tests are very effective when false positives would be disastrous.
Accuracy of the IDS
In Figure 19-3, IDS B is more accurate than IDS C, and IDS A has the highest accuracy.
Figure 19-3. Sample ROC curve
19.2.2 Positive and negative predictive values
In theory, sensitivity and specificity are properties of the IDS. These properties are independent of the network being monitored. Sensitivity and specificity therefore only tell us how the IDS performs, not how it performs in the context of a particular network segment.
Predictive values are real-world predictions synthesized from all the available data. A predictive value combines the prior probability with the IDS result to yield the post-test probability, expressed as positive and negative predictive values.
This combination constitutes a practical application of Bayes's theorem, a formula used in classic probability theory.
Information about the prevalence of attacks on your network, adjusted by the result from the IDS, produces a prediction. All network administrators perform this analysis intuitively but imprecisely. For example, if you know that slow ping sweeps have recently become prevalent against your network, you can use that information as an input value for your IDS.
Because these predictors are linked mathematically, they have to be converted into odds. They are then referred to as likelihood ratios (LRs) or odds ratios (ORs) and can be combined in simple calculations.
19.2.3 Likelihood ratios
Sensitivity, specificity and predictive values are all stated in terms of probability: the estimated proportion of the time that intrusions occur. Another useful concept is odds (i.e., the ratio of two probabilities, ranging from zero [never] to infinity [always]). For example, odds of 1 are equivalent to a 50% probability of an intrusion (i.e., it is just as likely to have occurred as not to have occurred). The mathematical relation between these concepts can be expressed as follows:
Odds = probability / (1 - probability)
Probability = odds / (1 + odds)
LRs and ORs are examples of odds. LRs yield a more sophisticated prediction because they employ all available data.
The LR for a positive IDS result is defined as the probability of a positive result in the presence of a true attack, divided by the probability of a positive result in a network not under attack (true-positive rate / false-positive rate). The LR for a negative IDS result is defined as the probability of a negative result in the absence of a true attack, divided by the probability of a negative result in a network that is under attack (true-negative rate / false-negative rate).
LRs enable more information to be extracted from a test than simple sensitivity and specificity allow. When working with LRs and other odds, the post-test probability is obtained by multiplying together all the LRs. The final ratio can also be converted from odds to probability to yield a post-test probability.
By applying these statistical methods, we can make informed choices about deploying IDSs throughout a network. Although currently fraught with inaccuracy, the field of intrusion detection is still nascent, and new and exciting developments are happening every day. As time goes on, use of the scientific method will improve this inexact and complex technology. By understanding the sensitivity and specificity of an IDS, we can learn its value and when to utilize it. In addition, increasing the use of likelihood ratios makes the data that we receive from our IDSs more meaningful.
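To make the arithmetic of sections 19.2.1 through 19.2.3 concrete, here is an added Python example (not from the page or from any IDS product named in it) that computes sensitivity, specificity, predictive values and likelihood ratios from the four cells of Figure 19-1 and applies Bayes's theorem in odds form. The cell counts are constructed. One convention is made explicit: the block's lr_negative is the false-negative rate divided by the true-negative rate, the reciprocal of the ratio as the section words it, so that both LRs multiply the odds of an attack and a negative result lowers them.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcomes:
    """Cell counts of the Figure 19-1 matrix for one IDS watching one network segment."""
    tp: int  # true positives: intrusions the IDS flagged
    fp: int  # false positives: false alarms
    fn: int  # false negatives: missed intrusions
    tn: int  # true negatives: quiet traffic correctly left alone

    def sensitivity(self):
        return self.tp / (self.tp + self.fn)

    def specificity(self):
        return self.tn / (self.tn + self.fp)

    def positive_predictive_value(self):
        return self.tp / (self.tp + self.fp)

    def negative_predictive_value(self):
        return self.tn / (self.tn + self.fn)

    def prevalence(self):
        """Prior probability of an intrusion on the segment the counts came from."""
        return (self.tp + self.fn) / (self.tp + self.fp + self.fn + self.tn)

    def lr_positive(self):
        """True-positive rate over false-positive rate; infinite if the IDS never false-alarms."""
        fpr = 1 - self.specificity()
        return math.inf if fpr == 0 else self.sensitivity() / fpr

    def lr_negative(self):
        """False-negative rate over true-negative rate (conventional form, see lead-in)."""
        return (1 - self.sensitivity()) / self.specificity()


def odds(p):
    """Odds = probability / (1 - probability)."""
    return math.inf if p == 1 else p / (1 - p)


def probability(o):
    """Probability = odds / (1 + odds)."""
    return 1.0 if math.isinf(o) else o / (1 + o)


def post_test_probability(prior, *likelihood_ratios):
    """Bayes's theorem in odds form: prior odds times every LR, converted back to a probability."""
    o = odds(prior)
    for lr in likelihood_ratios:
        o *= lr
    return probability(o)


# Constructed counts (not from the page): a week of alerts on one test segment.
SEGMENT = Outcomes(tp=90, fp=50, fn=10, tn=850)

if __name__ == "__main__":
    s = SEGMENT
    print("sensitivity %.3f specificity %.3f" % (s.sensitivity(), s.specificity()))
    print("LR+ %.2f LR- %.3f" % (s.lr_positive(), s.lr_negative()))
    # Same alert, two segments with different attack prevalence (Figure 19-2 in numbers).
    for prior in (s.prevalence(), 0.01):
        print("prior %.3f -> post-test %.3f" % (prior, post_test_probability(prior, s.lr_positive())))
```

Run on the constructed counts, the post-test probability from the segment's own prevalence and LR+ equals the positive predictive value read straight off the table (90/140), which is the consistency check; with a 1% prior the very same alert is far weaker evidence, which is the placement argument of Figure 19-2 expressed in numbers.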
(Why is there an untranslated passage here?? I probably forgot; I'll check again this afternoon.)
19.3 Attacks against IDSs
To help you build your security strategy, this section shows how hackers commonly exploit flaws in IDSs.
19.3.1 Fragmentation
Fragmentation, or splitting packets, is one of the attacks against network intrusion detection systems, and it stumped all the commercial NIDSs designed a few years ago. By cutting packets into small pieces, hackers can fool the IDS. A stateful IDS reassembles the fragmented packets, but as the volume of packets rises the process consumes more and more resources and starts to lose accuracy. There also appears to be a fixed limit to the number of fragments an IDS can handle before it is overwhelmed. There is a seemingly infinite number of fragmentation tricks that one can employ, leading either to evasion or to overloading the NIDS's anti-evasion capabilities.
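The stateless-versus-stateful point of Section 19.1.2.1 and the fragmentation problem above can be shown in a few lines. The Python below is an added example, not code from the page or from Snort: it splits a constructed phf request into TCP segments, shows that per-segment matching misses a signature that straddles a segment boundary while reassembly catches it, and refuses to reassemble once a fragment cap is exceeded, recording that as an overload rather than guessing at the stream. The segment sizes, sequence numbers and the cap are assumptions.

```python
SIGNATURE = b"/cgi-bin/phf?"

# Constructed request (not a capture from the page): the phf probe discussed
# above as it would appear in a client's TCP stream, trailing headers included.
REQUEST = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def segment(data, size, base_seq=1000):
    """Split a byte string into (seq, payload) TCP segments of at most `size` bytes."""
    return [(base_seq + i, data[i:i + size]) for i in range(0, len(data), size)]


def match_stateless(segments, signature=SIGNATURE):
    """Stateless check: look for the signature inside each segment on its own."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments, max_segments=64):
    """Rebuild the byte stream from (seq, payload) segments, as a stateful engine must.

    Overlapping bytes (retransmissions) are trimmed. A hole stops reassembly,
    because inventing the missing bytes would itself be an evasion opportunity.
    Returns None when more than `max_segments` pieces arrive: the resource cap
    the text alludes to, reported instead of silently exhausting memory.
    """
    if len(segments) > max_segments:
        return None
    stream = bytearray()
    next_seq = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if next_seq is None:
            next_seq = seq
        if seq > next_seq:
            break  # gap in the stream
        payload = payload[next_seq - seq:]  # drop the already-seen prefix
        stream += payload
        next_seq += len(payload)
    return bytes(stream)


def analyze(segments, signature=SIGNATURE, max_segments=64):
    """Run both matchers and report the two failure modes discussed in the text."""
    stateless = match_stateless(segments, signature)
    stream = reassemble(segments, max_segments)
    if stream is None:
        return {"stateless": stateless, "stateful": False, "overload": True, "evasion": False}
    stateful = signature in stream
    return {"stateless": stateless, "stateful": stateful, "overload": False,
            "evasion": stateful and not stateless}


if __name__ == "__main__":
    for size in (len(REQUEST), 5):
        print("segment size %2d:" % size, analyze(segment(REQUEST, size)))
    print("one byte per segment, cap 32:", analyze(segment(REQUEST, 1), max_segments=32))
```

With the whole request in one segment both matchers agree; at five bytes per segment only the reassembled stream still contains the signature, which is the evasion case; and with the cap lowered below the number of one-byte segments the engine reports an overload, which a sensor should alert on in its own right rather than treat as clean traffic.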
19.3.2 Spoofing
Besides fragmentation, the TCP sequence numbers that the NIDS sees can also be spoofed. For example, if a SYN packet is sent with an altered sequence number, the IDS becomes desynchronized from the host, because the host drops the unexpected and unwanted SYN while the IDS resets itself to accept the new sequence number. The IDS then ignores the real data stream because it is waiting for a new sequence number that does not exist. Sending an RST packet from the forged address responsible for the forged SYN can then end this new connection at the IDS.
In general, a NIDS does not know how the destination host will interpret the input it receives. Unusual network traffic can therefore be constructed so that the host sees it differently from the IDS. Only the real destination itself is in a position to resolve all of the NIDS's problems.
19.3.3 Protocol mutation
Whisker by RFP (available at http://www.wiretrip.net) is a software tool designed to hack web servers by disguising HTTP requests so that they get past the IDS. For example, a CGI request in standard HTTP looks like this:
GET /cgi-bin/script.cgi HTTP/1.0
Obfuscated HTTP requests can often fool IDSs that parse web traffic. For example, suppose an IDS scans for intrusions based on phf:
/cgi-bin/phf
We can often fool it by adding extra data to our requests. We could alter the request as follows:
GET /cgi-bin/subdirectory/../script.cgi HTTP/1.0
In this case we request a subdirectory and use /../ to move to the parent directory and run the target script. This way of sneaking in through the back door is referred to as directory traversal, and it is one of the most common exploits at the moment.
Whisker automatically generates a wide variety of attacks against IDSs. As a result, Whisker is known as an anti-IDS (AIDS) tool. Whisker is split into two parts, whisker (the scanner) and libwhisker (the Perl module used by Whisker).
Modern IDSs such as Snort try to normalize all network traffic before analysis by using various preprocessors. Normalization means making the traffic more uniform, for example by removing ambiguities in packet headers and payloads and by presenting a simple traffic stream to be compared against intrusion patterns. However, only a small, fixed number of the possible mutations are identified. The arms race between attackers and defenders therefore continues.
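The normalization that the preprocessors perform is the defender's answer to the mutations described in this section. The Python below is an added example (not Whisker's or Snort's code): it normalizes a request-URI the way an HTTP preprocessor would before matching and compares a naive substring check with a normalized one on constructed variants of the request above. The /cgi-bin/subdirectory/../ form is the one from the text; the other mutations, the signature and the decode-pass limit are assumptions.

```python
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/phf"


def normalize_uri(raw, max_decode_passes=3):
    """Normalize a request-URI the way an HTTP preprocessor would before signature matching.

    Steps: strip the query string, undo (possibly repeated) percent-encoding a
    bounded number of times, fold backslashes, drop empty and '.' segments and
    resolve '..', so that '/cgi-bin/subdirectory/../phf' and '/cgi-bin/phf' compare equal.
    """
    path = raw.split("?", 1)[0]
    for _ in range(max_decode_passes):  # bounded, so %2525... cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()  # never climb above the root
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def request_uri(request_line):
    """Extract the request-URI from a 'METHOD URI HTTP/x.y' request line."""
    return request_line.split(" ", 2)[1]


def naive_match(request_line, signature=SIGNATURE):
    """Plain substring search on the raw URI, as a stateless string matcher would do."""
    return signature in request_uri(request_line)


def normalized_match(request_line, signature=SIGNATURE):
    """Substring search on the normalized URI, as uricontent matching is meant to work."""
    return signature in normalize_uri(request_uri(request_line))


# Constructed request lines (not from the page) for the same phf probe, plain and mutated.
REQUESTS = [
    "GET /cgi-bin/phf?Qalias=x HTTP/1.0",
    "GET /cgi-bin/subdirectory/../phf HTTP/1.0",  # the traversal form shown in the text
    "GET /cgi-bin//phf HTTP/1.0",
    "GET /cgi-bin/./phf HTTP/1.0",
    "GET /cgi-bin/%70hf HTTP/1.0",
    "GET /cgi-bin/%252570hf HTTP/1.0",            # double-encoded
]


def compare(requests=REQUESTS, signature=SIGNATURE):
    """Return (naive hits, normalized hits) across the sample request lines."""
    naive = sum(naive_match(r, signature) for r in requests)
    normalized = sum(normalized_match(r, signature) for r in requests)
    return naive, normalized


if __name__ == "__main__":
    for r in REQUESTS:
        print("%-45s naive=%-5s normalized=%s" % (r, naive_match(r), normalized_match(r)))
    print("hits:", compare())
```

The decode loop is deliberately capped: a preprocessor that decodes until nothing changes can be driven into extra work by deeply nested encodings, which is the overload side of the arms race the text describes, so a fixed number of passes with the remainder treated as suspicious is the safer design.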
19.3.4 Attacks on integrity checkers
As mentioned earlier, integrity-checking IDSs compute checksums and gather information about files when they are initialized. The program then checks for changes, using its "check mode". In addition, the system administrator can update the signatures after reconfiguring the system ("update mode"). Depending on how the host IDS is implemented, each of these modes can be attacked.
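Here is an added Python example (not Tripwire's, AIDE's or the page's code) of the baseline, check and update modes just described, which also serves the guidance in Section 19.1.1.2: it records a SHA-256 baseline of a constructed directory tree, seals the baseline with a fingerprint meant to be kept off-host (the read-only-media idea), reports added, removed and modified files in check mode, and in update mode carries only the administrator-approved paths into the new baseline so that unexplained changes keep being flagged. The paths, file contents and the tampering are all constructed.

```python
import hashlib
import json
import os
import stat
import tempfile


def snapshot(root):
    """Size, mode, mtime and SHA-256 of every regular file under root (baseline or current state)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            db[rel] = {"size": st.st_size, "mode": st.st_mode,
                       "mtime": int(st.st_mtime), "sha256": digest}
    return db


def seal(db):
    """Fingerprint of the whole baseline; keep it off-host so the baseline itself can be verified."""
    return hashlib.sha256(json.dumps(db, sort_keys=True).encode()).hexdigest()


def check(baseline, current):
    """Check mode: added, removed and modified paths relative to the baseline."""
    base, cur = set(baseline), set(current)
    modified = sorted(p for p in base & cur
                      if baseline[p]["sha256"] != current[p]["sha256"]
                      or baseline[p]["mode"] != current[p]["mode"])
    return {"added": sorted(cur - base), "removed": sorted(base - cur), "modified": modified}


def update(baseline, current, accepted):
    """Update mode: carry only administrator-approved paths into a new baseline."""
    new = dict(baseline)
    for path in accepted:
        if path in current:
            new[path] = current[path]
        else:
            new.pop(path, None)
    return new


def demo():
    """Build a small tree, baseline it, tamper with it, then run check and update mode (all constructed)."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = snapshot(root)          # taken while the tree is still clean
        fingerprint = seal(baseline)       # store this on read-only media
        # Simulated changes after the baseline was taken.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("guest:x:1001:1001::/home/guest:/bin/sh\n")
        with open(os.path.join(etc, "new.conf"), "w") as fh:
            fh.write("option=1\n")
        os.remove(os.path.join(etc, "hosts"))
        current = snapshot(root)
        report = check(baseline, current)
        # The administrator accepts only new.conf; passwd stays flagged on the next check.
        new_baseline = update(baseline, current, accepted=["etc/new.conf"])
        return report, seal(baseline) == fingerprint, check(new_baseline, current)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The seal is what defends the baseline against the attack described next, where the checker's own data or software is altered: a baseline whose fingerprint no longer matches the copy kept off the host cannot be trusted, regardless of what check mode reports.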
An attacker can modify the host IDS software itself and then send misleading information to the central host IDS console, or confuse the system between integrity checks. At the same time, some programs that attack the kernel may be missed by the IDS because they can hide themselves from the system and successfully deceive the IDS. A detailed analysis of attacks on host IDSs is given in "Ups and Downs of UNIX/Linux Host-Based Security Solutions" (Section 19.7).
19.4 The future of IDSs
Intrusion detection is only in its infancy, and as hackers keep advancing, IDSs are forced to try to keep pace with their attacks. Table 19-1 shows the threats that will face IDSs in the future and the potential solutions.
Table 19-1. Potential solutions for the future difficulties of IDSs

Problem                                        Solution
Encrypted traffic (IPSec)                      Embed IDSs in the host stacks
Increasing speed and complexity of attacks     Strict anomaly detection (forbidding detected anomalies), NIDS appliances, and intelligent correlation
Switched networks                              Monitor individual hosts, embed NIDSs in the switches
Growing volume of information to interpret     Visual display of data, automatic alert correlation
New evasion techniques                         New traffic normalization techniques and host defense in depth
New kernel-based attack techniques             New kernel security devices
The following sections examine how each of these problems and its proposed solution is developing.
19.4.1 Embedded IDS
IPSec (short for IP Security) has become a popular standard for securing data on the network. IPSec is a set of security standards designed by the IETF to provide end-to-end protection for private data. Implementing these standards lets a device transfer data over an untrusted network such as the Internet while preventing attackers from corrupting, stealing or spoofing that private communication. By securing packets at the network layer, IPSec provides encryption services that are transparent to applications, as well as access protection for network security. For example, IPSec can provide end-to-end security for client-to-server, server-to-server and client-to-client configurations.
Unfortunately, IPSec is a double-edged sword for IDSs. On the one hand, IPSec lets users log securely into their network from home using a virtual private network; on the other hand, IPSec encrypts the data on the wire, which makes the IDS's sniffing far less effective. If a hacker attacks a user's remote login device, he gets a secure tunnel through which to hack the whole network. To fix this flaw of IPSec, future IDSs will need to be embedded in the layers of the TCP/IP stack on the host. That will let the IDS handle the data while it is still unencapsulated and run at every layer of the stack, analyzing data that was encrypted at a higher layer.
19.4.2 Forbidding detected anomalies
Because attacks keep coming and grow ever faster and more complex, IDSs are less and less able to keep up. One answer to this situation is to forbid any detected anomaly: every anomaly, whether major or minor, is alerted on as a positive. This method requires IDSs to be moved to individual hosts rather than to sit on the whole network. An individual host has far more predictable information patterns than the network as a whole. Each host concerned has an IDS that detects any anomaly at all. The administrator can then issue rules (exceptions) for the custom behaviour that is acceptable. In this way the IDS monitors activity the way a firewall monitors traffic.
So how can we design an IDS that enforces the prevention of anomalous behaviour on the hosts? We work with individual hosts that are in some ways a hybrid of a firewall and a router, and we can tune our IDS for each host individually. Because we only work on hosts, we know which packets are to be received by which particular host. We can set their sensitivity high to look for any anomaly whatsoever.
For example, at the packet level, our host-based anomaly detector can scan packets as they are being processed by the stack. We direct the IDS to watch for everything:
- Unexpected signs
- TCP/IP conflicts
- Packets of abnormal size
- Low TTL values
- Bad checksums
- Or conflicts in other protocols
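As an added example (not from the page or from any product it names), the Python below implements the packet-level checks in this list as a host-side sensor could apply them: it parses a constructed IPv4 header, recomputes the RFC 791 header checksum, and flags a low TTL, a bad checksum and a length field that disagrees with the bytes actually received. The addresses, thresholds and sample datagrams are assumptions.

```python
import struct


def ipv4_checksum(header):
    """RFC 791 header checksum: 16-bit one's-complement sum of the header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl, payload_len, proto=6, checksum=None, total_len=None):
    """Build a minimal 20-byte IPv4 header (constructed test input, never sent anywhere)."""
    total_len = 20 + payload_len if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    checksum = ipv4_checksum(hdr) if checksum is None else checksum
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]


def inspect_ipv4(datagram, min_ttl=5, max_len=1500):
    """Strict per-packet checks a host-based sensor could run as the stack receives a datagram."""
    findings = []
    if len(datagram) < 20:
        return ["truncated header"]
    version_ihl, _, total_len, _, _, ttl, _, checksum = struct.unpack("!BBHHHBBH", datagram[:12])
    if version_ihl >> 4 != 4:
        findings.append("not IPv4")
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(datagram):
        findings.append("bad header length")
    else:
        # Recompute with the checksum field zeroed; a mismatch means corruption or tampering.
        if ipv4_checksum(datagram[:10] + b"\x00\x00" + datagram[12:ihl]) != checksum:
            findings.append("bad header checksum")
    if ttl < min_ttl:
        findings.append("low TTL (%d)" % ttl)
    if total_len != len(datagram):
        findings.append("length field %d != %d bytes received" % (total_len, len(datagram)))
    if total_len > max_len:
        findings.append("oversized datagram")
    return findings


# Constructed datagrams (not captures from the page): one normal, three anomalous.
SAMPLES = {
    "normal": build_ipv4("10.0.0.5", "10.0.0.9", 64, 100) + bytes(100),
    "low_ttl": build_ipv4("10.0.0.5", "10.0.0.9", 2, 100) + bytes(100),
    "bad_checksum": build_ipv4("10.0.0.5", "10.0.0.9", 64, 100, checksum=0xBEEF) + bytes(100),
    "length_lie": build_ipv4("10.0.0.5", "10.0.0.9", 64, 100, total_len=60000) + bytes(100),
}


def inspect_all(samples=SAMPLES):
    """Run the checks over every sample and map its name to the findings."""
    return {name: inspect_ipv4(datagram) for name, datagram in samples.items()}


if __name__ == "__main__":
    for name, findings in inspect_all().items():
        print("%-13s %s" % (name, findings or "clean"))
```

The TTL threshold is the kind of setting the text calls an exception rule: a host that legitimately sits many hops from its peers will tune it down, which is exactly the per-host tuning that makes strict anomaly detection workable on a single machine but not across a whole network.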
Similarly, at the application layer, we have unusual changes in:
- Size of ...
- Number of ...
- Number of ...
- Number of ...
- Size of the log file
The growth of switched networks hinders an IDS that monitors the network using promiscuous mode and passive protocol analysis. It becomes ever harder to monitor many hosts at once because of rising bandwidth, virtual networks and other complications. In addition, the growing use of encrypted traffic foils passive analysis off the wire. IDSs are therefore turning into host-based monitors.
19.4.4 Visual display of data
Because bandwidth and the effectiveness of attacks keep increasing, producing accurate alerts grows ever harder. The volume of alert data generated by an IDS can quickly overwhelm the human operator. Unfortunately, filtering the data for the human user usually limits its effectiveness.
One solution to this problem involves developing visualization techniques, also called the geometric display of data. People understand geometric shapes intuitively, so this kind of display is often the easiest way to present a massive amount of data. When an operator senses an anomaly in the graphical display, he or she can drill down to resolve the problem. For example, for internal applications, Airscanner Corporation coded a flexible ActiveX control that mimics a real-time human electrocardiogram (EKG). The speed and rhythm (colour or sound) of the "heartbeat" oscillation on the screen respond to changes on the network. Like hospital nurses watching a cardiac telemetry floor, Airscanner's network administrators can easily monitor the LAN by glancing at the screen.
19.5 Snort IDS case study
This section presents an example deployment of the Snort IDS (http://www.Snort.org). Snort is often called a "lightweight IDS," but it got that name at a time that has nothing to do with being lightweight any more. Snort should only be called lightweight in the sense of an efficient detection engine and a small footprint for its signatures. It is a complete IDS that can be deployed for high processing speed and in distributed configurations that can reach gigabit speeds.
The intrusion detection device discussed in this section is built on the Linux operating system, a MySQL database and the ACID analysis environment. Any Linux distribution such as Red Hat or Debian can be used. You should build a minimal Linux system from scratch (as the commercial IDS vendors do when they sell Unix-based IDSs). For deployments on small networks, you should drop the overly canned Linux variants. The system must be as compact as possible while keeping the needed features (all unnecessary software should be removed).
You should have at least two network cards in the machine on which Snort is deployed, because the sniffing interface (for detecting attacks) and the management interface (used to manage the sensitive event data, update the rules and change the configuration) must be kept separate. The main reason is that the sniffing interface has no IP address. In a Linux environment it is very easy to bring up a network interface without an IP address, just by using a command such as ifconfig eth1 up. Although this does not give overall security (by definition), it is better than using an ordinary interface for intrusion detection.
Snort and the database can be installed on one machine, but where traffic volumes are high you should install the database, Snort and the web server on different machines. Best is Snort on one machine and the database and web server on the other.
When installing on several machines, the IDS components are connected to each other over the network, and security measures must therefore be put in place. To protect the link between the analysis device and the database, we must use an SSL connection. To restrict access to the ACID-based console, we use the standard features of the Apache web server: basic HTTP authentication through .htpasswd. Traffic between the Snort sensor and the database can be tunneled over SSL or SSH.
19.5.1 System installation
First you must set up a hardened Linux. For Red Hat Linux, choose Custom Install from the official or unofficial installation CDs, or trim its installation options by removing the graphical components. Make sure that all the MySQL server packages (available on the Red Hat CDs) are installed. The following command takes care of that, using the packages supplied on the Linux CD:
# rpm -U /mnt/cdrom/RedHat/RPMS/mysql*rpm
When the Linux environment in use is Red Hat, many Snort RPM (Red Hat Package Manager) packages can be downloaded from the Snort.org website. You need the Snort and Snort-mysql packages for the installation above. Install them on your system. If RPM reports a dependency, download the appropriate package for it (the libpcap library may be needed).
Also install the ACID-IDS event viewer software on the system. The ACID home page holds all the software and installation instructions (http://acidlab.sourceforge.net). The ACID packages have to be unpacked into a directory visible from the web server (on Red Hat, for example, /var/www/html). ACID can therefore be deployed in /var/www/html/acid. The configuration file acid_conf.php is where all the configuration settings live. No access control is set up inside it, so you need to create a .htpasswd in /var/www/html/acid.
If the chosen deployment (such as a Red Hat install) has no web server, an Apache web server must be installed from the CD:
# rpm -U /mnt/cdrom/RedHat/RPMS/apache*rpm
After all the components are installed, it is our turn to configure the IDS. First, Snort must be configured so that it can log to the database. Here are the instructions for doing that:
1. Start the MySQL database:
# /etc/init.d/mysql start
2. Create the Snort database:
# echo "CREATE DATABASE Snort_db;" | mysql -u root -p
3. Create the user that will use the database:
# adduser Snort
4. Grant this user the rights to add alert data to the database:
# echo "grant INSERT,SELECT on Snort_db.* to Snort@localhost;" | mysql -u root -p
5. Use the scripts available in the Snort source (not bundled with the binary RPM package) to create the data structure:
# cat ./contrib/create_mysql | mysql Snort_db
6. Change the Snort configuration file so that Snort logs to the database. In other words, change /etc/Snort.conf as follows:
output database: log, mysql, user=Snort dbname=Snort_db host=localhost
7. Change the Snort startup script (/etc/init.d/Snortd) so that snort runs the following command:
/usr/sbin/Snort -D -l /var/log/Snort -i $INTERFACE -c /etc/Snort/Snort.conf
The location of the snort logs can be defined here. Snort can now be started with the command:
# /etc/rc.d/init.d/Snortd start
The IDS is configured and able to log to the database. Test it as follows:
1. Check that the process is running:
# ps ax | grep Snort | grep -v grep
If all is well, you will see non-empty output. On Linux there is a simpler equivalent command:
# ps u `pidof Snort`
2. Check that Snort detects attacks: run lynx http://www.someLOCALwebserver.com/cmd.exe and then run the command:
# tail /var/log/Snort/alert
If all is well, you will see an alert message saying that there was an IIS web attack. Do not run this test over a connection to a remote URL; try it against your own local machine. Make sure the sensor can see the attack (the connection must be made over the network monitored by Snort).
Port scanning with nmap is an effective way of testing Snort, which ensures that portscan detection is enabled and correctly configured. In fact there are many ways to test an IDS. Many people like to use large ICMP packets (which can be produced with a simple ping command) or other methods.
3. Check the database logging:
# echo "SELECT count(*) FROM event" | mysql Snort_db -u root -p
If all is well, you will see a non-zero count of data stored in the database.