
Intrusion Detection Systems (1)

Tequila (VietHacker.org Translator Group Leader)


Composed by hieupc (PDF)
Intrusion detection systems (IDSs) add a further level of protection to network security. Their value is of a different kind from that of firewalls and VPNs: where those prevent attacks, an IDS protects you by arming you with information about the attack. An IDS therefore serves your system's security by warning you of possible attacks (and, besides accurate reports, it occasionally produces false alarms as well). In general, IDSs neither block attacks automatically nor stop a successful exploit; however, the newest development of the IDS, the intrusion prevention system, takes on more roles and can stop an attack as it happens.
Defining an IDS is harder than we might think. At first an IDS is seen as a burglar alarm that can tell you when you are being attacked. Modern IDSs, however, are far more complex, and few people would agree that they have reached the reliability of a traditional burglar alarm. If an analogy is wanted, an IDS looks more like a set of surveillance cameras than like a bell: the people responsible can watch them and respond to intrusion threats.
In practice an IDS seems merely to tell us that the network is in danger. What matters is to recognize that some attacks on a network succeed precisely when the system has no IDS. As we will see, a network can be a hacker's playground for years without its owner ever knowing.
The main value of an intrusion detection system, in our view, is that it knows what is really going on. Yes, an IDS can help us prevent events before they happen, provide solutions for the network and host, and even act as an alarm (within the corresponding limits). Its main function, however, is to inform you about security-relevant events that are taking place inside the networks and systems you control.
This chapter gives an overview of IDSs, including their strengths and weaknesses. We cover both network IDSs (often referred to as sniffers) and host IDSs (log analysis, integrity checking and much more).
The main difference between a network IDS and a host IDS is the data it looks at. A NIDS looks at the whole picture of the traffic on the network, while a host IDS watches hosts, their operating systems and their applications. In practice the two are split across several areas; for example, a host IDS may stop malicious access to the network, while a NIDS tries to guess what is happening inside a host. Some of these boundaries are not clearly drawn, and that is where the technology is developing next.
So what are the advantages of a host-based IDS? The basic difference is that while a NIDS detects potential attacks (things that are on their way to the target), a host IDS detects attacks that have succeeded and produced a result. In that sense a NIDS is more proactive. A host IDS, however, is more effective in high-bandwidth, encrypted and switched environments, which are exactly the environments in which a NIDS has great difficulty operating. A HIDS is also well placed to catch many of the attacker's high-exposure actions on the host itself and to handle them with its own processing. A NIDS, on the other hand, is the right part for an aggregate environment such as an entire network, so it can make meaningful observations about the parts of an attack that involve many hosts. It is less at home in switched high-speed networks, encrypted traffic and complex modern application protocols, so false reports are also quite likely.

We therefore recommend choosing IDS technology from both categories, and we offer Bayesian analysis as a way of deciding how to add them to your network. We also consider what future changes in IDS technology may bring. Finally, we describe a complete open-source deployment on Linux.

19.1 IDS Examples
This section describes several kinds of IDS, including logfile monitors, signature scanners and anomaly detectors.
19.1.1 Host IDSs
Host-based IDSs can be loosely divided into log checkers, integrity checkers and kernel modules. The following sections describe each of them with specific examples.
19.1.1.1 Logfile monitoring
The simplest IDS is the logfile monitor, which tries to detect intrusions by analyzing system event logs. For example, a logfile monitor would search the Apache access logs for requests containing the string /cgi-bin/. The technique is limited because it only looks at events that are logged, and attackers can easily alter those. In addition, such a system may miss low-level system events and record only high-level activity. For example, the HIDS would miss an attacker merely reading the contents of a file such as /etc/passwd. That happens whenever you have not placed the file under the system's auditing.
Logfile monitors are the prime example of host-based IDSs because they perform their monitoring on a single machine. A host logfile monitor can, however, perfectly well monitor several hosts, or even a consolidated logging server. The evolution of the host platform brings some convenience to monitoring with the built-in system tools, because host IDSs have a secure aggregation channel to a central server, unlike ordinary syslog. It also allows aggregation of logs that are not normally aggregated on a single machine (such as the Windows event logs).

A NIDS, on the other hand, typically scans the whole network at the packet level, straight off the wire like a sniffer. A NIDS can therefore correlate the traffic of many hosts whose data passes by. As we will see in this chapter, each type has its uses and advantages in different situations.
A well-known logfile monitor is swatch (http://www.oit.ucsb.edu/~eta/swatch/), short for "Simple Watcher." While most log analysis software only scans logs periodically, swatch scans every log entry and raises alerts in real time. Other tools, such as logwatch (bundled with Red Hat Linux), are fine for offline work. However, even though swatch comes with many of the relevant pieces, it still calls for more active configuration than the other tools.

Next we describe installing swatch. The tool is quite stable, so it is unlikely to change much in the future. Before installing swatch, you need to download and install the Perl modules it depends on. To install those modules, first download the latest version of swatch and run the following steps:
perl Makefile.PL
make
make test
make install
make realclean
swatch uses regular expressions to find the lines it is interested in. Once it finds a match, it takes an action, such as printing the line to the screen, emailing an alert or running an action the user has defined in advance.

The following is a simple swatch configuration script (the regular expression's stray "/" before DEN, which would have required a literal slash in the second alternative, has been corrected to match the description below):

watchfor /[dD]enied|DEN.*ED/
    echo bold
    bell 3
    mail
    exec "/etc/call_pager 5551234 08"
In this example, swatch looks for lines containing the word denied or Denied, or any word beginning with DEN and ending in ED. When it finds one, it prints the line to the terminal in bold and rings the bell three times. swatch then mails an alert to the user running swatch (who has the right to read the monitored logfiles, normally restricted to root) and executes the program /etc/call_pager with the given options.
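The same watchfor-style matching, written out as an added Python example (it is not part of the original page and not swatch's own code). The log lines are constructed for the demo and use RFC 5737 test addresses; the rule names and the brute-force threshold are assumptions. It shows the one thing a single-line matcher like the swatch rule above cannot do: count repeated failed logins per source address, so that three individually harmless lines become one alert.

```python
import re
from collections import Counter

# Constructed syslog-style lines for the demo (not from a real host; RFC 5737 test addresses).
LOG_LINES = [
    "Mar  4 10:01:02 web1 sshd[4112]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Mar  4 10:01:04 web1 sshd[4112]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2",
    "Mar  4 10:01:05 web1 sshd[4112]: Failed password for root from 203.0.113.9 port 51024 ssh2",
    "Mar  4 10:01:09 web1 sshd[4119]: Accepted publickey for deploy from 198.51.100.7 port 40210 ssh2",
    "Mar  4 10:02:30 web1 kernel: iptables DENIED IN=eth0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP DPT=23",
    "Mar  4 10:03:11 web1 su: pam_unix(su:session): session opened for user root by deploy(uid=1001)",
    "Mar  4 10:03:40 web1 cron[2201]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Rules in the spirit of swatch's "watchfor": a name (assumed) and a regular expression.
RULES = [
    ("failed-login", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("denied", re.compile(r"[dD]enied|DEN.*ED")),          # the same pattern as the swatch rule
    ("root-session", re.compile(r"session opened for user root")),
]


def scan(lines, rules=RULES):
    """Run every rule over every line; return (rule_name, line, match) per hit.
    As in swatch, one line may trigger several rules."""
    hits = []
    for line in lines:
        for name, pattern in rules:
            m = pattern.search(line)
            if m:
                hits.append((name, line, m))
    return hits


def failed_login_sources(hits, threshold=3):
    """Aggregate failed-login hits per source address and keep those at or above the threshold.
    This per-source counting is the step a plain per-line matcher lacks."""
    counts = Counter(m.group("src") for name, _line, m in hits if name == "failed-login")
    return {src: n for src, n in counts.items() if n >= threshold}


def monitor(lines):
    """Return per-rule hit counts plus the sources that crossed the brute-force threshold."""
    hits = scan(lines)
    return {
        "by_rule": Counter(name for name, _line, _m in hits),
        "brute_force": failed_login_sources(hits),
    }


if __name__ == "__main__":
    for name, line, _m in scan(LOG_LINES):
        print(f"[{name}] {line}")
    print(monitor(LOG_LINES))
```

A real deployment would read the file as it grows (tail -f semantics, which swatch provides) and key the counter on a time window; the regular expressions are the same either way.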
Logfile monitoring can be considered a special case of intrusion detection. Logs also hold a great deal of information that is not directly related to intrusions (unlike what a NIDS sniffs off the wire). Logs can be seen as a large pool of information: some of it routine (administrator connections, daemon configuration errors), some of it suspicious (a login from an unusual IP, odd root access) and some of it outright malicious, such as an RPC buffer overflow recorded by rpc.statd. Reviewing and sifting all of it is only slightly easier than listening on the network for web attacks or malformed packets.

If every application had a secure logging system in which every bad event were recorded and consolidated, the log analyst might not need an intrusion detection system at all. In practice, if an event can be picked out of a complete log file, it may well be an intrusion. In real life, however, searching for fragments in the logs is sometimes just as valuable as searching for fragments on the wire.

In fact, pairing system log analysis with NIDS logs is a very useful point for the log analyst. The analyst sees more than what is on the wire and gains the functions of a meta-IDS. For example, management solutions such as netForensics allow logs from many devices to be analyzed, normalized and correlated (with rule-based components), after which the consolidated events are analyzed.
19.1.1.2 Integrity monitoring
An integrity monitor watches key system structures for change. For example, an integrity monitor may use a system file or a registry key as "bait" and record any changes an intruder makes to it. Although they are limited, integrity monitors add a layer of protection to an intrusion detection system.
The most popular integrity monitor is Tripwire (http://www.tripwire.com). Tripwire is available for Windows and Unix, and it can monitor a number of attributes, such as:

- File additions, deletions and modifications
- File flags (i.e., hidden, read-only, archive, etc.)
- Last access time
- Last write time
- Change time
- File size
- Hash checking
Tripwire's capabilities differ considerably between Unix and Windows because of the different attributes of their file systems. Tripwire can be tailored to the specific characteristics of your network, and multiple Tripwire agents can securely centralize their data. In fact, you can use Tripwire to monitor any change on your system at all, which makes it a very powerful tool in your IDS arsenal. Many other tools (all free and open source) have been written to do similar work; AIDE (http://www.cs.tut.fi/~rammer/aide.html) is a well-known Tripwire clone.
The key to using a system integrity checker as an intrusion detection device is establishing a secure baseline. Such a baseline can only be established before the system is connected to the network. Without a known-secure state the tool is severely limited, because an attacker may already have introduced changes to the system before the integrity checker runs for the first time.
While almost all tools require a baseline state from before the attack, a few rely instead on their knowledge of threats. One example is chkrootkit (http://www.chkrootkit.org). It looks for the common signs of intrusion that typically appear on compromised systems.
Integrity checkers provide the most value when a few guidelines are followed. First, the checker must be deployed on a completely clean system so that it does not record a half-configured or already compromised state as normal. Tripwire, for example, should be installed on a system while it is still pristine from the vendor and carries only the most necessary applications, before it is connected to the network. Likewise, the idea of storing the known-good state on read-only media such as CD-ROM is a very good one: we then always have a full copy to compare against when a problem has to be resolved. Even with all these precautions, however, a hacker can still get past such a system.
19.1.2 Network IDSs
Network IDSs can be divided into two types: signature-based systems and anomaly-based systems. Unlike the signature-based kind, the latter are a blend of different but closely related technologies. In addition, hybrid NIDSs aim to bridge the shortcomings of each by using the strengths of both types. In practice, all modern commercial NIDSs add anomaly detection to a signature-based engine; examples are ISS RealSecure, Cisco IDS and Enterasys Dragon.
19.1.2.1 Signature matchers
Like traditional virus scanners working from hex signatures, most IDSs try to detect attacks from a database of attack signatures. When a hacker attempts to exploit a known vulnerability, the IDS tries to match the attempt against its database. An example is Snort (http://www.Snort.org), a free signature-based IDS available for both Unix and Windows. Because it is open source, Snort's signature database can potentially grow faster than that of any proprietary tool. Snort signatures are used in everything from commercial firewalls to middleware such as Hogwash. Snort consists of a packet decoder, a detection engine and a logging and alerting subsystem. Snort is a stateful IDS, which means it can reassemble and record attacks that are spread across TCP segments.
Some readers may have met the notions of stateful and stateless firewalls more often than those of intrusion detection systems; the concepts are the same in both. Stateless firewalls (and stateless NIDSs) work on individual packets, while a stateful firewall takes the state of the connection into account. The simplest example: if an attacker splits an attack across packets, a stateless IDS misses it (because the signature never appears in a single packet), whereas a stateful IDS catches it, because it assembles the suspicious parts not from one packet but from the whole data stream of the connection.
Stateful NIDSs, however, cannot avoid missing intrusion signatures either. We give a few examples in this chapter.
The most basic example of IDS signature detection concerns a web attack on a buggy CGI script. A hacker's bug-hunting toolkit routinely includes a CGI scanner for finding web servers with vulnerable CGI scripts. For example, the notorious phf bug allowed an attacker to retrieve arbitrary files instead of HTML documents: the attack simply used a poorly written CGI script to read files and directories that the web server could reach. To detect a phf attack, the NIDS must scan every packet for the following fragment of a string:

GET /cgi-bin/phf?
Network IDSs search every packet on the network for the strings that appear in their signatures. For example, the following Snort signature matches the string above and raises an alert:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; reference:bugtraq,629; reference:arachnids,128; reference:cve,CVE-1999-0067; classtype:web-application-activity; sid:886; rev:8;)

We will discuss deploying the Snort NIDS later in this chapter.
19.1.2.2 Anomaly detection
Anomaly detection involves establishing a baseline of normal system activity or network behavior and then alerting us whenever a deviation appears. Network traffic varies so widely that this style of IDS lends itself more to host-based designs than to NIDSs. Some networks, however, have a very regular structure, especially military or intelligence communication networks. On the other hand, what happens on a very large server may be impossible to characterize completely, so the network looks chaotic. Note that anomaly-based NIDSs are sometimes split into traffic anomaly detectors (deviation from a known traffic profile) and protocol anomaly detectors (deviation from the network protocol standards).

As we will see later in this chapter, anomaly detection offers high sensitivity but low specificity. We discuss the most useful tools below.
19.2 Bayesian Analysis
Plain signature IDSs are inconvenient because hackers keep finding new vulnerabilities that are not yet in the signature database, and, as with virus scanners, getting the new signatures into the database is a concern in itself. NIDSs are also expected to keep up with large bandwidths, so maintaining connection state on a high-speed network becomes a problem of memory and processing cost.

Monitoring large switched networks raises a further problem, because the switches cut the IDS sensors off from the traffic. People try to deal with this by integrating the IDS into the switch or by attaching the IDS to the switch's monitoring port. This still leaves many unsolved problems: gigabit links, for example, require multiple IDSs in a complex load-balanced configuration because a single IDS cannot cope with the load.

Another limitation of IDSs is that they themselves have serious weaknesses that can be attacked or evaded. Denial-of-service attacks such as SYN floods or smurf attacks can easily cripple an IDS, and a slow scan of IP addresses can defeat many IDSs.
This section introduces the statistical properties of diagnostic tests and their implications for interpreting test results. We use a statistical formula named after Bayes, which describes the relationship that exists among a series of simple and conditional probabilities. Without dwelling on the detailed mathematics, which can be found in hundreds of statistics books, we address the practical application of Bayesian analysis to IDSs. Understanding the concept and its practical application will let you understand better how to set up different IDSs at different points on your network.

The approach to classifying sensors grew out of the Bayesian diagnosis that one of the authors of this ebook teaches to medical students.
19.2.1 Sensitivity versus specificity
Consider the typical IDS monitoring report shown in Figure 19-1. One axis, called intrusion, represents intrusions that actually take place: (+) means there really was an intrusion and (-) means there was not. The other axis, called IDS response, describes the IDS's verdict: (+) means the IDS reported an intrusion and (-) means it did not. As in real life, the matrix shows that the IDS is not always right. The possibilities in each of the four cells of the 2 x 2 table help us understand the statistical properties of an IDS.
Figure 19-1. IDS response matrix

                      Intrusion (+)                       Intrusion (-)
IDS response (+)      TP = true positive                  FP = false positive
                      (intrusion correctly detected)      (false alarm)
IDS response (-)      FN = false negative                 TN = true negative
                      (intrusion missed)                  (absence of intrusion correctly reported)
19.2.1.1 Sensitivity
Sensitivity is defined as the true positive rate (the proportion of intrusions that the IDS detects). Mathematically, sensitivity is expressed as:

Sensitivity = true positives / (true positives + false negatives)

The false negative rate equals 1 minus sensitivity. The more sensitive an IDS, the fewer intrusions go undetected.
Sensitive IDSs are useful for flagging attacks in parts of the network where intrusions are easy to detect or must never be missed. A sensitive test is most effective when you want to rule something out, even a remote indication of an intrusion. With a highly sensitive IDS, a negative result carries more inherent value than a positive one.

For example, you want a sensitive IDS watching the hosts on a LAN protected by a firewall and a router, as in Figure 19-2, where zone 2 represents this kind of placement. At this well-defended point we should see no intrusions at all, so high sensitivity matters: the monitoring must miss nothing. Specificity is less important, because at this point in the network every abnormal activity can be investigated. The IDS needs little discrimination, since a human will necessarily follow up every alert.
Figure 19-2. Network segmentation for Bayesian optimization of IDS placement
19.2.1.2 Specificity
Mathematically, specificity is expressed as:

Specificity = true negatives / (true negatives + false positives)

True negatives are the cases in which the IDS correctly reports that there is no intrusion. False positives occur when the IDS reports an intrusion that did not actually take place. The false positive rate equals 1 minus specificity.
A specific IDS is the most useful to the system administrator. With such a system, positive results are more informative than negative ones. Specific tests are most valuable where a false positive would be disastrous.

Choosing an IDS with high specificity for a part of the network where the diagnosis is acted on automatically is critical. Zone 1 in Figure 19-2, for example, represents the corporate firewall facing threats from the Internet. Here attacks can turn into disasters if they are not detected early. At this point in the network we care less about overall sensitivity, because we expect a stream of attacks rather than monitoring all traffic for the odd abnormal activity.
19.2.1.3 Accuracy
Sensitivity and specificity usually trade off against each other: as the cutoff point moves, one rises while the other falls. The cutoff for these anomaly indicators can be chosen loosely or conservatively. There are many situations, however, in which we would rather spend more money on a device that has both high sensitivity and high specificity. Accuracy is the concept that encompasses both: accuracy is the proportion of all IDS results (positive and negative) that are correct.

For example, we need high accuracy in a part of the network such as zone 3 in Figure 19-2. Here our web servers are under attack, and a compromise would cause immediate embarrassment and possibly financial loss. We need to act on any abnormal activity, and to do so automatically because the traffic volume is very large. In practice, achieving the highest sensitivity and the highest specificity at once requires combining layers of IDS.
The receiver operating characteristic (ROC) curve is a graphical way of expressing the relationship between sensitivity and specificity. A ROC curve plots the true positive rate (sensitivity) against the false positive rate (which equals 1 minus specificity, the true negative rate). The plot serves like a nomogram (Figure 19-3), a graphical representation of statistical weight that lets you quickly compare the quality of two systems.

After a desired cutoff has been chosen, the sensitivity and specificity of the IDS can be read directly off the graph. The shape of the curve corresponds to the accuracy, or quality, of the IDS. A straight line running up and to the right at 45 degrees indicates a useless IDS. An IDS whose ROC curve is tucked into the upper-left corner, on the other hand, is the most informative. Quantitatively, the area under the curve relates directly to the accuracy of the IDS. In Figure 19-3, IDS B is more accurate than IDS C, and IDS A is the most accurate of all.
Figure 19-3. Sample ROC curve
19.2.2 Positive and negative predictive values
In theory, sensitivity and specificity are properties of the IDS itself, independent of the network being monitored. They therefore tell us how the IDS performs, but not how it performs in the context of a particular network segment.

Predictive values are the actual predictions obtained by combining all the available data. A predictive value combines the prior probability with the IDS result to yield a post-test probability, expressed as a positive or negative predictive value. This combination is a practical application of Bayes's theorem, a formula from classical probability theory.

Information on the prevalence of attacks on your network, adjusted by the IDS result, produces a prediction. Every network administrator performs this analysis intuitively but imprecisely. For example, if you know that slow ping sweeps have recently become prevalent against your network, you can feed that knowledge in as input data for your IDS.

Because the predictors are combined mathematically, they must be converted into odds. In that form they are referred to as likelihood ratios (LRs) or odds ratios (ORs) and can be combined with simple arithmetic.
19.2.3 Likelihood Ratios

Sensitivity, specificity and predictive values are all stated in terms of probability: the estimated proportion of the time that intrusions occur. Another useful concept is odds (i.e., the ratio of two probabilities, ranging from zero [never] to infinity [always]). For example, odds of 1 are equivalent to a 50% probability of an intrusion (i.e., it is just as likely to have occurred as not). The mathematical relation between these concepts can be expressed as follows:

Odds = probability / (1 - probability)
Probability = odds / (1 + odds)

LRs and ORs are examples of odds. LRs yield a more sophisticated prediction because they employ all available data.

The LR for a positive IDS result is defined as the probability of a positive result in the presence of a true attack, divided by the probability of a positive result in a network not under attack (true-positive rate / false-positive rate). The LR for a negative IDS result is defined as the probability of a negative result in the absence of a true attack, divided by the probability of a negative result in a network that is under attack (true-negative rate / false-negative rate).

LRs allow more information to be extracted from a test than simple sensitivity and specificity do. When working with LRs and other odds, the post-test odds are obtained by multiplying the pre-test odds (the prevalence of attacks on that segment, expressed as odds) by the LRs of the results observed. The final ratio is then converted from odds back to probability to yield the post-test probability.

By applying these statistical methods, we can make informed choices about deploying IDSs throughout a network. Although currently fraught with inaccuracy, the field of intrusion detection is still nascent, and new and exciting developments are happening every day. As time goes on, use of the scientific method will improve this inexact and complex technology. By understanding the sensitivity and specificity of an IDS, we can learn its value and when to use it. In addition, increasing the use of likelihood ratios makes the data we receive from our IDSs more meaningful.
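The whole of section 19.2 carried through in Python, as an added worked example (not part of the original page). It assumes a constructed evaluation of one sensor (TP=90, FP=20, FN=10, TN=980) and assumed attack prevalences for the three zones of Figure 19-2; it then derives sensitivity, specificity, accuracy, the likelihood ratios, and the positive and negative predictive values in each zone via the odds form of Bayes's theorem. Note one convention: the code uses LR- = false-negative rate / true-negative rate (the reciprocal of the ratio quoted in the text), so that the single rule "post-test odds = pre-test odds x LR" gives the odds of an attack for both a positive and a negative result.

```python
def rates(tp, fp, fn, tn):
    """Sensitivity, specificity and accuracy from the 2x2 response matrix of Figure 19-1."""
    sensitivity = tp / (tp + fn)
    specificity = tn / (tn + fp)
    accuracy = (tp + tn) / (tp + fp + fn + tn)
    return sensitivity, specificity, accuracy


def odds(p):
    """Probability -> odds."""
    return p / (1.0 - p)


def probability(o):
    """Odds -> probability."""
    return o / (1.0 + o)


def likelihood_ratios(sensitivity, specificity):
    """LR+ = TPR / FPR; LR- = FNR / TNR (odds of attack given a negative result)."""
    lr_pos = sensitivity / (1.0 - specificity)
    lr_neg = (1.0 - sensitivity) / specificity
    return lr_pos, lr_neg


def post_test_probability(prevalence, lr):
    """Bayes's theorem in odds form: post-test odds = pre-test odds * LR."""
    return probability(odds(prevalence) * lr)


def predictive_values(sensitivity, specificity, prevalence):
    """PPV = P(attack | alert) and NPV = P(no attack | no alert) on a segment
    where attacks have the given prevalence."""
    lr_pos, lr_neg = likelihood_ratios(sensitivity, specificity)
    ppv = post_test_probability(prevalence, lr_pos)
    npv = 1.0 - post_test_probability(prevalence, lr_neg)
    return ppv, npv


# Constructed evaluation of one sensor over 1,100 labelled events (not measured data).
SENSOR = {"tp": 90, "fp": 20, "fn": 10, "tn": 980}

# Assumed attack prevalence for the three zones of Figure 19-2 (illustrative values only).
ZONES = {
    "zone1_internet_firewall": 0.50,
    "zone2_internal_lan": 0.01,
    "zone3_web_servers": 0.10,
}


def zone_comparison(sensor=SENSOR, zones=ZONES):
    """The same sensor yields very different predictive values depending on where it sits."""
    sensitivity, specificity, _accuracy = rates(**sensor)
    return {zone: predictive_values(sensitivity, specificity, prev) for zone, prev in zones.items()}


if __name__ == "__main__":
    sens, spec, acc = rates(**SENSOR)
    print(f"sensitivity={sens:.3f} specificity={spec:.3f} accuracy={acc:.3f}")
    print("LR+=%.2f LR-=%.3f" % likelihood_ratios(sens, spec))
    for zone, (ppv, npv) in zone_comparison().items():
        print(f"{zone}: PPV={ppv:.3f} NPV={npv:.3f}")
```

With these numbers the sensor is 90% sensitive and 98% specific everywhere, yet an alert on the quiet internal LAN (1% prevalence) is a real attack only about 31% of the time, while the same alert at the Internet-facing firewall (50% prevalence) is real about 98% of the time. That is the quantitative form of the placement advice in 19.2.1: high specificity where prevalence is high and alerts are acted on automatically, high sensitivity where prevalence is low and every alert is reviewed by a person.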
19.3 Hacking Through IDSs
To help you build a security strategy, this section shows how hackers typically exploit the weaknesses of IDSs.
19.3.1 Fragmentation
Fragmentation, splitting packets into pieces, is one of the classic ways of attacking a network intrusion detection system, and it stumped every commercial NIDS designed a few years ago. By cutting packets into small pieces, a hacker can fool the IDS. A stateful IDS reassembles the fragments before analyzing them, but as the number of fragments grows the process consumes more and more resources and begins to lose accuracy. There also seems to be a fixed limit on the number of fragments an IDS can handle. There is a seemingly infinite number of fragmentation tricks that one can employ, leading either to evasion or to overloading the NIDS's anti-evasion capabilities.
19.3.2 Spoofing
Besides fragmentation, the TCP sequence numbers that the NIDS sees can also be spoofed. For example, if a SYN packet with a bogus sequence number is sent, the IDS becomes desynchronized from the host: the host drops the unexpected SYN, while the IDS resets itself to accept the new sequence number. The IDS then ignores the real data stream, because it is waiting for a sequence number that will never arrive. Sending an RST packet from the forged address that was responsible for the forged SYN then closes this phantom connection as far as the IDS is concerned.

In general, a NIDS does not know how the target host will interpret its input. Abnormal traffic can therefore be constructed that the target and the IDS see differently. Only at the real destination, on the host itself, can all of these NIDS problems be resolved.
19.3.3 Protocol mutation
Whisker by RFP (available at http://www.wiretrip.net) is a tool designed to hack web servers by sending crafted HTTP requests past an IDS. For example, a typical CGI request under the HTTP standard looks like this:

GET /cgi-bin/script.cgi HTTP/1.0
Obfuscated HTTP requests can often fool IDSs that parse web traffic. For example, if an IDS scans for phf intrusions using the string:

/cgi-bin/phf

we can often fool it by padding our request with extra data. We can change the request as follows:
GET /cgi-bin/subdirectory/../script.cgi HTTP/1.0
In this case we ask for a subdirectory and use /../ to step back up to the parent directory and run the target script. This way of sneaking in through the back door is referred to as directory traversal, and it is one of the most common exploitation methods in use today.

Whisker generates a wide variety of such anti-IDS attacks automatically, which is why it is known as an anti-IDS (AIDS) tool. Whisker is split into two parts: whisker (the scanner) and libwhisker (the Perl module whisker is built on).

Modern IDSs such as Snort try to normalize all traffic before analysis, using various preprocessors. Normalization means making the traffic more uniform, for example by removing ambiguities in packet headers and payloads and presenting a simple canonical stream to be compared against the intrusion patterns. The number of possible mutations, however, is finite only in a limited sense. The arms race between attacker and defender therefore continues.
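An added Python example (not Snort's HTTP preprocessor and not part of the original page) showing why a raw substring match loses to Whisker-style mutations and what a normalizing preprocessor buys back. The request lines are constructed; the signature is the path from the Snort phf rule earlier in the chapter. The normalization policy (decode percent-escapes once, then collapse "//" and "/./" and resolve "/../") is an assumption, and deliberately one policy among several.

```python
from urllib.parse import unquote

# Constructed request lines (not captured traffic). All but the last reach the phf script.
REQUESTS = [
    "GET /cgi-bin/phf HTTP/1.0",
    "GET /cgi-bin/subdirectory/../phf HTTP/1.0",     # directory traversal, as in the text
    "GET /cgi-bin/./phf?Qname=x HTTP/1.0",           # self-reference and a query string
    "GET /cgi-bin//%70hf HTTP/1.0",                  # doubled slash and percent-encoded 'p'
    "GET /cgi-bin/script.cgi HTTP/1.0",              # unrelated script
]
SIGNATURE = "/cgi-bin/phf"


def request_path(line):
    """Extract the request-URI from an HTTP request line and drop the query string."""
    _method, uri, _version = line.split(" ", 2)
    return uri.split("?", 1)[0]


def normalize_uri_path(path):
    """Canonicalize a URI path the way a target web server would before resolving it:
    percent-decode once, then drop empty and '.' segments and resolve '..' without
    climbing above the root. Real servers differ on details (whether %2f is a separator,
    double decoding, backslashes), and every such difference is a fresh mutation."""
    decoded = unquote(path)
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def naive_match(line, signature=SIGNATURE):
    """Raw substring match on the wire bytes, like a matcher with no HTTP preprocessor."""
    return signature.lower() in line.lower()


def normalized_match(line, signature=SIGNATURE):
    """Match after normalization (case-insensitive, like 'nocase' in the Snort rule)."""
    return signature.lower() in normalize_uri_path(request_path(line)).lower()


def count_hits(lines=REQUESTS):
    """(hits with raw matching, hits with normalized matching) over the request list."""
    return (sum(naive_match(l) for l in lines), sum(normalized_match(l) for l in lines))


if __name__ == "__main__":
    for line in REQUESTS:
        print(f"{naive_match(line)!s:5} {normalized_match(line)!s:5} {line}")
    print("raw hits, normalized hits:", count_hits())
```

Raw matching catches only the plain request; after normalization all four phf variants match and the unrelated script still does not. The caveat from the text applies: normalization only helps where the preprocessor's canonical form agrees with the target server's, which is why it must be tuned per server platform rather than applied blindly.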
19.3.4 Attacking integrity checkers
As mentioned earlier, integrity-checking IDSs compute checksums and collect information about files when they are initialized. Afterwards the program looks for changes, running in "check mode". In addition, the administrator can update the signatures after reconfiguring the system ("update mode"). Depending on how the host IDS is implemented, either mode may be attacked.

An attacker can tamper with the host IDS software itself and then send false information to the central host IDS console, or can confuse the system between integrity checks. Some kernel-level attack tools also slip past the IDS, because they can lie to the system and so deceive the IDS successfully. A detailed analysis of attacks on host IDSs is given in "Ups and Downs of UNIX/Linux Host-Based Security Solutions" (Section 19.7).
19.4 The Future of IDSs
Intrusion detection is still in its infancy; as hackers keep advancing, IDSs are forced to try to keep up with their attacks. Table 19-1 lists the threats that will challenge IDSs in the future, along with potential solutions.

Table 19-1. Potential solutions for future IDS challenges

Problem                                       Solution
Encrypted traffic (IPSec)                     Embed the IDS in the host's protocol stack
Increasing speed and complexity of attacks    Strict anomaly detection, hardware-based NIDS and intelligent correlation
Switched networks                             Monitor individual hosts; embed the NIDS in the switches
Growing amount of information to interpret    Visual display of data, automatic alert correlation
New evasion techniques                        New traffic normalization techniques and host-level defense in depth
New kernel-based attack techniques            New kernel security mechanisms
The following sections look at how these problems lead to the intended solutions.
19.4.1 Embedded IDS
IPSec (IP Security) has become a popular standard for securing data on the network. IPSec is a set of security standards designed by the IETF to provide end-to-end protection for private data. Implementing these standards allows a device to send data over an untrusted network such as the Internet while preventing attackers from corrupting, stealing or spoofing the private communication. By securing packets at the network layer, IPSec provides cryptographic services that are transparent to applications, as well as access protection for network security. For example, IPSec can provide end-to-end security in client-to-server, server-to-server and client-to-client configurations.

Unfortunately, IPSec is a double-edged sword for IDSs. On the one hand, IPSec lets users log securely into their network from home over a virtual private network; on the other hand, IPSec encrypts the data on the wire, which makes sniffing by the IDS far less effective. If a hacker compromises a user's remote login device, the hacker has a secure tunnel through which to attack the whole network. To remedy this weakness of IPSec, future IDSs will need to be embedded in the layers of the host's TCP/IP stack. That lets the IDS handle the data as it is decapsulated and inspect it at each layer of the stack, analyzing the data after it has been decrypted at the higher layers.
19.4.2 Strict anomaly detection
Because attacks keep coming and grow ever faster and more complex, IDSs are less and less able to keep up. One response is strict anomaly detection: every anomaly, major or minor, is reported as a positive. This method requires the IDS to be placed on individual hosts rather than on the network as a whole, since a single host offers a far more predictable pattern of activity than a whole network does. Every host is given its own IDS that detects any anomaly at all; the administrator can then write rules (exceptions) for the variations that are acceptable. In this way the IDS watches activity the way a firewall watches traffic.

So how would we design an IDS that performs strict anomaly detection on a host? We work with individual hosts, each of which is part firewall and part router, and we can tune the IDS of each host individually. Because we work only on the host, we know which packets are meant for that particular host. We can therefore turn the sensitivity up high and look for any anomaly whatsoever.
For example, at the packet level our host-based anomaly detector can inspect packets as they are processed by the stack. We direct the IDS to watch for everything:

- Unexpected signatures
- TCP/IP violations
- Packets of unusual size
- Low TTL values
- Bad checksums
- Violations of other protocols
Similarly, at the application level, we can make the anomaly detector look for unusual changes in any of the following system characteristics:

- CPU usage
- Disk activity
- User logins
- File activity
- Number of services running
- Number of applications running
- Number of open ports
- Size of the log files

When an anomaly is detected, an alert is sent to the control center.

This approach is highly sensitive, but unfortunately it produces a great deal of data to deal with. We address that problem later.
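The host-level anomaly detection described here (and in 19.1.2.2) reduces to two steps: build a profile of "normal" for each metric, then flag observations that fall too far from it. The following added Python example (not part of the original page, and not any product's code) does exactly that with a per-metric mean and standard deviation; the baseline samples, the observed values and the three-sigma threshold are all constructed assumptions. It also handles the edge case the strict policy runs into first: a metric that never varied during the baseline, for which any change at all must be reported.

```python
import statistics

# Constructed hourly samples from a quiet host, one list per metric (not real telemetry).
BASELINE_SAMPLES = {
    "logins":     [5, 7, 6, 8, 5, 6, 7, 6],
    "open_ports": [22, 22, 23, 22, 21, 22, 23, 22],
    "processes":  [118, 120, 119, 121, 118, 120, 119, 120],
}


def build_baseline(samples):
    """Per-metric (mean, sample standard deviation): the profile of 'normal' for this host."""
    return {metric: (statistics.mean(values), statistics.stdev(values))
            for metric, values in samples.items()}


def z_scores(baseline, observation):
    """Distance of each observed metric from its baseline mean, in standard deviations.
    A metric that never varied in the baseline (stdev 0) is flagged on any change at all,
    which is the strict policy the text describes."""
    scores = {}
    for metric, value in observation.items():
        mean, sd = baseline[metric]
        if sd == 0:
            scores[metric] = 0.0 if value == mean else float("inf")
        else:
            scores[metric] = (value - mean) / sd
    return scores


def anomalies(baseline, observation, threshold=3.0):
    """Every metric beyond the threshold, above or below, is reported as a positive."""
    return {metric: z for metric, z in z_scores(baseline, observation).items()
            if abs(z) >= threshold}


def demo():
    """Baseline the constructed samples and score one constructed observation in which
    logins look normal but 18 new listening ports and a process surge have appeared."""
    baseline = build_baseline(BASELINE_SAMPLES)
    observed = {"logins": 7, "open_ports": 40, "processes": 140}
    return anomalies(baseline, observed)


if __name__ == "__main__":
    for metric, z in sorted(demo().items()):
        print(f"ANOMALY {metric}: {z:+.1f} sigma")
```

The exceptions the administrator writes ("a backup job opens 200 files at 02:00") correspond to either widening the threshold for one metric or keeping a separate baseline per time of day; both are refinements of the same mean-and-deviation profile. The trade-off named in the text is visible too: with the threshold this tight, the detector is sensitive but not specific, and every legitimate change of workload will trip it until the baseline is refreshed.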
19.4.3 Host- Versus Network-Based IDSs

The spread of switched networks hinders an IDS that monitors the network in promiscuous mode using passive protocol analysis. It is becoming ever harder to watch many hosts at once because of growing bandwidth, virtual networks and other complications. In addition, the growing use of encrypted traffic foils passive analysis off the wire. IDSs are therefore moving toward host-based monitoring.
19.4.4 Visual Display of Data
As bandwidth and the effectiveness of attacks keep increasing, producing accurate alerts becomes ever harder. The volume of alert data an IDS generates can quickly overwhelm a human operator, and filtering the data down for human consumption usually limits its usefulness.

One solution to this problem involves visualization techniques, also known as the geometric display of data. People understand geometric shapes intuitively, so this kind of display is often the easiest way to present a massive amount of data. When an operator senses an anomaly in the graphical display, they can drill down to resolve it. For example, for internal use, Airscanner Corporation coded a lightweight ActiveX control that mimics a real-time human electrocardiogram (EKG). The speed and rhythm (in color or sound) of the "heartbeat" trace on the screen respond to changes on the network. Like a nurse watching the cardiac telemetry floor of a hospital, an Airscanner network administrator can monitor the LAN simply by glancing at the screen.
19.5 Snort IDS Case Study
This section presents a worked example of deploying the Snort IDS (http://www.Snort.org). Snort is often called a "lightweight IDS," but that name dates from an earlier time and has little to do with being lightweight. Snort should only be called lightweight in reference to its efficient detection engine and the small footprint of its signatures. It is a full-featured IDS that can be deployed in a high-throughput, distributed configuration capable of reaching gigabit speeds.
The intrusion detection appliance described in this section is built on the Linux operating system, a MySQL database and an ACID analysis environment. Any Linux distribution, such as Red Hat or Debian, can be used. You should build a minimal Linux system from scratch (as the commercial IDS vendors selling Unix-based IDSs do). For small-network deployments, avoid overly "canned" Linux variants. The system must be as lean as possible while still doing the job (all unnecessary software should be removed).
You should have at least two network cards in the machine on which Snort is deployed, because the sniffing interface (used to detect attacks) and the management interface (used to manage the sensitive event data, update rules and make configuration changes) must be kept separate. The main reason is that the sniffing interface has no IP address. Under Linux it is easy to bring up a network interface without an IP address, using a command such as ifconfig eth1 up. Although this is not a complete security measure (by definition), it is better than using an ordinary interface for intrusion detection.
Snort and the database can be installed on one machine, but for high traffic rates you should install the database, Snort and the web server on separate machines. The best arrangement is Snort on one machine and the database and web server on the other.
In a multi-machine installation the IDS components are connected to each other over the network, so security measures must be enforced. To protect the link between the analysis console and the database, we must use an SSL connection. To restrict access to the ACID-based console, we use a standard feature of the Apache web server, basic HTTP authentication via .htpasswd. Communication between the Snort sensor and the database can be tunneled over SSL or SSH.
19.5.1 System Installation
First you must set up a hardened Linux. For Red Hat Linux, choose Custom Install from the official or unofficial installation CDs, or trim its installation options by removing the graphical components. Make sure all the MySQL server packages (available on the Red Hat CDs) are installed. With the Linux CD mounted, the following command takes care of this:
# rpm -U /mnt/cdrom/RedHat/RPMS/mysql*rpm
If the Linux environment in use is Red Hat, a number of Snort RPM (Red Hat Package Manager) packages can be downloaded from the Snort.org website. You need the Snort and Snort-mysql packages for the installation above. Install them on your system. If an RPM reports a dependency, download the appropriate package for it (the libpcap library may be needed).
Also install the ACID IDS event viewer on the system. The ACID home page contains all the software and installation instructions (http://acidlab.sourceforge.net). The ACID package must be unpacked into a directory visible to the web server (on Red Hat, for example, /var/www/html). ACID can therefore be deployed in /var/www/html/acid. The configuration file acid_conf.php holds all the configuration settings. No access control is set up inside it, so you need to create .htpasswd in /var/www/html/acid.
If the chosen deployment (such as the Red Hat installation) has no web server, an Apache web server must be installed in that environment from the CD:
# rpm -U /mnt/cdrom/RedHat/RPMS/apache*rpm
After all the components are installed, it is time to configure the IDS. First, Snort must be configured so that it can log to the database. The steps are as follows:
1. Start the MySQL database:
# /etc/init.d/mysql start
2. Create the Snort database:
# echo "CREATE DATABASE Snort_db;" | mysql -u root -p
3. Create a user that will use the database:
# adduser Snort
4. Grant this user the rights to add alert data to the database:
# echo "grant INSERT,SELECT on Snort_db.* to Snort@localhost;" | mysql -u root -p
5. Use the script shipped with the Snort source (it is not included in the binary RPM package) to create the table structure:
# cat ./contrib/create_mysql | mysql Snort_db
6. Change the Snort configuration file so that Snort logs to the database. In other words, change /etc/Snort.conf as follows:
output database: log, mysql, user=Snort dbname=Snort_db host=localhost
7. Change the Snort init script (/etc/init.d/Snortd) so that Snort runs the following command:
/usr/sbin/Snort -D -l /var/log/Snort -i $INTERFACE -c /etc/Snort/Snort.conf
The location of the Snort logs can be set here. Now Snort can be started with:
# /etc/rc.d/init.d/Snortd start
The IDS is now configured and can log to the database. Check it as follows:
1. Check that the process is running:
# ps ax | grep Snort | grep -v grep
If all is well, you will see a non-empty result. On Linux, the simpler command # ps u `pidof Snort` gives a similar result.
2. Check that Snort detects an attack by running lynx http://www.someLOCALwebserver.com/cmd.exe and then running:
# tail /var/log/Snort/alert
If all is well, you will see an alert message indicating an IIS web attack. Do not run this check over a remote URL connection; try it on your local machine. Make sure the sensor can actually see the attack (the connection must be made across the network monitored by Snort).
A port scan with nmap is another effective test of Snort; it confirms that port-scan detection is enabled and correctly configured. In practice there are many ways to test an IDS. Many people prefer large ICMP packets (which can be produced with a simple ping command) or other methods.

3. Check database logging:
# echo "SELECT count(*) FROM event" | mysql Snort_db -u root -p
If all is well, you will see a non-zero number of records stored in the database.

19.5.2 Alert Viewer Installation

Now let's set up the alert viewer, ACID. ACID (Analysis Console for Intrusion Databases) is a PHP-based application that allows analysis of the Snort data stored in the database.
ACID must be allowed access to the database. Use the following command to do that:
# echo "grant CREATE,INSERT,SELECT,UPDATE,DELETE on Snort_db.* to acid@localhost;" | mysql -u root -p
For better security, SSL should be used to view the alerts. Deploy the SSL packages from the Red Hat installation CD:
# rpm -U /mnt/cdrom/RedHat/RPMS/mod-ssl*rpm
and restart Apache via /etc/init.d/httpd restart.
For still better security, allow only SSL (HTTPS) connections. A host firewall script for the iptables Linux firewall can be used to allow only TCP port 443 (HTTPS) and to refuse TCP port 80 (HTTP).
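As an added example of the host firewall script just mentioned (it is not the book's script and not part of Snort or ACID), the following POSIX shell function emits an iptables policy for the management interface: HTTPS and SSH are accepted only from the administrator's network, plain HTTP is dropped, and everything else on that interface is logged and dropped. The interface name eth0 and the network 192.0.2.0/24 are placeholder defaults, and the SSH rule is an assumption added for remote administration. The sniffing interface carries no IP address, so no rule is needed for it.

```shell
#!/bin/sh
# Added example (not from the book): an iptables policy for the IDS management
# interface. Assumed parameters: $1 = management interface (placeholder default
# eth0), $2 = network of the administrators' consoles (placeholder 192.0.2.0/24).

# Print the rules rather than running them, so they can be reviewed and tested.
fw_rules() {
    mgmt_if=${1:-eth0}
    admin_net=${2:-192.0.2.0/24}
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $mgmt_if -s $admin_net -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $mgmt_if -s $admin_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IDS-MGMT-DROP: "
iptables -A INPUT -j DROP
EOF
}

# Apply the generated rules; must be run as root on the sensor itself.
fw_apply() {
    fw_rules "$@" | sh -e
}

# Usage: fw.sh show [if] [net]   or   fw.sh apply [if] [net]
case "${1:-}" in
    show)  fw_rules "$2" "$3" ;;
    apply) fw_apply "$2" "$3" ;;
esac
```

Because the INPUT policy is DROP, the explicit rule for port 80 only documents the intent from the paragraph above; the LOG rule before the final DROP gives the sensor's own syslog a record of anyone probing the management address. If the database or web server lives on another machine, as the split installation described earlier allows, the port used by that SSL or SSH tunnel needs its own ACCEPT rule restricted to the peer's address.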
Now start the Apache web server and point a browser at the management interface's IP address (or at 127.0.0.1 if the browser runs on the machine itself). The correct address is: http://www.yourSnortServer.com/acid. The ACID software guides you through the initial setup choices; follow the instructions it gives. ACID can be used to view the Snort IDS alerts in different modes, to run searches, and to access the full packet payloads.
If the database setup fails, you can simply forward the alerts to syslog and then use a syslog analysis tool to handle them. Tools such as Snortsnarf exist to summarize and view Snort events.
19.5.3 Tuning the IDS Rules
A full discussion of IDS rule tuning is beyond the scope of this chapter. However, once the rules are in place, we spend a great deal of time on the alerts, analyzing them and trimming the rules accordingly. This approach is better suited to deploying an internal NIDS on a small network. Another solution is to narrow the rule sets so that only the services actually exposed are monitored. This works better for a well-secured DMZ installation whose devices have been inventoried carefully and reliably. In that case, the CodeRed alerts can be dropped entirely, because a Unix web server is not vulnerable to that trivial threat.
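As an added example of the alert review that rule tuning starts from (this is not Snortsnarf and not code from the book), the following POSIX shell function summarizes a Snort alert file in the "full" text format that the tail /var/log/Snort/alert check above displays, counting alerts per signature and per source address. The record layout is assumed from that format, and the sample alerts used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the book, not Snortsnarf): count Snort alerts by
# signature and by source address so the noisiest rules can be reviewed first.
# Assumed record layout of Snort's "full" alert file:
#   [**] [gid:sid:rev] message [**]
#   [Classification: ...] [Priority: n]
#   MM/DD-hh:mm:ss.uuuuuu src[:port] -> dst[:port]
#   ...protocol header lines, then a blank line...
summarize_alerts() {
    awk '
        /^\[\*\*\] \[/ {                          # alert header line
            sig = $2; sub(/^\[/, "", sig); sub(/\]$/, "", sig)   # "[1:1002:5]" -> "1:1002:5"
            msg = $0
            sub(/^\[\*\*\] \[[^]]*\] /, "", msg)   # drop "[**] [gid:sid:rev] "
            sub(/ \[\*\*\][ \t]*$/, "", msg)       # drop trailing " [**]"
            sigs[sig " " msg]++; total++
            next
        }
        $3 == "->" {                              # source line; strip the port, if any
            src = $2; sub(/:[0-9]+$/, "", src); srcs[src]++
            next
        }
        END {
            printf "total %d\n", total; fflush()
            cmd = "sort -k2,2nr -k3"              # count descending, then name
            for (s in sigs) printf "sig %d %s\n", sigs[s], s | cmd
            close(cmd)
            for (s in srcs) printf "src %d %s\n", srcs[s], s | cmd
            close(cmd)
        }' "$1"
}

# Usage: alertsum.sh /var/log/Snort/alert
[ -n "${1:-}" ] && summarize_alerts "$1"
```

The output has three parts: the total, one "sig" line per signature, and one "src" line per source, each sorted by count. A signature that dominates the list but targets a service the protected hosts do not run (IIS rules in front of a Unix-only DMZ, as in the CodeRed case above) is the first candidate for removal from the rule set; a source that dominates the list is the first candidate for closer investigation.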
