
ATHENA NETWORK SECURITY TRAINING CENTER ----------------------oOo---------------------

INTRUSION DETECTION AND PREVENTION SYSTEM

Prepared by:

Nguyen Thanh Danh, Dinh Cong Chinh (Security+ class)

I. Overview of IDS/IPS
1. IDS/IPS concepts
a. Definitions
An Intrusion Detection System (IDS) monitors activity on a network and analyzes it for signs of violations of computer security rules, acceptable-use policies and information security standards. These signs have many possible causes: malware infections, unauthorized intrusion by attackers, end users accessing resources they are not allowed to access, and so on.
An Intrusion Prevention System (IPS) combines the intrusion detection (ID) function with the ability to stop unauthorized intrusions, either by working together with other components such as antivirus and firewalls or by using its own built-in blocking features.
2. Functions of an IDS/IPS
a. Basic applications of an IDS/IPS:
(1) Identify threats that may occur
(2) Record information and logs to support threat management
(3) Identify reconnaissance (probing) activity against the system
(4) Identify weaknesses in the security policy
(5) Prevent security policy violations
b. Main features of an IDS/IPS
(1) Store information about the monitored objects
(2) Alert on important events related to the monitored objects
(3) Block attacks (IPS)
(4) Produce reports
3. Architecture of an IDS/IPS
a. Detection methods
IDS/IPS systems usually use several detection methods, separately or combined, to broaden detection and improve its accuracy. The main methods are:
(1) Signature-based detection compares the characteristics of the observed objects with the signatures of known threats. It is effective against known threats but largely or entirely ineffective against unknown threats, threats that use evasion techniques, and variants of known threats. Signature-based detection cannot track and understand the state of complex communications.
(2) Anomaly-based detection compares definitions of normal activity with the observed objects in order to identify deviations. An anomaly-based IDS/IPS has profiles that characterize the behavior considered normal, built by monitoring the characteristics of typical activity over a period of time.
Once these profiles have been built, the IDS/IPS uses statistical methods to compare the characteristics of current activity with the thresholds defined by the corresponding profile and so detect anomalies. There are two kinds of profile, static and dynamic. A static profile does not change until it is regenerated, so it gradually becomes inaccurate and must be regenerated periodically. A dynamic profile adjusts itself every time additional events are observed, but this very property makes it vulnerable to probes that use evasion techniques: an attacker who increases malicious activity slowly enough can train the profile to accept that activity as normal. The main advantage of anomaly-based detection is that it is very effective at detecting previously unknown threats.

Figure: difference between the anomaly-based and signature-based methods
(3) Stateful protocol analysis compares predetermined profiles of the activity considered normal for each protocol with the observed objects in order to identify deviations. Unlike anomaly-based detection, stateful protocol analysis relies on general profiles supplied by the vendor that specify what a given protocol should and should not do. "Stateful" means that the IDS/IPS understands and tracks the state of network, transport and application protocols that carry state. The drawback of this method is its resource cost, due to the complexity of analyzing and tracking many sessions at the same time. A serious limitation is that stateful protocol analysis cannot detect attacks that do not violate the accepted behavior of the protocol (for example an attack carried inside a well-formed HTTP request).
b. IDS/IPS infrastructure
The main task of an IDS/IPS is to defend computers by detecting an attack and, where possible, repelling it. Detecting hostile attacks depends on the number and type of appropriate actions.
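The signature-based and anomaly-based methods of section 3.a, side by side in working code. This is an added example, not code from the original document or from any IDS product: the two signatures, the "bytes per connection" profile and the traffic values are all constructed here. It shows the two points made above: a signature misses a trivially encoded variant of the very attack it was written for, and a dynamic anomaly profile that learns from the traffic it accepts can be trained by a slow ramp that a static profile still catches.

```python
from __future__ import annotations

import re
from collections import deque

# Constructed signatures for two known attack patterns (byte regexes over the payload).
SIGNATURES = {
    "cgi-bin traversal": re.compile(rb"/cgi-bin/.*\.\./"),
    "x86 NOP sled": re.compile(rb"\x90{16,}"),
}


def signature_detect(payload: bytes) -> list[str]:
    """Signature-based detection: names of the known patterns found in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


class AnomalyDetector:
    """Anomaly-based detection on one numeric feature (here: bytes per connection).

    The profile is a sliding window of values considered normal; the threshold is a
    multiple of the window mean (real products use richer statistics, the drift
    behaviour is the same). A static profile never changes after training; a dynamic
    profile appends every value it accepted and therefore drifts with the traffic.
    """

    def __init__(self, training: list[float], dynamic: bool, factor: float = 1.5):
        self.window = deque(training, maxlen=len(training))
        self.dynamic = dynamic
        self.factor = factor

    def threshold(self) -> float:
        return self.factor * sum(self.window) / len(self.window)

    def observe(self, value: float) -> bool:
        """True if the value is anomalous; a dynamic profile learns only from accepted values."""
        anomalous = value > self.threshold()
        if self.dynamic and not anomalous:
            self.window.append(value)
        return anomalous


def simulate_ramp(dynamic: bool, steps: int = 15, growth: float = 1.1) -> list[int]:
    """An attacker raises the per-connection size by 10% per step from a 100-byte baseline.

    Returns the step numbers at which the detector raised an alert.
    """
    detector = AnomalyDetector(training=[100.0] * 5, dynamic=dynamic)
    value = 100.0
    flagged = []
    for step in range(1, steps + 1):
        value *= growth
        if detector.observe(value):
            flagged.append(step)
    return flagged


if __name__ == "__main__":
    # Constructed payloads: the attack, an encoded variant of it, and a NOP sled.
    print(signature_detect(b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"))          # ['cgi-bin traversal']
    print(signature_detect(b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"))  # [] : evasion by encoding
    print(signature_detect(b"\x90" * 32 + b"\xcc"))                                 # ['x86 NOP sled']
    print("static profile alerts at steps", simulate_ramp(dynamic=False))   # [5, 6, ..., 15]
    print("dynamic profile alerts at steps", simulate_ramp(dynamic=True))   # []
```

The static profile fires from step 5 onwards, when the value first exceeds 150 bytes; the dynamic profile, which re-learns from every step it accepted, never fires and would by the end accept a 500-byte connection. That is the trade-off the text describes: a static profile has to be regenerated to stay accurate, a dynamic one has to be protected from being taught by the attacker.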

Figure: intrusion detection system activities

Intrusion prevention requires a well-chosen combination of "bait and trap" for investigating threats. Diverting the intruder's attention from the systems being protected to decoy systems is the job of a separate type of IDS (the honeypot IDS). Both the real and the decoy systems are monitored continuously and the collected data is examined carefully (this is the main job of every IDS/IPS) in order to detect possible attacks (intrusions). Once an intrusion has been detected, the IDS/IPS sends alerts about the event to the administrator. The next step, taken either by the administrator or by the IDS/IPS itself, is to apply countermeasures (terminating the session, backing up the system, routing the connections to the honeypot IDS, using the legal system, and so on) according to the security policy of the organization.

Figure: intrusion detection system infrastructure


The IDS/IPS is one component of the security policy. Among the various IDS tasks, identifying the intruder is one of the basic ones. It can be useful in incident forensics and in installing the appropriate patches, so that future attacks against particular targets can be detected.

c. Structure and architecture of an IDS/IPS
(1) Basic components
(a) Sensor / agent: monitors and analyzes activity. "Sensor" is normally used for network-based IDS/IPS, while "agent" is used for host-based IDS/IPS.
(b) Management server: a central device that receives information from the sensors/agents and manages them. Some management servers can analyze the event information supplied by the sensors/agents and identify events that an individual sensor/agent cannot identify on its own (event correlation).
(c) Database server: stores the information from the sensors/agents or the management servers.
(d) Console: a program that provides the interface for IDS/IPS users and administrators. It can be installed on an ordinary computer used for administration, or for monitoring and analysis.

(2) Architecture of an IDS/IPS
The sensor is the core element of an IDS/IPS: it is responsible for detecting intrusions because it contains the decision-making mechanism for intrusions. The sensor receives raw data from three main information sources: the IDS's own knowledge base, syslog, and audit trails. This information forms the basis for the later decision process.

Figure: an example IDS; the width of each arrow is proportional to the amount of information moving between the components of the system
The sensor is integrated with the component responsible for data collection, the event generator. Based on the event-generation policy it determines the filtering mode for the event notification information. The event generators (operating system, network, application) produce a policy-consistent set of events, which may be logs or audit records of system events, or packets. This set, together with the policy information, can be stored either on the protected system or outside it. In some cases the data is not stored but passed directly to the analyzer (typically the case for packets).

Figure: main components of an IDS/IPS

IDS/IPS systems can be deployed in two ways: centralized and distributed. A concrete example of centralized deployment is integrating the IDS/IPS with other security components such as a firewall. A distributed deployment (distributed IDS) consists of many IDS/IPS systems in a large network, connected to one another to improve the accuracy of intrusion detection and to provide an appropriate response.
II. Classification of IDS/IPS

Figure: classification of IDS/IPS
1. Host-based IDS/IPS

Figure: placement of a HIDS/IPS in a network

Deployed on each host, usually as a piece of software or an agent, with the aim of monitoring the basic characteristics of and the events related to that host in order to identify suspicious activity. Host-based IDS/IPS is usually deployed on hosts of particular importance (public servers, sensitive data servers) or for an important service (this special case is called application-based IDS/IPS). Deploying HIDS/IPS agents is usually simple because they are software installed directly on the host. Application-based agents are usually deployed inline, directly in front of the host they protect.

Figure: host-based IDS/IPS agent deployment model
One important consideration when deploying a host-based IDS/IPS is the choice between installing an agent on the host and using an agent-based appliance. From the detection and prevention standpoint, installing the agent on the host is recommended, because the agent interacts directly with the host's characteristics and can therefore detect and prevent more effectively. However, an agent is usually compatible with only certain operating systems, and in that case an appliance is used instead. Another reason to use an appliance is that installing an agent on the host can affect the host's performance. A HIDS/IPS provides the following security capabilities:
(1) Logging.
(2) Detection:
(a) Code analysis (analysis of code behavior, buffer-overflow detection, system call monitoring, monitoring of the list of applications and library functions)
(b) Network traffic analysis and filtering
(c) Filesystem monitoring (checking file integrity, attributes and access)
(d) Log analysis
(e) Network configuration monitoring
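The filesystem monitoring listed under (2)(c) above, in the form Tripwire-style agents implement it, as a short added example (not code from the original document or from any of the products named later): take a baseline of cryptographic hashes, sizes and permission bits, then compare a later snapshot against it. The directory tree, the file contents and the "intrusion" that alters them are all constructed inside a temporary directory.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Snapshot every regular file under root: content hash, size and permission bits."""
    snapshot = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        snapshot[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,   # includes setuid/setgid/sticky bits
        }
    return snapshot


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Report files that appeared, disappeared, or whose hash, size or mode changed."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(name for name in common if baseline[name] != current[name]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, snapshot it, simulate an intrusion, and diff the snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in for a binary")
        baseline = build_baseline(root)   # in production: store this off-host or signed

        # Simulated intrusion: extra uid-0 account, trojanised binary, deleted file, new setuid helper.
        with (root / "etc" / "passwd").open("a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/bash\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed stand-in, now trojanised")
        (root / "etc" / "hosts").unlink()
        helper = root / "bin" / "helper"
        helper.write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(helper, 0o4755)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
    # {'added': ['bin/helper'], 'removed': ['etc/hosts'], 'modified': ['bin/ls', 'etc/passwd']}
```

Two practical points the agent products handle and this sketch only hints at: the baseline must be kept where an intruder who gains root on the host cannot rewrite it (off-host, or signed with a key that is not on the host), and mode bits belong in the comparison, because a new setuid file is a change in attributes rather than in content.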

(3) Prevention:
(a) Code analysis: prevent execution of malicious code
(b) Network traffic analysis and filtering: block access, stop malicious code, block unauthorized services or protocols
(c) Filesystem monitoring: prevent access to or modification of the filesystem
(4) Other protection: block access to removable media, host hardening tools, process state monitoring
Representative products: Tripwire, OSSEC, Bro IDS, ISS, Samhain, Prelude-LML, Snort
2. Network-based IDS/IPS

Figure: placement of a NIDS/IPS in a network
Used to monitor and analyze network activity within a segment, analyzing the network and application protocols in order to identify suspicious activity. Usually deployed at network borders. The NIDS/IPS components are usually placed in a separate segment or subnet dedicated to system administration (a management network); where no separate management network exists, a VLAN is needed to protect the connections between the NIDS/IPS components. Besides choosing a suitable network location for the NIDS/IPS components, choosing suitable locations for the sensors is also important and affects the detection capability of the NIDS/IPS. NIDS/IPS sensors come in two forms, appliance-based and software-only, and two deployment types are common:
Inline: an inline sensor is placed so that the network traffic it monitors passes through it, as with a firewall. In practice some inline sensors are used as a hybrid of firewall and NIDS/IPS, others as pure NIDS. The main motivation for deploying sensors inline is that they can stop attacks by blocking network traffic. Inline sensors are usually deployed at the same locations as firewalls and other security devices: the boundaries between networks.

Figure: inline sensor deployment model
Inline sensors can also be deployed in less secure network zones, or in front of security devices or firewalls to protect and offload those devices.
Passive: a passive sensor is deployed so that it monitors a copy of the network traffic. It is usually used to monitor important locations in the network, such as the boundaries between networks and important segments such as the server farm or the DMZ. A passive sensor can obtain the traffic in several ways: a spanning port (mirror port), a network tap, or an IDS load balancer.

Figure: passive sensor deployment model

A NIDS/IPS provides the following security capabilities:
(1) Information gathering:
(a) Host identification
(b) Operating system identification
(c) Application identification
(d) Identification of network characteristics
(2) Logging
(3) Detection:
(a) Reconnaissance and attacks at the application, transport and network layers
(b) Unexpected application services
(c) Policy violations
(4) Prevention:
(a) Passive sensor: terminate the current TCP session (by injecting TCP resets)
(b) Inline sensor: act as an inline firewall, throttle bandwidth usage, strip malicious content
(c) In addition, the prevention function can change the configuration of some security devices and run third-party programs or scripts.
Note on deploying a NIDS/IPS: one point to bear in mind is that the sensors should be deployed in stealth mode. In this mode the sensor's monitoring interfaces have no IP address assigned (only the management interface does), so other hosts cannot initiate connections to the sensor and it stays hidden from attackers. The weak points of a NIDS/IPS are that it is easily affected by attacks involving large volumes of network traffic, and that an inline sensor is a single point of failure.
Comparison of HIDS and NIDS

Feature                              | Comparison
Protection inside the network        | Both types can protect inside a network
Protection outside the network       | NIDS only works in a network environment
Ease of administration, flexibility  | NIDS is less flexible because it is tied to the network infrastructure
Price                                | Choosing HIDS is more economical if it meets the protection requirement
Deployment                           | Both HIDS and NIDS are easy to deploy
Training required                    | NIDS needs more training before it can be used
Cost of ownership                    | HIDS is cheaper over a long period of use
Network bandwidth                    | NIDS consumes network bandwidth, HIDS does not
Added network cost                   | NIDS doubles the network cost
Spanning port                        | NIDS needs a spanning port to see the network traffic
Database update                      | HIDS always updates its clients automatically
Compatibility                        | NIDS works with different platforms
Registry scan                        | HIDS can scan the registry
Logging                              | Both log events
Alerting                             | Both raise alerts
Packet rejection                     | Only NIDS can reject packets
Specialized knowledge required       | NIDS requires more knowledge to install and operate well
Centralized management               | NIDS is more centrally managed
Risk of being disabled               | NIDS is at higher risk because it is a single point of failure
Multiple LAN detection               | HIDS can detect on more network segments than NIDS

In practice a NIDS/IPS is usually placed at the network border to detect attack signatures and limit those attacks at the network level. For important servers and clients, adding a HIDS is necessary to strengthen security, in combination with the NIDS in the same system. Representative products: Snort, ISS, Juniper IDS, TippingPoint IDS, Trustware ipAgent, Cisco IPS, Reflex Security
3. Wireless IDS/IPS
Usually deployed within the wireless coverage area of the system to monitor and analyze the wireless protocols in order to identify suspicious activity. The biggest difference between a NIDS/IPS and a wireless IDS/IPS is that a NIDS/IPS can monitor every packet on the network, whereas a wireless IDS/IPS monitors by sampling the traffic. Sensors in a wireless IDS/IPS use a technique called channel scanning, which means they frequently change the channel being monitored. To support effective monitoring, the sensors can be equipped with several high-power antennas. Wireless sensors come in three forms:
Dedicated: usually passive, operating in radio-frequency monitoring mode, deployed either as a fixed device or as a mobile one (software or device).
Integrated in the access point.
Integrated in the wireless switch.

Figure: wireless IDS/IPS deployment model

The placement of a wireless IDS/IPS is a fundamental issue, entirely different from the placement of the sensors of a NIDS/IPS or HIDS/IPS because of the nature of wireless networks. Wireless IDS/IPS are typically deployed in the open areas of the network (guest and public areas), at positions from which the whole coverage area of the wireless network can be monitored, or to monitor a specific set of bands and channels. A wireless IDS/IPS provides the following security capabilities:
(1) Information gathering:
(a) Identification of wireless devices
(b) Identification of wireless networks
(2) Logging
(3) Detection:
(a) Unauthorized (rogue) wireless networks and devices
(b) Poorly secured wireless devices
(c) Unusual usage patterns
(d) Wireless scanner activity
(e) Denial of service (DoS) attacks, through stateful protocol analysis and anomaly detection
(f) Impersonation and man-in-the-middle attacks
A wireless IDS/IPS can determine the physical location of an identified threat by triangulation: from the signal strength received from the threat at each sensor it computes the threat's position relative to each sensor.
(4) Prevention: dropping the wireless connection, or acting on the switch to block the connection from the access point or station suspected to be the source of the attack.
However, like wireless networks themselves, a wireless IDS/IPS is very sensitive to denial of service attacks and to attacks that use evasion techniques. Representative products: WIDZ, AirMagnet, AirDefense, Snort-Wireless
4. Network Behavior Analysis System (NBAS)
A form of NIDS/IPS deployed in the network to identify threats that generate abnormal traffic flows (DDoS, malware). It is usually used to monitor traffic flows within the internal network, and can also monitor the flows between the internal network and external systems.


Figure: NBAS deployment model
The difference between an NBAS and a NIDS/IPS is that the NBAS analyzes the network traffic, or statistics about it, to identify abnormal traffic flows. An NBAS can be deployed passively or inline. A passive deployment places it at the locations to be monitored, such as network boundaries and important segments. An inline deployment, as with a NIDS/IPS, can place it next to the border firewall, usually in front of it, to reduce the number of attacks that could overload the border firewall.
5. Honeypot IDS

Figure: placement of a honeypot IDS in a network

A type of IDS based on the bait-and-trap method: it creates decoy systems resembling the real ones in order to divert the attacker into the decoys, where the attack can be observed and traced.
III. Installing and configuring a test IDS/IPS with Snort
1. Introduction to Snort
Snort was created in 1998 by Martin Roesch, who later founded Sourcefire and served as its CTO. It is free, open-source software that can detect and prevent unauthorized intrusion into a network, with real-time traffic analysis and packet logging on IP networks. Initially described as a "lightweight" intrusion detection and prevention technology, Snort grew to become the de facto standard for intrusion detection and prevention. With more than 3.7 million downloads and over 250,000 registered users, Snort is the most widely deployed intrusion detection and prevention technology. Snort can perform protocol analysis and content searching, and so detect many kinds of probes and attacks: buffer overflows, stealth port scans, CGI attacks, OS fingerprinting, SMB probes, and so on. To do this Snort uses a rule language that describes the network traffic it should collect or ignore, together with a detection engine built on a modular plug-in architecture. It can also raise alerts in real time through syslog, a user-specified file, a UNIX socket, or WinPopup messages. Snort can be used in three main modes:
- Packet sniffer, like tcpdump
- Packet logger
- Full intrusion detection and prevention system
2. System prerequisites
Operating system: Ubuntu Linux 9
Supporting packages: MySQL, Libnet 1.0.2a, libpcap 0.8, BASE 1.4.4, Barnyard2, Apache
3. Installing Snort
After installing the operating system, suppose we have created a user named ids_usr and logged in. Open a CLI and become root:
sudo bash
Working as root is for convenience during the installation only: it avoids prefixing every command with sudo and gives easy access to the system directories. Snort itself should not be left running as root; once the snort user is created below, start it with the -u snort -g snort switches so that it drops privileges after initialization.

Install the supporting packages:
mysql-client-5.0 mysql-server-5.0 libpcap0.8-dev libmysqlclient15-dev bison flex apache2 libapache2-mod-php5 php5-gd php5-mysql libtool libpcre3-dev php-pear ssh

Open a CLI and run:
apt-get install <package>
where <package> is each of the packages listed above. Then download the following:
Download libnet-1.0.2a.tar.gz from http://www.filewatcher.com/m/libnet1.0.2a.tar.gz.140191.0.0.html
B.A.S.E (Basic Analysis and Security Engine) provides a web interface for querying and analyzing Snort alerts. Download B.A.S.E 1.4.4 from: http://sourceforge.net/projects/secureideas/files/
ADOdb is a database abstraction library that lets PHP work with many different databases. Download ADOdb 5.10 from: http://sourceforge.net/projects/adodb/files/
Register as a Snort user, then download the Snort rules package from: http://www.snort.org/snort-rules . Note that there are two rule packages, one for paying users (the subscription release) and a free one for registered users (the registered-user release). The only difference is that the free package is released 30 days after the paid one.

Assume the downloaded packages are saved on the desktop.
Installing Libnet:
cd /usr/local
tar zxvf /home/ids_usr/Desktop/libnet-1.0.2a.tar.gz
cd Libnet-1.0.2a
./configure && make && make install

Installing Snort:
sudo apt-get install snort-mysql
Notes:
1. When installing Snort with apt-get, remember the database root password when the MySQL setup prompt appears.
2. Besides installing Snort with apt-get, you can download the latest Snort release from http://www.snort.org/downloads (the latest version at the time of writing is 2.8.5.1) and compile it:
cd /usr/local
tar zxvf /home/ids_usr/Desktop/snort-2.8.5.1.tar.gz
cd snort-2.8.5.1
./configure --enable-targetbased --with-mysql && make && make install
(the --with-mysql switch is what builds the MySQL output plugin used in the configuration below)

However, in practice the author ran into a problem with Snort installed by compiling the source: when Snort was run in the later steps, the message "mysql support is not compiled in this build of snort" appeared.
Preparing the working environment for Snort:
mkdir /etc/snort
mkdir /var/log/snort
mkdir /usr/local/lib/snort_dynamicrules
cd /etc/snort
tar zxvf /home/ids_usr/Desktop/snortrules-snapshot-CURRENT_s.tar.gz -C /etc/snort
cp /etc/snort/etc/* /etc/snort
groupadd snort
useradd -g snort snort
chown snort:snort /var/log/snort
touch /var/log/snort/alert
chown snort:snort /var/log/snort/alert
chmod 600 /var/log/snort/alert
cp /etc/snort/so_rules/precompiled/Ubuntu-6.01.1/i386/2.8.4/*.so /usr/local/lib/snort_dynamicrules
cp -R /usr/lib/snort_* /usr/local/lib
(the snort account exists only to run the sensor and needs no login shell; -s /bin/false can be added to the useradd command)

MySQL configuration
MySQL is used as the database for Snort. It is not required to run Snort, but it makes querying events much easier and it is required for B.A.S.E to work.


mysql -p      (enter the DB root password)
create database snort;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('<password>');
exit
cd /usr/local/snort-2.8.5.1/schemas
mysql -p snort < create_mysql
(the snort account is granted only the privileges Snort and Barnyard2 need on the snort database; do not give it DROP, GRANT or privileges on other databases)

Check the database configuration to make sure the Snort database was set up correctly:
mysql -p      (enter the DB root password)
show databases;
Four databases are listed, including snort.
use snort;
show tables;
Sixteen tables are listed.

Editing snort.conf
snort.conf determines how Snort behaves once it is started. The advanced configuration section discusses editing snort.conf in more detail; here we change only a few simple settings.
gedit /etc/snort/snort.conf
Find the line that sets RULE_PATH and change it to /etc/snort/rules
Find the line output log_unified and add the following line below it:
output log_unified2: filename snort.log, limit 128
Note: unified2 selects version 2 of the unified log format, which is the format Barnyard2 reads.
Find the line output database: and add the following line below it:
output database: alert, mysql, user=snort password=<password> dbname=snort host=localhost
Note: once Barnyard2 (configured below) writes the unified2 events to MySQL, this direct database output is redundant: each alert would be inserted twice, and Snort would again block on database writes, which is exactly what Barnyard2 is meant to avoid. Keep only one of the two. Also make snort.conf readable only by root and the snort user, since it now contains the database password.

Configuring the web interface with ADOdb and B.A.S.E
We unpack ADOdb and B.A.S.E into the web root, then configure ADOdb and B.A.S.E.
cd /var/www
pear channel-update pear.php.net
pear install Mail
pear install Mail_Mime
pear install Image_Canvas-0.3.2
pear install Image_Graph-0.7.2
tar zxvf /home/ids_usr/Desktop/adodb510.tgz
tar zxvf /home/ids_usr/Desktop/base-1.4.4.tar.gz
gedit /etc/php5/apache2/php.ini
Find the line error_reporting and check that it is set to:
error_reporting = E_ALL & ~E_NOTICE
Find the Dynamic Extensions section and add these lines inside it:
extension=mysql.so
extension=gd.so
gedit /etc/apache2/apache2.conf
At the end of the file add the line:
ServerName <your servername.domain>
/etc/init.d/apache2 restart

Open a browser and enter the address: http://localhost/base-1.4.4
Click Continue.
Path to the ADOdb directory: /var/www/adodb
Database Name = snort, Database Host = localhost, Database User = snort, Database Password = <password>
Admin User Name = snort, Password = <password>, Full Name = snort
Click Create BASE AG.
If this ends with an error saying the configuration file could not be written, copy the generated content, create the file with gedit and paste it in:
gedit /var/www/base-1.4.4/base_conf.php
Paste and save.
Because B.A.S.E is a web application that holds the database credentials and exposes every alert, restrict access to it (Apache authentication or an allow-list of administrator addresses) rather than leaving it open on the network.
Configuring Barnyard2
Barnyard was written to take over Snort's output processing so that Snort can devote more resources to processing packets.
cd /usr/local
tar zxvf /home/ids_usr/Desktop/barnyard2-1.7.tar.gz
cd barnyard2-1.7
./configure --with-mysql && make && make install
cp /usr/local/barnyard2-1.7/etc/barnyard2.conf /etc/snort
gedit /etc/snort/barnyard2.conf
Find the hostname setting (the sample file uses thor) and replace thor with localhost
Check the interface setting to make sure eth0 is the interface in use
Find the output database line and replace it with:
output database: alert, mysql, user=snort password=<password> dbname=snort host=localhost


Starting Snort and finishing the Barnyard configuration
snort -c /etc/snort/snort.conf -i eth0
Open a second CLI.
mkdir /var/log/barnyard2
ls -la /var/log/snort
Note the 10-digit timestamp suffix of the most recent snort.log file.
gedit /var/log/snort/barnyard.waldo
Add the following content, then save and close the file:
/var/log/snort
snort.log
<the 10 digits noted above>
0
Start Barnyard:
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -G /etc/snort/gen-msg.map -S /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo
The waldo file is Barnyard2's bookmark: it records how far into the unified2 spool Barnyard2 has read, so that a restart does not insert events that are already in the database. Barnyard2 also creates and maintains this file itself when it is missing, so the manual step above is optional.

4. Post-installation testing
Starting Snort and Barnyard2:
snort -c /etc/snort/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo


Figure: running a test scan with GFI against the monitored host

Figure: opening B.A.S.E to view the alerts


Figure: alert list view

Figure: view by category


Figure: details of one alert

Figure: graph display

IV. Advanced Snort configuration
1. Utilities
In this section we look at a few Snort utilities, with the aim of introducing the features that can be integrated so as to get an overall view of Snort as a versatile NIDS/IPS. For that reason the utilities are described only in outline, without going into detail on each one.
a. Automatic Snort rule updates with Oinkmaster
Oinkmaster is a Perl script that updates and manages Snort rules: the official VRT rules, the rules developed by the Snort user community (community rules), and rules developed by third parties.

(1) Installing Oinkmaster
Download Oinkmaster from: http://oinkmaster.sourceforge.net/download.shtml
Open a CLI:
- tar zxvf /home/ids_usr/Desktop/oinkmaster-2.0.tar.gz
- cd /home/ids_usr/Desktop/oinkmaster-2.0
- cp oinkmaster.pl /usr/local/bin
- cp oinkmaster.conf /usr/local/etc
- cp oinkmaster.1 /usr/local/man/man1
(2) Register an account at Snort.org, then go to Get Rules and choose Get Oink Code: https://www.snort.org/account/oinkcode
(3) Edit oinkmaster.conf:
- gedit /usr/local/etc/oinkmaster.conf
- find the url = line and set it to: http://www.snort.org/pubbin/oinkmaster.cgi/5a08f649c16a278e1012e1c/snortrules-snapshot-2.8.tar.gz (here our example oinkcode is 5a08f649c16a278e1012e1c and the Snort version is 2.8)
The oinkcode is a credential tied to the account, so keep oinkmaster.conf readable only by the user who runs the update.
(4) Run Oinkmaster:
oinkmaster.pl -o /etc/snort/rules
Oinkmaster rewrites the rule files in place, so restart Snort (or send it SIGHUP) afterwards to load the new rules, and record local changes to rules in oinkmaster.conf (the disablesid, modifysid and localsid settings) so that the next update does not overwrite them.
b. Alert and sensor management: Snort consoles
In this section we look at some Snort management consoles. Some concentrate on analyzing the information Snort collects; others also include rule updating and editing of the rule configuration. The consoles considered are:
- SnortSnarf
- Cerebus
- ACID (whose newer version, used above, is B.A.S.E)
- SnortCenter
o SnortSnarf: a Perl script that collects information from Snort and presents it as HTML that is easy to browse.


Advantages: free, simple, and gives an overall view of the situation.
Disadvantages: slow when analyzing large alert files, and produces many HTML files. Unfortunately SnortSnarf is no longer developed or supported.
o Cerebus: a tool developed by Dragos Ruiu that allows browsing, aggregating and managing Snort alerts. Its greatest strength is aggregating reports from several alert files, which gives administrators of large networks an overview and makes working with large numbers of alerts easier. Cerebus can be downloaded from: http://www.dragos.com/cerebus/download.html

Advantages: fast, runs on several platforms (*nix, Win32), and is a good tool for aggregating and classifying alerts.
Disadvantages: shareware, has no management functions, and requires some skill to use.
o B.A.S.E: provides a web front end for querying and analyzing the alerts collected by Snort (see the demo above).
Advantages: supported by the Snort community with complete documentation, works with the database, and provides a complete front end for Snort.
Disadvantages: being web-based, it increases the attack surface.


o SnortCenter: a client-server management tool with a web interface that helps configure Snort and update its rules. SnortCenter provides a visual, simple and secure way to manage Snort (configuration and updates). Main features:
- Automatic Snort rule updates
- Stop and start Snort
- Create and edit rules
- Create Snort templates
- Runs on different platforms
- Works with SnortSam
- One-to-many client-server architecture
- Works with the database


c. IPS plugins
(1) Snort Inline
Snort Inline is a modified Snort package that takes packets from iptables, analyzes them, and uses the new rule actions drop, sdrop and reject to tell iptables what to do next (discard, reject, modify or let the packet through) according to the Snort rules. Snort Inline can be installed in two ways:
- use ./configure --enable-inline when compiling Snort from source
- download the complete package from http://snort-inline.sourceforge.net/
As mentioned, Snort Inline works together with iptables to provide a complete NIDS/IPS, so iptables must be deployed as well, which can be difficult if the system uses a different firewall.
(2) SnortSam
SnortSam is an agent with a function similar to Snort Inline: when Snort detects a violation, it sends an alert with the given blocking conditions to one or more SnortSam agents installed on, or connected to, the firewall, and the agent asks the firewall to block the connection. SnortSam is actively developed and works with firewalls from more and more vendors: Check Point, Cisco, Juniper, xBSD ipfw, *nix iptables, MS ISA Server. SnortSam can be downloaded from: http://www.snortsam.net/
Because a SnortSam block is triggered by a rule match, an attacker who spoofs the source address of a triggering packet can get legitimate addresses blocked. Rules that drive SnortSam should therefore be limited to established TCP flows, and addresses that must never be blocked (gateways, DNS servers, the management network) belong in SnortSam's white-list (the dontblock setting).
2. Snort switches
USAGE: snort [-options] <filter options>
Options:
-A               Set alert mode: fast, full, console, test or none (alert file alerts only); "unsock" enables UNIX socket logging (experimental)
-b               Log packets in tcpdump format (much faster!)
-B <mask>        Obfuscate IP addresses in alerts and packet dumps using CIDR mask
-c <rules>       Use Rules File <rules>
-C               Print out payloads with character data only (no hex)
-d               Dump the Application Layer
-D               Run Snort in background (daemon) mode
-e               Display the second layer header info
-f               Turn off fflush() calls after binary log writes
-F <bpf>         Read BPF filters from file <bpf>
-g <gname>       Run snort gid as <gname> group (or gid) after initialization
-G <0xid>        Log Identifier (to uniquely id events for multiple snorts)
-h <hn>          Home network = <hn>
-H               Make hash tables deterministic
-i <if>          Listen on interface <if>
-I               Add Interface name to alert output
-k <mode>        Checksum mode (all,noip,notcp,noudp,noicmp,none)
-K <mode>        Logging mode (pcap[default],ascii,none)
-l <ld>          Log to directory <ld>
-L <file>        Log to this tcpdump file
-M               Log messages to syslog (not alerts)
-m <umask>       Set umask = <umask>
-n <cnt>         Exit after receiving <cnt> packets
-N               Turn off logging (alerts still work)
-o               Change the rule testing order to Pass|Alert|Log
-O               Obfuscate the logged IP addresses
-p               Disable promiscuous mode sniffing
-P <snap>        Set explicit snaplen of packet (default: 1514)
-q               Quiet. Don't show banner and status report
-r <tf>          Read and process tcpdump file <tf>
-R <id>          Include 'id' in snort_intf<id>.pid file name
-s               Log alert messages to syslog
-S <n=v>         Set rules file variable n equal to value v
-t <dir>         Chroots process to <dir> after initialization
-T               Test and report on the current Snort configuration
-u <uname>       Run snort uid as <uname> user (or uid) after initialization
-U               Use UTC for timestamps
-v               Be verbose
-V               Show version number
-w               Dump 802.11 management and control frames
-X               Dump the raw packet data starting at the link layer
-x               Exit if Snort configuration problems occur
-y               Include year in timestamp in the alert and log files
-Z <file>        Set the perfmonitor preprocessor file path and name
-?               Show this information

3. Snort rules
Marty Roesch, the author of Snort, chose from the outset a simple, extensible syntax for writing rules. This allowed Snort users around the world to create one of the most comprehensive signature sets available for any IDS. Each rule can be modified individually, so that the modified rule fits the network infrastructure Snort is protecting ever more closely. Rules can also be written from scratch and used with Snort, which lets users customize the rule set and makes Snort a really practical security application. When writing a Snort rule, remember that we are really creating a signature for a kind of network traffic; the goal of the signature is to detect a particular kind of traffic by comparing other traffic against it, so there is always some gap between the traffic we want the rule to fire on and what it actually matches (false positives and false negatives).
a. Main components
(1) Rule header
The rule header specifies the action, the protocol, and the IP addresses and ports monitored by the signature. Syntax:
rule_action protocol source_address_range source_port_range direction_operator destination_address_range destination_port_range


(a) Rule action: the first field; it determines what Snort does with packets that match the rule. The options are:
(i) alert
(ii) log
(iii) pass
(iv) drop (an action specific to Snort Inline, together with sdrop and reject)
(b) Protocol: Snort supports four protocols in the rule header: tcp, udp, icmp and ip (ip matches any IP protocol).
(c) Direction operator: tells Snort in which direction the rule applies. There are two: -> and <>
(d) Source and destination IP addresses: Snort accepts addresses in several forms: a network with a netmask in CIDR notation, a list mixing networks and individual addresses, a variable (e.g. $EXTERNAL_NET), or negation with ! (e.g. !192.168.1.0/24)
(e) Source and destination ports: a single port, a port range, or negation
(2) Rule options
The rule options are the signature proper and are the part of the rule that matters most. The signature is specified with one or more option keywords, which together build the signature for the network traffic we want Snort to watch for. The option keywords fall into 8 categories:
(a) Content-related options
The most important option keywords are those that check content. They are used to look for a particular pattern in the packet payload. Content-related options appear in roughly 75% of the Snort rule set, but they must be used carefully because they are expensive. The search region in the payload is therefore usually narrowed with the offset, depth and flow keywords. The content keywords are:
- content
- uricontent
- content-list
- nocase
- offset
- depth
- regex (superseded by pcre in Snort 2.x)


(b) Session-related keywords
- flow: the direction of the traffic within a session (to_client, to_server, from_client, from_server); the rule can also be restricted to a state of the TCP session with established or stateless.
- session
(c) IP-related keywords
These test fields of the IP header:
- ttl
- tos
- id
- ipopts (eol, sec, nop, ts, satid, rr, lsrr, ssrr)
- fragbits (M - More Fragments, D - Don't Fragment, R - Reserved bit; with the modifiers +, - and !)
- dsize
- ip_proto: the IP protocol number, for example:
    0   IP
    1   ICMP
    2   GGP
    6   TCP
    8   EGP
    12  PUP
    17  UDP
    22  IDP
- sameip
- fragoffset

(d) TCP-related keywords
- flags: the TCP flags to test for:
    F  FIN
    S  SYN
    A  ACK
    R  Reset
    P  Push
    U  Urgent
    0  No TCP flags set
    1  Reserved bit #1
    2  Reserved bit #2
- seq
- ack


(e) ICMP-related keywords
- itype: the ICMP message type:
    0        Echo reply
    1        Unassigned
    2        Unassigned
    3        Destination unreachable
    4        Source quench
    5        Redirect
    6        Alternate host address
    7        Unassigned
    8        Echo
    9        Router advertisement
    10       Router selection
    11       Time exceeded
    12       Parameter problem
    13       Timestamp
    14       Timestamp reply
    15       Information request
    16       Information reply
    17       Address mask request
    18       Address mask reply
    19-29    Reserved (for robustness experiment)
    30       Traceroute
    31       Datagram conversion error
    32       Mobile host redirect
    33       IPv6 where-are-you
    34       IPv6 I-am-here
    35       Mobile registration request
    36       Mobile registration reply
    37-255   Reserved
- icode: the ICMP code, whose meaning depends on the type:
    Destination unreachable (type 3)
      0   Net unreachable
      1   Host unreachable
      2   Protocol unreachable
      3   Port unreachable
      4   Fragmentation needed and DF bit set
      5   Source route failed
      6   Destination network unknown
      7   Destination host unknown
      8   Source host isolated
      9   Communication with destination network is administratively prohibited
      10  Communication with destination host is administratively prohibited
      11  Destination network unreachable for TOS
      12  Destination host unreachable for TOS
    Redirect (type 5)
      0   Redirect datagram for the network
      1   Redirect datagram for the host
      2   Redirect datagram for the TOS and network
      3   Redirect datagram for the TOS and host
    Alternate host address (type 6)
      0   Alternate address for host
    Time exceeded (type 11)
      0   Time to live exceeded in transit
      1   Fragment reassembly time exceeded
    Parameter problem (type 12)
      0   Pointer indicates the error
      1   Missing a required option
      2   Bad length
- icmp_id
- icmp_seq

(f) Response option keywords
These set how Snort reacts when a rule matches:
- msg
- logto
- resp (used with the Flexible Response module, FlexResp)
- react (block, warn, msg, proxy)
- tag (type, count, metric, direction)
(g) Meta option keywords
- reference: links the rule to an external advisory. The reference systems and the URL prefix each one expands to:
    bugtraq    http://www.securityfocus.com/bid/
    cve        http://cve.mitre.org/cgi-bin/cvename.cgi?name=
    arachnids  http://www.whitehats.com/info/IDS
    mcafee     http://vil.nai.com/vil/dispVirus.asp?virus_k=
    url        http://
- sid: the unique identifier of the rule. The ranges are:
    < 100            reserved for future use
    100 - 999,999    rules distributed with Snort
    >= 1,000,000     locally written rules
- rev
- classtype
- priority
(h) Other keywords
(i) rpc
(ii) rawbytes
b. Writing and modifying Snort rules
(1) The main approaches
- Modify an existing rule
- Write a rule from knowledge of the network and its systems
- Write a rule by analysing network traffic


(2) A basic example of writing and tuning a Snort rule
To write or modify a Snort rule so that it is effective and fires only on the traffic we want, studying the traffic and finding its distinguishing attributes is essential. A single attribute may not fully specify the traffic, but the set of attributes must be a specification complete enough to tell it apart from everything else.
Take the traffic of a Cross-site scripting (XSS) attack as an example. Cross-site scripting is an attack on web sites that lets malicious code be injected into dynamically generated pages. If the site does not validate user input, an attacker can inject code that makes the web application behave abnormally. XSS is commonly used to steal cookies (which are used for authentication), to reach parts of the application that should not be accessible, or to attack the web application itself.
The key point of an XSS attack is that a scripting tag is injected into a page. That is the characteristic we can use to write a rule. The tags usually injected are <SCRIPT>, <OBJECT>, <APPLET> and <EMBED>. Suppose we choose to look for the <SCRIPT> tag.
First, create a rule that fires when network traffic contains <SCRIPT> in its payload:
alert tcp any any -> any any (content:"<SCRIPT>"; msg:"WEB-MISC XSS attempt";)
When an XSS attack occurs this rule fires. But it also fires on ordinary traffic, for example when a user sends an e-mail containing JavaScript, which produces a false positive. To avoid that, the rule must be changed so that it fires only on web traffic:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (content:"<SCRIPT>"; msg:"WEB-MISC XSS attempt";)
With this change the rule detects traffic containing <SCRIPT> only within HTTP sessions: it fires when traffic from the external network ($EXTERNAL_NET) is sent to the web servers ($HTTP_SERVERS) on the ports the HTTP service runs on ($HTTP_PORTS). However, once this rule is loaded we will still see false positives whenever a page that contains JavaScript is requested. So the rule has to be refined further by looking for attributes specific to XSS traffic.
An XSS attack happens when the user puts a <SCRIPT> tag in a request sent to the server; if the server sends a <SCRIPT> tag in a response, that is usually normal traffic. The rule can therefore be refined as follows:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC XSS attempt"; flow:to_server,established; content:"<SCRIPT>";)


Here we use the flow option keyword from the session-related group, which relies on Snort's TCP stream reassembly to identify the direction of the traffic. The two arguments to_server and established restrict the rule to established sessions flowing from the client to the server, which is exactly the characteristic of an XSS attack.
We now have a rule that identifies the characteristic of XSS traffic. To stop an attacker from evading it with a simple evasion technique such as changing the case of the tag (<ScRiPT>, <script>, and so on), we add the nocase (case-insensitive) keyword from the content-related group; a priority can be set with the priority meta keyword in the same way if the alert should rank differently from its default:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC XSS attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase;)
With that, the rule for detecting XSS attacks is complete. Two caveats before deploying it: nocase only covers changes of case, so an attacker can still encode the tag (for example as %3Cscript%3E in the URL), which a plain content match will not see and which the uricontent keyword with Snort's HTTP normalisation is meant for; and the rule should carry a sid and rev (see the meta option keywords above) so that its alerts can be traced back to the rule and its revision.
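As an added example (it is not part of the handout, nor Snort's own code), the Python script below implements a toy parser for the rule header and option syntax laid out in section a. and runs the four versions of the XSS rule from this section against a few constructed packets, so that the effect of each refinement can be checked. The snort.conf variable values, the packet contents and the sid 1000001 are assumptions made for the example; only the content, nocase and flow keywords are evaluated, and the parser does not handle escaped semicolons inside content, so it is a model of the syntax rather than a substitute for Snort.

```python
"""Toy Snort rule parser and matcher (an added example, not code from the handout
or from Snort).  It parses the header/option syntax described above and runs the
successive XSS rules against constructed packets.  Only content, nocase and flow are
evaluated; real Snort also reassembles streams, normalises HTTP, supports pcre, etc."""
import ipaddress

ACTIONS = {"alert", "log", "pass", "drop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
# Assumed snort.conf variable values (constructed for this example).
VARS = {"$EXTERNAL_NET": "!192.168.1.0/24", "$HTTP_SERVERS": "192.168.1.0/24", "$HTTP_PORTS": "80"}

def parse_rule(text):
    """Split a rule into its seven header fields and an ordered option list."""
    head, sep, body = text.strip().partition("(")
    fields = head.split()
    if not sep or not body.endswith(")") or len(fields) != 7:   # e.g. protocol missing
        raise ValueError("malformed rule: %r" % text)
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS or proto not in PROTOCOLS or direction not in DIRECTIONS:
        raise ValueError("bad action, protocol or direction: %r" % head)
    options = []
    for item in body[:-1].split(";"):        # toy: escaped ';' inside content not handled
        if item.strip():
            key, _, val = item.strip().partition(":")
            options.append((key.strip(), val.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def addr_match(spec, ip):
    """'any', a $variable, a CIDR range, or a '!' negation of one of those."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    """'any', a $variable, a single port, a low:high range, or a '!' negation."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_match(spec[1:], port)
    low, sep, high = spec.partition(":")
    return (int(low or 0) <= port <= int(high or 65535)) if sep else port == int(spec)

def header_match(rule, pkt):
    if rule["proto"] not in (pkt["proto"], "ip"):
        return False
    def one_way(s, sp, d, dp):
        return (addr_match(rule["src"], s) and port_match(rule["sport"], sp)
                and addr_match(rule["dst"], d) and port_match(rule["dport"], dp))
    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    # '<>' also accepts the reverse direction; '->' does not
    return forward or (rule["direction"] == "<>"
                       and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))

def options_match(rule, pkt):
    contents = []                  # [pattern, nocase]; nocase modifies the preceding content
    for key, val in rule["options"]:
        if key == "content":
            contents.append([val, False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
        elif key == "flow":        # direction and state of the session the packet belongs to
            flags = {f.strip() for f in val.split(",")}
            if (("to_server" in flags and not pkt["from_client"])
                    or ("to_client" in flags and pkt["from_client"])
                    or ("established" in flags and not pkt["established"])):
                return False
        # msg, sid, rev, classtype, ... carry no match condition
    return all((p.lower() in pkt["payload"].lower()) if nc else (p in pkt["payload"])
               for p, nc in contents)

def evaluate(rule_text, packets):
    """Indices of the packets that trigger the rule."""
    rule = parse_rule(rule_text)
    return [i for i, p in enumerate(packets) if header_match(rule, p) and options_match(rule, p)]

def packet(src, sport, dst, dport, payload, established=True, from_client=True):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport,
                payload=payload, established=established, from_client=from_client)

# Constructed traffic: 203.0.113.0/24 is the outside, 192.168.1.0/24 the protected network.
SAMPLE = [
    packet("203.0.113.7", 51234, "192.168.1.10", 80, "GET /s?q=<SCRIPT>alert(1)</SCRIPT> HTTP/1.1\r\n"),  # 0 XSS
    packet("203.0.113.7", 51235, "192.168.1.10", 80, "GET /s?q=<ScRiPt>alert(1)</ScRiPt> HTTP/1.1\r\n"),  # 1 XSS, mixed case
    packet("203.0.113.9", 40000, "192.168.1.25", 25, "Subject: how do I use <SCRIPT> tags?\r\n"),          # 2 e-mail over SMTP
    packet("203.0.113.7", 51236, "192.168.1.10", 80, "<SCRIPT>", established=False),                      # 3 stray, no session
    packet("203.0.113.7", 51237, "192.168.1.10", 80, "GET /index.html HTTP/1.1\r\n"),                     # 4 benign request
]

HDR = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS "
RULE_NAIVE = 'alert tcp any any -> any any (content:"<SCRIPT>"; msg:"WEB-MISC XSS attempt";)'
RULE_HTTP = HDR + '(content:"<SCRIPT>"; msg:"WEB-MISC XSS attempt";)'
RULE_FLOW = HDR + '(msg:"WEB-MISC XSS attempt"; flow:to_server,established; content:"<SCRIPT>";)'
RULE_FINAL = HDR + '(msg:"WEB-MISC XSS attempt"; flow:to_server,established; content:"<SCRIPT>"; nocase; sid:1000001; rev:1;)'
```

Calling evaluate(rule, SAMPLE) for the four rules in turn gives [0, 2, 3], [0, 3], [0] and [0, 1]: the naive rule also fires on the SMTP message and on the stray packet, restricting the header drops the SMTP message, flow:to_server,established drops the packet that belongs to no session, and nocase finally catches the mixed-case <ScRiPt> variant. Feeding parse_rule the header "alert $EXTERNAL_NET any -> ..." with the protocol left out raises ValueError, which is the kind of mistake Snort itself rejects at load time.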

----------------------o00-----------------------
