
Snort is a free, open-source network intrusion detection system (NIDS).

A NIDS is one kind of intrusion detection system (IDS); it is used to scan the data moving across a network. There are also host-based intrusion detection systems, which are installed on a particular host and detect only the attacks aimed at that host. Although all intrusion detection methods are still new, Snort is regarded as the best system available today.
A complete system can be represented as follows:

Figure 1: Block diagram of an intrusion detection system consisting of Snort, MySQL, Apache, ACID, PHP, the GD library and PHPLOT.

As the figure shows, data is captured and analysed by Snort. Snort then stores the data in a MySQL database using an output plug-in. The Apache web server, with ACID, PHP, the GD library and PHPLOT, presents this data in the browser when a user connects to the server. The user can run many different kinds of queries to analyse the data.
Snort is primarily a rule-based IDS; however, input plug-ins also exist to detect anomalies in protocol headers.
Snort uses rules stored in text files that the administrator can edit. Rules are grouped into categories, and the rules belonging to each category are kept in separate files. Snort's main configuration file is snort.conf. Snort reads these rules at start-up and builds the data structures that apply the rules to captured data. Finding signatures and turning them into rules is a delicate matter, because the more rules you use, the more processing power is needed to keep up with the data captured in practice. Snort ships with a set of predefined rules for detecting intrusion activity, and you can also add rules of your own. You can also remove some of the predefined rules to avoid false alarms.
Like viruses, most intrusion activity has some signature. Information about these signatures is used to create Snort rules. You can use honeypots to learn what intruders are doing and to gather information about their tools and techniques. In addition, there are databases of the vulnerabilities that intruders want to exploit. These known attack methods can also be used as signatures to detect someone trying to attack your system. Signatures may be present in packet headers. A Snort-based intrusion detection system relies on rules, and Snort rules can be used to check many different parts of a packet.
A rule can be used to generate an alert message, to log a message, or, in Snort terms, to pass the packet. Most Snort rules are written on a single line. However, you can also extend a rule over several lines by placing a backslash character at the end of each line. Rules are usually placed in a configuration file, typically snort.conf. You can also use several files by including them from one main configuration file.
The first bad rule
In fact, this may be the worst rule ever written, but it does a very good job of testing whether Snort is working and able to generate alerts.
alert ip any any -> any any (msg: "IP Packet detected";)
You can put this rule at the end of the snort.conf file when you first install Snort. It generates an alert for every IP packet captured, so it will fill up disk space very quickly if you leave it in place. The rule is bad because it conveys no information at all. So why use it? Because the first time round it lets you check that Snort is installed correctly. In the sections that follow, you will find information about the different parts of a Snort rule.
The next rule generates an alert for every ICMP packet.
alert icmp any any -> any any (msg: "ICMP Packet found";)
Structure of a rule
All Snort rules have two main parts: the header and the options.

The header contains information about the action the rule will take. It also contains the criteria for matching the rule against a packet.
The options part usually contains an alert message and information about which part of the packet is used to generate the alert. A rule can detect one or more kinds of intrusion.
Snort rule header
The general structure of the header is as follows:
action protocol address port direction address port
Where:
Action: determines the kind of action taken when a criterion is matched and the rule matches the data packet. Typical actions are generating alerts or writing log messages.
Protocol: used to apply the rule only to packets of a specific protocol. This is the first criterion mentioned in the rule. Some of the protocols used are IP, ICMP, UDP and so on.
Address: determines the source and destination addresses. An address may be that of a single host, of several hosts, or a network address. Note that a rule has two addresses: the source address and the destination address.
Port: applies in the case of TCP or UDP, and determines the source and destination ports of the packets to which the rule applies. For the network-layer protocols IP and ICMP, port numbers have no meaning.
Direction: determines which address and port are treated as the source and which as the destination.
For example, consider the following rule. It generates an alert message whenever it detects an ICMP ping packet (ICMP ECHO REQUEST) with a TTL of 100:
alert icmp any any -> any any (msg: "Ping with TTL=100"; \
ttl: 100;)
The part before the opening parenthesis is the rule header; the part inside the parentheses is the options. The header contains the following information:
Rule action: in this rule the action is alert, meaning an alert is generated when the packet matches the signature. Remember that the packet is also logged by default when an alert is generated. Depending on the action, the options part of the rule may contain additional criteria.
Protocol: in this rule the protocol is ICMP, meaning the rule applies only to ICMP packets. In Snort's detection engine, if a packet's protocol is not ICMP, the rest of the packet is not examined, which saves CPU time. The protocol part plays an important role when you want to apply a Snort rule only to packets of particular types.
Source address and source port: in this example both are any, meaning the rule applies to all packets from any source. Of course the port number has no relevance for ICMP packets; port numbers only matter when the protocol is TCP or UDP.
Direction: in this case the direction is set from left to right using the -> symbol. This indicates that the address and port on the left-hand side are the source and those on the right-hand side are the destination. It also means the rule applies to packets travelling from the source to the destination. You can also use the <- symbol to reverse the meaning of source and destination. Note that the <> symbol can also be used to apply the rule in both directions.
Destination address and destination port: in this example both are any, meaning the rule applies to all packets going to any destination. The direction part plays no role in this rule, since the rule applies to all ICMP packets travelling in either direction because of the any keyword in both the source and destination parts.
Rule options
The rule options follow the rule header and are enclosed in parentheses. There may be one or more options, separated by semicolons. If you use several options, they form a logical AND: the action in the rule header is taken only when all of the options are true. Every option is defined by a keyword.

Some options also take arguments. In general, an option has two parts: a keyword and an argument. The argument is separated from the keyword by a colon. For example:
msg: "Detected confidential";
In this option, msg is the keyword and "Detected confidential" is its argument.
The following are the keywords used in the options part of Snort rules.
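As an added example (not code from the original text or from the Snort project), the following Python parser implements the rule layout described above: the seven header fields, backslash line continuation, the semicolon-separated keyword:argument options, and a header matcher in which any is a wildcard and <> is tried in both directions. The parser accepts the two direction operators Snort's manual documents, -> and <>; the packet dict layout and the sample values are assumptions made for the example.

```python
import re

# Header fields in the order the page lists them.
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port")

def join_continuations(text):
    """Join lines ending in a backslash, as Snort does when reading a rules file."""
    return re.sub(r"\\\s*\n\s*", " ", text)

def parse_rule(text):
    """Split one rule into a header dict and an ordered list of (keyword, argument) options."""
    rule = join_continuations(text).strip()
    m = re.fullmatch(r"([^(]+)\((.*)\)", rule, re.S)  # header, then "(options)"
    if not m:
        raise ValueError("rule needs a header followed by (options)")
    fields = m.group(1).split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("header needs exactly %d fields" % len(HEADER_FIELDS))
    header = dict(zip(HEADER_FIELDS, fields))
    if header["direction"] not in ("->", "<>"):
        raise ValueError("direction must be -> or <>")
    options = []
    # Options are separated by ';'; a ';' inside a quoted argument must not split.
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', m.group(2)):
        raw = raw.strip()
        if raw:
            keyword, _, argument = raw.partition(":")
            options.append((keyword.strip(), argument.strip().strip('"') or None))
    return header, options

def header_matches(header, pkt):
    """Apply a parsed header to a packet dict: 'any' is a wildcard, '<>' tries both directions."""
    if header["protocol"] not in ("any", pkt["protocol"]):
        return False  # wrong protocol: Snort examines nothing else in the packet
    def side(ip_key, port_key, ip, port):
        return (header[ip_key] in ("any", ip)
                and header[port_key] in ("any", str(port)))
    forward = (side("src_ip", "src_port", pkt["src_ip"], pkt.get("src_port"))
               and side("dst_ip", "dst_port", pkt["dst_ip"], pkt.get("dst_port")))
    if header["direction"] == "->" or forward:
        return forward
    return (side("src_ip", "src_port", pkt["dst_ip"], pkt.get("dst_port"))
            and side("dst_ip", "dst_port", pkt["src_ip"], pkt.get("src_port")))

# Constructed sample: the page's two-line ICMP rule and a packet for it to match.
SAMPLE_RULE = 'alert icmp any any -> any any (msg: "Ping with TTL=100"; \\\nttl: 100;)'
SAMPLE_PKT = {"protocol": "icmp", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "ttl": 100}
```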

ack
ack: <number>;
The TCP header contains a 32-bit Acknowledgement Number field. This field indicates the next sequence number the sender expects. It is meaningful only when the ACK flag in the TCP header is set.
classtype
Rules can be classified and given a priority within a group. To understand the classtype keyword better, look at the classification.config file referenced from snort.conf. Each line in it has the following syntax:
config classification: name,description,priority
name: the name used for the classification. This name is used with the classtype keyword in Snort rules.
description: a short description of the classification type.
priority: the default priority of the classification, which can be overridden with the priority keyword. The lower the number, the higher the priority.
content
content: <straight text>; content: <hex data>;
An important feature of Snort is its ability to find a data pattern inside a packet. The pattern may be an ASCII string or hexadecimal characters. Like viruses, intruders also have signatures, and the content keyword can find those signatures in packets. Because Snort version 1.x does not understand application-layer protocols, this keyword, together with the offset keyword, can also be used to examine application-layer headers.
offset
offset: <value>;
The offset keyword is used in combination with the content keyword. With it, you can start the search from a specified position relative to the start of the packet. A number is used as the argument to this keyword.
depth
depth: <value>;
The depth keyword is also used with the content keyword, to set an upper limit on the pattern match. With it, you specify a position relative to the start; data beyond that position is not searched for the pattern. If you use both the offset and depth keywords, you can define a range of data within which the pattern match is performed.
nocase
nocase;
The nocase keyword is used in combination with the content keyword. It takes no argument. Its purpose is to make the search case-insensitive.
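As an added example (not code from the original text or from Snort), the following Python shows how the content, offset, depth and nocase keywords described above combine: a content argument is decoded (text outside |...| as ASCII, inside as hex bytes), offset and depth bound the search window, nocase lowercases both sides, and several content checks in one rule are ANDed. The payload and option list are constructed for the example.

```python
def parse_content_pattern(pattern):
    """Turn a content argument into bytes: text outside |...| is ASCII, inside it is hex."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

def content_matches(payload, pattern, offset=0, depth=None, nocase=False):
    """Search payload for pattern inside the window that offset and depth define."""
    needle = parse_content_pattern(pattern)
    # offset: where the search starts; depth: how many bytes from there may be examined.
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    if nocase:
        window, needle = window.lower(), needle.lower()
    return window.find(needle) != -1

def rule_content_checks_pass(options, payload):
    """Evaluate a rule's content options with AND logic. offset, depth and nocase
    are modifiers: each one applies to the content keyword that precedes it."""
    checks, current = [], None
    for keyword, argument in options:
        if keyword == "content":
            current = {"pattern": argument, "offset": 0, "depth": None, "nocase": False}
            checks.append(current)
        elif keyword in ("offset", "depth") and current is not None:
            current[keyword] = int(argument)
        elif keyword == "nocase" and current is not None:
            current["nocase"] = True
    return all(content_matches(payload, **c) for c in checks)

# Constructed sample payload: the start of an HTTP request to a CGI script.
SAMPLE_PAYLOAD = b"GET /cgi-bin/test.cgi HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# Options as they would appear in a rule: (keyword, argument) pairs in rule order.
SAMPLE_OPTIONS = [("content", "cgi-bin"), ("offset", "5"), ("depth", "8"),
                  ("content", "|48 54 54 50|"), ("nocase", None)]
```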
content-list
content_list: <filename>;
The content-list keyword takes the name of a file as its argument. The file contains a list of strings to be searched for in a packet, with each string on its own line.
dsize
dsize: [<|>] <number>;
The dsize keyword is used to test the length of the data part of a packet. Many attacks exploit buffer overflows by sending large packets. Using this keyword, you can find packets whose data length is larger or smaller than a specified number.
flags
flags: <flags>;
The flags keyword is used to find out which flag bits are set in the TCP header of a packet. Each flag can be used as an argument to the flags keyword in a Snort rule. These flag bits are used by many security tools for various purposes, including port scanners such as nmap (http://www.nmap.org).
fragbits
fragbits: <flag_settings>;
Using this keyword, you can find out whether the RB (Reserved Bit), DF (Don't Fragment) and MF (More Fragments) bits in the IP header are set.
icmp_id
icmp_id: <number>;
The icmp_id option is used to detect a specific ID used with an ICMP packet.
icmp_seq
icmp_seq: <hex_value>;
The icmp_seq option is similar to the icmp_id keyword.
itype
itype: <number>;
The ICMP header follows the IP header and contains a type field. The itype keyword is used to detect attacks that use the type field in the ICMP header of a packet.
icode
icode: <number>;
In an ICMP packet, the ICMP header follows the IP header. It contains a code field. The icode keyword is used to match the code field in the ICMP packet header.
id
id: <number>;
The id keyword is used to match the fragment ID field of the IP packet header. Its purpose is to detect attacks that use a fixed ID number.
ipopts
ipopts: <ip_option>;
The basic IPv4 header is 20 bytes long. Options can be appended to the end of this header, and the options part can be up to 40 bytes long. Options are used for various purposes, including:
Record Route (rr)
Time Stamps (ts)
Loose Source Routing (lsrr)
Strict Source Routing (ssrr)
ip_proto
ip_proto: [!] <name or number>;
The ip_proto keyword uses the IP Proto plug-in to check the protocol number in the IP header. The keyword takes a protocol number as its argument. You can also use a protocol name if it can be resolved through the /etc/protocols file.
logto
logto: <file_name>;
The logto keyword is used to log packets to a special file.
msg
msg: <sample message>;
The msg keyword is used to add a text string to logs and alerts. You add the message in double quotes after this keyword.
priority
priority: <priority integer>;
The priority keyword assigns a priority to a rule.
react
react: <react_basic_modifier[, react_additional_modifier...]>;
The react keyword is used with a rule to terminate a session or to block certain locations or services. Not all options to this keyword work. To use the react keyword, you should compile Snort with the --enable-flexresp option to the configure script.
reference
reference: <id system>,<id>;
The reference keyword can add a reference to information that exists on other systems on the network. It plays no role in the detection mechanism. There are several reference systems, such as CVE and Bugtraq. These systems hold additional information about specific types of attack. Using this keyword, you can link to that additional information from the alert message.
resp
The resp keyword is an extremely important keyword. It can be used to defeat a hacker's actions by sending response packets to the host that generated the packet matching the rule. This keyword is also known as Flexible Response (FlexResp) and is based on the FlexResp plug-in. The plug-in must be compiled into Snort using the --with-flexresp option to the configure script.
rev
rev: <revision integer>;
The rev keyword is added to the options of a Snort rule to indicate the rule's revision number. If you update a rule, you can use this keyword to distinguish between versions. Output modules can also use this number to identify the revision.
rpc
rpc: <application number>, <version number>, <procedure number>;
The rpc keyword is used to detect basic RPC requests. It accepts three numbers as arguments:
application number
version number
procedure number

sameip
sameip;
The sameip keyword is used to check whether the source and destination addresses are the same. It takes no argument.
seq
seq: <hex_value>;
The seq keyword in a Snort rule can be used to check the sequence number of a TCP packet.
flow
The flow keyword is used to apply a rule to packets travelling in a particular direction. You specify the direction with an option to this keyword. The following options can be used with it:
to_client
to_server
from_client
from_server
session
session: [printable|all];
The session keyword can be used to dump all of the data from a TCP session.
sid
sid: <snort rules id>;
Using the SID, tools such as ACID can show which rule actually generated a particular alert.
tag
tag: <type>, <count>, <metric>[, direction];
The tag keyword is another very important keyword; it can be used to log additional data from (or to) an intruding host once a rule has been triggered. The additional data can then be analysed later in more detail.
tos
tos: <number>;
The tos keyword is used to detect a specific value in the TOS (Type of Service) field of the IP header.
ttl
ttl: <number>;
The ttl keyword is used to detect the Time to Live value in the IP header of a packet. This keyword can be used with all protocol types built on top of IP, such as ICMP, UDP and TCP. Using the ttl keyword, you can find out whether someone is trying to traceroute your network. The only problem is that the keyword needs an exact TTL value.
uricontent
uricontent: [!] "content string";
The uricontent keyword is like the content keyword, except that it is used to find a string only in the URI part of a packet.
