MINISTRY OF EDUCATION AND TRAINING
HUNG YEN UNIVERSITY OF TECHNOLOGY AND EDUCATION

L C HIP

DEPLOYING THE SNORT IDS SYSTEM ON THE LINUX OPERATING SYSTEM

UNIVERSITY GRADUATION THESIS

Supervisor: V XUN THNG

HUNG YEN - 2016
TABLE OF CONTENTS

LIST OF FIGURES ........ 5
LIST OF ABBREVIATIONS ........ 6
CHAPTER 1: OVERVIEW OF THE TOPIC ........ 7
1.1 Reason for choosing the topic ........ 7
1.2 Objectives of the topic ........ 8
1.3 Limits and scope of the topic ........ 9
1.4 Work carried out ........ 9
1.5 Approach ........ 9
CHAPTER 2: STUDY OF THE SNORT IDS ON THE LINUX OS ........ 10
2.1 The Snort IDS software ........ 15
2.1.1 Introduction to Snort ........ 15
2.1.2 Operating modes ........ 16
2.2 Components of Snort ........ 17
2.2.1 The packet sniffer ........ 18
2.2.2 The preprocessor ........ 18
2.2.3 The detection engine ........ 18
2.2.4 The logging and alerting system ........ 20
2.2.5 Structure of a rule ........ 21
CHAPTER 3: DEPLOYING THE SNORT INTRUSION DETECTION SYSTEM ON CENTOS ........ 23
3.1 Description of the experiment ........ 23
3.2 Experimental network infrastructure ........ 25
3.3 Steps to install Snort on the CentOS operating system ........ 25
3.3.1 Installing the CentOS operating system ........ 25
3.3.2 Installing and configuring Snort ........ 25
3.3.3 Configuring the MySQL server ........ 28
3.3.4 Configuring Snort to write alerts to MySQL ........ 28
3.3.5 Installing and configuring Basic Analysis and Security Engine ........ 29
3.4 System interface after installation ........ 30
LIST OF FIGURES

Figure 2-1: Architecture model of an intrusion detection system (IDS) ........ 11
Figure 2-2: Network IDS model ........ 12
Figure 2-3: Host IDS model ........ 13
Figure 2-4: Packet processing flow ........ 17
Figure 2-5: The intrusion detection engine ........ 19
Figure 2-6: Log-file writing and alerting system ........ 20
Figure 3-1: Snort running ........ 30
Figure 3-2: Main interface of BASE ........ 32
Figure 3-3: Snort detecting an Nmap port scan and SSH access ........ 32
Figure 3-4: Display of suspicious addresses ........ 33
Figure 3-5: Viewing the contents of a packet ........ 33
Figure 3-6: Statistics by day and hour ........ 34
Figure 3-7: Statistics by day ........ 35
Figure 3-8: The Snort IDS detecting packets sent into the system ........ 36
Figure 3-9: Experimental model ........ 38
LIST OF ABBREVIATIONS

Abbreviation   English                             Meaning
DDoS           Distributed Denial of Service       Distributed denial-of-service attack
DNS            Domain Name System                  Domain name system
DoS            Denial-of-service                   Denial-of-service attack
FTP            File Transfer Protocol              Protocol for transferring data
HIDS           Host Intrusion Detection System     Intrusion detection system installed on individual computers (hosts)
ICMP           Internet Control Message Protocol   Protocol that handles status messages for IP
IDS            Intrusion Detection System          Intrusion detection system
IP             Internet Protocol                   Internet protocol
IPS            Intrusion Prevention System         Intrusion prevention system
MAC            Media Access Control                Identifier assigned to a network device
NIDS           Network Intrusion Detection System  Uses data from all network traffic to detect intrusions
OSI            Open Systems Interconnection        The OSI network model
SNMP           Simple Network Management Protocol  Protocol for monitoring and controlling network devices
SMTP           Simple Mail Transfer Protocol       Protocol for transferring simple mail
TCP            Transport Control Protocol          Transmission control protocol
UTM            Unified Threat Management           Unified management of threats
2.2 Some basic definitions

IDS
An Intrusion Detection System, or IDS, is software, hardware, or a combination of both, used to detect the actions of an intruder. Snort is an open-source IDS that is freely available on the Internet. An IDS has many different capabilities depending on the complexity of its components. Many companies deploy IDSs that combine hardware and software. In other words, an IDS may use signature-based technologies, anomaly-based technologies, or both.

Figure 2-1: Architecture model of an intrusion detection system (IDS)
header, the transport layer header (TCP, UDP) and/or the application layer header or payload. Usually an IDS depends on signatures to find intrusive behaviour. Some IDS products have to obtain new signatures from the vendor whenever a new type of attack appears. In other IDSs, such as Snort, one can update one's own signatures.

Alerts
Alerts are notifications to the user about an intrusive action. When an IDS detects an intruder, it informs the security administrator by means of these alerts. An alert can take the form of a pop-up window, a console line, an e-mail, and so on. Alerts can also be stored in log files or in a database, where they can be reviewed later.
Snort can emit alerts in many forms, controlled by its output plug-ins. Snort can also send the same alert to several destinations at once; for example, it can write alerts into a database and emit an SNMP trap at the same time. Some plug-ins can even change the firewall configuration so that offending hosts are blocked at the firewall or router.

Logs
Log messages are usually stored in a file. By default, Snort stores these messages under the directory /var/log/snort. However, the location can be changed with a command-line option when Snort is started. Log messages can be stored in text form or in binary form. Binary files can be read back later with Snort itself or with the tcpdump program. A newer tool called Barnyard can also parse these binary log files. Binary logging is faster because of the level at which it stores the data, which makes it very useful when Snort has to run at high speed.
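The two mechanisms just described, alerts being fanned out to several destinations and the one-line text form in which Snort can write them, can be illustrated with a small script. The following Python is an added example written for this edit, not code from the thesis or from the Snort project: it parses alert lines in the format of Snort's `alert_fast` output plug-in and hands each parsed alert to every registered sink, the way Snort's output plug-ins each receive the same alert. The alert lines are constructed samples, the signature ids in the 1000000 range are local placeholders, and the sink classes (AlertStats, LineLog) are names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample lines in Snort's one-line "alert_fast" output format (not captured
# from a real sensor). Signature ids in the 1000000 range are local placeholders.
SAMPLE_ALERTS = """\
05/12-10:04:17.123456  [**] [1:1000001:1] SYN-FIN Scan [**] [Priority: 0] {TCP} 10.0.0.5:40000 -> 192.168.0.10:22
05/12-10:04:18.002211  [**] [1:1000001:1] SYN-FIN Scan [**] [Priority: 0] {TCP} 10.0.0.5:40001 -> 192.168.0.10:23
05/12-10:05:01.500000  [**] [1:1000003:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.0.10
05/12-10:05:02.000000  [**] [1:1000002:1] X traffic [**] [Priority: 0] {TCP} 192.168.0.20:40002 -> 192.168.0.10:6005
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$'
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ('gid', 'sid', 'rev', 'prio'):
        alert[key] = int(alert[key])
    for key in ('sport', 'dport'):           # absent for ICMP
        alert[key] = int(alert[key]) if alert[key] else None
    return alert


class AlertStats:
    """Sink that aggregates like the summary tables of a console such as BASE."""
    def __init__(self):
        self.by_signature = Counter()
        self.by_source = Counter()

    def __call__(self, alert):
        self.by_signature[alert['msg']] += 1
        self.by_source[alert['src']] += 1


class LineLog:
    """Sink that re-emits each alert as a compact log record (kept in memory here)."""
    def __init__(self):
        self.lines = []

    def __call__(self, alert):
        self.lines.append(f"{alert['ts']} sid={alert['sid']} prio={alert['prio']} "
                          f"{alert['proto']} {alert['src']} -> {alert['dst']} {alert['msg']}")


def dispatch(text, sinks):
    """Parse each line and hand every parsed alert to every sink, mirroring how Snort
    can deliver one alert to several output plug-ins. Returns (parsed count, unparsed lines)."""
    parsed, unparsed = 0, []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed.append(line)
            continue
        parsed += 1
        for sink in sinks:
            sink(alert)
    return parsed, unparsed


def run_sample():
    stats, log = AlertStats(), LineLog()
    count, unparsed = dispatch(SAMPLE_ALERTS, [stats, log])
    return count, unparsed, stats, log


if __name__ == '__main__':
    count, unparsed, stats, log = run_sample()
    print(f'{count} alerts parsed, {len(unparsed)} unparsed')
    print('by signature:', dict(stats.by_signature))
    print('by source:', dict(stats.by_source))
    print('\n'.join(log.lines))
```

Lines that do not parse are returned rather than silently dropped, which matters in practice: a sensor whose output format changes after an upgrade would otherwise disappear from the statistics without any sign of a problem.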
Operating modes
Snort can be configured to run in three modes:
+ Sniffer mode: captures packets and only displays the headers of the TCP/IP packets on the screen. The command syntax is as follows:
snort -v: runs Snort and displays only the IP/TCP/UDP/ICMP headers.
snort -vd: displays the headers and also the packet data.
snort -vde: the same as above but in more detail, showing the data-link layer header as well.
+ Packet logger mode: when the captured packets should be recorded to a storage location for later review, packet logger mode is a good aid to the network administrator. This mode specifies the storage location; with the following syntax, Snort automatically saves the information to that directory:
snort -vde -l /usr/local/log/snort
Logs are stored in binary form, which increases Snort's packet capture capability. Most systems can capture and log at 100 Mbps without any problem.
To record the log in binary mode, use the -b flag; the -L flag names the tcpdump-format output file:
snort -b -L /usr/local/log/snort/temp.log
Once packets have been captured, the file just created can be read back with the -r flag, and the display is the same as in sniffer mode:
snort -r /usr/local/log/snort/temp.log
+ NIDS mode: Snort detects intrusions mainly on the basis of a rule set that the network administrator defines in the file snort.cfg. Most intrusive actions have some signature. Information about these signatures is used to create Snort's rules. Signatures can be present in the headers of packets, and Snort's rules can inspect many parts of a packet to detect them. To start this mode, use the syntax:
snort -dve -l /usr/local/log -h 192.168.0.0/24 -c snort.cfg
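The binary log that packet logger mode writes is in the tcpdump (libpcap) file format, which is why the thesis notes that tcpdump can read it back. The following Python is an added example written for this edit, not code from the thesis or from Snort: it writes two constructed Ethernet/IPv4/TCP frames into a pcap file, reads the file back, and decodes each frame at the three verbosity levels that sniffer mode offers (headers only, headers plus payload, headers plus payload plus data-link header). The frames, addresses and timestamps are constructed; the IP and TCP checksums are left at zero because nothing in the example validates them.

```python
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAGS = {0x02: 'S', 0x01: 'F', 0x10: 'A', 0x04: 'R', 0x08: 'P'}


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b''):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = bytes.fromhex('020000000001') + bytes.fromhex('020000000002') + b'\x08\x00'
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def write_pcap(path, packets):
    """packets: iterable of (timestamp in seconds, frame bytes)."""
    with open(path, 'wb') as f:
        # global header: magic, version 2.4, timezone, sigfigs, snaplen, link type
        f.write(struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, data in packets:
            sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
            # record header: seconds, microseconds, captured length, original length
            f.write(struct.pack('<IIII', sec, usec, len(data), len(data)) + data)


def read_pcap(path):
    """Yield (timestamp, frame bytes) for each record in a little-endian pcap file."""
    with open(path, 'rb') as f:
        magic, = struct.unpack('<I', f.read(4))
        if magic != PCAP_MAGIC:
            raise ValueError('not a little-endian pcap file')
        f.read(20)                       # remainder of the global header
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                return
            sec, usec, incl_len, _orig_len = struct.unpack('<IIII', hdr)
            yield sec + usec / 1_000_000, f.read(incl_len)


def decode(frame, mode='v'):
    """Summarise a frame the way the sniffer-mode verbosity levels do:
    'v' = IP/TCP headers, 'vd' = plus payload, 'vde' = plus the Ethernet header."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype, = struct.unpack('!H', frame[12:14])
    if ethertype != 0x0800:
        return {'ethertype': ethertype}
    ip = frame[14:34]
    ihl = (ip[0] & 0x0F) * 4
    out = {'src': socket.inet_ntoa(ip[12:16]), 'dst': socket.inet_ntoa(ip[16:20]), 'proto': ip[9]}
    if out['proto'] == 6:
        tcp = frame[14 + ihl:14 + ihl + 20]
        sport, dport, _seq, _ack, offset, flags = struct.unpack('!HHIIBB', tcp[:14])
        out.update(sport=sport, dport=dport,
                   flags=''.join(c for bit, c in TCP_FLAGS.items() if flags & bit))
        if mode in ('vd', 'vde'):
            out['payload'] = frame[14 + ihl + (offset >> 4) * 4:]
    if mode == 'vde':
        out['src_mac'] = src_mac.hex(':')
        out['dst_mac'] = dst_mac.hex(':')
    return out


def roundtrip_demo():
    """Write two constructed frames to a temporary binary log, read them back, decode fully."""
    frames = [
        (1463047457.123456, build_frame('10.0.0.5', '192.168.0.10', 40000, 22, 0x03)),     # SYN+FIN
        (1463047458.0, build_frame('192.168.0.20', '192.168.0.10', 40002, 80, 0x18,
                                   b'GET / HTTP/1.0\r\n')),                                 # PSH+ACK
    ]
    fd, path = tempfile.mkstemp(suffix='.log')
    os.close(fd)
    try:
        write_pcap(path, frames)
        return [decode(data, 'vde') for _ts, data in read_pcap(path)]
    finally:
        os.remove(path)


if __name__ == '__main__':
    for summary in roundtrip_demo():
        print(summary)
```

The first constructed frame carries the SYN and FIN flags together, the combination that the SYN-FIN rule later in the thesis looks for; decoding it with the 'v' level shows the header fields a rule header can match on, while 'vde' adds the MAC addresses that only the data-link level exposes.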
The packet sniffer
Packet sniffer: the packet capture component is a device (hardware or software) placed in the system whose task is to capture the traffic entering and leaving the network. The sniffer lets an application or a device listen to all the data travelling across the network.

The preprocessor
Preprocessor: after all the packets have been captured, they are passed to the preprocessor, which checks whether they are valid. The preprocessor compares the packets against its plug-ins (for example the RPC plug-in, the HTTP plug-in, the port scanning plug-in, and so on). The packets are checked to see whether their behaviour matches the behaviours described in the plug-ins; if so, they are passed on to the detection engine.
The preprocessor is a very useful component of Snort. Because it is a plug-in that can be switched on or off at will, it helps greatly in tuning system resources or the alerting level. For example, if the network administrator receives port-scan notifications too many times while working, they can switch this plug-in off while the other plug-ins keep working normally.

The detection engine
After the packets have passed through the preprocessor, they are sent to the detection engine. If a packet matches any rule, it is sent on to the alert handler.
The detection engine and the rule sets make up a large part of what one must know in order to understand Snort. Snort has its own syntax for use with the rule sets. This syntax can refer to the network protocol, the content, the length, the header section and many other elements, including the characteristics that identify a buffer overflow.
Snort uses rules to detect intrusions on the network. Consider the following rule (the msg text must be quoted, and current Snort releases also require a sid option):
alert tcp !192.168.0.0/24 any -> any any (flags:SF; msg:"SYN-FIN Scan"; sid:1000001; rev:1;)
Structure of a rule
Snort's rule set is simple enough for us to understand and write, yet powerful enough to detect all intrusive actions on the network. There are three main actions that Snort performs when a packet matches the patterns in the rules:
- Pass: discards the packet that Snort captured.
- Log: records the packet in whichever logging format has been chosen.
- Alert: generates an alert in the chosen alert format and logs the whole packet in the chosen logging format.
The most basic form of a rule consists of the protocol, the direction of the packet and the port of interest, without any option section:
log tcp any any -> 192.168.0.0/24 80
This rule detects accesses to the PHF service on the web server, and an alert is generated along with a record of the whole packet.
The IP address range in a rule is written as a CIDR block with netmask; ports can be specified individually or as a range, with the starting and ending ports separated by a colon:
alert tcp any any -> 192.168.0.0/24 6000:6010 (msg:"X traffic";)
# ln -s /usr/local/bin/snort /usr/sbin/snort
# cd /etc/snort/so_rules/precompiled/CentOS-5.0/i386/2.8.4.1
# cp * /usr/local/lib/snort_dynamicrules/

Configuring Snort
Edit the configuration file at /etc/snort/snort.conf:
var HOME_NET 192.168.0.0/24
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

Installing Barnyard
Barnyard is an application used to offload the work of writing log files and alerts from Snort, so that Snort can devote its resources to its own function.
# wget http://snort.org/dl/barnyard2-1.8.tar.gz
# cd /usr/local/
- Restart Snort and check whether Snort and Barnyard2 are working together and writing logs to the database:
# mysql -usnort -p"123456" -D snort -e "select count(*) from event"
count(*)
280278
Configuring BASE:
# vi base_conf.php
Edit the following lines:
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb';
$alert_dbname = 'snort';
$alert_password = '123456';
$archive_exists = 1; # set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_user = 'snort';
$archive_password = '123456';
$external_whois_link = 'index.php';
$external_dns_link = 'index.php';
$external_all_link = 'index.php';
+ Gateway: 192.168.0.254
- Software installed:
+ iptables
+ Snort 2.8.4.1
+ MySQL Server
+ PHP
+ Barnyard2
+ Basic Analysis and Security Engine 1.4.5

Using Snort
- Configuration file: /etc/snort/snort.conf
- Rules directory: /etc/snort/rules/
- Log files: /var/log/snort/
To start the Snort process, type:
# /etc/init.d/snort start
or
# /usr/local/bin/snort -Dq -u snort -g snort -i eth0 -c /etc/snort/snort.conf
To stop the Snort process, type:
# pkill snort

Experimental statistics for the Snort IDS
The BASE software is used to review the experimental statistics. BASE provides a graphical tool that lets the user retrieve and analyse the alerts.
Figure 3-3: Snort detecting an Nmap port scan and SSH access
In the Summary Statistics table, click the Destination link in the Unique addresses row to view the destination addresses that are being attacked.
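The count query used above to verify that Barnyard2 is writing to MySQL, and the per-address and per-hour views that BASE builds from the same tables, are plain SQL over the Snort database schema. The following Python is an added example written for this edit, not code from the thesis, BASE or Barnyard2: it recreates a simplified subset of that schema (the event, signature and iphdr tables, with IPv4 addresses stored as integers as the real schema does) in an in-memory SQLite database, loads a handful of constructed events, and runs the queries behind the figures described in this chapter. The sample events and the signature names are constructed; the real schema has many more tables and columns than shown here.

```python
import ipaddress
import sqlite3

# Simplified subset of the Snort/Barnyard2 database schema, recreated in SQLite.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT NOT NULL, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
"""


def ip2int(text):
    """The schema stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(text))


def int2ip(value):
    return str(ipaddress.IPv4Address(value))


# Constructed signatures and events (not data from the thesis experiment):
# a burst of SYN-FIN probes at .10, one SSH alert at .11, and a ping.
SIGNATURES = [(1, 'SYN-FIN Scan', 2), (2, 'SSH access attempt', 3), (3, 'ICMP PING', 3)]
SAMPLE_EVENTS = [
    # (cid, sig_id, timestamp, source, destination)
    (1, 1, '2016-05-12 10:04:17', '10.0.0.5', '192.168.0.10'),
    (2, 1, '2016-05-12 10:04:18', '10.0.0.5', '192.168.0.10'),
    (3, 1, '2016-05-12 10:04:19', '10.0.0.5', '192.168.0.10'),
    (4, 2, '2016-05-12 10:31:02', '10.0.0.5', '192.168.0.11'),
    (5, 3, '2016-05-12 11:05:40', '10.0.0.7', '192.168.0.10'),
]
SENSOR_ID = 1   # sid: one sensor in this experiment


def build_db():
    con = sqlite3.connect(':memory:')
    con.executescript(SCHEMA)
    con.executemany('INSERT INTO signature VALUES (?, ?, ?)', SIGNATURES)
    for cid, sig, ts, src, dst in SAMPLE_EVENTS:
        con.execute('INSERT INTO event VALUES (?, ?, ?, ?)', (SENSOR_ID, cid, sig, ts))
        con.execute('INSERT INTO iphdr VALUES (?, ?, ?, ?)', (SENSOR_ID, cid, ip2int(src), ip2int(dst)))
    con.commit()
    return con


def event_count(con):
    """The sanity check from the installation steps: select count(*) from event."""
    return con.execute('SELECT count(*) FROM event').fetchone()[0]


def unique_destinations(con):
    """BASE 'Unique addresses -> Destination': each target with the number of alerts it drew."""
    rows = con.execute(
        'SELECT ip_dst, count(*) AS n FROM iphdr GROUP BY ip_dst ORDER BY n DESC, ip_dst'
    ).fetchall()
    return [(int2ip(dst), n) for dst, n in rows]


def alerts_per_hour(con):
    """Time-based statistics (the by-hour view): alerts bucketed on the hour."""
    return con.execute(
        'SELECT substr(timestamp, 1, 13) AS hour, count(*) FROM event GROUP BY hour ORDER BY hour'
    ).fetchall()


def top_signatures(con):
    """Which rules fired most, joined to their names."""
    return con.execute(
        'SELECT s.sig_name, count(*) AS n FROM event e JOIN signature s ON e.signature = s.sig_id '
        'GROUP BY s.sig_name ORDER BY n DESC, s.sig_name'
    ).fetchall()


if __name__ == '__main__':
    con = build_db()
    print('events:', event_count(con))
    print('destinations:', unique_destinations(con))
    print('per hour:', alerts_per_hour(con))
    print('signatures:', top_signatures(con))
```

Keeping the destination address query on iphdr and the signature query on event joined to signature mirrors how the console separates the two: the address tables are filled from the packet headers Barnyard2 decodes, while the signature table is shared across events so that a rule's name is stored once.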
When the IDS system detects that someone is carrying out a ping flood, the

flood. The administrator is responsible for setting up rules on the firewall to limit the attacker's attacks on the system.
CHAPTER 4: CONCLUSION
Although intrusion detection systems (IDS) appeared only relatively recently, today they play no less important a role. An IDS helps people discover and analyse new attack threats, and from that countermeasures are drawn up. To some extent, the culprit behind an attack can even be traced. A large organisation cannot do without an IDS.

4.1 Results achieved
- Understood the operating mechanism of the Snort IDS.
- Gained a visual view by testing several types of attack.
- Grasped the operating mechanism of the Snort intrusion detection system together with its rule sets.
- Installed and configured an open-source intrusion detection system.
- Deployed an experimental Snort IDS system.

4.2 Limitations of the topic
- Only reached the stage of deploying an experimental system.
- Deployed the system within a LAN only.
- The subject of the Snort IDS is very broad, and present-day attack methods have changed greatly, so its operation is not yet fully understood.
- The supplementary rule set is still being optimised and extended, so it is not presented in this report.