(Graduation thesis front matter: assignment form, supervisor and reviewer evaluation pages, acknowledgements)
Nguyễn Văn Quang

SUMMARY
Building an intrusion prevention and detection system is one way to raise the security of a system. An intrusion detection system is not meant to replace the firewall; it complements it and collects as much information as possible for the process of blocking attacks.
Besides the concepts and detection techniques of an intrusion detection system, this thesis studies a network-based intrusion detection system, Snort, together with the SnortSam module combined with iptables for the purpose of blocking attacks.
The main goal of the thesis is to understand the structure of Snort rule sets as thoroughly as possible, to develop an analytical way of thinking about a system rather than merely deploying it, and to write rule sets for the specific situations of a given system.
The main content of the thesis is divided into three parts:
Part 1: the main ideas behind intrusion detection systems, their models and detection techniques.
Part 2: technical detail of the Snort/SnortSam network intrusion detection system: the Snort architecture and the structure of Snort rules.
Part 3: analysis of a few kinds of attack and of the corresponding rules; system demo.
Keywords: intrusion detection, intrusion detection system, anomaly-based detection, signature-based detection, Snort, SnortSam, SYN Flood, Apache Killer
ABSTRACT
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF ABBREVIATIONS
CNSS - Committee on National Security Systems
IDS - Intrusion Detection System
IPS - Intrusion Prevention System
NIDS - Network-based IDS
HIDS - Host-based IDS
ICMP - Internet Control Message Protocol
IP - Internet Protocol
TCP - Transmission Control Protocol
UDP - User Datagram Protocol
DoS - Denial-of-Service
DDoS - Distributed Denial-of-Service
GNU/GPL - GNU General Public License
ACID - Analysis Console for Intrusion Databases
BASE - Basic Analysis and Security Engine
ISP - Internet Service Provider
FDDI - Fiber Distributed Data Interface
ACL - Access Control List
HTTP - Hypertext Transfer Protocol
PART I
PROBLEM STATEMENT
PART II
SOLVING THE PROBLEM
Contents
The main topics of this part are: intrusion detection systems, Snort, SnortSam, the structure of Snort rules and how to write them, installing and deploying Snort in a network, and a demo of attack and detection.
Chapter 1, Intrusion detection systems (IDS): an overview of intrusion detection systems, intrusion detection techniques, classification of intrusion detection systems, and where to place an IDS in a network.
Chapter 2, Introduction to Snort/SnortSam.
Chapter 3, Preprocessors and output plug-ins: preprocessing in Snort and the output stage.
Chapter 4, Rules in Snort: the structure of a Snort rule.
Chapter 5, Analysis of some Snort rules: a few kinds of attack and the rule sets that go with them.
Chapter 6, Installing and configuring Snort/SnortSam.
Chapter 7, Demo of intrusion detection and prevention based on Snort/SnortSam.
CHAPTER 1
INTRUSION DETECTION SYSTEMS (IDS)
According to the definition in CNSSI-4009, published by the United States Committee on National Security Systems, an intrusion is an unauthorized act of bypassing the security mechanisms of a system.
A computer intrusion is the deliberate act of accessing a computer without permission, or of abusing access one already has in order to gain further access to other resources and collect information.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and then analyzing them for signs of possible incidents. An incident may be a violation of the security policy or security standards of the system, or a threat to the organization's systems. These incidents may be caused by malicious software such as viruses, worms, trojans or spyware, by deliberate intrusion from the Internet, or by exceeding normal access rights. There are also innocent causes, for example a user who mistypes the address of a machine and tries to access a system they are not allowed to use.
An intrusion detection system (IDS) can be a hardware appliance (for example Cisco's intrusion detection devices, the Cisco IDSM-2 or the Cisco IPS 4200 Series Sensors) or a software application that monitors computers and networks for actions that threaten the system or violate the security policy and reports them to the system administrator. An intrusion detection system installed on a network is like a burglar alarm in a house.
Some intrusion detection systems also take on the job of blocking threats, but this is not strictly necessary and is not the main function of a monitoring system.
A basic intrusion detection system identifies threats, records information about them and then reports that information.
In short, the functions of an intrusion detection system are monitoring (of network traffic), alerting (reporting the state of the network to the system and the administrator) ...
...
Can monitor encrypted traffic.
Is not affected by switches.
Disadvantages of HIDS:
Harder to manage, because it must be installed on every host to be protected, so configuration ...
...
The measures and techniques used in anomaly detection include:
Protocol anomaly detection. The protocol ...
...
Advantages:
Few false positives, and especially effective against known forms of intrusion.
Fast and reliable in identifying the attack tools and techniques ...
...
... a monitoring port on the switch (SPAN port, port mirroring): when data passes through the switch, a copy is sent to the IDS.
CHAPTER 2
INTRODUCTION TO SNORT/SNORTSAM
2.1. What is Snort?
Snort is an open-source network-based intrusion prevention and detection system (IPS/IDS) developed by Sourcefire. Combining signature, protocol and anomaly inspection, Snort is deployed all over the world. With millions of downloads and more than 400,000 registered users, Snort has become the de facto standard for intrusion prevention and detection systems.
Snort's main functions are packet sniffing, packet logging and network-based intrusion detection.
Why has Snort become so popular?
Easy to configure: how Snort works, where the configuration file is and what the rules look like are all open to the administrator, who can configure everything as desired, including writing new rules.
Snort is open source: Snort is released under the GNU GPL, which means anyone, whether a company or an individual, can use it free of charge. Being open source, Snort also has a large user community ready to help with any question.
Runs on many platforms: besides open-source operating systems such as GNU/Linux, Snort also runs on commercial platforms such as Microsoft Windows, Solaris and HP-UX.
Snort is updated regularly: Snort rules are continually extended and updated for new forms of intrusion, and users can download them easily from http://www.snort.org.
2.2. Deploying a Snort system
...
If the network is large and there are many sensors, consider adding RAM so that the system does not lag when processing the large amount of information sent back.
2.2.2. Operating system and other software packages
Snort runs on many operating systems. On x86 it runs on GNU/Linux, FreeBSD, OpenBSD, NetBSD and Windows; it also supports the SPARC architecture (Solaris) and other platforms such as Mac OS X and HP-UX.
Besides the operating system, if you intend to compile Snort from source, make sure the following software is installed:
autoconf and automake.
gcc.
lex and yacc, or GNU flex and bison.
libpcap.
Most of these can be downloaded from http://www.gnu.org/, and libpcap from http://www.tcpdump.org
If you intend to install Snort add-ons or management tools, for example the popular Analysis Console for Intrusion Databases (ACID) web interface, you also need the Apache web server (use SSL/TLS to protect it), PHP, and a database to store the alerts, which means MySQL or PostgreSQL.
Some popular add-ons:
ACID.
Oinkmaster.
SnortSnarf.
SnortReport.
Snorby.
If the sensor is administered remotely over SSH, SSH must be configured as well.
2.3. Characteristics of Snort
...
Decoder function - protocol handled:
DecodeEthPkt - Ethernet
DecodePPPoEPkt - PPP over Ethernet
DecodeVLAN - 802.1Q
DecodeARP - ARP
DecodeIP - IP
DecodeIPX - IPX
DecodeIPOptions - IP options
DecodeTCP - TCP
DecodeUDP - UDP
DecodeICMP - ICMP
DecodeIPOnly - embedded IP
DecodeTCPOptions - TCP options
...
Preprocessors are plug-ins that parse the data in different ways. If Snort is run without any preprocessor configuration in the configuration file, it only sees each packet on the network in isolation. This can cause the IDS to miss attacks, because many modern attacks deliberately fragment the data, or place the malicious part in one packet and the rest in another (an evasion technique).
Data is passed to the preprocessors after it leaves the packet decoder. Snort ships with a series of preprocessors, for example Frag3 (an IP fragment reassembly module), sfPortscan (designed to detect reconnaissance such as port scans, service identification and OS scans) and Stream5 (which reassembles TCP streams).
The currently available preprocessors are described in the Snort manual at http://manual.snort.org/node17.html.
...
The command above captures packets and stores them as log files. Log files can also be organized by client IP address. For example, the following command captures, prints to the screen and logs TCP/IP packets together with their data-link headers and packet data, with the class C network 192.168.1.0/24 set as the home network:
$ snort -dev -l /home/user/log -h 192.168.1.0/24
2.4.2 NIDS mode
When Snort runs in network intrusion detection mode it does not need to capture every packet.
...
Firewalls that SnortSam can drive include:
Checkpoint Firewall-1
Linux IPchains
Linux IPtables
Linux EBtables
...
CHAPTER 3
PREPROCESSORS AND OUTPUT PLUG-INS
3.1. Preprocessors
The previous chapter gave a basic understanding of the structure and operation of Snort, and an overview of its preprocessors. So what is the main function of a preprocessor?
Preprocessors were first introduced in Snort version 1.5. Initially they were known for normalizing network protocols. Today a preprocessor is no longer limited to protocol normalization: it can also detect intrusions based on anomalies and raise its own alerts. In practice Snort is known for signature-based detection using ready-made patterns and signatures; the preprocessor plug-ins were added not only to prepare input for the detection engine but also to generate alerts by detecting anomalies in the traffic entering the system.
This section looks at a few important preprocessors, in particular the reassembly preprocessors, since fragmentation is a technique attackers can use to evade intrusion detection systems.
These preprocessors are extremely useful for detecting fragmentation attacks designed to fool an IDS, such as the Tiny Fragment attack, the Overlapping Fragment attack and the Teardrop attack.
3.1.1. Frag3
...
Global configuration options (continued):
prealloc_memcap <bytes>
prealloc_frags <number>
...
disabled
Engine configuration:
Preprocessor name: frag3_engine
Options (separated by whitespace):
bind_to
Platform                         Type
AIX 2                            BSD
AIX 4.3 8.9.3                    BSD
Cisco IOS                        Last
FreeBSD                          BSD
HP JetDirect                     BSD-right
HP-UX B.10.20                    BSD
HP-UX 11.00                      First
IRIX 6.2, 6.3                    BSD
IRIX64 6.4                       BSD
Linux (Red Hat 7.1-7.3)          Linux
MacOS                            First
OpenBSD                          Linux
OS/2                             BSD
OSF1 V4.0, 5.0, 5.1              BSD
SunOS 4.1.4                      BSD
SunOS 5.5.1, 5.6, 5.7, 5.8       First
Tru64 Unix V5.0A, V5.1           BSD
Windows (95/98/NT4/W2K/XP)       Windows
Figure 3.2: Operating system classification (Frag3 target policies).
Output: Frag3 can detect eight different kinds of anomaly. Its output is packet-based and works with all of Snort's other output modes. These alerts can be found in preproc_rules/preprocessor.rules in the Snort source tree, with gid 123.
Example:
preprocessor frag3_global: prealloc_nodes 8192
preprocessor frag3_engine: policy linux, bind_to 192.168.1.0/24
preprocessor frag3_engine: policy first, bind_to [10.1.47.0/24,172.16.8.0/24]
preprocessor frag3_engine: policy last, detect_anomalies
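The reason Frag3 is target-based is easiest to see by reassembling the same overlapping fragments under two different policies. The following is an added example and not code from the thesis or from Snort: it models only the "first" and "last" policies from the table above (the BSD and Linux rules are more involved and are left out), and the engine list, fragments and signature are constructed for illustration.

```python
"""Added example, not part of the thesis: a model of Frag3's target-based
overlap policies.

Fragments are (offset, bytes) pairs in arrival order. Two policies from the
table above are simulated: "first" (the first fragment seen for an offset
wins, as on Windows and Solaris) and "last" (the most recently seen fragment
wins, as on Cisco IOS). The BSD and Linux policies are not modelled, and the
engine table below is an assumed configuration, not the thesis's."""

import ipaddress


def reassemble(fragments, policy):
    """Reassemble fragments under an overlap policy and return the bytes.

    fragments: list of (offset, payload_bytes) in the order the sensor saw them.
    policy:    "first" or "last".
    """
    if policy not in ("first", "last"):
        raise ValueError("unsupported policy: %r" % policy)
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    filled = [False] * total
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            # "first" keeps the byte that arrived earlier; "last" overwrites it.
            if policy == "first" and filled[pos]:
                continue
            buf[pos] = byte
            filled[pos] = True
    return bytes(buf)


# Assumed engine list mirroring "preprocessor frag3_engine: policy X, bind_to Y";
# the engine with bind_to=None is the default that catches everything else.
ENGINES = [
    ("last", "10.1.47.0/24"),
    ("first", "192.168.1.0/24"),
    ("first", None),
]


def select_policy(dst_ip, engines=ENGINES):
    """Pick the policy for a destination the way bind_to selects an engine."""
    addr = ipaddress.ip_address(dst_ip)
    for policy, net in engines:
        if net is None or addr in ipaddress.ip_network(net):
            return policy
    raise LookupError("no frag3 engine covers %s" % dst_ip)


# Constructed overlapping-fragment evasion: a harmless request is sent first,
# then a second fragment rewrites bytes 4-14 with the real target path.
ATTACK = [
    (0, b"GET /index.html "),
    (4, b"/etc/passwd"),
]
SIGNATURE = b"/etc/passwd"


def would_detect(fragments, dst_ip, signature=SIGNATURE):
    """True if a sensor using the policy bound to dst_ip sees the signature."""
    return signature in reassemble(fragments, select_policy(dst_ip))


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(ATTACK, policy))
```

A sensor whose policy differs from the real destination host's reassembles a different byte stream than the host does, and the attacker chooses which version the IDS sees. That is why the bind_to list should be kept in step with the operating systems actually present on each subnet.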
3.1.2. Stream5
The Stream5 preprocessor is a target-based TCP reassembly module. It can track sessions for both TCP and UDP. With this preprocessor, the flow and flowbits rule options can be used for both TCP and UDP traffic.
Stream5 works like Frag3 in that the IDS processes data streams according to the target host. Stream5 handles overlapping data and anomalies in TCP connections.
Examples of anomalies it can identify on TCP are data carried in a SYN packet and data received beyond the size of the TCP window.
a. Global configuration
preprocessor stream5_global: <options>
Options:
track_tcp <yes|no>
max_tcp <num sessions>
track_udp <yes|no>
max_udp <num sessions>
track_icmp <yes|no>
max_icmp <num sessions>
track_ip <yes|no>
disabled
flush_on_alert
show_rebuilt_packets
prune_log_max <num bytes>
b. TCP configuration
Options:
bind_to <ip_addr>
policy <policy_id>
overlap_limit <number>
max_window <number>
detect_anomalies
check_session_hijacking
ports <client|server|both> <all|number(s)>
protocol <client|server|both> <all|service name(s)>
ignore_any_rules
c. UDP configuration
timeout <num seconds> - session timeout. Default 30, minimum 1, maximum 86400.
d. ICMP configuration
timeout <num seconds> - session timeout. Default 30, minimum 1, maximum 86400.
Example 1:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: ignore_any_rules
Example 2:
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux
preprocessor stream5_tcp: policy solaris
3.1.3. sfPortscan
The sfPortscan module was developed by Sourcefire and is designed to detect the probing of a system that precedes an attack. In the reconnaissance phase the attacker identifies the network protocols, server services and operating system of the target. This is not yet the intrusion phase, but the attacker gathers a great deal of useful information in preparation for it. An extremely powerful and popular port scanner today is Nmap; it implements essentially every current port-scanning technique, and sfPortscan was designed to counter the scanning techniques Nmap uses.
3.1.4. HTTP Inspect
HTTP has become one of the most common and widely used protocols on the Internet, which also makes it a favourite of attackers. Attackers can exploit the flexibility of web servers to hide themselves and disguise their attacks from a NIDS. In the example below, a plain pattern match such as Snort's would detect only the form foo/bar and miss foo\bar:
http://www.abc/foo/bar/xyz.php
http://www.abc/foo\bar\xyz.php
Attackers can also use countless encoding techniques based on hex escapes and UTF-8. http_inspect works on one packet at a time, which means the strings it inspects must first be reassembled by the stream5 preprocessor.
The GET requests below all do exactly the same thing and are handled identically by a web server:
GET /../../../../etc/passwd HTTP/1.1
GET %2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
GET %2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1
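The three requests above, plus the backslash form, can be shown to collapse to one path once the URI is canonicalised. The following is an added example, not code from the thesis or from http_inspect: it implements only the transformations named in this section (percent-decoding, run twice to catch double encoding; backslash folding; traversal resolution) and runs them over constructed request lines.

```python
"""Added example, not part of the thesis: a small URI normaliser showing why
an IDS must canonicalise HTTP requests before pattern matching.

It applies the transformations described above: percent-decoding (run twice
so double-encoded input such as %252e is caught), backslash-to-slash folding,
and directory-traversal resolution. The real http_inspect has many more
options; this is a teaching model with constructed request lines."""

from urllib.parse import unquote


def normalize_uri(uri):
    """Return a canonical path for uri, as a web server would resolve it."""
    # 1. Decode %xx escapes. A second pass turns a first-pass "%2e" into ".".
    decoded = unquote(unquote(uri))
    # 2. IIS treats "\" like "/", so fold it; foo\bar then equals foo/bar.
    decoded = decoded.replace("\\", "/")
    # 3. Drop empty and "." segments and resolve "..", never above the root.
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


# Constructed request lines: the three GET variants from the text, plus a
# backslash form and a double-encoded form.
REQUESTS = [
    "GET /../../../../etc/passwd HTTP/1.1",
    "GET %2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET %2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1",
    "GET \\..\\..\\etc\\passwd HTTP/1.1",
    "GET /%252e%252e/%252e%252e/etc%252fpasswd HTTP/1.1",
]


def uri_of(request_line):
    """Extract the request-target from 'METHOD target HTTP/x.y'."""
    return request_line.split(" ")[1]


def detect(request_line, pattern="/etc/passwd"):
    """Return (raw_hit, normalized_hit): whether a byte match on the raw URI
    fires, and whether the same match fires after normalisation."""
    raw = uri_of(request_line)
    return pattern in raw, pattern in normalize_uri(raw)


if __name__ == "__main__":
    for line in REQUESTS:
        print(detect(line), normalize_uri(uri_of(line)))
```

Only the first request is caught by a raw byte match; every variant is caught after normalisation. Matching the rule's content against the normalised buffer (what the http_uri modifier selects) rather than the raw packet is the difference between a rule that works and one that is trivially bypassed.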
CHAPTER 4
RULES IN SNORT
Introduction
A Snort rule can be understood simply as being like a rule or law in the real world: it has a part describing a condition and a part saying what happens when the condition holds. One of the most valuable features of Snort is that it lets users write their own rules or customize the existing ones to suit their own network. Besides the large rule database that users can download from the Snort home page, an administrator can develop rules for their own system instead of depending on a vendor or an outside body, or waiting for an update when a new attack or a new way of exploiting a vulnerability is discovered. The administrator can write a rule for their own system as soon as they notice abnormal traffic, and compare it with the community-developed rule set. The advantage of writing rules yourself is that they can be customized and updated extremely quickly when something abnormal happens on the network.
Example: if someone tries to open the car door, the horn sounds.
Here the action (the horn sounds) is performed if the sign (someone trying to open the car door) is observed.
It is the same on a network, except that everyday natural language cannot be used to describe a sign or a network state. For example: "if an SSH connection from a public IP address reaches the web server, block it." Although this is a fairly concrete description, Snort cannot understand it. Snort rules let us express such a sign in a language Snort understands.
To write a rule from the data of a system, we need to understand the structure of a Snort rule. A Snort rule is divided into two parts, the header and the options. The header contains the rule action, the protocol, the source I address, the destination IP address, the subnet masks, the source port and the destination port. The options contain the alert message and information about which parts of the packet are inspected to decide which action applies.
4.1. Rule Header
Figure 4.1: Structure of a Snort rule: rule header (rule action, protocol, source/destination address and port) followed by the rule options.
4.1.1. Rule Action
The header holds the information that identifies the who, where and what of a packet, and what to do if all of the attributes in the rule match. The first item in a rule is the rule action, which tells Snort what to do when it finds packets that match the rule's conditions. There are five default actions in Snort: alert, log, pass, activate and dynamic. If Snort runs in inline mode there are additional options: drop, reject and sdrop.
alert - generate an alert using the selected alert method, then log the packet.
log - log the packet.
pass - ignore the packet.
activate - alert and then turn on another dynamic rule to check further conditions on the packet.
dynamic - remain idle until activated by an activate rule, then act as a log rule.
...
4.1.4. Port
...
... 1024.
log udp any any -> 192.168.1.0/24 :6000 - any port to any port less than or equal to 6000.
log udp any any -> 192.168.1.0/24 500: - any port to any port greater than or equal to 500.
log udp any any -> 192.168.1.0/24 !6000:6010 - any port to any port except 6000 through 6010.
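To make the header fields concrete, here is an added example (not code from the thesis or from Snort) that parses a rule header and evaluates it against a packet: it covers the port syntax shown above (any, N, :N, N:, N:M, with ! for negation), CIDR addresses with negation, the "ip" protocol matching any IP packet, and both the -> and <> directions. The packet is a constructed dict, not captured traffic.

```python
"""Added example, not part of the thesis: parsing a Snort rule header and
evaluating it against a packet, using the port syntax shown above (any, N,
:N, N:, N:M, with ! for negation), CIDR addresses and both directions.
The packets are constructed dicts, not captured traffic."""

import ipaddress

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}


def parse_ports(spec):
    """Turn a port spec into (negated, low, high). ':6000' is <= 6000,
    '500:' is >= 500, 'any' is the whole range."""
    negated = spec.startswith("!")
    spec = spec[1:] if negated else spec
    if spec == "any":
        return negated, 0, 65535
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return negated, int(lo) if lo else 0, int(hi) if hi else 65535
    port = int(spec)
    return negated, port, port


def parse_addr(spec):
    """Turn an address spec into (negated, network-or-None); None means any."""
    negated = spec.startswith("!")
    spec = spec[1:] if negated else spec
    net = None if spec == "any" else ipaddress.ip_network(spec, strict=False)
    return negated, net


def parse_header(text):
    """Parse 'action proto src sport dir dst dport' into a dict."""
    fields = text.split()
    if len(fields) != 7:
        raise ValueError("header needs 7 fields: %r" % text)
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    if proto not in PROTOCOLS:
        raise ValueError("unknown protocol %r" % proto)
    if direction not in ("->", "<>"):
        raise ValueError("bad direction %r" % direction)
    return {
        "action": action, "proto": proto, "dir": direction,
        "src": parse_addr(src), "sport": parse_ports(sport),
        "dst": parse_addr(dst), "dport": parse_ports(dport),
    }


def _addr_ok(rule, ip):
    negated, net = rule
    inside = net is None or ipaddress.ip_address(ip) in net
    return inside != negated


def _port_ok(rule, port):
    negated, lo, hi = rule
    return (lo <= port <= hi) != negated


def _one_way(h, src, sport, dst, dport):
    return (_addr_ok(h["src"], src) and _port_ok(h["sport"], sport)
            and _addr_ok(h["dst"], dst) and _port_ok(h["dport"], dport))


def header_matches(header, pkt):
    """pkt: dict with proto, src, sport, dst, dport. 'ip' rules match any
    IP protocol; '<>' rules match in either direction."""
    h = parse_header(header) if isinstance(header, str) else header
    if h["proto"] != "ip" and h["proto"] != pkt["proto"]:
        return False
    if _one_way(h, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    if h["dir"] == "<>":
        return _one_way(h, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    return False


# Constructed packet: UDP from an outside host to port 6005 on the LAN.
PKT = {"proto": "udp", "src": "10.0.0.5", "sport": 5353,
       "dst": "192.168.1.20", "dport": 6005}

if __name__ == "__main__":
    for rule in ("log udp any any -> 192.168.1.0/24 :6000",
                 "log udp any any -> 192.168.1.0/24 500:",
                 "log udp any any -> 192.168.1.0/24 !6000:6010"):
        print(rule, header_matches(rule, PKT))
```

Note that ":6000" includes port 6000 itself and "500:" includes 500; a rule written with the wrong boundary silently misses the edge port, which is worth a test like the ones here before a rule goes into production.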
4.2.1. General
a. msg
msg is a common and useful keyword for attaching a text string to logs and alerts. The string is enclosed in double quotes; to include a special character, prefix it with a backslash (\).
Example:
msg:"The text string goes here";
b. reference
reference is a keyword for pointing to information in another system on the Internet.
System      URL prefix
bugtraq     http://www.securityfocus.com/bid
cve         http://cve.mitre.org/cgi-bin/cvename.cgi?name=
nessus      http://cgi.nessus.org/plugins/dump.php3?id=
arachnids   http://www.whitehats.com/info/IDS (down)
mcafee      http://vil.nai.com/vil/content/v_
osvdb       http://osvdb.org/show/osvdb
url         http://
Figure 4.2: Reference systems.
Structure:
reference:<id system>,<id>; [reference:<id system>,<id>;]
Example:
alert tcp any any -> any 7070 (msg:"IDS411/dos-realaudio"; flags:AP; content:"|fff4 fffd 06|"; reference:arachnids,IDS411;)
alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; reference:arachnids,IDS287; reference:bugtraq,1387; reference:cve,CAN-2000-1574;)
c. sid
The sid keyword uniquely identifies a Snort rule. It lets output plug-ins identify rules easily, and should be used together with the rev keyword.
<100 reserved for future use.
100-999,999 rules included with the Snort distribution.
...
f. priority
Assigns a severity level to a rule. The classtype keyword assigns a default priority for each class of attack, but the priority keyword overrides it.
Structure:
priority:<priority integer>;
Example:
alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; content:"/cgi-bin/phf"; priority:10;)
4.2.2. Payload
a. content
The content keyword lets the user set up rules that search for specific strings in the packet payload and trigger alerts based on that data ...
b. nocase
Used together with content to search for content without regard to upper or lower case.
c. rawbytes
The rawbytes keyword lets a rule look at the raw packet data, before decoding.
Example:
alert tcp any any -> any 21 (msg:"Telnet NOP"; content:"|FF F1|"; rawbytes;)
d. depth
The depth keyword specifies how far into the payload the rule searches. Minimum 1, maximum 65535. Used with content to limit the search, and combined with offset it defines a range of data to compare against the content pattern.
e. offset
The offset keyword specifies where in the packet to start searching for the pattern. It accepts values from -65535 to 65535. It is used with content to limit the search space.
Example:
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)
f. distance
The distance keyword says how many bytes to skip, counted from the end of the previous content match, before searching for the next pattern.
Example:
content:"GET"; depth:3; content:"downloads"; distance:10;
This rule means: after finding the string GET in the first 3 bytes of the payload, move 10 bytes past the end of GET and only then search for downloads.
g. within
The within keyword ensures that at most N bytes lie between two content matches. It is similar to depth, but instead of counting from the start of the packet it counts from the previous pattern.
Example:
content:"GET"; depth:3; content:"download"; distance:10; within:9;
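The interplay of these modifiers is easy to get wrong, so here is an added example (not code from the thesis or from Snort) that implements the content search with offset, depth, distance, within and nocase as described above, and runs the two rules from this section over constructed payloads. It models the semantics given in the text; Snort's own matcher has further modifiers (http_uri and the like) that are not covered.

```python
"""Added example, not part of the thesis: a matcher for the content keyword
with the offset, depth, distance, within and nocase modifiers as described in
this section. offset/depth are measured from the start of the payload;
distance/within from the end of the previous content match. The rules and
payloads below are constructed for illustration."""


def match_contents(payload, contents):
    """Apply a list of content checks in order.

    contents: dicts with 'pattern' (bytes) and any of offset, depth, distance,
              within (ints) and nocase (bool).
    Returns a list of (start, end) spans, one per content, or None if any
    content fails to match."""
    cursor = 0          # end of the previous match
    spans = []
    for c in contents:
        pattern = c["pattern"]
        hay = payload
        if c.get("nocase"):
            hay, pattern = payload.lower(), pattern.lower()
        if "distance" in c or "within" in c:
            # Relative modifiers: the window starts after the previous match.
            start = cursor + c.get("distance", 0)
            end = start + c["within"] if "within" in c else len(hay)
        else:
            # Absolute modifiers: the window starts at offset from payload start.
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(hay)
        start = max(start, 0)
        # bytes.find(sub, start, end) only reports matches that lie wholly in
        # [start, end), which is exactly the depth/within containment rule.
        idx = hay.find(pattern, start, end)
        if idx < 0:
            return None
        spans.append((idx, idx + len(pattern)))
        cursor = idx + len(pattern)
    return spans


# The rule from the text: content:"GET"; depth:3; content:"download";
# distance:10; within:9;
GET_DOWNLOAD = [
    {"pattern": b"GET", "depth": 3},
    {"pattern": b"download", "distance": 10, "within": 9},
]

# The rule from the offset example: content:"HTTP"; offset:4; depth:40;
HTTP_AT_4 = [{"pattern": b"HTTP", "offset": 4, "depth": 40}]

if __name__ == "__main__":
    for payload in (b"GET /xyzw/v1/download/file HTTP/1.1",
                    b"GET /xyzw/v123/download/file HTTP/1.1"):
        print(payload, match_contents(payload, GET_DOWNLOAD))
```

With distance 10 and within 9, the 8-byte pattern "download" may begin at either of two positions after GET; one byte further and the rule does not fire. That is the kind of off-by-one to test for when a rule is derived from a single captured packet.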
...
i. pcre (http://www.pcre.org/)
PCRE stands for Perl Compatible Regular Expressions. Perl (Practical Extraction and Report Language) is a language designed for processing and manipulating strings.
Example:
alert tcp any any -> any 80 (content:"/foo.php?id="; pcre:"/\/foo\.php\?id=[0-9]{1,10}/iU";)
This rule performs a case-insensitive search of the HTTP URI for the string foo.php?id= followed by one to ten digits.
4.2.3. Non-Payload
a. ttl
The ttl keyword checks the time-to-live value in the IP header. It can be used to detect attempts to traceroute the network.
Structure:
ttl:[<, >, =, <=, >=]<number>;
ttl:[<number>]-[<number>];
Example:
ttl:<3;
b. tos
The tos keyword checks the ToS (type of service) field in the IP header.
Example:
tos:!4;
c. id
The id keyword checks for a specific value in the ID field of the IP header. Some tools (exploits, scanners) set particular values for their own purposes; for example the value 31337 is often used by attackers.
d. ipopts
The ipopts keyword checks the IP options field of the IP header. The options field is variable-length (up to 40 bytes) and the following values can be tested:
rr - Record Route
eol - End of List
nop - No Op
ts - Time Stamp
sec - IP Security
esec - IP Extended Security
lsrr - Loose Source Routing
lsrre - Loose Source Routing (variant)
ssrr - Strict Source Routing
satid - Stream Identifier
any - any IP option is set
Structure:
ipopts:<rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any>;
e. fragbits
This keyword checks the fragmentation and reserved bits in the 3-bit Flags field of the IP header. Two bits control fragmentation, D (Don't Fragment) and M (More Fragments), and one bit is R (Reserved). The following modifiers can be added to set the matching conditions ...
...
f. dsize
The dsize keyword tests the size of the packet payload.
Example:
dsize:300<>400;
g. flags
The flags keyword checks the bits in the TCP flags field of the TCP header. The bits are:
F - FIN (Finish)
S - SYN (Synchronize)
R - RST (Reset)
P - PSH (Push)
A - ACK (Acknowledgment)
U - URG (Urgent)
C - CWR (Congestion Window Reduced)
E - ECE (ECN-Echo)
Figure 4.4: TCP flags
...
Example:
alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"SYN-FIN packet detected";)
This rule alerts when the TCP flags field has both SYN and FIN set.
h. flow
The flow keyword applies a rule only to packets travelling in a particular direction. Its options are:
to_client, to_server, from_client, from_server, established, not_established, stateless, no_stream, only_stream, no_frag, only_frag.
Example:
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"cd incoming detected"; flow:from_client; content:"CWD incoming"; nocase;)
i. seq
The seq keyword checks the sequence number in the TCP header.
j. ack
The ack keyword checks the acknowledgment number in the TCP header.
k. window
The window keyword checks the window size in the TCP header.
l. itype
The itype keyword checks the value of the Type field in the ICMP header. The field is 8 bits long, so it holds the values 0-255.
Type    Name                                   Reference
0       Echo Reply                             [RFC792]
3       Destination Unreachable                [RFC792]
4       Source Quench                          [RFC792]
5       Redirect                               [RFC792]
6       Alternate Host Address                 [JBP]
7       Unassigned                             [JBP]
8       Echo                                   [RFC792]
9       Router Advertisement                   [RFC1256]
10      Router Selection                       [RFC1256]
11      Time Exceeded                          [RFC792]
12      Parameter Problem                      [RFC792]
13      Timestamp                              [RFC792]
14      Timestamp Reply                        [RFC792]
15      Information Request                    [RFC792]
16      Information Reply                      [RFC792]
17      Address Mask Request                   [RFC950]
18      Address Mask Reply                     [RFC950]
19      Reserved (for Security)                [Solo]
20-29   Reserved (for Robustness Experiment)   [ZSu]
30      Traceroute                             [RFC1393]
31      Datagram Conversion Error              [RFC1475]
32      Mobile Host Redirect                   [David Johnson]
37      Domain Name Request                    [RFC1788]
38      Domain Name Reply                      [RFC1788]
39      SKIP                                   [Markson]
40      Photuris                               [RFC2521]
n. icmp_id
The icmp_id keyword checks the ID value in the ICMP header.
o. icmp_seq
The icmp_seq keyword checks the sequence value in the ICMP header.
p. rpc
The rpc keyword detects RPC-based requests. It takes three arguments: the application number, the procedure number and the version number.
q. ip_proto
The ip_proto keyword checks the protocol field in the IP header. The list of protocol names and numbers can be found in /etc/protocols or in RFC 1700.
Example:
alert ip any any -> any any (ip_proto:igmp;)
r. sameip
The sameip keyword checks whether the source and destination addresses are the same.
4.2.4. Post-detection
a. logto
The logto keyword logs the matching packets to a specific file. This is very useful when combining the data with other tools such as Wireshark for analysis.
Example:
alert icmp any any -> any any (logto:"logto_log"; ttl:100;)
b. session
The session keyword extracts user data from a TCP session. It takes one of three arguments: printable prints only the data the user would normally see or type; binary prints the data in binary form; all replaces every non-printable character with its hexadecimal value.
Example:
log tcp any any <> any 23 (session:printable;)
c. resp
The resp keyword is an important one: it lets Snort actively respond in order to kill the offending session. It works in both inline and passive mode.
d. react
The react keyword generates a response, such as sending a web page or other content to the client, and then closes the connection. It works in both inline and passive mode.
e. tag
The tag keyword lets a rule log more than one packet once the rule fires. When a rule is triggered, the traffic related to the source and destination addresses is tagged; tagged traffic is logged, which helps in analysing and responding to attacks.
Example:
alert tcp any any -> any 23 (flags:S,CE; tag:session,10,seconds;)
f. detection_filter
Structure:
detection_filter: track <by_src|by_dst>, count <c>, seconds <s>;
Options:
track by_src|by_dst - track by source address or by destination address.
count c - number of matches of the rule, within s seconds, required before the rule fires.
seconds s - length of the time window in seconds.
With count 10 and seconds 60, the filter means: the 10th violation within a 60-second window generates an alert; fewer than 10 violations in 60 seconds generate no alert at all. Such a rule is very effective when an attacker is trying to brute-force a login to the system.
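The counting behind detection_filter is a per-address sliding window. The following is an added example, not code from the thesis or from Snort: it implements that window for track by_src/by_dst and runs it over constructed login-failure events (a fast brute-forcer, a user who mistypes, and a slow attacker who stays under the threshold).

```python
"""Added example, not part of the thesis: the per-address sliding-window
count that detection_filter performs, run over constructed login-failure
events. track by_src keys the counter on the source address; the filter
passes on the count-th event and on every later event that still has
count-1 predecessors inside the seconds window."""

from collections import defaultdict, deque


class DetectionFilter:
    def __init__(self, track, count, seconds):
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        self.track, self.count, self.seconds = track, count, seconds
        self.windows = defaultdict(deque)   # key -> timestamps in window

    def event(self, src, dst, ts):
        """Record one rule match at time ts; return True if it should alert."""
        key = src if self.track == "by_src" else dst
        win = self.windows[key]
        win.append(ts)
        # Forget matches that have aged out of the window.
        while ts - win[0] >= self.seconds:
            win.popleft()
        return len(win) >= self.count


# Constructed events (src, dst, seconds): one brute-forcer at 1 attempt/s,
# a user who mistypes three times, and a slow attacker at 1 attempt per 7 s.
EVENTS = sorted(
    [("1.2.3.4", "10.0.0.100", t) for t in range(12)]
    + [("10.0.0.7", "10.0.0.100", t) for t in (2, 30, 55)]
    + [("5.6.7.8", "10.0.0.100", 7 * i) for i in range(10)],
    key=lambda e: e[2],
)


def alerts_for(events, track="by_src", count=10, seconds=60):
    """Return the (src, ts) pairs for which the filter lets the alert through."""
    flt = DetectionFilter(track, count, seconds)
    return [(src, ts) for src, dst, ts in events if flt.event(src, dst, ts)]


if __name__ == "__main__":
    print(alerts_for(EVENTS))
```

The slow attacker's 10th attempt lands at 63 seconds, just after the first one has aged out of a 60-second window, so no alert is raised; widening the window to 70 seconds catches it. A threshold like this trades a fixed amount of tolerated noise for resistance to low-and-slow guessing, and the window should be chosen with that trade-off in mind.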
CHAPTER 5
ANALYSIS OF SOME SNORT RULES
...
... report.html?resource=bf25f7588c58cd4b7cc5ac04ebfd00c5; classtype:trojan-activity; sid:23938; rev:3;
... Name-"; distance:0; ...
After the content ...
...
... 7,5-8,5-9,5-10,5-11,5-12,5-13,5-14"; http_header; fast_pattern:only; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013472; rev:2;)
...
... us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2; fwsam:src;
6.1 System diagram
[Figure: system diagram. Labels recovered from the image: Card 2 (eth1), IP: 1.2.3.4/24, Gateway: 1.2.3.5; Snort/SnortSam, IP: 1.2.3.5/24; Web Server, IP: 10.0.0.100/24; IP: 10.0.0.1/24]
barnyard2-1.9
Database: MySQL: mysql, mysql-server, mysql-devel
Administration support packages: httpd, php and php-devel, php-cli, php-pear, php-gd, php-mysql
Administration tools: base-1.4.5, adodb517, php-image-graph and php-image-canvas
6.2.1. Installing the required packages and Snort
Create a directory for the installation:
# cd /usr/src
# mkdir snorttemp
# cd snorttemp
Download all the packages:
# wget http://www.snort.org/dl/snort-current/snort-2.9.3.1.tar.gz
# wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz
# wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<oinkcode> -O snortrules-2931.tar.gz
# wget http://www.snort.org/dl/snort-current/daq-1.1.1.tar.gz
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz
Extract the packages:
# ls
# tar -xzvf daq-1.1.1.tar.gz
# tar -xzvf libdnet-1.12.tgz
# tar -xzvf libpcap-1.3.0.tar.gz
# tar -xzvf snort-2.9.3.1.tar.gz
# tar -xzvf snortrules-2931.tar.gz
# tar -xzvf barnyard2-1.9.tar.gz
Install libdnet:
# cd libdnet-1.12
Install daq:
# cd daq-1.1.1
# ./configure && make && make install
Install Snort from source:
# cd snort-2.9.3.1
# ./configure --enable-zlib --enable-sourcefire && make && make install
# groupadd snort
# useradd -g snort snort -s /sbin/nologin
Create the directories:
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/preproc_rules
# mkdir /etc/snort/so_rules
# mkdir /usr/local/lib/snort_dynamicrules
# mkdir /var/log/snort
# chown -R snort:snort /var/log/snort
# cp ../so_rules/precompiled/RHEL-6-0/x86_64/2.9.3.1/* /usr/local/lib/snort_dynamicrules
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
mysql> create database snort;                                   # Create the database that stores Snort's log records.
mysql> CREATE USER snort@localhost;                             # Create a new user for Snort.
mysql> SET PASSWORD for snort@localhost=PASSWORD('snortpass');  # Set the password for the Snort user.
mysql> GRANT INSERT, SELECT on snort.* to snort@localhost;      # Give the Snort user insert and select rights on the snort database only.
... the etc directory of the downloaded rule package.
The next step is to edit the Barnyard2 configuration file so that the program can write its data to MySQL. Note that the Barnyard2 configuration file consists of three main parts: the variable declarations, the input configuration and the output configuration.
# vi /etc/snort/barnyard2.conf
6.2.5. Installing BASE
The configuration is essentially complete at this point; however, to make log analysis and alert monitoring more convenient, we also install BASE. BASE is a web-based plug-in, so we need to install and configure a web server with PHP support.
Install BASE:
# wget http://downloads.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz
# wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-517-for-php5/adodb517.tgz
# tar -xzvf base-1.4.5.tar.gz
# tar -xzvf adodb517.tgz
# cp -r adodb5 /var/www
# cp -r base-1.4.5 /var/www/html/base
# cd /var/www/html/base
# cp base_conf.php.dist base_conf.php
# vi base_conf.php
...
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb5/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "3306";
$alert_user = "snort";
$alert_password = "snortpass";
...
6.2.6. Installing SnortSam
Download the libtool source and install it: http://ftpmirror.gnu.org/libtool/libtool-2.4.2.tar.gz
# tar xzvf libtool-2.4.2.tar.gz
# cd libtool-2.4.2
# ./configure --prefix=/usr
# make && make install
Download the SnortSam source from
http://www.snortsam.net/files/snortsam/snortsam-src-2.70.tar.gz
# tar xzvf snortsam-src-2.70.tar.gz
# chmod +x makesnortsam.sh
# ./makesnortsam.sh
When Snort detects these kinds of scan, it sends an alert to the SnortSam agent on the firewall and asks the firewall to block these addresses for 1 minute.
The attacker exploits a vulnerability in Apache 2.0 (versions below 2.0.65) and 2.2 (versions below 2.2.20) to mount a denial-of-service attack that consumes large amounts of system resources and hangs the system.
With the rule above, once the alert from Snort is received, iptables blocks the source address for 1 minute.
6.3.3 Ping of Death
The attacker sends large ICMP packets to the server in order to saturate the link and prevent the server from providing its service. The Snort rule checks the size of the incoming ICMP packets:
alert icmp any any -> $HOME_NET any (msg:"Large ICMP Packet"; dsize: >200; sid: 1000004; fwsam:src, 1 minutes;)
6.3.4 MS12-020
The attacker exploits this vulnerability through the Terminal Services service (port 3389) and causes the system to shut down abruptly.
alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; \
    flow:to_server,established; content:"|03 00|"; depth:2; \
    content:"|7f 65 82 01 94|"; distance:24; within:5; \
    content:"|30 19|"; distance:9; within:2; \
    byte_test:1,<,6,3,relative; \
    reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; \
    reference:cve,2012-0002; classtype:attempted-admin; \
    sid:2014383; rev:2; fwsam:src, 1 minutes;)
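Added example (the editor's illustration, not code from the thesis, from Snort or from Emerging Threats): a small Python parser for the rule text format used in sections 6.3.3 and 6.3.4. It separates the rule header from the option list, keeps repeated options such as content and reference in order, and evaluates a dsize specification the way the Ping of Death rule does. The two rule strings are the thesis's own rules joined onto one line; the function names and the evaluator's supported dsize forms (>, < and an exact size) are this example's assumptions.

```python
# Added example: parse the Snort rule text format shown in sections 6.3.3 and
# 6.3.4 and evaluate a dsize option.  Rule strings are the thesis's own rules
# joined onto one line; helper names are this example's.
import re

RULE_ICMP = ('alert icmp any any -> $HOME_NET any (msg:"Large ICMP Packet"; '
             'dsize: >200; sid: 1000004; fwsam:src, 1 minutes;)')
RULE_RDP = ('alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP '
            'Server targetParams Exploit Attempt"; flow:to_server,established; '
            'content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; '
            'within:5; content:"|30 19|"; distance:9; within:2; '
            'byte_test:1,<,6,3,relative; '
            'reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; '
            'reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; '
            'rev:2; fwsam:src, 1 minutes;)')

# Header: action proto src sport direction dst dport, then "(" options ")".
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$',
    re.S)


def split_options(body):
    """Split the option body on ';' while respecting double-quoted strings and
    backslash escapes, so a ';' inside msg:"..." is not treated as a separator."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == ';' and not quoted:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(text):
    """Return a dict with the header fields and an ordered list of (keyword, value)
    option pairs; quotes around string values are removed."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:40])
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    options = []
    for opt in split_options(m.group('body')):
        key, _, value = opt.partition(':')
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.append((key.strip(), value))
    rule['options'] = options
    return rule


def option(rule, key):
    """All values of a (possibly repeated) option keyword, e.g. every 'content'."""
    return [v for k, v in rule['options'] if k == key]


def dsize_matches(spec, length):
    """Evaluate a dsize value such as '>200', '<64' or '128' against a payload length."""
    spec = spec.replace(' ', '')
    if spec.startswith('>'):
        return length > int(spec[1:])
    if spec.startswith('<'):
        return length < int(spec[1:])
    return length == int(spec)


if __name__ == "__main__":
    for text in (RULE_ICMP, RULE_RDP):
        r = parse_rule(text)
        print("sid %s: %s %s -> %s:%s, %d content matches, fwsam=%s" % (
            option(r, 'sid')[0], r['action'], r['proto'], r['dst'], r['dport'],
            len(option(r, 'content')), option(r, 'fwsam')))
    print("1400-byte ICMP payload matches dsize:>200 ->", dsize_matches('>200', 1400))
```

Parsing the rules this way is a practical check before deploying them: it confirms that msg strings are quoted (the Ping of Death rule only parses once the quotes are present), that every rule carries a sid, and that the fwsam option SnortSam will act on is actually present with the intended block duration.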
RESULTS ACHIEVED
If the system administrator is skilled, the system does not need to pay an additional $29.99 per year for a personal user, or $399.00-499.00 per year for a business, to purchase additional rule sets.
Low cost for a good system with the full functionality of an intrusion detection system.
Combined with other open-source systems such as netfilter/iptables, a monitoring system such as Nagios, and mod_security for web applications, one can build a good system that is able to block attacks, analyse and monitor traffic, and improve the performance of services at extremely low cost.
Limitations:
A few limitations remain in this project:
The iptables rules have not been fully configured.
Attacks within the internal network, for example ARP spoofing or packet sniffing on the LAN, have not been demonstrated.
CONCLUSION
Conclusion
The project achieved a number of objectives, such as understanding how an IDS works and how it detects intrusions, and how an intrusion detection system should be placed within a network.
Studying and understanding the architecture and the packet-processing flow of Snort as well as SnortSam. Clearly understanding the structure of a Snort rule set, how to write a rule for specific requirements, and how to analyse data in order to write rules.
Successfully installing and configuring the system and demonstrating simple forms of intrusion.
The author ran into some difficulty deploying the model on virtual machines; the complexity of the network model is hard to reproduce on a virtualised system.
The author had difficulty demonstrating the newer attack types in use today; the demonstrated attacks remain simple, since the aim is only to show Snort's response.
The latest version of Snort does not yet have a matching SnortSam patch.
The author wanted to concentrate on building rules that correspond to the various forms of attack rather than on installation, configuration and deployment. In the author's experience, the hardest part of building a Snort/SnortSam system is not the installation, the configuration or the demonstration; the hardest part lies with the administrator. No matter how good a Snort/SnortSam system is, if the administrator lacks the skills to analyse logs and the state of the system, and does not thoroughly understand the structure of a rule, then no rule set can be produced for the business environment in which it is deployed.
The final conclusion is that whether an intrusion detection system is built well or not depends on the system administrator. Snort/SnortSam is only a tool, and the security of the system cannot be left entirely to these systems.
Recommendations
APPENDIX