
Ho Chi Minh City University of Technology and Education
Faculty for High-Quality Training

Socialist Republic of Vietnam
Independence - Freedom - Happiness

Ho Chi Minh City, day ..... month ..... 2013

GRADUATION PROJECT ASSIGNMENT

Student name: ................................. Student ID: ......................
Major: ........................................ Class: .........................
Supervisor: ...................................................................
Date assigned: ........................ Submission date: ........................
1. Project title:
...............................................................................
2. Initial data and documents:
...............................................................................
3. Content of the written report and calculations:
...............................................................................
4. Deliverables:
...............................................................................

Head of Department                              Supervisor

SUPERVISOR'S COMMENTS

...............................................................................

Supervisor

REVIEWER'S COMMENTS

...............................................................................

Reviewer

ACKNOWLEDGEMENTS

After many months of study, research and installation, the project "Studying and building an intrusion detection and prevention system using Snort/SnortSam" has been essentially completed. While carrying out the project I received a great deal of help from friends, seniors and teachers.
I sincerely thank my family and friends for their help, encouragement and moral support in completing this project.
I also sincerely thank the teachers at Ho Chi Minh City University of Technology and Education and the Faculty for High-Quality Training for giving me the opportunity to study and do research. In particular I sincerely thank Mr. Nguyễn Đăng Quang, who was always enthusiastic in reminding and urging me to work hard, who guided me and sent me many reports that I could consult to complete the project, and who gave feedback on both content and presentation so that I could complete this report as well as possible.
Although I tried hard to complete the project as well as possible, it will certainly still have shortcomings. I always look forward to receiving comments and discussion on these matters.

Student

Nguyễn Văn Quang

SUMMARY

Building an intrusion detection and prevention system is one way to raise the security of a system. An intrusion detection system is not meant to replace the firewall; it supplements it and gathers as much information as possible for the process of blocking attacks.
Beyond the concepts and detection techniques of an intrusion detection system, this thesis studies a network-based intrusion detection system, Snort, and the SnortSam module, combined with iptables in order to block attacks.
The main objective of the thesis is a thorough understanding of the structure of Snort rule sets, and to develop a habit of analysing the system rather than merely deploying it, so that rule sets can be built for the specific situations of each system.
The main content of the thesis is divided into three parts:
Part 1: the main concepts of intrusion detection systems, models and detection techniques.
Part 2: technical detail on the Snort/SnortSam network intrusion detection system: the architecture of Snort and the structure of Snort rules.
Part 3: analysis of several kinds of attack and of the corresponding rules, and a demonstration of the system.
Keywords: intrusion detection, intrusion detection system, anomaly-based detection, signature-based detection, Snort, SnortSam, SYN Flood, Apache Killer

ABSTRACT

To enhance the security of a system, we implement an intrusion detection system and an intrusion prevention system for it. Deploying an IDS/IPS does not replace the firewall; it supplements it and collects a great deal of information for preventing attacks.
This graduation thesis researches the definitions and the detection technologies of intrusion detection systems (IDS). It also researches Snort and SnortSam with iptables for preventing attacks.
The main objective of the thesis is for a system administrator to gain knowledge of rule syntax and system analysis, and to build Snort rules for his own system.
The thesis consists of three main parts:
Part 1: Intrusion detection, network diagram, intrusion detection technology.
Part 2: Snort/SnortSam, Snort architecture, Snort rule syntax.
Part 3: Analysis of a few attacks, analysis of a few rules for those attacks, and a demonstration.
Keywords: intrusion detection, intrusion detection system, anomaly-based intrusion detection, misuse/signature-based intrusion detection, Snort, SnortSam, SYN Flood, Apache Killer.

TABLE OF CONTENTS

LIST OF FIGURES ... 7
LIST OF ABBREVIATIONS ... 9
PART I: PROBLEM STATEMENT ... 10
PART II: SOLVING THE PROBLEM ... 3
CHAPTER 1: INTRUSION DETECTION SYSTEMS (IDS) ... 5
1.1. Introduction ... 5
1.2. What is an intrusion detection system? ... 5
1.2.1. Network-based IDS ... 7
1.2.2. Host-based IDS ... 8
1.3. Intrusion detection techniques ... 10
1.3.1. Anomaly Based Intrusion Detection ... 10
1.3.2. Misuse/Signature Based Intrusion Detection ... 12
1.4. Placing the IDS in the network ... 13
CHAPTER 2: INTRODUCTION TO SNORT/SNORTSAM ... 15
2.1. What is Snort? ... 15
2.2. Deploying a Snort system ... 15
2.2.1. Hardware requirements ... 16
2.2.2. Operating system and other software packages ... 17
2.3. Characteristics of Snort ... 17
2.3.1. Packet Sniffer (Decoder) ... 19
2.3.2. Preprocessors ... 20
2.3.3. Detection Engine ... 21
2.3.4. Alerting/logging component ... 23
2.4. Snort operating modes ... 24
2.4.1 Sniffer mode and logging mode ... 24
2.4.2 NIDS mode ... 25
2.5. Introduction to SnortSam ... 26
2.5.1. Snort Output Plug-in ... 27
2.5.2. Blocking Agent ... 28
CHAPTER 3: PREPROCESSORS AND OUTPUT PLUG-INS ... 30
3.1. Preprocessors ... 30
3.1.1. Frag3 ... 31
3.1.2. Stream5 ... 35
3.1.4. HTTP Inspect ... 39
3.2. Output ... 40
CHAPTER 4: RULES IN SNORT ... 42
4.1. Rule Header ... 43
4.1.1. Rule Action ... 43
4.1.2. Protocol ... 44
4.1.3. IP Address ... 44
4.1.4. Port ... 44
4.1.5. Direction ... 45
4.1.6. Activate/Dynamic rule ... 45
4.2. Rule Options ... 46
4.2.1. General ... 46
4.2.2. Payload ... 48
4.2.3. Non-Payload ... 51
4.2.3. Post-detection ... 57
CHAPTER 5: ANALYSIS OF SOME SNORT RULES ... 61
5.1. Examining scan rules ... 61
5.2 Win.Trojan.Ibabyfa.dldr ... 64
5.3. TCP-SYN Flood ... 65
5.4 Apache Killer (CVE-2011-3192) ... 67
CHAPTER 6: INSTALLING AND CONFIGURING SNORT ... 71
6.1 System diagram ... 71
6.2. Installing Snort and SnortSam ... 72
6.3. Testing attack types ... 83
RESULTS ACHIEVED ... 86
CONCLUSION ... 88
REFERENCES ... 91

LIST OF FIGURES

Figure 1.1: OSSEC deployed on servers. ... 9
Figure 1.2: Anomalous patterns. ... 10
Figure 1.3: State transition analysis. ... 12
Figure 1.4: Positions for placing an IDS in the network. ... 14
Figure 2.1: Snort architecture. ... 18
Figure 2.2: Packets entering the Sniffer. ... 19
Figure 2.3: Packet decoding. ... 20
Figure 2.4: Preprocessor processing. ... 21
Figure 2.5: Packets processed by the Detection Engine using rules. ... 22
Figure 2.6: Alerting and logging component. ... 24
Figure 3.1: The preprocessing process. ... 31
Figure 3.2: Operating system classification. ... 34
Figure 3.3: Meaning of the global configuration parameters. ... 36
Figure 3.4: Meaning of the TCP configuration parameters. ... 38
Figure 3.5: Meaning of the UDP configuration parameters. ... 38
Figure 3.6: Meaning of the ICMP configuration parameters. ... 38
Figure 3.7: Meaning of the IP configuration parameters. ... 38
Figure 4.1: Rule structure in Snort. ... 43
Figure 4.2: The reference table. ... 47
Figure 4.3: The ipopts table. ... 52
Figure 4.4: The flag table. ... 53
Figure 4.5: Type table of the ICMP Header. ... 55
Figure 4.6: Code values of the ICMP Header. ... 56
Figure 4.7: Parameters of the detection_filter keyword. ... 59
Figure 5.1: Three-way handshake. ... 66
Figure 5.2: SYN Flood. ... 66
Figure 5.3: Normal HTTP Request. ... 68
Figure 5.4: HTTP Request generated by Apache Killer. ... 68
Figure 6.1: Real-world deployment model with a DMZ. ... 71
Figure 6.2: Experimental model. ... 71
Figure 6.2: Table of machines in the network. ... 71
Figure 6.3: Processing model of Snort, MySQL, Base. ... 72

LIST OF ABBREVIATIONS

CNSS: Committee on National Security Systems
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
NIDS: Network-based IDS
HIDS: Host-based IDS
ICMP: Internet Control Message Protocol
IP: Internet Protocol
TCP: Transmission Control Protocol
UDP: User Datagram Protocol
DoS: Denial-of-Service
DDoS: Distributed Denial-of-Service
GNU/GPL: GNU General Public License
ACID: Analysis Console for Intrusion Databases
BASE: Basic Analysis and Security Engine
ISP: Internet Service Provider
FDDI: Fiber Distributed Data Interface
ACL: Access Control List
HTTP: Hypertext Transfer Protocol

PART I
PROBLEM STATEMENT

Urgency of the topic.

As society develops, the Internet has become an indispensable part of life for individuals, businesses, organisations, schools and governments. The Internet has been present in Vietnam for more than 15 years and has become a tool and a means for businesses to reach customers, deliver services and manage their organisation's data quickly and effectively.
Alongside this positive development, network attacks and intrusions by malicious actors have grown as well. Not only worldwide but also in Vietnam, information security has become a burning issue. The variety and complexity of attack types make prevention and defence difficult.
The more e-commerce in Vietnam grows, the more it becomes a target for attackers. E-commerce has become a target with more profit to be gained, which attracts attackers to invest more effort in breaking in and causing damage.
An intrusion detection and prevention system helps the administrator continuously monitor and collect a great deal of valuable information for the process of countering these forms of attack and intrusion.

Research objectives.
Study intrusion detection systems in general: the characteristics and architecture of an intrusion detection system, and in particular the intrusion detection techniques currently in use.
Study the Snort intrusion detection system: how to install, configure and deploy it in a network.
Analyse the indicators of various forms of attack and form rules that correspond to the characteristics of each type of attack and intrusion.
Study and deploy SnortSam as a Snort add-on to block targeted intrusions.

Research subject.
The subject of this project is intrusion detection systems in general, the Snort intrusion detection system, and SnortSam as a Snort add-on.
Study and formulate rule sets for specific types of attack and intrusion.

Research method.
Study the theory of intrusion detection through documents and reports.
Study the theory of Snort through documentation from the Snort home page, the user manual from Sourcefire, and other sources.
Study SnortSam through the documentation and user guide from the SnortSam home page.
Deploy the system on VirtualBox virtual machines, building a simple network that models a small real-world network, and deploy the services of the planned network model.
Study intrusion, attack and vulnerability-exploitation methods, the tools involved and how they are carried out.
Carry out attacks, intrusions and exploitation, then read the logs, analyse the captured packets, and turn them into rules for detection and prevention.

PART II
SOLVING THE PROBLEM

Content
The main content of this part covers: intrusion detection systems, Snort, SnortSam, and the structure and writing of Snort rules; installing and deploying Snort in a network; and a demonstration of attack and detection.
Chapter 1, Intrusion detection systems (IDS): an overview of intrusion detection systems, intrusion detection techniques, the classification of intrusion detection systems, and how to place an IDS in a network.
Chapter 2, Introduction to Snort/SnortSam.
Chapter 3, Preprocessors and Output Plug-ins: preprocessing in Snort and the output stage.
Chapter 4, Rules in Snort: the structure of a Snort rule.
Chapter 5, Analysis of some Snort rules: several types of attack and the rule sets that go with them.
Chapter 5, Installing and configuring Snort/SnortSam.
Chapter 6, Demonstration of intrusion detection and prevention based on Snort/SnortSam.

CHAPTER 1
INTRUSION DETECTION SYSTEMS (IDS)

1.1. Introduction

Intrusion detection is not a new technique. It has long been applied in many fields, not only in the information security of computer networks. The simplest example of intrusion detection is an alarm bell on a cabinet: the principle is straightforward; once the system is switched on, if anyone touches the cabinet the siren sounds to warn that someone is breaking in.
Like firewalls, intrusion detection systems are built to protect the resources of a network against unwanted attackers. So why is an IDS needed when a firewall is already in place? As seen in the project "Studying Firewalls and deploying one on ClearOS", a firewall in the network is like the walls people build, the guards they hire and the locks they buy in the physical world to keep burglars out. However, no matter how good the protection, there is no guarantee that we know every method a burglar could use. So in addition to the system that keeps intruders out (the firewall), alarm systems can also be deployed: alarm bells, surveillance cameras, warning systems and so on.
The same holds in a network: nobody can be sure that the hardware and the other protection mechanisms will stop every attack, or that every method an attacker might use is known. That is why an IDS is needed: to detect abnormal indicators, raise an alert when abnormal behaviour appears, and monitor activity entering and leaving the system so that it can be analysed and stopped in time (monitoring and logging).
1.2. What is an intrusion detection system?

According to the definition in CNSSI-4009 from the Committee on National Security Systems of the United States, an intrusion is the act of gaining unauthorised access by bypassing the security mechanisms of a system.
A computer intrusion is the deliberate act of accessing a computer without permission, or of finding a way past one's existing access rights in order to gain further access to other resources and collect information.
Intrusion detection is the process of monitoring the events occurring in a computer system or a network and then analysing them for signs of possible incidents. An incident may be an action that violates the system's security policies or security standards, or it may be a threat to the organisation's systems. Such incidents may be caused by malware such as viruses, worms, trojans and spyware, by deliberate intrusion from the Internet, or by exceeding normal access rights. There are also accidental causes, for example a user mistyping the address of a machine and trying to reach a system they are not allowed to use.
An intrusion detection system (IDS) can be a hardware device (such as Cisco's intrusion detection appliances, the Cisco IDSM-2 or the Cisco IPS 4200 Series Sensors) or a software application that monitors computers and networks for actions that threaten the system or violate the security policy and reports them to the system administrator. An intrusion detection system installed on a network is like a burglar alarm in a house.
Some intrusion detection systems also take on the role of blocking threats, but that may not be necessary and is not the main function of a monitoring system.
A basic intrusion detection system identifies threats, records information about them and then reports that information.
In short, the functions of an intrusion detection system are monitoring (network traffic), alerting (reporting the state of the network to the system and the administrator), and protection (taking action against an intrusion using default settings and the administrator's configuration).
By function, IDSs are classified into two types: network-based IDS and host-based IDS. Each type has its own approach to monitoring and protecting data, and each has its own advantages and disadvantages.
1.2.1. Network-based IDS
A network-based intrusion detection system operates as an independent device on the network. It is usually placed at network segments or at the junctions between different network zones, so that it can monitor traffic from many hosts in that zone. A NIDS can be a hardware device or software.
Structurally, a NIDS usually consists of a set of sensors placed at different points in the network. The sensors monitor network traffic, perform local analysis of it, and report back to a central management console.
Some NIDSs: Snort, Suricata, the NIDSs from Cisco and Juniper, and others.
Advantages of a NIDS:
- It covers an entire network segment (many hosts). The cost is low because a large network can be monitored with only a few devices (if the network is well designed).
- It is transparent to both users and attackers.
- Installation and maintenance are simple and do not affect the network.
Disadvantages of a NIDS:
- A NIDS may struggle to process every packet on a large network with high traffic volume, so it may fail to detect an attack while the network is overwhelmed (overloaded).
- It is limited by switches. On modern switched networks, switches are widely used to divide a large network into small segments for easier management, so a NIDS cannot collect information across the whole network: because it only inspects the segment it is directly connected to, it cannot detect an attack on another segment. As a result, an organisation has to buy a large number of sensors to cover its whole network, which raises the cost.
- A NIDS cannot analyse encrypted traffic (SSL, SSH and so on).
- Some NIDSs have difficulty with attacks that use fragmented packets.
- A NIDS cannot tell whether an attack succeeded or failed; it can only tell that an attack was launched. To know whether the attack succeeded, the administrator has to investigate the servers and determine whether they were compromised.
1.2.2. Host-based IDS
A host-based intrusion detection system runs on a single machine. A HIDS uses the host's resources to monitor access traffic and detect any attacks. In this way it can watch all activity on the host, such as the log files and the network traffic entering and leaving that host. It also monitors the operating system, the audit history and the server's error messages.
Not all attacks go through the network, so a NIDS cannot always detect an attack on a host. For example, an attacker with physical access can break into the host without generating any network traffic.
One advantage of a HIDS over a NIDS is that it can stop fragmentation attacks. For this reason a HIDS is usually installed on the organisation's critical servers, the servers in the DMZ (since they are the main targets of attack).
A HIDS also usually monitors what changes on the system, such as file-system attributes, the attributes (size, location, permissions) of files, and the creation or deletion of files.
Some HIDSs: Symantec ESM, OSSEC, Tripwire, and others.

Hnh 1.1: OSSEC c trin khai trn cc Server.


u im ca HIDS:
Pht hin cc cuc tn cng nn cc my ch m NIDS khng th pht

hin ra.
C th gim st cc lung traffic b m ha.
Khng b nh hng bi cc thit b chuyn mch (switch).

Nhc im ca HIDS:
Kh qun l hn do phi ci ln tt c cc host cn bo v nn vic cu

hnh, qun l, cp nht l mt khi lng ln cng vic cn thc hin.


NIDS khng th pht hin vic qut mng (network scan bng nmap) do

ch gim st trn host m n c ci t.


C th b v hiu ha bi tn cng t chi dch v (DoS).

Chim ti nguyn h thng: Do ci t trn my cn bo v nn n s s

dng ti nguyn ca h thng nh RAM, CPU, Hard Disk dn n c th


lm gim hiu sut ca vic gim st.
HIDS s cht khi h iu hnh ca host b cht.

1.3. Intrusion detection techniques

This section looks at the techniques an IDS uses to detect intrusions. Basically, two techniques are used to detect intrusions:
- Anomaly detection (Anomaly Based ID).
- Misuse/signature detection (Misuse/Signature Based ID).
1.3.1. Anomaly Based Intrusion Detection
First, an anomaly is understood as a deviation or distinctness from the patterns already present in the data, or something that does not fit the normal concepts and behaviour of the system. The figure below is an example of the anomalousness of O1, O2 and O3, in both behaviour and structure, compared with N1 and N2.

Figure 1.2: Anomalous patterns.

Anomaly-based detection is designed to detect patterns of behaviour that differ widely from normal behaviour, and then to label those behaviours as possible intrusions.
Advantages:
- An IDS built on anomaly detection can detect abnormal behaviour, and so it can detect the symptoms of attacks without knowing the specific details of that type of attack. Simply put, it can detect attacks that have never been seen before.
- Anomaly detection can be used to provide information from which signatures can be built for use by a misuse detector.
Disadvantages:
- The anomaly approach usually generates a large number of false alarms, because the behaviour of users and of the network cannot be predicted.
- The anomaly approach requires regular training on the system's records in order to learn what normal behaviour is.
Anomaly-based intrusion detection is very effective at detecting attacks such as:
- Abuse of protocols and service ports.
- Denial of service.
- Buffer overflow.

The measures and techniques used in anomaly detection include:
- Protocol anomaly detection. A protocol anomaly is a violation of the formats, standards and behaviours laid down in the Internet standards. Example: the maximum size of an ICMP packet is 65,535 bytes; an attacker deliberately sends a packet larger than the standard size in order to cause a buffer overflow.
- Intrusion detection based on self-learning: this process has two phases. In phase 1, after the system is set up, it is left to run freely and builds a profile of network activity in its normal state. After this initialisation period the system enters its working phase, in which it monitors and detects abnormal activity by comparing the current state with the profile that was created.
- Statistical anomaly-based intrusion detection. This technique emphasises measuring and counting normal activity on the network, for example logging in more than the permitted number of times, an excessive number of processes running on the CPU, an excessive number of packets being sent...
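The two-phase self-learning process and the statistical counting just described, as an added example that is not part of the thesis: a learning phase builds a profile of failed logins per minute from constructed log lines, and a detection phase flags a later window that deviates from that profile. The log format, the hosts and the limits (z-score 3, hard limit 10) are all assumptions.

```python
"""Statistical anomaly detection with a learning phase and a detection phase.

Added example, not taken from the thesis. The log format, hosts and
thresholds are all constructed for illustration.
"""
import statistics
from collections import Counter, defaultdict

WINDOW = 60  # seconds per counting bucket (one minute)

# Constructed training log: ten minutes of "normal" activity.
# Line format: "<unix-second> <source-ip> <event>"
TRAINING_LOG = """\
5 10.0.0.5 login_fail
65 10.0.0.7 login_fail
130 10.0.0.5 login_ok
185 10.0.0.5 login_fail
190 10.0.0.9 login_fail
250 10.0.0.7 login_fail
310 10.0.0.5 login_ok
370 10.0.0.9 login_fail
430 10.0.0.5 login_fail
490 10.0.0.7 login_ok
550 10.0.0.5 login_fail
"""

# Constructed detection log: two minutes, the first one containing a burst
# of failed logins from a single source.
DETECTION_LOG = "\n".join(f"{600 + i} 203.0.113.9 login_fail" for i in range(12))
DETECTION_LOG += "\n620 10.0.0.5 login_ok\n665 10.0.0.7 login_fail\n700 10.0.0.5 login_fail\n"


def parse_log(text):
    """Turn the constructed log text into (timestamp, source, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, event = line.split()
        events.append((int(ts), src, event))
    return events


def counts_per_window(events, event_name, start, end):
    """Count `event_name` per WINDOW-second bucket in [start, end), and who caused them."""
    buckets = [0] * ((end - start) // WINDOW)
    sources = defaultdict(Counter)
    for ts, src, event in events:
        if event != event_name or not (start <= ts < end):
            continue
        idx = (ts - start) // WINDOW
        buckets[idx] += 1
        sources[idx][src] += 1
    return buckets, sources


def learn_profile(events, start, end):
    """Phase 1: let the system run and record what 'normal' looks like."""
    buckets, _ = counts_per_window(events, "login_fail", start, end)
    return {"mean": statistics.mean(buckets), "stdev": statistics.pstdev(buckets)}


def detect(events, profile, start, end, z_limit=3.0, hard_limit=10):
    """Phase 2: flag windows whose failed-login count deviates from the profile.

    Two tests are combined: a statistical one (z-score above z_limit) and a
    fixed policy limit (more failed logins than hard_limit), which is the
    'more logins than permitted' case the text mentions.
    """
    buckets, sources = counts_per_window(events, "login_fail", start, end)
    alerts = []
    for idx, count in enumerate(buckets):
        if profile["stdev"] > 0:
            z = (count - profile["mean"]) / profile["stdev"]
        else:  # a perfectly flat profile: any increase counts as a deviation
            z = float("inf") if count > profile["mean"] else 0.0
        if z > z_limit or count > hard_limit:
            top_source = sources[idx].most_common(1)[0][0]
            alerts.append({"window_start": start + idx * WINDOW, "count": count,
                           "z": round(z, 2), "top_source": top_source})
    return alerts


def run_example():
    """Train on the first ten minutes, then check the next two."""
    profile = learn_profile(parse_log(TRAINING_LOG), 0, 600)
    alerts = detect(parse_log(DETECTION_LOG), profile, 600, 720)
    return profile, alerts


if __name__ == "__main__":
    prof, found = run_example()
    print("profile:", prof)
    for a in found:
        print("ALERT", a)
```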
1.3.2. Misuse/Signature Based Intrusion Detection
This method works by comparing the signatures of the objects being observed with the signatures of known intrusion types. Two techniques are used in signature-based intrusion detection:
- Expression matching.
- State transition analysis.

Figure 1.3: State transition analysis.

Advantages:
- Few false alarms, and particularly effective against known intrusion types.
- Fast and reliable in identifying the attack tool and technique, so the system administrator can quickly take timely countermeasures.
Disadvantages:
- To remain effective at detecting intrusions, this method must be updated regularly with the signatures of new intrusion types.
- If the signatures used for detection are not designed carefully, variants of an attack may not be detected.


1.4. Placing an IDS in the network
The question to consider when using an IDS is where to place it in the network so that its sensors can see all the traffic moving on the network.
To decide where the sensors should go, answer a few questions such as:
- What resources need to be protected?
- How is the network designed: is the topology a bus, a ring, a star or a combination?
- Should the sensor be placed in front of the firewall (pre-filtered) or behind the firewall (unfiltered)?
- What equipment does the network use: hubs or switches?
- How do the routers route traffic in the network?
In short, sensors should be placed where they can see as much traffic as possible, typically at the points where segments connect to each other.
Note that the IDSs in the model below are attached to hubs so that no network traffic is missed. However, they could also be attached to a monitoring port on a switch (SPAN port, port monitoring): when data passes through the switch, the switch sends a copy to the IDS.

Figure 1.4: IDS placement positions in the network.


CHAPTER 2
INTRODUCTION TO SNORT/SNORTSAM

2.1. What is Snort?
Snort is an open-source network-based intrusion prevention and detection system (IPS/IDS) developed by Sourcefire. Combining signature, protocol and anomaly inspection, Snort is deployed widely around the world. With millions of downloads and more than 400,000 registered users, Snort has become the de facto standard for intrusion prevention and detection systems.
Snort's main functions are packet sniffing, packet logging and network-based intrusion detection.
Why has Snort become so popular?
- Easy to configure: how Snort works, where the configuration file is and how the rules work are all known to the administrator, who can configure them as desired, including writing new rules.
- Snort is open-source software: it is released under the GNU/GPL licence, which means anyone can use Snort free of charge, whether a business or an individual user. Also, because it is open source, Snort has a large user community ready to help with any question.
- Runs on many platforms: Snort runs not only on open-source operating systems such as GNU/Linux but also on commercial platforms such as Microsoft Windows, Solaris, HP-UX...
- Snort is updated regularly: Snort's rules are regularly supplemented and updated for new intrusion types. Users can easily download them from http://www.snort.org.
2.2. Deploying a Snort system

2.2.1. Hardware requirements

It is hard to give a single hardware requirement for installing Snort, because it depends on many different factors. Two factors to consider when choosing hardware for a Snort system are the traffic volume on the network and the processing and storage requirements of the Snort system. The hardware requirements for a large enterprise such as an ISP are very different from those of a small home network.
To determine the hardware for a Snort installation, answer a few questions:
- Is the network a small home, small business, large enterprise or ISP network?
- What is the normal traffic volume on the network?
- Roughly how much traffic flows between the internal network and the external Internet, and vice versa?
- Where will Snort's alerts be stored?
- How long will these alerts be kept?
- Should the packets related to these alerts be stored as well?
Although Snort has no special hardware requirements, powerful hardware does bring some advantages. Because Snort is a network-based intrusion detection system, a hard disk with large capacity and a high rotational speed will make the Snort system run more smoothly. For example, for an enterprise network the /var partition could be given 100 GB. If the requirements are high, RAID storage can be used.
You will need a fast network interface card (NIC) so that sniffing packets is easier. For example, if the network speed is below 100Mb/s, use a 100Mb/s card. If the NIC is too slow, Snort may miss some packets, and the collected information will then be inaccurate. In addition, there should be a second NIC for the administrator's connection over SSH or through the web interface, to avoid sharing the NIC that sniffs packets.

If the network is large and there are many sensors, consider increasing the system's RAM so that it does not lag when processing the large amount of information sent back.
2.2.2. Operating system and other software packages
Snort can run on many operating systems. It runs on x86 platforms such as GNU/Linux, FreeBSD, OpenBSD, NetBSD and Windows. It also supports the Sparc architecture with operating systems such as Solaris, MacOS-X, HP-UX...
Besides the operating system, if you intend to compile Snort from source code, make sure the following software is installed on the system:
- autoconf and automake.
- gcc.
- lex and yacc, or GNU flex and bison.
- libpcap.
Most of this software can be downloaded from http://www.gnu.org/ and libpcap from http://www.tcpdump.org
If you also intend to install Snort add-ons or management tools, for example the popular Analysis Console for Intrusion Detection (ACID) web interface, you need to install Apache Web Server (SSL should be used for security), PHP, and, for a database to store the alerts, MySQL or PostgreSQL.
Some popular add-ons:
- ACID.
- Oinkmaster.
- SnortSnarf.
- SnortReport.
- Snorby.
If the system is administered remotely over SSH, SSH must be configured.
2.3. Characteristics of Snort

In NIDS mode, after packets come in and pass through the packet sniffer, the data is passed through any preprocessors configured in snort.conf. The data then goes on to the detection engine, which checks whether it matches the rules in snort.conf. Matching packets are sent to the alert and logging component, pass through whichever output plug-in has been chosen, and are then logged or alerted on according to the configuration.
Snort's architecture has 4 basic parts:
- The Sniffer (Packet Decoder).
- The Preprocessors.
- The Detection Engine.
- The Output.
The figure below gives an easy-to-understand view of Snort's architecture and processing flow. Think of it as a coin sorting machine.

Figure 2.1: Snort architecture.

- Coins are fed in (packets come in from the main network wire).
- The coins pass through a sieve that determines whether each one really is a coin and whether to pass it on (preprocessors).
- Next the coins are sorted by type, for example by the value of the coin (detection engine).
- Finally it is the administrator's job to decide what to do with them (log them and store them in a database).

Preprocessors, the detection engine and the alert system are all plug-ins. This makes it easy to modify the system the way the administrator wants.
2.3.1. Packet Sniffer (Decoder)
A packet sniffer is a hardware or software device placed in the network. Its function is similar to tapping a mobile phone, but instead of working on the phone network it eavesdrops on the data network. Because the network model has many high-level protocols such as TCP, UDP, ICMP..., the packet sniffer's job is to decode those protocols into information that humans can read and understand. A packet sniffer can be used for purposes such as:
- Network analysis and troubleshooting.
- Network performance measurement and benchmarking.
- Eavesdropping on clear-text passwords and other data.
Encrypting network traffic can prevent packets from being sniffed. Depending on the intent, a packet sniffer can be used for good or bad purposes.

Figure 2.2: Packets entering the sniffer.

When Snort receives packets from the sniffer, they enter the decoding process. Exactly where a packet enters the decoder depends on the link layer it was captured from. Snort supports several link layers from pcap: Ethernet, 802.11, Token Ring, FDDI, Cisco HDLC, SLIP, PPP and OpenBSD's PF. Above the link layer, Snort supports decoding various protocols, including IP, ICMP, TCP and UDP (details in the source file src/decode.c).

Whatever link layer is in use, all the decoders work in a common way. For each specific layer, the pointers in the packet structure are set to point at a different part of the packet. Based on the information it has decoded, the decoder calls the higher-layer decoders until no decoder remains.
Most networks that deploy Snort today are Ethernet networks, so consider an example of decoding a packet on such a network. First, the incoming packet passes through the DecodeEthPkt function. Then, by overlaying the Ethernet structure on the start of the data, the source and destination MAC addresses and the type of the next layer (ether_type) become known. Based on the ether_type value, the next decoder is called. Suppose ether_type is 2048 (ETHERNET_TYPE_IP): the next layer is then the IP layer, so the DecodeIP decoder is called, and so on until no decoder remains.

Figure 2.3: Packet decoding. (Decoder functions and the layer each handles: DecodeEthPkt - Ethernet; DecodeVLAN - 802.1Q; DecodePPPoEPkt - PPP over Ethernet; DecodeARP - ARP; DecodeIP - IP; DecodeIPv6 - IPv6; DecodeIPX - IPX; DecodeIPOptions - IP Options; DecodeTCP - TCP; DecodeTCPOptions - TCP Options; DecodeUDP - UDP; DecodeICMP - ICMP; DecodeIPOnly - Embedded IP.)
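The decoder chain the text describes (DecodeEthPkt dispatching on ether_type to DecodeIP, which in turn dispatches on the protocol field), as an added Python example that is not Snort's code. The frame is constructed by hand with checksums left at zero, and an IP fragment is deliberately handed off undecoded, which is where a defragmenter such as Frag3 would take over.

```python
"""A small decoder chain in the style of Snort's DecodeEthPkt -> DecodeIP -> DecodeTCP.

Added example, not Snort's code: the frame below is constructed by hand and
the header checksums are left at zero (the point is the dispatch, not validation).
"""
import struct
from ipaddress import IPv4Address

ETHERNET_TYPE_IP = 0x0800  # 2048, the value the text mentions
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_eth_pkt(frame):
    """Entry point: overlay the 14-byte Ethernet header, then dispatch on ether_type."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ether_type = struct.unpack("!H", frame[12:14])[0]
    pkt = {"eth": {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]), "ether_type": ether_type}}
    if ether_type == ETHERNET_TYPE_IP:
        decode_ip(frame[14:], pkt)
    # other ether_type values (ARP, IPv6, VLAN, ...) would dispatch to their own decoders
    return pkt


def decode_ip(data, pkt):
    """IPv4 header: set the 'pointers' (here: dict entries) and dispatch on protocol."""
    if len(data) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(data) < ihl:
        raise ValueError("bad IP header length")
    pkt["ip"] = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                 "ttl": ttl, "proto": proto,
                 "more_fragments": bool(flags_frag & 0x2000),
                 "frag_offset": (flags_frag & 0x1FFF) * 8}
    payload = data[ihl:total_len]
    if pkt["ip"]["frag_offset"] != 0 or pkt["ip"]["more_fragments"]:
        pkt["payload"] = payload  # a fragment: leave it for the defragmenter (Frag3's job)
    elif proto == IPPROTO_TCP:
        decode_tcp(payload, pkt)
    elif proto == IPPROTO_UDP:
        decode_udp(payload, pkt)
    else:
        pkt["payload"] = payload


def decode_tcp(data, pkt):
    """TCP header: ports, sequence numbers, flags; payload starts at the data offset."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    doff = (off_flags >> 12) * 4
    if doff < 20 or len(data) < doff:
        raise ValueError("bad TCP data offset")
    pkt["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                  "flags": off_flags & 0x01FF, "window": win}
    pkt["payload"] = data[doff:]


def decode_udp(data, pkt):
    """UDP header: ports and length; the length field bounds the payload."""
    if len(data) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    pkt["udp"] = {"sport": sport, "dport": dport, "length": length}
    pkt["payload"] = data[8:length]


def safe_decode(frame):
    """Decode, returning None instead of raising for a malformed frame."""
    try:
        return decode_eth_pkt(frame)
    except ValueError:
        return None


def build_sample_frame():
    """Constructed Ethernet/IPv4/TCP frame carrying a short HTTP request."""
    http = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x018, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, IPv4Address("192.168.1.10").packed,
                     IPv4Address("10.0.0.80").packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + \
        struct.pack("!H", ETHERNET_TYPE_IP)
    return eth + ip + tcp + http


if __name__ == "__main__":
    print(decode_eth_pkt(build_sample_frame()))
```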


2.3.2. Preprocessors

Preprocessors are plug-ins that allow the data to be parsed in different ways. If Snort is run without any preprocessor configuration in its configuration file, it only sees each packet on the network individually. This can cause the IDS to miss some attacks, because many modern attack types deliberately fragment the data, or deliberately put part of the malicious content in one packet and the rest in another (an evasion technique).
The data is fed into the preprocessors after it has passed through the packet decoder. Snort provides a range of preprocessors, for example: Frag3 (an IP defragmentation module), sfPortscan (a module designed to counter reconnaissance such as port scanning, service identification and OS scanning), Stream5 (a module that reassembles packets at the TCP layer)...
At present Snort has 10 preprocessors, described in the Snort manual at http://manual.snort.org/node17.html.

Figure 2.4: Preprocessor processing.
2.3.3. Detection Engine
The input is the packets that were ordered by the preprocessing stage. The detection engine is the signature-based part of the intrusion detection system. It takes the data from the preprocessors and checks it against the rules. If a rule matches the data in a packet, the packet is sent to the alert system; otherwise it is discarded, as in the figure below.
To visualise this, recall the coin sorting example: normally there are 1, 2 and 5 cent coins, and if a 10 cent note appears it is discarded.
Rules can be divided into 2 parts:
- The Header: the action (log or alert), the protocol type (TCP, UDP, ICMP...), the source IP address, the destination IP address and the port.
- The Options: the packet content that must match for the rule to fire.
Rules are the most important part that anyone studying Snort must understand well. Snort rules have a specific syntax, which can involve the protocol, content, length, header and several other parameters. Once the structure of Snort rules is understood, the administrator can easily tune and optimise Snort's intrusion detection, and from there define rules suited to each environment and network.

Figure 2.5: Packets processed by the detection engine using rules.


2.3.4. Alert/logging component

Finally, after the rules have matched the data, it is passed to the alert and logging component. The logging mechanism stores the packets that triggered the rules, while the alerting mechanism reports the analyses that failed. Like the preprocessors, this function is configured in snort.conf; alerting and logging can be specified in the configuration file if they are to be enabled.
The data is the alert itself, but there is a choice of ways to deliver these alerts, and of where the packets are logged. Alerts can be sent via SMB (Server Message Block) pop-ups to Windows workstations, written to a logfile, sent over the network through a UNIX socket, or sent via SNMP. Alerts can also be stored in an SQL database such as MySQL or PostgreSQL. Some third-party systems can even deliver alerts by SMS to a mobile phone.
There are many add-ons that help the administrator receive alerts and analyse the data visually.
- The Analysis Console for Intrusion Detection (ACID): known as a PHP-based log parsing add-on, a search engine and a front-end for analysing Snort logs. http://www.andrew.cmu.edu/user/rdanyliw/snort/
- SGUIL (Snort GUI for Lamerz) is another excellent analysis tool.
- Oinkmaster: a Perl script that updates Snort's rules and comments out the ones you do not want after each update.
- IDS Policy Manager is a management interface for Windows XP.
- SnortSnarf: a Perl program that generates aggregated HTML reports of recent logs.
- Swatch: http://swatch.sourceforge.net is a real-time syslog monitoring tool that sends alerts by email.
- BASE: http://sourceforge.net/projects/secureideas/ Basic Analysis and Security Engine is a very worthwhile plug-in for analysing and querying Snort alerts.

Figure 2.6: Alert and logging component.


2.4. Snort operating modes
2.4.1 Sniffer mode and logging mode
To run Snort in sniffer mode, use the -v option.
$ snort -v

This option only displays the IP and TCP/UDP/ICMP headers, nothing more. To also display the application-layer data, add the -d option.
$ snort -vd

This option displays both the data and the headers of each packet. To display still more information, for example the data-link layer header, add the -e option.
$ snort -vde   or   $ snort -d -v -e

Advantages of Snort over other packet capture applications:
- The log files produced by sniffing can be saved to a database such as MySQL or PostgreSQL.
- Log files can be displayed in ASCII form, separated by IP address, which makes analysis easy.
- Log files can also be stored as binary files in tcpdump format.
To run Snort in logger mode, use the -l option.
$ snort -dev -l /home/user/log

The command above captures packets and stores them as log files. Logs can also be stored according to the IP addresses involved. For example, the following command captures, prints to the screen and logs the TCP/IP packets, together with their data-link headers and payload, for all packets coming from the class C network address.
$ snort -dev -l /home/user/log -h 192.168.1.0/24

To run Snort in logger mode and store the logs in binary form, use the -b option; use the -r option to read back the binary files that were written.
$ snort -l /log -b
$ snort -dv -r packet.log

2.4.2 NIDS mode
When running Snort in network intrusion detection mode it is not necessary to capture every packet.
$ snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

The -c option specifies Snort's configuration file. By default the log files are stored in /var/log/snort. In NIDS mode the -v option can be dropped to improve speed, since there is no need to capture the packets and print them to the screen.
2.5. Introduction to SnortSam
Snort's function is only to detect intrusions and alert the administrator to them; it cannot stop the attacks. To block attacks actively (active response), Snort plug-ins such as SnortSam, Fwsnort or snort_inline can be used. These plug-ins modify or block network traffic based on the IP address (SnortSam), on the transport-layer protocol (Fwsnort) or on the application layer (snort_inline).
One point to note is that an intrusion prevention system, besides blocking packets entering the system, can also directly modify packets as they are forwarded across the network. For that reason Fwsnort and snort_inline are classed as intrusion prevention systems (IPS), whereas SnortSam is classed only as an active response system.
This section looks at SnortSam, a Snort plug-in that automatically blocks IP addresses on firewalls such as:
- Checkpoint Firewall-1
- Cisco PIX firewalls
- Cisco Routers (using ACLs)
- Former Netscreen, now Juniper firewalls
- IP Filter (ipf), on Unix-like OSes such as FreeBSD
- FreeBSD's ipfw2 (version 5.x)
- OpenBSD's Packet Filter (pf)
- Linux IPchains
- Linux IPtables
- Linux EBtables
- WatchGuard Firebox firewalls
- 8signs firewalls on Windows
- MS ISA Server firewall/proxy on Windows
- CHX packet filter
- Ali Basel's Tracker SNMP, via the SNMP-Interface-down plug-in.

SnortSam consists of two separate parts. One part is a set of modifications to the source files that extends Snort with a new output module, alert_fwsam. The other part is an agent that communicates directly with the firewall. The agent can sit on the firewall itself if the firewall is iptables, on pf if the system is BSD, or on Checkpoint's Firewall-1 if the system is Windows. For hardware firewalls such as the Cisco PIX, the SnortSam agent must sit on a separate machine dedicated to communicating with the PIX.
Operation: Snort monitors the traffic flows on the network, and when a Snort rule is triggered (matching traffic is seen), Snort passes its output to the fwsam module. The fwsam module then sends an encrypted message to the agent on the firewall. The agent checks whether the message was sent from an authorised source; if so, it decrypts the message it received and checks which IP addresses are requested to be blocked. SnortSam then checks whether those IP addresses are on the white-list. If an IP address is not on the white-list, SnortSam asks the firewall to block it for a predefined period of time.
2.5.1. Snort Output Plug-in
The output part requires editing both Snort's configuration file and its rules. This output part communicates with the agent on the firewall over TCP on port 898. The output plug-in supports encrypting its communication with the agent using a key predefined in the configuration file. The encryption algorithm SnortSam uses is Twofish.
Add this line to the snort.conf configuration file:
output alert_fwsam: 192.168.10.1/sn0r3sam

For the rules, add the fwsam option and a duration at the end of each rule. For example, to block an IP address for one hour, append the string fwsam: src, 1 hour;
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-CGI /wwwboard/passwd.txt access";
flow:to_server,established;
uricontent:"/wwwboard/passwd.txt"; nocase;
reference:arachnids,463; reference:cve,CVE 1999-0953;
reference:nessus,10321; reference:bugtraq,649;
classtype:attempted-recon; sid:807; rev:7; fwsam: src, 1 hour;)
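A parser for the rule structure described in section 2.3.3 (the seven header fields plus the key:value options), run on the rule above; this is an added example, not Snort's own parser. It also extracts what the appended fwsam option asks SnortSam to do.

```python
"""Parser for the Snort rule header / options structure described in the text.

Added example, not part of Snort; it handles the syntax the text shows
(a header of seven fields, options as 'key:value;' pairs, quoted strings).
"""
import re

HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")
_HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

# The rule from the text (sid 807 with the fwsam option appended).
PAGE_RULE = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-CGI /wwwboard/passwd.txt access";
flow:to_server,established;
uricontent:"/wwwboard/passwd.txt"; nocase;
reference:arachnids,463; reference:cve,CVE 1999-0953;
reference:nessus,10321; reference:bugtraq,649;
classtype:attempted-recon; sid:807; rev:7; fwsam: src, 1 hour;)
"""


def split_options(body):
    """Split the option body on ';' but not inside double quotes (a msg may contain ';')."""
    items, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            current.append(ch)
        elif ch == ";" and not in_quote:
            items.append("".join(current))
            current = []
        else:
            current.append(ch)
    if in_quote:
        raise ValueError("unterminated quoted string in rule options")
    items.append("".join(current))
    return [item.strip() for item in items if item.strip()]


def parse_rule(text):
    """Return {'header': {...}, 'options': [(key, value_or_None), ...]}."""
    flat = " ".join(text.split())  # rules are often wrapped across several lines
    m = _HEADER_RE.match(flat)
    if not m:
        raise ValueError("text does not look like a Snort rule")
    header = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    options = []
    for item in split_options(m.group(8)):
        key, _, value = item.partition(":")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes of msg/content-style values
        options.append((key.strip(), value if value else None))
    return {"header": header, "options": options}


def option_values(rule, key):
    """All values of a (possibly repeated) option, e.g. every 'reference'."""
    return [v for k, v in rule["options"] if k == key]


def block_request(rule):
    """What the fwsam option asks SnortSam to do: which address and for how long."""
    vals = option_values(rule, "fwsam")
    if not vals:
        return None
    who, _, duration = vals[0].partition(",")
    return {"who": who.strip(), "duration": duration.strip()}


if __name__ == "__main__":
    parsed = parse_rule(PAGE_RULE)
    print(parsed["header"])
    print(block_request(parsed))
```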

2.5.2. Blocking Agent

This part is responsible for interacting directly with the firewalls on behalf of the output plug-in in Snort. If Snort detects an attack matching any rule, as in the example above, it establishes an encrypted TCP session to send a message containing the source IPs from the packets that caused the alert, plus the time for which the IP address is to be banned.
Because the encrypted TCP session communicates over port 898 (or whichever port has been configured), make sure the firewall allows communication on this port. The state of all banned IP addresses is kept in the file /var/log/snortsam.state.
SnortSam's configuration file is at /etc/snortsam.conf. Below are some important options that can be used in the configuration file.
- accept: allows specific Snort sensors to communicate with the agent part on the firewall. Several sensors can be configured with this option, each with its own encryption key: accept <host>/<mask>,<key>
- defaultkey: sets the default key used for all sensors.
- port: sets the port on which to listen for Snort's sensors. The default is TCP port 898.
- dontblock: specifies a host or network that SnortSam will ignore even when an attack from that source is detected.
- logfile: specifies the path of the logfile SnortSam writes. This file also lists every IP address SnortSam has blocked, together with the time of the block.
- daemon: runs the agent as a service.
- bindip: restricts the agent on the firewall to listening on one IP address on a particular network card. This reduces the agent's exposure to attack and limits the number of connection paths to the agent.
- <firewall> <interface>: specifies the type of firewall the agent is running on and the interface to which the rules should be added.
- keyinterval <time>: allows the agents to request or generate new encryption keys after each interval of the given length. If not set, the default is 4 hours.
- email <smtpserver>:<port> <recipient> <sender>: specifies the email server. When an address is blocked, SnortSam sends a notification to the configured email address.
Example:
accept 192.168.20.3, sn0r3sam
bindip 192.168.20.1
iptables eth0
logfile /var/log/snortsam.log
daemon

CHAPTER 3
PREPROCESSORS AND OUTPUT PLUG-INS

3.1. Preprocessors
From the previous chapter we have a basic understanding of Snort's structure and of how it works, as well as an overview of the preprocessors in Snort. So what is the main function of a preprocessor?
Preprocessors were first introduced in Snort version 1.5. At first they were known for normalising network protocols. Today a preprocessor not only normalises protocols but can also detect intrusions based on anomalies and generate its own alerts. In practice Snort is best known for intrusion detection based on patterns and ready-made signatures. The preprocessor plug-ins were added not only to produce the input for the detection engine but also to generate alerts by detecting anomalies in the traffic entering the system.
This section looks at a few important preprocessors, in particular the packet reassembly preprocessors, since fragmentation is one way attackers can evade intrusion detection systems.
Preprocessors are extremely useful for detecting fragmentation attacks intended to deceive the intrusion detection system, such as the Tiny Fragment Attack, the Overlapping Fragment Attack and the Teardrop Fragment Attack.

Figure 3.1: The preprocessing stage.


3.1.1. Frag3

The frag3 preprocessor introduces a new concept: target-based. The idea behind the term is as follows. An IDS is placed in the network, but it knows nothing about the operating systems of the hosts in the network it monitors. Fragmented packets are reassembled at those hosts. The problem arises if attackers know that their target is a host running Linux. They deliberately fragment the data so that if the fragments are reassembled on Windows nothing at all happens, but if Linux reassembles them, an exploitable vulnerability is triggered.
The important point is that if the IDS is tuned to reassemble fragments the way Windows does, it cannot detect the attack above. The attacker has deceived the IDS and entered the network without meeting any obstacle.
The idea, therefore, is to configure the IDS so that it knows which operating systems are installed on the hosts in the network. If any packet is sent to a host, the IDS analyses and reassembles the fragments the way that host's operating system would.
Configuration: There are two preprocessor directives for configuring Frag3, the global configuration and the engine configuration. There can be several engine configurations but only one global configuration.
Global configuration:
Preprocessor name: frag3_global
Options (separated by commas):
- max_frags <number>: the maximum number of fragments tracked simultaneously. Default 8192.
- memcap <bytes>: self-managed memory, default 4MB. This figure is the maximum memory Frag3 is allowed to use.
- prealloc_memcap <bytes>:
- prealloc_frags <number>:
- disabled:
Engine configuration:
Preprocessor name: frag3_engine
Options (separated by spaces):
- timeout <seconds>: the fragment timeout. Fragments still on the system after this time are discarded. Default 60s.
- min_ttl <value>: the minimum acceptable TTL for a fragment. Default 1; accepts values from 1-255.
- detect_anomalies: detect anomalous fragments.
- bind_to <ip_list>: the list of IP addresses bound to this configuration. The preprocessor only processes destination addresses in this list. Default is all addresses.
- overlap_limit <number>: limits the number of overlapping fragments per packet. The default value 0 means no limit. Requires the detect_anomalies option to be set first.
- min_fragment_length <number>: defines the smallest fragment size (payload size) that is accepted. Fragments smaller than or equal to this are treated as malicious and acted upon. The default value 0 means no limit; the minimum value is 0. This option also requires detect_anomalies to be set first.
- policy <type>: selects the target-based defragmentation mode. The types are first, last, bsd, bsd-right, linux, windows and solaris. Default is bsd.

Platform                      Type        Platform                      Type
AIX 2                         BSD         Linux 2.4 (RedHat 7.1-7.3)    Linux
AIX 4.3 8.9.3                 BSD         MacOS                         First
Cisco IOS                     Last        OpenBSD                       Linux
FreeBSD                       BSD         OS/2                          BSD
HP JetDirect                  BSD-right   OSF1 V4.0,5.0,5.1             BSD
HP-UX B.10.20                 BSD         SunOS 4.1.4                   BSD
HP-UX 11.00                   First       SunOS 5.5.1,5.6,5.7,5.8       First
IRIX 6.2, 6.3                 BSD         Tru64 Unix V5.0A,V5.1         BSD
IRIX64 6.4                    BSD         Windows (95/98/NT4/W2K/XP)    Windows
Figure 3.2: Operating system classification.
Output: Frag3 can detect eight different kinds of anomaly. Its output is packet-based and works with all of Snort's other output modes. These output alerts can be found in /preproc_rules/preprocessor.rules in the Snort source, with gid=123.
Example:
preprocessor frag3_global: prealloc_nodes 8192
preprocessor frag3_engine: policy linux, bind_to 192.168.1.0/24
preprocessor frag3_engine: policy first, bind_to [10.1.47.0/24,172.16.8.0/24]
preprocessor frag3_engine: policy last, detect_anomalies
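Why the target's reassembly policy matters, as an added example that is not Frag3's code: the same constructed overlapping fragments are rebuilt under the first and last policies, and only one of the two results contains the string the detection check looks for, which is the mismatch the text describes. Only first and last are modelled; Frag3's bsd, bsd-right, linux, windows and solaris policies use finer rules about which fragment boundaries win and are not reproduced here.

```python
"""Target-based fragment reassembly: the same overlapping fragments, rebuilt
under the 'first' and 'last' policies, give the IDS two different payloads.

Added example (not Frag3's code). Only the two simplest policies are modelled.
"""

# Constructed fragments, in arrival order: (byte offset, data).
# The second fragment overlaps the first from offset 4 onwards.
SAMPLE_FRAGMENTS = [
    (0, b"GET /index.html "),
    (4, b"/../../etc/passwd"),
]


def reassemble(fragments, policy):
    """Rebuild the payload; returns (payload, number_of_overlapping_bytes).

    'first': data already received is kept, later overlaps are ignored.
    'last' : later fragments overwrite whatever was received earlier.
    A gap between fragments raises, as a real reassembler would time out.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unsupported policy {policy!r}")
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    filled = [False] * total
    overlaps = 0
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if filled[pos]:
                overlaps += 1  # this is what Frag3's overlap_limit counts against
                if policy == "first":
                    continue
            buf[pos] = byte
            filled[pos] = True
    if not all(filled):
        raise ValueError("hole in fragment set; cannot reassemble")
    return bytes(buf), overlaps


def contains_traversal(payload):
    """The detection check the IDS would run on the rebuilt payload."""
    return b"../" in payload


def views_by_policy(fragments, policies=("first", "last")):
    """What an IDS configured with each policy would see, and whether it alerts."""
    result = {}
    for policy in policies:
        payload, overlaps = reassemble(fragments, policy)
        result[policy] = {"payload": payload, "overlapping_bytes": overlaps,
                          "alert": contains_traversal(payload)}
    return result


if __name__ == "__main__":
    for name, view in views_by_policy(SAMPLE_FRAGMENTS).items():
        print(name, view)
```

An IDS engine bound to this target with policy first would see a harmless request while a host that keeps the last fragment would receive the traversal, which is why the bind_to/policy pairing above has to match the real hosts.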

3.1.2. Stream5
The Stream5 preprocessor is also a target-based TCP reassembly module. It can track sessions of both the TCP and the UDP protocol. With this preprocessor, the flow and flowbits rule options can be used for both TCP and UDP traffic.
Stream5 is similar to Frag3 in that the IDS processes the data streams according to the target. Stream5 handles overlapping data and the anomalies of TCP connections.
Some examples of the TCP anomalies it recognises: data present in a SYN packet, data received beyond the size of the TCP window.
a. Global configuration
preprocessor stream5_global: <options>

Option                        Description
track_tcp <yes|no>            Track TCP sessions. Default is yes.
max_tcp <num sessions>        Maximum number of TCP sessions tracked simultaneously. Default 262144, maximum 1048576, minimum 1.
memcap <num bytes>            Memory for storing TCP packets. Default "8388608" (8MB), maximum "1073741824" (1GB), minimum "32768" (32KB).
track_udp <yes|no>            Track UDP sessions. Default is yes.
max_udp <num sessions>        Maximum number of UDP sessions tracked simultaneously. Default "131072", maximum "1048576", minimum "1".
track_icmp <yes|no>           Track ICMP sessions. Default is no.
max_icmp <num sessions>       Maximum number of ICMP sessions tracked simultaneously. Default "65536", maximum "1048576", minimum "1".
track_ip <yes|no>             Track IP sessions. Default is no.
max_ip <num sessions>         Maximum number of IP sessions tracked simultaneously. Default "16384", maximum "1048576", minimum "1".
disabled                      Disables stream5; off by default.
flush_on_alert                Backwards compatibility. Flushes a TCP stream when an alert is generated. Off by default.
show_rebuilt_packets          Prints/displays packets after they are rebuilt (debugging). Off by default.
prune_log_max <num bytes>     Prints a message when a session terminates or consumes more than the given number of bytes. Default "1048576" (1MB); minimum "0" (disabled), or if not disabled minimum "1024" and maximum "1073741824".

Figure 3.3: Meaning of the global configuration parameters.

b. Configuration for the TCP protocol
preprocessor stream5_tcp: <options>

Option                                                Description
bind_to <ip_addr>                                     The IP address range this policy applies to. Default is any address.
timeout <num seconds>                                 Session timeout. Default 30, minimum 1, maximum 86400 (about 1 day).
policy <policy_id>                                    The target operating system this policy applies to.
overlap_limit <number>                                Limits the number of overlapping packets in one session. Default 0 (no limit), maximum "255".
max_window <number>                                   The maximum TCP window allowed. Default 0 (no limit), maximum "1073725440" (65535 shifted left by 14). This option is used to protect against DoS.
require_3whs [<number seconds>]                       A session counts as established only when the 3-way handshake completes; off by default. The number of seconds is the grace period for a session that already exists. Minimum 0 (setup time is not considered), maximum 86400.
detect_anomalies                                      Detect and alert on anomalies of the TCP protocol. Off by default.
check_session_hijacking                               Checks for TCP session hijacking by checking whether the MAC addresses of both ends of the connection are the same as during the 3-way handshake.
dont_store_large_packets                              Does not store oversized packets in the buffer during reassembly.
dont_reassemble_async                                 Does not queue packets for reassembly if traffic is not seen in both directions.
max_queued_bytes <bytes>                              Limits the bytes queued for reassembly on one TCP session. Default "1048576" (1MB). "0" means no limit; the minimum non-zero value is 1024, maximum "1073741824" (1GB).
max_queued_segs <num>                                 Limits the segments queued for reassembly on one TCP session. Default 2621. "0" means no limit, minimum 2, maximum "1073741824" (1GB).
ports <client|server|both> <all|number(s)>            Specifies the list of client, server or both-side ports for packet reassembly. Default ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306.
protocol <client|server|both> <all|service name(s)>   Specifies the list of client, server or both-side services for packet reassembly. Default services: ftp telnet smtp nameserver dns http pop3 sunrpc dcerpc netbios-ssn imap login shell mssql oracle cvs mysql.

Figure 3.4: Meaning of the TCP configuration parameters.

c. Configuration for the UDP protocol
preprocessor stream5_udp: [timeout <number secs>], [ignore_any_rules]

Option                        Description
timeout <num seconds>         Session timeout. Default 30, minimum 1, maximum 86400.
ignore_any_rules              Do not process any "any any" rules. Off by default.

Figure 3.5: Meaning of the UDP configuration parameters.

d. Configuration for the ICMP protocol
preprocessor stream5_icmp: [timeout <number secs>]

Option                        Description
timeout <num seconds>         Session timeout. Default 30, minimum 1, maximum 86400.

Figure 3.6: Meaning of the ICMP configuration parameters.

e. Configuration for the IP protocol
preprocessor stream5_ip: [timeout <number secs>]

Option                        Description
timeout <num seconds>         Session timeout. Default 30, minimum 1, maximum 86400.

Figure 3.7: Meaning of the IP configuration parameters.

Example 1:
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_udp: ignore_any_rules

Example 2:
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux
preprocessor stream5_tcp: policy solaris
3.1.3. sfPortscan
The sfPortscan module was developed by Sourcefire and is designed to detect the probing of a system that precedes an attack. In the reconnaissance phase, the attacker determines the network protocols, the host's services or the target's operating system. This phase is not yet an intrusion, but the attacker can collect a lot of useful information in preparation for one. An extremely powerful and popular port scanning tool today is Nmap. Nmap covers all current port scanning techniques, and sfPortscan is designed to counter the scanning techniques of Nmap.
3.1.4. HTTP Inspect
HTTP has become one of the most popular and widely used protocols on the Internet, and for that reason it is also a protocol that attackers favour. An attacker can use the flexibility of web servers to hide and disguise attack behaviour from a NIDS. For example, with the two URLs below, a Snort detection pattern written for the form foo/bar cannot detect the form foo\bar:
http://www.abc/foo/bar/xyz.php
http://www.abc/foo\bar\xyz.php
In addition, attackers can use countless encoding techniques based on hex codes and UTF-8. http_inspect only works on individual packets, which means that the strings it processes must first be reassembled by the stream5 preprocessor.
The example GET requests below all do the same thing and are handled identically by web servers:
GET /../../../../etc/passwd HTTP/1.1
GET %2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
GET %2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1

The above is an example of a directory traversal attack, also known as dot-dot-slash or directory climbing. It is a form of attack that accesses files and directories stored outside the web root. An intrusion detection system that understands the GET method of HTTP will let this request through. The problem is that there are infinitely many ways to encode the malicious string, so an IDS configured to detect it with a signature cannot guarantee that it catches every variant. Another approach is to normalize the string first and then compare it against a list of known-bad values.
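Added example (not from the thesis): a Python normalizer that reduces the encoded request targets above to one canonical path and compares it with a known-bad list, which is the approach the last sentence describes. The known-bad list and the sample requests are constructed for the demonstration.

```python
# Added example (not from the thesis): normalize an HTTP request target the way an
# http_inspect-style preprocessor must before signature matching, then compare the
# canonical form against a known-bad list instead of matching raw encodings.
from urllib.parse import unquote

# Constructed known-bad list for the demo: resources that must never be served.
KNOWN_BAD = {"/etc/passwd", "/etc/shadow"}


def normalize_path(raw, max_rounds=3):
    """Return (canonical_path, escapes).

    canonical_path: percent-decoding applied until stable (catches double
    encoding such as %252e), backslashes folded to '/', and '.'/'..' segments
    resolved. escapes: how many '..' segments tried to climb above the web
    root; any value above zero is a traversal attempt whatever the final path.
    """
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    parts = []
    escapes = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escapes += 1
            continue
        parts.append(seg)
    return "/" + "/".join(parts), escapes


def request_path(request_line):
    """Extract the target from 'METHOD target HTTP/x.y'; an absolute URL such as
    http://www.abc/foo/bar is reduced to its path component."""
    _method, target, _version = request_line.split(maxsplit=2)
    if "://" in target:
        _scheme, rest = target.split("://", 1)
        target = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    return target


def classify_request(request_line):
    """'traversal' when the canonical path climbs above the root or names a
    known-bad resource, otherwise 'clean'."""
    canonical, escapes = normalize_path(request_path(request_line))
    bad = escapes > 0 or canonical in KNOWN_BAD
    return {"path": canonical, "escapes": escapes,
            "verdict": "traversal" if bad else "clean"}


# Constructed sample requests: the three encodings from the text, a double-encoded
# variant, and the backslash form that a raw 'foo/bar' signature misses.
SAMPLE_REQUESTS = [
    "GET /../../../../etc/passwd HTTP/1.1",
    "GET %2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET %2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1",
    "GET %252e%252e/%252e%252e/etc/passwd HTTP/1.1",
    "GET http://www.abc/foo\\bar\\xyz.php HTTP/1.1",
    "GET /foo/bar/xyz.php HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{classify_request(line)['verdict']:9} {line}")
```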
3.2. Output
Output modules were added to Snort in version 1.6. They give Snort more flexible configuration for formatting and presenting output data to the system administrator. An output module is invoked when an alert or a log request is raised, after preprocessing and detection by the detection engine.
Several output modules can be configured in the Snort configuration file, and they are called in order when an event occurs. By default, alerts and log files are written to the directory /var/log/snort or to any directory the administrator configures.
Snort supports many different output modules, including:
alert_syslog: Snort sends alerts to syslog.
alert_fast: Snort alerts are printed in the quickest possible form. This logs alerts much faster than alert_full because it does not print the full packet header and because it writes to a single file only.
alert_full: Alerts are printed with the full packet headers. By default the information is stored in /var/log/snort or in a specified directory. Snort creates a subdirectory holding the alerts for each IP address, which slows Snort down, so this mode is not recommended.
alert_unixsock: This option sets up a UNIX domain socket and sends alerts to it. External programs or processes can listen on the socket to receive alerts and packet data in real time.
log_tcpdump: This option makes Snort write log files in the file format of the tcpdump program. This is particularly useful for aggregating and analysing large volumes of data, since many tools can read this format.
csv: A text storage format with comma-separated fields, which makes the data easy to import into databases.
unified and unified2: Two unified output formats; unified2 is the improved version of unified. Their advantages are easy storage and management, much higher speed than the other methods, and output files whose contents are hard to tamper with.
log_null: This option is useful when one wants to write rules that alert on network traffic without writing log files.
CHAPTER 4
RULES IN SNORT

Introduction
A Snort rule can be understood simply as being like a rule or regulation in the real world: it describes a condition and the action that happens when that condition holds. One of Snort's most valuable features is that it lets users write their own rules or customize the existing ones to fit their network. Besides the large rule database that users can download from the Snort home page, an administrator can develop rules for their own system instead of depending on a vendor or an outside organization, or waiting for an update whenever a new attack or a new exploitation method is discovered. An administrator can write a rule for their own system when they notice abnormal network traffic and compare it with the community-developed rule set. The advantage of writing one's own rules is that they can be customized and updated extremely quickly when something abnormal appears on the network.
Example: If someone tries to open the car door, the horn sounds.
Analysing this, the action "the horn sounds" is performed if there is a sign that someone is trying to open the car door.
It is the same on a network, except that we cannot use everyday natural language to describe a sign or state of the network. Example: "If an SSH connection from a public IP address reaches the web server, block it." Although this description is fairly specific, Snort cannot understand it. Snort rules let us express such a sign in a language that Snort does understand.
To know how to write a rule from the data of a system, we need to understand the structure of a Snort rule. A Snort rule is divided into two parts, the header and the options. The header contains: rule action, protocol, source IP address, destination IP address, subnet mask, source port, destination port. The options part contains the alert message and information about which parts of the packet are examined to decide which action applies.
4.1. Rule Header

Figure 4.1: Structure of a Snort rule. Rule Header: Rule Action | Protocol | Src/Dst address | Port; followed by the Rule Options.
4.1.1. Rule Action
The header holds the information that identifies the who, where and what of a packet, as well as what to do if all of the rule's attributes match. The first item in a rule is the rule action, which tells Snort what to do when it sees packets matching the rule. Snort has five default actions: alert, log, pass, activate and dynamic. When Snort runs in inline mode there are additional options: drop, reject and sdrop.
alert - generate an alert using the selected alert method and then log the packet.
log - log the packet.
pass - ignore the packet.
activate - alert and then turn on another dynamic rule to check further conditions of the packet.
dynamic - stay idle until activated by an activate rule, then act as a log rule.
drop - block the packet and log it.
reject - block the packet, log it and send back a response message.
sdrop - block the packet but do not log it.
Actions may also be user-defined.
4.1.2. Protocol
The next field in the rule is the protocol. Snort currently analyses abnormal behaviour for four protocols: TCP, UDP, ICMP and IP.
4.1.3. IP Address
The next part of the header is the IP addresses. These are used to check where a packet comes from and where it goes. An address can be that of a single host or of a network block. The keyword any denotes any address.
An IP address is written as ip_address/netmask. A netmask of /24 denotes a class C network, /16 a class B network and /32 a single host. For example, 192.168.1.0/24 denotes the range of hosts with IP addresses from 192.168.1.1 to 192.168.1.255.
Of the two IP addresses in a Snort rule, one is the source address and one the destination address; which is which depends on the direction operator (see 4.1.5).
The negation operator can also be applied to IP addresses, meaning that the rule applies to every address except the one negated. The operator is "!". A list of IP addresses can be defined by writing them one after another separated by ",".
Example:
alert tcp any any -> ![192.168.1.0/24,172.16.0.0/16] 80 (msg:"Cho phep truy cap";)

4.1.4. Port
Ports can be defined in several ways. The keyword any, as with IP addresses, denotes any port. A fixed port can be given, for example port 80 for http or port 22 for ssh. The negation operator can also be used to exclude a port, and a range of ports can be listed.
Example:
log udp any any -> 192.168.1.0/24 1:1024 - any port to the port range 1 to 1024.
log udp any any -> 192.168.1.0/24 :6000 - any port to the range of ports lower than 6000.
log udp any any -> 192.168.1.0/24 500: - any port to the range of ports higher than 500.
log udp any any -> 192.168.1.0/24 !6000:6010 - any port to any port except the range 6000 to 6010.


4.1.5. Direction
The direction operator -> indicates which side is the source and which the destination. The IP address and port on the left of the operator are treated as the source address and source port, and those on the right as the destination address and destination port. There is also the operator <>, with which Snort treats the source and destination address/port pairs as equivalent, meaning that it logs/analyses both sides of the conversation.
Example:
log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23

4.1.6. Activate/Dynamic rule
This pair of rules gives Snort a very powerful capability. An activate rule is like an alert rule but has one extra field: activates. A dynamic rule is like a log rule but has the additional fields activated_by and count.
Example:
activate tcp !$HOME_NET any -> $HOME_NET 143 (flags:PA; content:"|E8C0FFFFFF|/bin"; activates:1; msg:"IMAP buffer overflow!";)
dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by:1; count:50;)

4.2. Rule Options
Rule options are the heart of intrusion detection: they hold the signs that identify an intrusion. They follow the rule header and are enclosed in parentheses (). Individual rule options are separated by a semicolon ";", and an option's arguments are separated from its keyword by a colon ":".
There are four main kinds of rule options:
- General: these options give information about the rule but have no effect during detection.
- Payload: options concerning the payload of a packet.
- Non-payload: options not concerning the payload of the packet (the headers).
- Post-detection: options that trigger specific actions after a rule has fired.

4.2.1. General
a. msg
msg is a common and useful keyword used to attach a text string to logs and alerts. The text is enclosed in double quotes "". To include a special character, put a "\" before it.
Example:
msg:"Text string goes here";

b. reference
reference is a keyword used to refer to information in another system on the Internet.
System    | URL Prefix
bugtraq   | http://www.securityfocus.com/bid
cve       | http://cve.mitre.org/cgi-bin/cvename.cgi?name=
nessus    | http://cgi.nessus.org/plugins/dump.php3?id=
arachnids | http://www.whitehats.com/info/IDS (down)
mcafee    | http://vil.nai.com/vil/content/v_
osvdb     | http://osvdb.org/show/osvdb
url       | http://
Figure 4.2: Reference table.

Syntax:
reference:<id system>, <id>; [reference:<id system>, <id>;]

Example:
alert tcp any any -> any 7070 (msg:"IDS411/dos-realaudio"; \
    flags:AP; content:"|fff4 fffd 06|"; reference:arachnids,IDS411;)
alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; \
    flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; \
    reference:arachnids,IDS287; reference:bugtraq,1387; \
    reference:cve,CAN-2000-1574;)

c. sid
The sid keyword uniquely identifies a rule in Snort. It lets output plug-ins identify rules easily and should be used together with the rev keyword.
<100: reserved for future use.
100-999,999: rules included with the Snort distribution.
>=1,000,000: used for local rules.

d. rev
The rev keyword identifies revisions of a Snort rule. It is used to distinguish different versions of a rule.
e. classtype
The classtype keyword categorizes the kind of attack and carries the priority of that kind. The categories are defined in the file classification.config.
config classification: <name>, <description>, <priority>
config classification: web-application-attack,Web Application Attack,1
config classification: network-scan,Detection of a Network Scan,3
config classification: misc-activity,Misc activity,3

f. priority
Assigns a severity level to a rule. The classtype field gives the default priority of an attack category, but it can be overridden with this keyword.
Syntax:
priority:<priority integer>;

Example:
alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; \
    flags:A+; content:"/cgi-bin/phf"; priority:10;)

4.2.2. Payload
a. content
The content keyword lets the user set up rules that search for specific strings in the packet payload and trigger alerts based on that data. The content may be ASCII, binary, or a combination of both. Binary data must be enclosed in "|" characters (pipes) and written in hexadecimal.
Example:
alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)
alert tcp any any -> any 80 (content:!"GET";)

b. nocase
Used together with the content keyword to search for content without distinguishing upper and lower case.
c. rawbytes
The rawbytes keyword lets a rule look at the raw, undecoded packet data.
Example:
alert tcp any any -> any 21 (msg:"Telnet NOP"; content:"|FF F1|"; rawbytes;)

d. depth
The depth keyword specifies how far into the packet the rule searches. The minimum is 1 and the maximum 65535. It is combined with the content keyword to limit the searched content; combined with the offset keyword it defines a range of data to compare against the content pattern.
e. offset
The offset keyword specifies where in the packet the pattern search begins. It allows values from -65535 to 65535. It is combined with the content keyword to limit the search space.
Example:
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)

There is an interesting difference between the following two rules:
content:"GET"; offset:0; content:"downloads"; offset:13;
content:"GET"; content:"downloads";

f. distance
The distance keyword is used when one wants to skip a number of bytes after the previous content match before searching again.
Example:
content:"GET"; depth:3; content:"downloads"; distance:10;

This rule means that after finding the string GET within the first 3 bytes of the data field, the rule moves 10 bytes past the end of GET and only then searches for downloads.
g. within
The within keyword ensures that at most N bytes lie between the content patterns being searched. It is similar to depth, except that it does not start from the beginning of the packet as depth does, but from the previous pattern.
Example:
content:"GET"; depth:3; content:"download"; distance:10; within:9;

This rule is like the previous one: find GET in the first 3 bytes of the data field, move 10 bytes past GET and search for download; however, download must appear within the next 9 bytes.
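Added example (not from the thesis): Python code modelling how offset, depth, distance and within constrain each content search, run over two constructed payloads so that the difference between the absolute and relative forms (including the two "downloads" rules from section e) is visible. It also decodes the |hex| content notation from section a.

```python
# Added example (not from the thesis): content matching with the offset, depth,
# distance and within modifiers, plus a decoder for Snort's |hex| content notation.


def parse_content_string(text):
    """Decode a Snort content value: literal text outside '|', hex bytes inside.
    '|5c 00|P|00|' -> b'\\x5c\\x00P\\x00'."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def find_content(payload, pattern, *, offset=0, depth=None, distance=None,
                 within=None, nocase=False, cursor=0):
    """Search for pattern; return the index just past the match, or -1.

    Absolute form (no distance/within): the window starts at `offset` from the
    start of the payload and spans `depth` bytes (the whole payload if None).
    Relative form (distance and/or within): the window starts `distance` bytes
    after the previous match (`cursor`) and spans `within` bytes.
    The pattern must fit entirely inside the window, which is how depth:3
    pins "GET" to bytes 0-2.
    """
    relative = distance is not None or within is not None
    start = cursor + (distance or 0) if relative else offset
    length = within if relative else depth
    if start < 0 or start > len(payload):
        return -1
    end = len(payload) if length is None else min(len(payload), start + length)
    hay, needle = payload[start:end], pattern
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    pos = hay.find(needle)
    return -1 if pos < 0 else start + pos + len(needle)


def match_contents(payload, contents):
    """Evaluate a list of content specs in order, threading the end of each match
    into the next search as Snort does. Spec: {"pattern": b"GET", "depth": 3}."""
    cursor = 0
    for spec in contents:
        cursor = find_content(payload, spec["pattern"],
                              offset=spec.get("offset", 0), depth=spec.get("depth"),
                              distance=spec.get("distance"), within=spec.get("within"),
                              nocase=spec.get("nocase", False), cursor=cursor)
        if cursor < 0:
            return False
    return True


# Constructed payloads: in PAYLOAD_A "downloads" starts at byte 13 (end of "GET"
# is byte 3, plus distance 10); in PAYLOAD_B it starts at byte 5.
PAYLOAD_A = b"GET /pub/dir/downloads/a.zip HTTP/1.1"
PAYLOAD_B = b"GET /downloads/a.zip HTTP/1.1"

RULE_DISTANCE = [{"pattern": b"GET", "depth": 3},
                 {"pattern": b"downloads", "distance": 10}]
RULE_WITHIN = [{"pattern": b"GET", "depth": 3},
               {"pattern": b"downloads", "distance": 10, "within": 9}]
RULE_OFFSET13 = [{"pattern": b"GET", "offset": 0},
                 {"pattern": b"downloads", "offset": 13}]
RULE_PLAIN = [{"pattern": b"GET"}, {"pattern": b"downloads"}]
RULE_HTTP = [{"pattern": b"HTTP", "offset": 4, "depth": 40}]

if __name__ == "__main__":
    for name, rule in [("distance", RULE_DISTANCE), ("within", RULE_WITHIN),
                       ("offset13", RULE_OFFSET13), ("plain", RULE_PLAIN)]:
        print(f"{name:9} A={match_contents(PAYLOAD_A, rule)} B={match_contents(PAYLOAD_B, rule)}")
```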
h. uricontent
Like the content keyword, except that it searches for the string in the URI field.
Example:
log tcp any any -> any 80 (content:"Logging PHF"; uricontent:"/cgi-bin/phf";)

i. pcre (http://www.pcre.org/)
PCRE stands for Perl Compatible Regular Expressions. Perl is a practical extraction and report language used for processing and manipulating strings.
Example:
alert tcp any any -> any 80 (content:"/foo.php?id="; pcre:"/\/foo.php?id=[0-9]{1,10}/iU";)

The rule above performs a case-insensitive search in the HTTP URI for the string foo.php?id=<some numbers>.
4.2.3. Non-Payload
a. ttl
The ttl keyword checks the time-to-live value in the IP header. It is used to detect attempts to traceroute the network.
Syntax:
ttl:[<, >, =, <=, >=]<number>;
ttl:[<number>]-[<number>];

Example:
ttl:<3;

b. tos
The tos keyword checks the ToS (type of service) field in the IP header.
Example:
tos:!4;

c. id
The id keyword checks for specific values in the ID field of the IP header. Some tools (exploits, scanners) set particular values for their own purposes; the value 31337, for example, is commonly used by attackers.
d. ipopts
The ipopts keyword checks the IP Option field in the IP header. This field is 20 bits in size and takes the following values:
rr    | Record Route
eol   | End of list
nop   | No Op
ts    | Time Stamp
sec   | IP Security
esec  | IP Extended Security
lsrr  | Loose Source Routing
lsrre | Loose Source Routing (for MS99-038 and CVE-1999-0909)
ssrr  | Strict Source Routing
satid | Stream identifier
any   | any IP options are set
Figure 4.3: ipopts table.

Syntax:
ipopts:<rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any>;

Example: this rule checks for the IP Option value Loose Source Routing
ipopts:lsrr;

e. fragbits
This keyword checks the fragmentation and reserved bits in the 3-bit Flags field of the IP header. Two bits control fragmentation, D (Don't Fragment) and M (More Fragments), and one bit is R (Reserved). The following modifiers are used to set the matching condition:
+: match if the specified bits are set, regardless of the other bits.
*: match if any of the specified bits is set.
!: match if the specified bits are not set.
Example:
fragbits:MD+;

This rule matches if the fragbits field has the M and D bits set.

f. dsize
The dsize keyword checks the size of the packet's data portion. The reason is that an attacker may alter the size of this data to cause a buffer overflow.
Syntax:
dsize:min<>max;
dsize:[<|>]<number>;

Example:
dsize:300<>400;

g. flags
The flags keyword checks the bits in the TCP Flags field of the TCP header. The bits are:
F | FIN - Finish (LSB in TCP Flags byte)
S | SYN - Synchronize sequence numbers
R | RST - Reset
P | PSH - Push
A | ACK - Acknowledgment
U | URG - Urgent
Figure 4.4: flags table

Example:
alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"SYN-FIN packet detected";)

This rule alerts when it examines the TCP Flags field and finds both SYN and FIN set.
h. flow
The flow keyword applies a rule only to packets travelling in a particular direction. Its options are:
to_client, to_server, from_client, from_server, established, not_established, stateless, no_stream, only_stream, no_frag, only_frag.

Example:
alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"cd incoming detected"; flow:from_client; content:"CWD incoming"; nocase;)

i. seq
The seq keyword checks the sequence number in the TCP header.
j. ack
The ack keyword checks the acknowledgement number in the TCP header.
k. window
The window keyword checks the window size in the TCP header.
l. itype
The itype keyword checks the value of the Type field in the ICMP header. This field is 8 bits long and so holds the values 0-255.
Type  | Name                                 | Reference
0     | Echo Reply                           | [RFC792]
3     | Destination Unreachable              | [RFC792]
4     | Source Quench                        | [RFC792]
5     | Redirect                             | [RFC792]
6     | Alternate Host Address               | [JBP]
7     | Unassigned                           | [JBP]
8     | Echo                                 | [RFC792]
9     | Router Advertisement                 | [RFC1256]
10    | Router Selection                     | [RFC1256]
11    | Time Exceeded                        | [RFC792]
12    | Parameter Problem                    | [RFC792]
13    | Timestamp                            | [RFC792]
14    | Timestamp Reply                      | [RFC792]
15    | Information Request                  | [RFC792]
16    | Information Reply                    | [RFC792]
17    | Address Mask Request                 | [RFC950]
18    | Address Mask Reply                   | [RFC950]
19    | Reserved (for Security)              | [Solo]
20-29 | Reserved (for Robustness Experiment) | [ZSu]
30    | Traceroute                           | [RFC1393]
31    | Datagram Conversion Error            | [RFC1475]
32    | Mobile Host Redirect                 | [David Johnson]
37    | Domain Name Request                  | [RFC1788]
38    | Domain Name Reply                    | [RFC1788]
39    | SKIP                                 | [Markson]
40    | Photuris                             | [RFC2521]
Figure 4.5: Type table of the ICMP header


m. icode
The icode keyword checks the value of the Code field in the ICMP header. This field is also 8 bits long. Details of the code values are shown in the figure below.

Figure 4.6: Code values of the ICMP header

n. icmp_id
The icmp_id keyword checks the ID value of the ICMP header.
o. icmp_seq
The icmp_seq keyword checks the sequence value of the ICMP header.
p. rpc
The rpc keyword detects RPC-based requests. It takes 3 arguments: the application number, the procedure number and the version number.
q. ip_proto
The ip_proto keyword checks the protocol field in the IP header. The list of protocol names and numbers can be found in /etc/protocols or in RFC 1700.
Example:
alert ip any any -> any any (ip_proto:igmp;)

r. sameip
The sameip keyword checks whether the source and destination addresses are the same.
4.2.4. Post-detection
a. logto
The logto keyword writes logs to a specific file. This is very useful when combining the data with other tools such as wireshark for analysis.
Example:
alert icmp any any -> any any (logto:logto_log; ttl:100;)

This rule logs all ICMP packets whose TTL field equals 100 and stores them in the file logto_log (no absolute path is needed; by default it is stored in /var/log/snort).
b. session
The session keyword extracts user data from a TCP session. It takes 3 parameters: printable prints only the ordinary data that a user would see or type; binary prints the data in binary form; all replaces every non-printable character with its hexadecimal value.
Example:
log tcp any any <> any 23 (session:printable;)

c. resp
The resp keyword is very important: it allows Snort to actively generate responses that kill offending sessions. It works in both inline and passive mode.
d. react
The react keyword generates responses that include sending a web page or some other content to the client and then closing the connection. It works in both inline and passive mode.
e. tag
The tag keyword lets a rule log more than one packet once the rule has fired. When a rule fires, traffic related to the source and destination addresses is tagged. Tagged traffic is logged to help with analysing and responding to attacks.
Example:
alert tcp any any -> any 23 (flags:S,CE; tag:session,10,seconds;)

This rule logs the first 10 seconds of the session in which it fired.

f. detection_filter
The detection_filter keyword defines a rate that must be exceeded by a source or destination address before a rule generates an event. Its syntax is as follows:
detection_filter: \
    track <by_src|by_dst>, \
    count <c>, seconds <s>;

Option              | Description
track by_src|by_dst | Rate is tracked by the source address or by the destination address.
count c             | Maximum number of rule matches allowed before the detection_filter limit is exceeded. c must be nonzero.
seconds s           | Time period over which count is accrued. s must be nonzero.
Figure 4.7: Parameters of the detection_filter keyword.

The detection_filter keyword is usually the last step in the detection process.
Example:
drop tcp 10.1.2.100 any -> 10.1.1.100 22 ( \
    msg:"SSH Brute Force Attempt"; flow:established,to_server; \
    content:"SSH"; nocase; offset:0; depth:4; \
    detection_filter:track by_src, count 30, seconds 60; \
    sid:1000001; rev:1;)

The example above describes an SSH brute force attack. The rule fires when an attacker at source address 10.1.2.100 makes failed login attempts, after 30 failed logins within 60 seconds.
g. threshold
The threshold keyword sets a limit on when Snort rules raise alerts. It was introduced so that attackers cannot deliberately trigger Snort over and over to generate alerts and overload the system. The threshold keyword has two main options: limit and threshold.
Limit means: within a given time period, how many alerts may be triggered.
Example:
alert tcp $external_net any -> $http_servers $http_ports (msg:"web-misc robots.txt access"; \
    flow:to_server,established; uricontent:"/robots.txt"; nocase; \
    reference:nessus,10302; classtype:web-application-activity; \
    threshold:type limit, track by_src, count 1, seconds 60; sid:1000852; rev:1;)

This rule means that within a 60-second period, any traffic matching the rule produces only a single alert.
Threshold means: within a given time period, how many violations are needed before an alert is generated.
Example:
alert tcp $external_net any -> $http_servers $http_ports (msg:"web-misc robots.txt access"; \
    flow:to_server,established; uricontent:"/robots.txt"; nocase; \
    reference:nessus,10302; classtype:web-application-activity; \
    threshold:type threshold, track by_dst, count 10, seconds 60; sid:1000852; rev:1;)

This rule means that the 10th violation within 60 seconds generates an alert. If there are fewer than 10 violations within 60 seconds, no alert is generated. The rule is very effective in situations where an attacker tries to brute force a login to the system.
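Added example (not from the thesis): a Python model of the threshold types (limit, threshold, both) and of detection_filter from section f, replaying constructed events such as the SSH brute force and robots.txt cases above. The sampling-window handling is a simplified model of Snort's behaviour, not Snort's own code.

```python
# Added example (not from the thesis): a model of Snort's event-rate filters.
# RateFilter.from_option() parses the option text of threshold / detection_filter
# and event() replays rule matches through the filter. The sampling-window logic is
# a simplified model of Snort's behaviour, not Snort's own code.
from dataclasses import dataclass, field


@dataclass
class RateFilter:
    kind: str        # "limit", "threshold", "both" or "detection_filter"
    track: str       # "by_src" or "by_dst"
    count: int
    seconds: int
    state: dict = field(default_factory=dict)   # tracked address -> [window_start, n]

    def __post_init__(self):
        if self.kind not in ("limit", "threshold", "both", "detection_filter"):
            raise ValueError(f"unknown filter type {self.kind!r}")
        if self.track not in ("by_src", "by_dst"):
            raise ValueError(f"unknown track {self.track!r}")
        if self.count <= 0 or self.seconds <= 0:
            raise ValueError("count and seconds must be nonzero")

    @classmethod
    def from_option(cls, option):
        """'threshold:type limit, track by_src, count 1, seconds 60'
        or 'detection_filter:track by_src, count 30, seconds 60'."""
        keyword, body = option.strip().rstrip(";").split(":", 1)
        params = dict(part.split() for part in body.split(","))
        kind = "detection_filter" if keyword.strip() == "detection_filter" else params["type"]
        return cls(kind, params["track"], int(params["count"]), int(params["seconds"]))

    def event(self, src, dst, t):
        """Register one rule match at time t (seconds); True if it should alert."""
        key = src if self.track == "by_src" else dst
        st = self.state.get(key)
        if st is None or t - st[0] >= self.seconds:      # start a new sampling period
            st = self.state[key] = [t, 0]
        st[1] += 1
        n = st[1]
        if self.kind == "limit":          # the first `count` matches per period alert
            return n <= self.count
        if self.kind == "threshold":      # every `count`-th match alerts, then restart
            if n >= self.count:
                st[0], st[1] = t, 0
                return True
            return False
        if self.kind == "both":           # one alert per period, when `count` is reached
            return n == self.count
        return n > self.count             # detection_filter: only once the rate is exceeded


def replay(flt, events):
    """events: (src, dst, t) tuples in time order; returns the indexes that alerted."""
    return [i for i, (src, dst, t) in enumerate(events) if flt.event(src, dst, t)]


# Constructed traffic: 35 SSH login failures in 35 s from one host, and robots.txt
# hits from two clients against one server (tracked together with by_dst).
SSH_FAILURES = [("10.1.2.100", "10.1.1.100", t) for t in range(35)]
ROBOTS_HITS = [("1.2.3.4" if t % 2 else "5.6.7.8", "10.0.0.100", t) for t in range(25)]

if __name__ == "__main__":
    df = RateFilter.from_option("detection_filter:track by_src, count 30, seconds 60")
    print("SSH brute force alerts at events", replay(df, SSH_FAILURES))
    th = RateFilter.from_option("threshold:type threshold, track by_dst, count 10 , seconds 60")
    print("robots.txt threshold alerts at events", replay(th, ROBOTS_HITS))
```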

CHAPTER 5
ANALYSIS OF SOME SNORT RULES

5.1. Scan rules

Scanning is essentially the process of collecting information about a system directly. The steps are: determine whether the system is alive -> check which ports are open -> determine the services running on the system that correspond to the open ports -> determine the banner of each service, the operating system and the version corresponding to each service -> check the running services for vulnerabilities -> prepare the attack.
A powerful tool commonly used for this is nmap. Nmap supports many kinds of scan, such as TCP, Null, Xmas, SYN and FIN scans, as well as techniques for determining the operating system version.
5.1.1. FIN Scan
The rule below is written to detect the FIN Scan technique. In a FIN Scan, nmap sends a series of packets to the target with only the FIN flag set in the flags field.
Syntax: nmap -sF <target>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -f -sF"; fragbits: !M; dsize: 0; flags: F; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000543; rev:3;)

msg:"BLEEDING-EDGE SCAN NMAP -f -sF"; this option gives the message for the FIN Scan technique; the -f option means the packets are sent fragmented.
fragbits: !M; the Flags field of the IP header matches the rule if the M bit is not set.
dsize: 0; the size of the data portion is 0.
flags: F; the TCP Flags field of the TCP header has the value F (the FIN flag set).
ack: 0; window: 2048; the ack number is 0 and the number of bytes of data in the TCP header's advertised window is 2048.
reference:arachnids,162; refers to entry 162 on the website http://www.whitehats.com/info/IDS.
classtype: attempted-recon; classifies this rule under attempted-recon.
sid: 2000543; rev:3; the rule's ID is 2000543 and this is its 3rd revision.
5.1.2. NULL Scan
The rule below is written to detect the Null Scan technique of nmap. Null Scan is similar to FIN Scan, but instead of setting the FIN flag in the flags field, a Null Scan sets no flag at all.
Syntax: nmap -sN <target>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -f -sN"; fragbits: !M; dsize: 0; flags: 0; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000544; rev:3;)

msg:"BLEEDING-EDGE SCAN NMAP -f -sN"; this option gives the message for the Null Scan technique; the -f option means the packets are sent fragmented.
fragbits: !M; the Flags field of the IP header matches the rule if the M bit is not set.
dsize: 0; the size of the data portion is 0.
flags: 0; the TCP Flags field of the TCP header has the value 0 (no flag set).
ack: 0; window: 2048; the ack number is 0 and the number of bytes of data in the TCP header's advertised window is 2048.
reference:arachnids,162; refers to entry 162 on the website http://www.whitehats.com/info/IDS.
classtype: attempted-recon; classifies this rule under attempted-recon.
sid: 2000544; rev:3; the rule's ID is 2000544 and this is its 3rd revision.
5.1.3. XMAS Scan
An XMAS Scan sends packets with 3 flags set: FIN, URG and PUSH. If the service port is open there is no response; if the port is closed, a packet with RST/ACK is sent back in reply.
Syntax: nmap -sX <target>
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE SCAN NMAP -f -sX"; fragbits: !M; dsize: 0; flags: FPU; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000546; rev:3;)

msg:"BLEEDING-EDGE SCAN NMAP -f -sX"; this option gives the message for the Xmas Scan technique; the -f option means the packets are sent fragmented.
fragbits: !M; the Flags field of the IP header matches the rule if the M bit is not set.
dsize: 0; the size of the data portion is 0.
flags: FPU; the TCP Flags field of the TCP header has the value FPU (the 3 flags FIN, URG and PUSH set).
ack: 0; window: 2048; the ack number is 0 and the number of bytes of data in the TCP header's advertised window is 2048.
reference:arachnids,162; refers to entry 162 on the website http://www.whitehats.com/info/IDS.
classtype: attempted-recon; classifies this rule under attempted-recon.
sid: 2000546; rev:3; the rule's ID is 2000546 and this is its 3rd revision.
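Added example (not from the thesis): Python code that evaluates the non-payload options of the three scan rules above (flags with the +, *, ! and ",mask" forms from section 4.2.3 g, fragbits from section e, dsize, ack and window) against constructed packets. The packet representation is an assumption of this example.

```python
# Added example (not from the thesis): a matcher for the non-payload options used by
# the three nmap scan rules (flags, fragbits, dsize, ack, window), classifying
# constructed packets. The Packet class is an assumption of this example.
from dataclasses import dataclass

# TCP flag letters as used by Snort (1/2 are the older names of the C/E reserved bits).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20,
             "E": 0x40, "2": 0x40, "C": 0x80, "1": 0x80}
# IP fragmentation bits: More Fragments, Don't Fragment, Reserved.
FRAG_BITS = {"M": 0x1, "D": 0x2, "R": 0x4}


def to_bits(letters, table):
    """'SF' -> 0x03; '0' or '' -> 0 (no bits set)."""
    value = 0
    for ch in letters:
        if ch != "0":
            value |= table[ch]
    return value


def bitfield_matches(spec, actual, table):
    """Snort flags/fragbits semantics.
    no modifier: exactly the specified bits are set;
    '+': all specified bits set, others ignored;
    '*': any of the specified bits set;
    '!': none of the specified bits set;
    ',XY' suffix: ignore bits X and Y when comparing (as in flags:S,CE)."""
    spec = spec.replace(" ", "")
    ignore = 0
    if "," in spec:
        spec, mask_letters = spec.split(",", 1)
        ignore = to_bits(mask_letters, table)
    modifier = ""
    if spec and spec[0] in "+*!":
        modifier, spec = spec[0], spec[1:]
    elif spec and spec[-1] in "+*!":          # fragbits:MD+ places it last
        modifier, spec = spec[-1], spec[:-1]
    wanted = to_bits(spec, table)
    have = actual & ~ignore
    if modifier == "+":
        return (have & wanted) == wanted
    if modifier == "*":
        return (have & wanted) != 0
    if modifier == "!":
        return (have & wanted) == 0
    return have == wanted


@dataclass
class Packet:
    tcp_flags: str        # e.g. "S", "FPU", "" for none
    fragbits: str = ""    # e.g. "M", "MD"
    dsize: int = 0
    ack: int = 0
    window: int = 0


def nonpayload_match(options, pkt):
    """options: the non-payload options of one rule. dsize/ack/window are compared
    exactly, as the scan rules use them; the <, > and range forms are not modelled."""
    if "flags" in options and not bitfield_matches(
            options["flags"], to_bits(pkt.tcp_flags, FLAG_BITS), FLAG_BITS):
        return False
    if "fragbits" in options and not bitfield_matches(
            options["fragbits"], to_bits(pkt.fragbits, FRAG_BITS), FRAG_BITS):
        return False
    return all(getattr(pkt, key) == options[key]
               for key in ("dsize", "ack", "window") if key in options)


SCAN_RULES = {  # non-payload options of the three Bleeding Edge rules above
    "NMAP -f -sF": {"fragbits": "!M", "dsize": 0, "flags": "F", "ack": 0, "window": 2048},
    "NMAP -f -sN": {"fragbits": "!M", "dsize": 0, "flags": "0", "ack": 0, "window": 2048},
    "NMAP -f -sX": {"fragbits": "!M", "dsize": 0, "flags": "FPU", "ack": 0, "window": 2048},
}


def classify(pkt):
    """Names of the scan rules whose non-payload options the packet satisfies."""
    return [name for name, opts in SCAN_RULES.items() if nonpayload_match(opts, pkt)]


if __name__ == "__main__":
    # constructed packets: FIN probe, Null probe, Xmas probe, and an ordinary SYN
    for pkt in (Packet("F", "", 0, 0, 2048), Packet("", "", 0, 0, 2048),
                Packet("FPU", "", 0, 0, 2048), Packet("S", "D", 0, 0, 65535)):
        print(pkt, "->", classify(pkt))
```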
5.2. Win.Trojan.Ibabyfa.dldr
Win.Trojan.Ibabyfa.dldr, also known as Trojan:Win32/Sisron (Microsoft) or HEUR:Trojan.Win32.Generic (Kaspersky), is a dangerous trojan that was among the 10 most dangerous trojans detected on the Windows platform in June 2009.
This trojan has all the characteristics of malicious software, such as:
Opens a service port that allows remote access to and remote control of the infected system without authentication.
Executes applications without the user's consent.
Disguises dangerous behaviour by rewriting processes in memory.
Disables security applications.
Attempts to spread using the Autorun feature.
Copies itself into protected directories.
Modifies the system so that it executes automatically when the operating system starts.
Attempts to bypass security by modifying the access permissions on the firewall.
Installs a driver.
Rule 23938 in the Snort rule set alerts when a host on the internal network infected with this trojan attempts to connect outward.

alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.Ibabyfa.dldr runtime detection"; flow:to_server,established; content:"- f i r s t - l o g f i l e"; content:"Username-"; within:32; distance:55; content:"Computer Name-"; distance:0; content:"Files Copied to"; distance:0; reference:url,www.virustotal.com/latest-report.html?resource=bf25f7588c58cd4b7cc5ac04ebfd00c5; classtype:trojan-activity; sid:23938; rev:3;)

msg:"MALWARE-CNC Win.Trojan.Ibabyfa.dldr runtime detection"; the message output when the rule fires.
flow:to_server,established; the connection direction is towards the server and the connection state is established.
content:"- f i r s t - l o g f i l e"; the rule fires if the payload of a packet sent by the trojan contains the segment "- f i r s t - l o g f i l e".
content:"Username-"; within:32; distance:55; after finding the string "- f i r s t - l o g f i l e", move a further 55 bytes from the end of that match; the string "Username-" must then be found within the next 32 bytes.
content:"Computer Name-"; distance:0; immediately after "Username-", search for the string "Computer Name-".
content:"Files Copied to"; distance:0; immediately after "Computer Name-", search for the string "Files Copied to".
5.3. TCP-SYN Flood
SYN Flood is a denial-of-service attack that relies on the connection-oriented nature of TCP. Before communicating with a server, TCP normally requires a reliable channel to be established through the three-way handshake.

Figure 5.1: The three-way handshake.

Step 1: The client sends a packet with the SYN flag to the server.
Step 2: If the server receives the SYN packet, it replies with a SYN-ACK packet to acknowledge it.
Step 3: The client sends an ACK packet to the server confirming receipt of the SYN-ACK, and data transfer begins.
In a SYN Flood, the attacker sends a large number of packets with the SYN flag set. The attacker does not answer the SYN-ACK packets with ACK packets to complete the three-way handshake, but instead keeps sending SYN packets. The server is left waiting, and because the number of packets is so large, resources and memory are consumed by these half-open connections. This leads to a buffer overflow on the server, or to it hanging, rebooting, or being unable to serve ordinary users.

Figure 5.2: SYN Flood

The rule below, provided by Bleeding Edge Threats, detects SYN Flood attacks against the NETBIOS service (port 139) on Windows.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXTERNAL NETBIOS TCP-SYN"; flags: S; sid: 0002; classtype: unusual-client-port-connection; threshold: type threshold, track by_dst, count 1000, seconds 180;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 139: an alert is generated for a TCP connection from any port on the external network to port 139 (NETBIOS) on the internal network.
msg:"EXTERNAL NETBIOS TCP-SYN"; outputs the message about the TCP-SYN attack on the NETBIOS service.
flags: S; applies only to packets with the SYN flag set.
threshold: type threshold, track by_dst, count 1000, seconds 180; sets an alert threshold tracked by destination (the HOME_NET network). These options mean that if 1000 packets with the SYN flag set arrive within 180 seconds, the rule fires.
5.4. Apache Killer (CVE-2011-3192)
A vulnerability in the Apache web server software was discovered in August 2011. According to the advisory from the Apache Foundation, an attacker can exploit it to carry out a denial-of-service attack that paralyses web servers running Apache 2.0 (below version 2.0.65) and Apache 2.2 (below version 2.2.20).
The vulnerability can be exploited with the Apache Killer tool circulated on the Internet. It is a truly dangerous vulnerability because, according to Netcraft statistics, over 55% of web servers worldwide currently use Apache.
The source code of Apache Killer is written in Perl and can easily be downloaded from http://www.exploit-db.com/download/17696. The script requests a large number of overlapping byte ranges in the data part of a single request (about 1300).

Figure 5.3: A normal HTTP request.

Figure 5.4: An HTTP request generated by Apache Killer.

Syntax: perl 17696.pl <web server address> 50
The rule below, provided by Emerging Threats, alerts when an attacker exploits the vulnerability with the Apache Killer tool.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Kingcope KillApache.pl Apache mod_deflate DoS attempt"; flow:established,to_server; content:"Range|3a|bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14"; http_header; fast_pattern:only; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013472; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS; the attack direction is from the external network to the http ports of the internal network.
flow:established,to_server; the connection is towards the server and its state is established.
content:"Range|3a|bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14"; the content string that identifies this attack.
http_header; fast_pattern:only; the content string above is checked in the HTTP header.
reference:url,seclists.org/fulldisclosure/2011/Aug/175; reference to the detailed write-up.
5.5. Microsoft Security Bulletin MS12-020
This is a vulnerability in the Remote Desktop service used by Terminal Services (the remote-control service) on port 3389 of the Windows platform; it was disclosed in March 2012. Attackers exploit it to make the system fail, causing a reboot or a blue screen. The vulnerability affects many versions, from Windows XP and Windows Server 2003 to Windows 7 and Windows Server 2008.

Details of this vulnerability are provided at: http://technet.microsoft.com/en-us/security/bulletin/ms12-020. Exploit code for it can be downloaded from: http://www.exploit-db.com/exploits/18606/.
Syntax: nc SERVER 3389 < termdd_1.dat
Snort rule:
alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2; fwsam:src;)

alert tcp any any -> $HOME_NET 3389: alert on access from any network to the HOME_NET network on port 3389.
flow:to_server,established: directed towards the server, with the connection in the established state.
content:"|03 00|"; depth:2: 03 = ETX (End of Text), 00 = NULL character. This content is searched for within the first 2 bytes of the payload (from byte 0 to byte 2).
content:"|7f 65 82 01 94|"; distance:24; within:5: 7f = Delete, 65 = "e", 82 = low single quotation mark (comma-like), 01 = SOH (Start of Heading), 94 = right double quotation mark. From the previous match, skip 24 bytes and then look for "|7f 65 82 01 94|" within the next 5 bytes.
content:"|30 19|"; distance:9; within:2: 30 = "0", 19 = EM (End of Medium). From the previous match, skip 9 bytes and look for "|30 19|" within the next 2 bytes.
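To make the chained content, distance, within and byte_test options concrete, here is an added Python example (not code from the thesis or from Emerging Threats) that implements those matching semantics and evaluates the rule's options on constructed byte buffers. The buffers are filler laid out so that each option lands where the rule expects it; they are not real RDP connect requests, and the class and function names are choices made for this example.

```python
import operator
from typing import Optional

# Added example (not part of the thesis): a minimal evaluator for the content / depth /
# distance / within / byte_test options used by the MS12-020 rule, run on constructed bytes.

OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}


class Content:
    """content:"..." with the modifiers the rule uses."""
    def __init__(self, pattern: bytes, depth: Optional[int] = None,
                 distance: int = 0, within: Optional[int] = None):
        self.pattern, self.depth, self.distance, self.within = pattern, depth, distance, within

    def apply(self, payload: bytes, cursor: int) -> Optional[int]:
        # distance: skip this many bytes after the previous match before searching.
        start = cursor + self.distance
        end = len(payload)
        # depth: only the first N bytes of the search region may be examined.
        if self.depth is not None:
            end = min(end, start + self.depth)
        # within: the pattern must lie entirely inside the next N bytes.
        if self.within is not None:
            end = min(end, start + self.within)
        idx = payload.find(self.pattern, start, end)
        return None if idx < 0 else idx + len(self.pattern)   # new cursor: end of match


class ByteTest:
    """byte_test:<size>,<op>,<value>,<offset>,relative"""
    def __init__(self, size: int, op: str, value: int, offset: int):
        self.size, self.op, self.value, self.offset = size, op, value, offset

    def apply(self, payload: bytes, cursor: int) -> Optional[int]:
        pos = cursor + self.offset            # relative: offset counts from the last match
        if pos + self.size > len(payload):
            return None
        field = int.from_bytes(payload[pos:pos + self.size], "big")
        return cursor if OPS[self.op](field, self.value) else None   # cursor unchanged


# The detection options of sid 2014383, transcribed from the rule in the text.
MS12_020_OPTIONS = [
    Content(b"\x03\x00", depth=2),
    Content(b"\x7f\x65\x82\x01\x94", distance=24, within=5),
    Content(b"\x30\x19", distance=9, within=2),
    ByteTest(1, "<", 6, 3),
]


def rule_matches(payload: bytes, options=MS12_020_OPTIONS) -> bool:
    """Evaluate the options in order; any failing option rejects the payload."""
    cursor = 0
    for opt in options:
        cursor = opt.apply(payload, cursor)
        if cursor is None:
            return False
    return True


def build_sample(tested_byte: int) -> bytes:
    """Constructed buffer laid out so that each option lands where the rule expects it.
    It is filler around the signature bytes, not a real RDP connect request."""
    buf = bytearray(b"\x03\x00")        # TPKT header: version 3, reserved byte 0 (offset 0)
    buf += b"\x00" * 24                 # skipped by distance:24
    buf += b"\x7f\x65\x82\x01\x94"      # second content at offset 26
    buf += b"\x00" * 9                  # skipped by distance:9
    buf += b"\x30\x19"                  # third content at offset 40
    buf += b"\x00" * 3                  # offset:3 of the byte_test
    buf.append(tested_byte)             # the byte compared with 6, at offset 45
    buf += b"\x00" * 4
    return bytes(buf)


# A constructed minimal TPKT + X.224 connection request: it starts with 03 00 but carries
# none of the later signature bytes, so only the first option matches.
BENIGN_CONNECT = bytes.fromhex("0300000b06e00000000000")

if __name__ == "__main__":
    print("tested byte 2  :", rule_matches(build_sample(0x02)))
    print("tested byte 32 :", rule_matches(build_sample(0x20)))
    print("benign connect :", rule_matches(BENIGN_CONNECT))
```

Note how every TPKT-framed RDP packet begins with 03 00, so the first content alone selects nothing; it is the relative chain of the later options and the byte_test that make the rule specific.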

CHAPTER 6: INSTALLING AND CONFIGURING SNORT

6.1 System diagram

Figure 6.1: Real-world deployment model with a DMZ zone.

Figure 6.2: Experimental model.

Host            Card 1 (eth0)                      Card 2 (eth1)
Attacker        IP: 1.2.3.4/24, Gateway: 1.2.3.5
Snort/SnortSam  IP: 1.2.3.5/24                     IP: 10.0.0.1/24
Web Server      IP: 10.0.0.100/24

Figure 6.2: List of hosts in the network.

The system consists of:

CentOS 6.2 x86_64, Snort 2.9.3.1, Barnyard2-1.10 and BASE 1.4.5.
The processing model is as follows:

Figure 6.3: Processing model of Snort, MySQL and BASE.


6.2. Installing Snort and SnortSam
Main packages:
pcre, pcre-devel
flex
bison
zlib, zlib-devel
gcc, gcc-c++, make
daq-1.1.1
libdnet
snortrules-snapshot-2931
snort-2.9.3.1
barnyard2-1.9
Database (MySQL):
mysql, mysql-server
mysql-devel
Supporting packages for administration:
httpd
php and php-devel
php-cli
php-pear
php-gd
php-mysql
Administration tools:
base-1.4.5
adodb517
php-image-graph and php-image-canvas
6.2.1. Installing the required packages and Snort
Create a working directory for the installation:
# cd /usr/src
# mkdir snorttemp
# cd snorttemp

Download all the packages:
# wget http://www.snort.org/dl/snort-current/snort-2.9.3.1.tar.gz
# wget http://www.tcpdump.org/release/libpcap-1.3.0.tar.gz
# wget http://www.snort.org/sub-rules/snortrules-snapshot-2931.tar.gz/<oinkcode> -O snortrules-2931.tar.gz
# wget http://www.snort.org/dl/snort-current/daq-1.1.1.tar.gz
# wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
# wget http://www.securixlive.com/download/barnyard2/barnyard2-1.9.tar.gz

Extract the packages:
# ls
# tar -xzvf daq-1.1.1.tar.gz
# tar -xzvf libdnet-1.12.tgz
# tar -xzvf libpcap-1.3.0.tar.gz
# tar -xzvf snort-2.9.3.1.tar.gz
# tar -xzvf snortrules-2931.tar.gz
# tar -xzvf barnyard2-1.9.tar.gz

Check the extracted packages; after this step the downloaded archives can be deleted.
Install libpcap:
# cd libpcap-1.3.0
# ./configure
# make
# make install
# cd /usr/lib64/
# rm libpcap.so.1
# rm libpcap.so.1.0.0
# ln -s /usr/local/lib/libpcap.so.1.3.0 /usr/lib64/libpcap.so.1.3.0
# ln -s /usr/lib64/libpcap.so.1.3.0 /usr/lib64/libpcap.so.1
# ln -s /usr/lib64/libpcap.so.1 /usr/lib64/libpcap.so

Install libdnet (starting again from the working directory):
# cd /usr/src/snorttemp
# cd libdnet-1.12
# ./configure && make && make install

Install DAQ:
# cd ../daq-1.1.1
# ./configure && make && make install

Install Snort from source:
# cd ../snort-2.9.3.1
# ./configure --enable-zlib --enable-sourcefire && make && make install
# groupadd snort
# useradd -g snort snort -s /sbin/nologin

Create the directories:
# mkdir /etc/snort
# mkdir /etc/snort/rules
# mkdir /etc/snort/preproc_rules
# mkdir /etc/snort/so_rules
# mkdir /usr/local/lib/snort_dynamicrules
# mkdir /var/log/snort
# chown -R snort:snort /var/log/snort

Copy the required files and the rules (from the working directory):
# cd /usr/src/snorttemp
# cd snort-2.9.3.1/etc
# cp * /etc/snort
# cd ../../
# cd rules
# cp * /etc/snort/rules
# cd ../preproc_rules
# cp * /etc/snort/preproc_rules
# cp ../so_rules/precompiled/RHEL-6-0/x86_64/2.9.3.1/* /usr/local/lib/snort_dynamicrules
# touch /etc/snort/rules/white_list.rules /etc/snort/rules/black_list.rules

Edit the configuration file:

# vi /etc/snort/snort.conf

The Snort configuration file is basically divided into the following parts:

Setting the network variables.
Configuring the decoder.
Basic configuration of the detection engine.
Configuring the loading of dynamic libraries.
Configuring the preprocessors.
Configuring the output plug-ins.
Customizing the rule set.
Customizing the preprocessor and decoder rules.
Customizing the shared-object rule settings.
Modify the following lines:
ipvar HOME_NET 172.16.0.0/24
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
output unified2: filename snort.log, limit 128
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules

Start and test the system:

# cd /usr/local/bin
# snort -V

If an error related to the shared libraries occurs, run the following command and try Snort again:

# ldconfig
# snort -V
# snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules

6.2.3. Configuring MySQL Server

# cd /usr/bin
# /etc/init.d/mysqld start
# mysqladmin -u root password password
# mysql -u root -p   # the system prompts for the password set during installation
mysql> create database snort;   # create the database that stores Snort's log records
mysql> CREATE USER snort@localhost;   # create a new user for Snort
mysql> SET PASSWORD for snort@localhost=PASSWORD('snortpass');   # set the Snort user's password
mysql> GRANT INSERT, SELECT on root.* to snort@localhost;   # grant privileges to the user
mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
mysql> exit   # log out

Run the following command to create the tables, entering the password when prompted:
# cd /usr/bin   # move to the MySQL installation directory
# mysql -D snort -u root -p < /usr/src/snorttemp/barnyard2-1.9/schemas/create_mysql

Check that the tables were created:
# mysql -u root -p   (enter the password when prompted)
mysql> use snort;
mysql> show tables;
mysql> exit;

6.2.4. Installing and configuring Barnyard2

Install Barnyard2 from source:
# cd /usr/src/snorttemp/barnyard2-1.9
# ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql && make && make install

The next step is to create the directories and move the configuration file. Assume the current directory is the Barnyard2 source directory.
# cp etc/barnyard2.conf /etc/snort   # copy Barnyard2's configuration file into Snort's configuration directory
# mkdir /var/log/barnyard2
# chmod 666 /var/log/barnyard2
# touch /var/log/snort/barnyard2.waldo
# cp sid-msg.map /etc/snort   # the sid-msg.map file is in the etc directory of the downloaded rule package

The next step is to edit Barnyard2's configuration file so that the program can write data to MySQL. Note that the Barnyard2 configuration file has three main parts: variable declarations, input configuration and output configuration.

# vi /etc/snort/barnyard2.conf

Point to Snort's important files:

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map

Configure the directory that will hold the output logs:

config logdir: /var/log/barnyard2

Configure the hostname and the network interface:

config hostname: localhost
config interface: eth0

Edit the path to the waldo file:

config waldo_file: /var/log/snort/barnyard2.waldo

Configure the output section to write to the MySQL database:

Comment out the alert_fast option, which Barnyard2 enables by default.
Add a new line to write to the database:
output database: log, mysql, user=snort password=snortpass dbname=snort host=localhost

Run Snort and Barnyard2:

# cd /usr/local/bin
# snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /var/log/snort/barnyard2.waldo

To have Snort and Barnyard2 start automatically at boot, add the following lines to rc.local:

/usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

6.2.5. Installing BASE
The configuration is basically complete; however, to make log analysis and alert monitoring more convenient, BASE is installed as well. BASE is a web-based plug-in, so a web server with PHP support must be installed and configured.
Install BASE:
# wget http://downloads.sourceforge.net/project/secureideas/BASE/base-1.4.5/base-1.4.5.tar.gz
# wget http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-517-for-php5/adodb517.tgz
# tar -xzvf base-1.4.5.tar.gz
# tar -xzvf adodb517.tgz
# cp -r adodb5 /var/www
# cp -r base-1.4.5 /var/www/html/base
# cd /var/www/html/base
# cp base_conf.php.dist base_conf.php
# vi base_conf.php
...
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb5/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "3306";
$alert_user = "snort";
$alert_password = "snortpass";
...

Go to http://ip-address/base/base_main.php to set up BASE.

For BASE to display graphs, the following packages must also be installed:
# cd /usr/bin
# pear install image_graph-alpha
# pear install Numbers_Roman
# pear install Numbers_Words-beta
# pear install image_canvas-alpha
# apachectl restart

6.2.6. Installing SnortSam
Download the libtool source from http://ftpmirror.gnu.org/libtool/libtool-2.4.2.tar.gz and install it:
# tar xzvf libtool-2.4.2.tar.gz
# cd libtool-2.4.2
# ./configure --prefix=/usr
# make && make install

Download the SnortSam source from http://www.snortsam.net/files/snortsam/snortsam-src-2.70.tar.gz:
# tar xzvf snortsam-src-2.70.tar.gz
# cd snortsam-src   # the directory the archive extracts to
# chmod +x makesnortsam.sh
# ./makesnortsam.sh

Add SnortSam as a Snort plug-in:

Download the SnortSam patch file (snortsam-2.9.3.1.diff) and apply it to the Snort source tree:
# cd snort-2.9.3.1   # Snort source directory
# patch -p1 < ../snortsam-2.9.3.1.diff
# sh ./autojunk.sh
# ./configure --enable-zlib --enable-sourcefire
# make && make install

Copy the snortsam binary into /usr/local/bin.

Installation and compilation are now complete. Next, SnortSam has to be configured.
# cp <path_to>/snortsam-src/etc/snortsam.conf.example /etc/snortsam.conf
# vi /etc/snortsam.conf
...
port <666>
accept <host>/<mask>,<key>
fwsam <host>
iptables <adapter> <logoption>
email <smtpserver>:<port> <recipient> <sender>
...

Reconfigure Snort. Two places must be configured: the snort.conf configuration file and the rules that should trigger SnortSam.
snort.conf
Add this line to Snort's configuration file:
output alert_fwsam: {SnortSam Station}:{port}/{password}

This line specifies the IP address on which SnortSam is running, its listening port and the password. The password is the defaultkey configured in snortsam.conf; if none is configured it can be omitted.
Rule file
Add fwsam: who,time; to the end of each rule.

who: src, source, dst, dest, destination (which IP address of the packet to block).

time: 'days', 'months', 'weeks', 'years', 'minutes', 'seconds', 'hours'.

In addition, the values 0, 'PERManent', 'INFinite' or 'ALWAYS' block permanently.
Example:
alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory traversal"; flags: A+; content: "..\\"; reference:arachnids,298;)

This rule tells SnortSam to block the address accessing the web server for 15 minutes:
alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB-MISC http directory traversal"; flags: A+; content: "..\\"; reference:arachnids,298; fwsam: 15 minutes;)
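Because every rule that should trigger a block needs the fwsam option appended in exactly this form, the following added Python helper (not code from the thesis or from SnortSam) appends a well-formed fwsam: who,time; option to each rule of a rule set, validating who and time against the values listed above. The function names, the sample rule set and the default of blocking the source for 1 minute are assumptions made for this example.

```python
import re

# Added example (not part of the thesis): append a well-formed fwsam option to Snort rules,
# checking the who/time values against the lists given in the text.

WHO = {"src", "source", "dst", "dest", "destination"}
UNITS = {"days", "months", "weeks", "years", "minutes", "seconds", "hours"}
PERMANENT = {"0", "permanent", "infinite", "always"}

DURATION_RE = re.compile(r"^(\d+)\s+([a-z]+)$")


def normalize_duration(duration: str) -> str:
    """Accept '<n> <unit>' or one of the permanent keywords; raise ValueError otherwise."""
    d = duration.strip().lower()
    if d in PERMANENT:
        return d
    m = DURATION_RE.match(d)
    if m and m.group(2) in UNITS:
        return f"{m.group(1)} {m.group(2)}"
    raise ValueError(f"invalid fwsam time: {duration!r}")


def add_fwsam(rule: str, who: str = "src", duration: str = "1 minutes") -> str:
    """Return `rule` with 'fwsam: who,time;' as its last option.

    Rules that already carry fwsam are returned unchanged, so the function is idempotent."""
    if who not in WHO:
        raise ValueError(f"invalid fwsam who: {who!r}")
    rule = rule.strip()
    if "(" not in rule or not rule.endswith(")"):
        raise ValueError("not a rule with an option list")
    if re.search(r"\bfwsam\s*:", rule):
        return rule
    body = rule[:-1].rstrip()          # drop the closing parenthesis
    if not body.endswith(";"):         # every option, including the last, ends with ';'
        body += ";"
    return f"{body} fwsam: {who},{normalize_duration(duration)};)"


def add_fwsam_to_ruleset(text: str, **kwargs) -> str:
    """Apply add_fwsam to every rule line, leaving comments and blank lines untouched."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
        else:
            out.append(add_fwsam(stripped, **kwargs))
    return "\n".join(out)


# Sample rule set constructed from the scan rules of section 6.3.1, without fwsam.
SCAN_RULES = """\
# port-scan signatures
alert tcp any any -> $HOME_NET any (msg:"FIN Scan"; flags:F; sid:1000001;)
alert tcp any any -> $HOME_NET any (msg:"Xmas Scan"; flags:FPU; sid:1000002;)
alert tcp any any -> $HOME_NET any (msg:"NULL Scan"; flags:0; sid:1000003;)
"""

if __name__ == "__main__":
    print(add_fwsam_to_ruleset(SCAN_RULES))
```

Validating the who and time fields before the rule is loaded avoids a rule that parses but never blocks anything, which is easy to produce by hand (for instance by separating who and time with a semicolon instead of a comma).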

6.3. Testing attack types

6.3.1. Port scans
Common port-scan types are the XMAS scan, the NULL scan and the FIN scan. The attacker stands outside and scans the network to collect information about open service ports, the operating system version and the versions of the software running on the server.
Snort rules:
alert tcp any any -> $HOME_NET any (msg:"FIN Scan"; flags:F; sid:1000001; fwsam:src, 1 minutes;)
alert tcp any any -> $HOME_NET any (msg:"Xmas Scan"; flags:FPU; sid:1000002; fwsam:src, 1 minutes;)
alert tcp any any -> $HOME_NET any (msg:"NULL Scan"; flags:0; sid:1000003; fwsam:src, 1 minutes;)

When Snort detects one of these scans, it sends an alert to the SnortSam agent on the firewall and asks the firewall to block those addresses for 1 minute.
6.3.2 Apache Killer

Snort rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Kingcope KillApache.pl Apache mod_deflate DoS attempt"; flow:established,to_server; content:"Range|3a|bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14"; http_header; fast_pattern:only; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013472; rev:2; fwsam:src, 1 minutes;)

The attacker exploits the vulnerability in Apache 2.0 (below 2.0.65) and 2.2 (below 2.2.20) to mount a denial-of-service attack that consumes a large amount of system resources and hangs the system.
With the rule above, once iptables receives Snort's alert it blocks the source address for 1 minute.
6.3.3 Ping of Death
The attacker sends large ICMP packets to the server to saturate the link and prevent the server from providing its service. The Snort rule checks the size of the incoming ICMP packets:
alert icmp any any -> $HOME_NET any (msg:"Large ICMP Packet"; dsize:>200; sid:1000004; fwsam:src, 1 minutes;)

6.3.4 MS12-020
The vulnerability is exploited by the attacker through the Terminal Service (3389) and causes the system to shut down abruptly.
alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2; fwsam:src, 1 minutes;)

6.3.5 SQL Injection

The model uses a demo web application that is attacked with SQL Injection by passing the parameter ' or 1=1;#.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"[The system detected Sql Injection Attack-1]"; flow:to_server,established; uricontent:"/?id"; nocase; pcre:"/(((\?id=)|(\?id%3D))(\w*)(((\')|(\%27))((\w+)|(\W+)|(\D+)|(\d+))))/ix"; classtype:web-application-attack; sid:1000015; rev:1; fwsam:src, 1 minutes;)
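To check what this rule actually matches, the following added Python example (not code from the thesis) runs the rule's uricontent and pcre checks over constructed request lines, using the regular expression exactly as written in the rule: the page's payload in raw and URL-encoded form, plus two benign requests. The function names and sample requests are assumptions made here, and the pcre is applied to the URI only rather than to the whole packet payload as Snort would.

```python
import re

# Added example (not part of the thesis): run the rule's uricontent and pcre checks
# against constructed request lines, using the regular expression exactly as written.

# The pattern from the rule; Python's re accepts it unchanged, and the rule's /i and /x
# modifiers map to IGNORECASE and VERBOSE.
SQLI_PCRE = r"(((\?id=)|(\?id%3D))(\w*)(((\')|(\%27))((\w+)|(\W+)|(\D+)|(\d+))))"
SQLI_RE = re.compile(SQLI_PCRE, re.IGNORECASE | re.VERBOSE)
ALERT_MSG = "[The system detected Sql Injection Attack-1]"


def request_uri(raw_request: str) -> str:
    """URI of the request line: everything between the method and the HTTP version."""
    line = raw_request.split("\r\n", 1)[0]
    return line.split(" ", 1)[1].rsplit(" HTTP/", 1)[0]


def inspect(raw_request: str):
    """Return the rule's msg when both the uricontent and the pcre option match, else None."""
    uri = request_uri(raw_request)
    if "/?id" not in uri.lower():        # uricontent:"/?id"; nocase;
        return None
    # The rule's pcre runs over the payload; here it is applied to the URI only.
    if SQLI_RE.search(uri) is None:
        return None
    return ALERT_MSG


# Constructed sample requests: the payload from the text, raw and URL-encoded, and two
# benign requests.
SAMPLES = {
    "raw quote": "GET /?id=1' or 1=1;# HTTP/1.1\r\nHost: demo.example\r\n\r\n",
    "url-encoded": "GET /?id=1%27%20or%201%3D1%3B%23 HTTP/1.1\r\nHost: demo.example\r\n\r\n",
    "numeric id": "GET /?id=42 HTTP/1.1\r\nHost: demo.example\r\n\r\n",
    "other path": "GET /index.php?page=about HTTP/1.1\r\nHost: demo.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:12s} -> {inspect(req)}")
```

Running the samples shows the rule's scope: it keys on a quote character (raw or as %27) following an id parameter, and it is tied to that one parameter name by the uricontent option, so it is a signature for this demo application rather than a general SQL injection detector.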

RESULTS ACHIEVED

Scientific results:

The objectives of the project were achieved: knowledge of intrusion detection systems and of intrusion detection techniques.
The architecture and operation of Snort/SnortSam were studied, as were the analysis of log files and alerts and, based on that, the writing of suitable rules to detect and prevent intrusions.
A number of attack cases were analysed, along with the rule sets for a number of common attack types.
A demo deployment was carried out in the model system.
Feasibility of practical deployment:
Information security in Vietnam is becoming a burning issue after a series of incidents in which large systems were attacked. Snort is an intrusion detection system with a very large number of users worldwide. Snort is open-source software, so the licensing cost is zero; money only has to be spent on the full rule sets from Sourcefire, if they are needed.
In addition, a Snort installation has no demanding requirements: a mid-range server is enough to deploy Snort. The deployment cost is therefore far lower than that of other hardware systems.
Snort has all the technical features needed for signature-based and anomaly-based intrusion detection.
It is entirely capable of being deployed well in any real system.
Economic and social effectiveness:

If the system administrator is skilled, there is no need to pay an extra $29.99 per year for an individual user or $399.00-499.00 per year for a business to buy additional rule sets.
Low cost for a good system with the full functionality of an intrusion detection system.
Combined with other open-source systems such as netfilter/iptables, monitoring systems such as Nagios and mod_security for web applications, a good system can be built that can block attacks and analyse, monitor and improve the performance of services at an extremely low cost.
Limitations:
A few limitations remain in the project:
The iptables rules have not been fully configured.
Attacks within the internal network, such as ARP spoofing or packet sniffing on the LAN, have not been demonstrated.

CONCLUSION

Conclusion
The project achieved a number of objectives, such as understanding how an IDS works and how it detects intrusions, and how an intrusion detection system is placed within a network.
The structure and packet-processing method of Snort and SnortSam were studied and understood, as was the structure of a Snort rule, how to write a rule for a specific requirement, and how to analyse data in order to write rules.
The system was installed and configured successfully, and simple forms of intrusion were demonstrated.
The author met some difficulty in deploying the model on virtual machines; the complexity of the network model is hard to reproduce in a virtual system.
The author had difficulty demonstrating the newest kinds of attack; the attacks demonstrated are still simple ones, since the aim was only to test Snort's response.
The latest version of Snort does not yet have a matching SnortSam patch.
The author wanted to focus on forming the rules corresponding to the attack types rather than on installation, configuration and deployment. In the author's understanding, the hardest part of building a Snort/SnortSam system is not the installation, configuration or demonstration; the hardest part lies with the administrator. However good a Snort/SnortSam system is, if the administrator lacks the skills to analyse logs and the state of the system, and does not clearly understand the structure of rules, no rule sets can be formed for the enterprise environment in which it is deployed.
The final conclusion is that whether an intrusion detection system is built well or not depends on the system administrator.  Snort/SnortSam is only a tool, and the security of the system cannot be entrusted entirely to it.
Recommendations

If possible, the author hopes to deploy on a real system, one that provides all the services users need and has the necessary internal network zones.
The author also investigated real-time alerting via email and SMS, but noticed a drawback of this approach: on a day when the system generates too many alerts, sending email and SMS becomes overloaded. Since the administrator must check the system regularly anyway, the author considers that this approach has few advantages.
Instead of email and SMS systems, the author proposes using a dedicated workstation for log analysis. These logs are not only received from Snort but can also come from web services, from system logs, or via syslog-ng. During the research the author surveyed two extremely powerful log-analysis tools, Splunk and Aanval SAS. Both are paid tools, but they are extremely powerful and worth the price.
Besides Snort/SnortSam, the system can use other open-source tools and solutions such as iptables for the firewall, mod_security specifically for the Apache web server, and monitoring solutions such as Nagios and ZenOSS.

APPENDIX

1. iptables rules for the demo model

#! /bin/bash
### Shell script to publish the web server
### iptables and snort/snortsam
ipt=/sbin/iptables
echo "1" > /proc/sys/net/ipv4/ip_forward
# flush the iptables configuration
$ipt -t filter -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -t filter -X
$ipt -t nat -X
$ipt -t mangle -X
$ipt -t filter -Z
$ipt -t nat -Z
$ipt -t mangle -Z
# change the default policies
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
# publish www
$ipt -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -d 1.2.3.5/24 -j DNAT --to-destination 10.0.0.100:80
$ipt -t nat -A POSTROUTING -p tcp --dport 80 -o eth1 -s 1.2.3.5/24 -j SNAT --to-source 10.0.0.1
$ipt -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -d 1.2.3.5/24 -j DNAT --to-destination 10.0.0.100:443
$ipt -t nat -A POSTROUTING -p tcp --dport 443 -o eth1 -s 1.2.3.5/24 -j SNAT --to-source 10.0.0.1
$ipt -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -d 1.2.3.5/24 -j DNAT --to-destination 10.0.0.100:3389
$ipt -t nat -A POSTROUTING -p tcp --dport 3389 -o eth1 -s 1.2.3.5/24 -j SNAT --to-source 10.0.0.1