Collected by www.diendandaihoc.com
Topic: Understanding IDS and Deploying an Intrusion Detection System on a Local Area Network
PART 7: APPENDIX
7.1 References
7.2 The IDS software Snort
7.2.1 Introduction to Snort
7.2.2 Snort as a NIDS
7.3 Basic Snort and iptables rules
7.3.1 Snort rules
7.3.1.1 Ping alert
7.3.1.2 Website access alert
7.3.1.3 FTP access alert
7.3.1.4 Telnet access alert
7.3.1.5 Oversized ICMP packet alert
7.3.1.6 SMB 2.0 DoS alert
7.3.1.7 Alert on chat sessions with unknown IP addresses
7.3.1.8 Blocking web sites with undesirable content
7.3.2 iptables rules
7.3.2.1 Blocking ping
7.3.2.2 Inbound NAT and outbound NAT
ABBREVIATIONS AND TERMS
IDS: Intrusion Detection System.
NIDS: Network Intrusion Detection System.
HIDS: Host Intrusion Detection System.
DIDS: Distributed Intrusion Detection System.
ADOdb: a database abstraction library for PHP (with a Python port) built on the same concept as Microsoft's ActiveX Data Objects.
DDoS: Distributed Denial of Service.
LAN: Local Area Network.
Sensor: the sensing component of an IDS, the part that collects packets or host events.
Alert: a warning raised by an IDS.
TCP: Transmission Control Protocol.
Slow Scan: a port or host scan carried out slowly, spread over a long time to stay below detection thresholds.
SSL: Secure Sockets Layer.
SSH: Secure Shell, a network protocol for establishing an encrypted, authenticated connection.
IPSec: IP Security.
DMZ: demilitarized zone, the network segment that holds an organisation's externally facing services.
CPU: Central Processing Unit.
UNIX: a family of computer operating systems.
Host: a computer attached to the network (server or workstation); in the IDS context, the machine a HIDS runs on and protects.
Protocol: an agreed set of rules for communication.
Payload: the data portion of a network packet, after the headers.
Attacker: the party carrying out an attack.
INTRODUCTION
As the Internet and internal networks spread everywhere, the number of intrusions keeps growing, and the challenge they pose forces organisations to add further systems that check for security holes. Hackers and intruders have found many ways to bring down a company's network or web services.
Many methods have been developed to secure network infrastructure and communication over the Internet, among them firewalls, encryption and virtual private networks (VPN). An intrusion detection system (IDS) is a security measure able to detect new kinds of attack and abuse, including those originating inside the network, and it works well alongside the traditional security measures.
We sincerely thank our supervisor, Mr. Đinh Xuân Lâm, for his dedicated guidance in helping us complete this graduation project. Although we have tried to complete the topic, this is still a fairly new and rapidly developing field, so shortcomings remain.
We look forward to receiving comments and remarks from the teachers.
We sincerely thank you.
Students carrying out the project:
1. Huỳnh Tiến Phát: Telephone: 0986.440.748
Email: phathuynh@daihoc.com.vn
2. Trần Quang Lâm: Telephone: 0984.055.050
Email: lamtran@daihoc.com.vn
1.1 Reasons for choosing the topic
We carried out this project not only to study the basic characteristics of intrusion detection systems as a new security measure that complements the existing ones, but also to build IDS software suited to conditions in Vietnam that can be applied in practice to keep systems safe and maintain service quality for users.
An IDS is not only a tool that analyses packets on the network and alerts the administrator; it also provides the following information:
- the attack events;
- the origin of the attack;
- the signature of the attack.
This kind of information becomes ever more important when network administrators want to design and implement a security programme suited to a particular organisation.
Some reasons to add an IDS alongside a firewall are:
- catching attacks that the firewall lets through.
1.3 Requirements
Mandatory requirements:
1. What is an IDS?
2. The components of an IDS.
3. IDS models.
4. Popular IDS applications today.
5. Deploying a demo IDS in a LAN.
Extended requirement: build a demo application of the sensor and alert components of an IDS.
- There is a delay between the moment of the attack and the moment the alarm is raised; by the time the alert is issued the system may already be compromised.
- It does not tell whether the attack succeeded.
2.3.2 Host-based IDS (HIDS)
A HIDS is usually installed on one specific computer. Instead of monitoring the activity of a network segment, a HIDS monitors only the activity on that one machine.
TCP Header
(Figure: Windows Vista/7 SMB2.0 NEGOTIATE PROTOCOL REQUEST remote attack)
Role: a network intrusion detection and prevention system that inspects the packets inside the internal network and the packets coming from outside.
4.1.4 Web server machine
Windows Server 2003 with IIS and ASP.NET installed, joined to the vsic.com domain.
Directory holding the web site source: C:\Inetpub\wwwroot
Role: a web server providing the services the clients need.
4.1.5 Windows Server 2008 machine
+ Windows Server 2008 SP1 installed and promoted to a domain controller for the domain vsic.com.
+ Role: the target machine for the demo using the zero-day attack method.
4.2 IDS configuration
4.2.1 Detailed network diagram
5.1 Inotify
Inotify is a Linux kernel subsystem developed by John McCutchan, Robert Love and Amy Griffis. It monitors changes to files and directories: growth or shrinking of a file, modification, deletion, creation of a directory or file, and even an unmount of the filesystem, and it reports these changes to an application through its programming interface (API). One can also follow the source and the destination of a file or directory move. Using Inotify requires Linux with kernel 2.6.13 or newer.
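The following Python example is added here and is not part of the thesis; it drives the inotify API directly through ctypes to show what a sensor built on it actually receives. It watches a temporary directory, creates, renames and deletes a file in it, decodes the raw inotify_event records read from the inotify file descriptor, and pairs IN_MOVED_FROM with IN_MOVED_TO by their shared cookie to recover the source and destination of the move mentioned above. It assumes Linux (kernel 2.6.13 or newer) and CPython; the file names a.txt and b.txt and the watch mask are choices made for this demo.

```python
import ctypes
import os
import struct
import tempfile

# Event bits from <sys/inotify.h>.
IN_MODIFY      = 0x00000002
IN_CLOSE_WRITE = 0x00000008
IN_MOVED_FROM  = 0x00000040
IN_MOVED_TO    = 0x00000080
IN_CREATE      = 0x00000100
IN_DELETE      = 0x00000200
IN_DELETE_SELF = 0x00000400
IN_UNMOUNT     = 0x00002000
IN_NONBLOCK    = os.O_NONBLOCK          # the kernel defines IN_NONBLOCK as O_NONBLOCK

WATCH_MASK = (IN_MODIFY | IN_CLOSE_WRITE | IN_MOVED_FROM | IN_MOVED_TO
              | IN_CREATE | IN_DELETE | IN_DELETE_SELF | IN_UNMOUNT)
MASK_NAMES = {"modify": IN_MODIFY, "close_write": IN_CLOSE_WRITE, "moved_from": IN_MOVED_FROM,
              "moved_to": IN_MOVED_TO, "create": IN_CREATE, "delete": IN_DELETE,
              "delete_self": IN_DELETE_SELF, "unmount": IN_UNMOUNT}

# libc is already mapped into the interpreter, so its symbols resolve without a library path.
_libc = ctypes.CDLL(None, use_errno=True)
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_init1.restype = ctypes.c_int
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
_libc.inotify_add_watch.restype = ctypes.c_int

# struct inotify_event { int wd; uint32_t mask; uint32_t cookie; uint32_t len; char name[]; }
_EVENT_HDR = struct.Struct("iIII")


def watch_dir(path):
    """Open a non-blocking inotify instance and watch `path`; returns (fd, watch descriptor)."""
    fd = _libc.inotify_init1(IN_NONBLOCK)
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init1 failed")
    wd = _libc.inotify_add_watch(fd, os.fsencode(path), WATCH_MASK)
    if wd < 0:
        raise OSError(ctypes.get_errno(), "inotify_add_watch failed")
    return fd, wd


def read_events(fd):
    """Drain the queued events; each becomes a dict with the raw mask, its names, cookie and name."""
    try:
        buf = os.read(fd, 64 * 1024)
    except BlockingIOError:          # nothing queued on the non-blocking descriptor
        return []
    events, off = [], 0
    while off < len(buf):
        wd, mask, cookie, length = _EVENT_HDR.unpack_from(buf, off)
        off += _EVENT_HDR.size
        # `name` is NUL-padded to `length` bytes; it is empty for events on the watched dir itself.
        name = buf[off:off + length].split(b"\0", 1)[0].decode(errors="replace")
        off += length
        events.append({"wd": wd, "mask": mask, "cookie": cookie, "name": name,
                       "kinds": [k for k, bit in MASK_NAMES.items() if mask & bit]})
    return events


def pair_moves(events):
    """Match IN_MOVED_FROM / IN_MOVED_TO by cookie to recover (old_name, new_name) of each rename."""
    pending, moves = {}, []
    for ev in events:
        if ev["mask"] & IN_MOVED_FROM:
            pending[ev["cookie"]] = ev["name"]
        elif ev["mask"] & IN_MOVED_TO and ev["cookie"] in pending:
            moves.append((pending.pop(ev["cookie"]), ev["name"]))
    return moves


def run_demo():
    """Watch a fresh temporary directory, create/rename/delete a file in it, return what inotify saw."""
    with tempfile.TemporaryDirectory() as directory:
        fd, _ = watch_dir(directory)
        try:
            src = os.path.join(directory, "a.txt")   # file names chosen for this demo
            dst = os.path.join(directory, "b.txt")
            with open(src, "w") as fh:               # IN_CREATE, IN_MODIFY, IN_CLOSE_WRITE
                fh.write("sample")
            os.rename(src, dst)                      # IN_MOVED_FROM + IN_MOVED_TO, same cookie
            os.unlink(dst)                           # IN_DELETE
            events = read_events(fd)
        finally:
            os.close(fd)
    return {"moves": pair_moves(events),
            "created": [e["name"] for e in events if e["mask"] & IN_CREATE],
            "deleted": [e["name"] for e in events if e["mask"] & IN_DELETE],
            "kinds": [e["kinds"] for e in events]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

A real sensor would keep the descriptor open and loop over read_events with select or poll; the cookie pairing is what lets a HIDS report "x was renamed to y" rather than two unrelated events, and an IN_DELETE_SELF or IN_UNMOUNT on the watched directory means the watch itself is gone and must be re-created.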
5.3 Product
PART 6: CONCLUSION
6.1 Achievements
- Grasped how an intrusion detection system (IDS) works.
- Installed and configured an intrusion detection system on a local network based on the open-source tools Snort, iptables and the Squid proxy.
- Applied what was learned about DoS/DDoS to write rules for Snort and iptables.
- Used the alert-analysis products for Snort: MySQL, ACID, BASE.
PART 7: APPENDIX
Web sites:
Vietnamese:
http://www.hvaonline.net
http://nhatnghe.com/forum
http://quantrimang.com.vn
http://forum.saobacdau-acad.vn
http://forum.t3h.vn
http://ipmac.vn/forum
http://vnexperts.net
http://kmasecurity.net
Foreign:
http://www.google.co.uk
http://www.snort.org
http://www.openmaniak.com/inline.php
http://sectools.org/
http://linux.org/
http://ibm.com
http://support.microsoft.com
http://www.winids.com
mkdir /etc/snort/rules
mkdir /var/log/snort
- Copy the configuration files (from the etc/ directory of the unpacked Snort source tree)
cd etc/
cp * /etc/snort
- Create a group and a user for Snort
groupadd snort
useradd -g snort snort -s /sbin/nologin
- Set the ownership so that Snort can write its logs into the log directory
chown snort:snort /var/log/snort/
Step 3: Configuration and intrusion detection
3.1 The alert file in the directory /var/log/snort
Example: analysing a Snort alert
This is the name of the alert: generator ID 1 (the rules engine), signature ID 1418, revision 3, followed by the rule's message:
[**] [1:1418:3] SNMP request tcp [**]
This is the header and the information of the packet that caused the alert: the timestamp, source address:port, destination address:port, then the IP and TCP header fields:
03/24-15:07:35.827022 192.168.1.2:49641 -> 192.168.1.105:161
TCP TTL:44 TOS:0x0 ID:37753 IpLen:20 DgmLen:40
Seq: 0x4EB5A7C6 Ack: 0x0 Win: 0x400 TcpLen: 20
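As an added example that is not part of the thesis, the Python below parses Snort "full" alert records of the shape shown above into structured fields and then correlates them, which is the step the thesis delegates to ACID/BASE. The three alert records in SAMPLE_ALERTS are constructed for this example (the second SNMP alert and the ICMP alert are invented to exercise the correlation, and sid 1000001 is a hypothetical local rule); the Classification/Priority line and the TCP flags field are shown as Snort prints them in full-alert mode.

```python
import re
from collections import defaultdict

# Constructed sample of Snort "full" alert output (three records), not captured from the thesis' lab.
SAMPLE_ALERTS = """\
[**] [1:1418:3] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/24-15:07:35.827022 192.168.1.2:49641 -> 192.168.1.105:161
TCP TTL:44 TOS:0x0 ID:37753 IpLen:20 DgmLen:40
******S* Seq: 0x4EB5A7C6  Ack: 0x0  Win: 0x400  TcpLen: 20

[**] [1:1000001:1] LOCAL ICMP ping detected [**]
[Classification: Misc activity] [Priority: 3]
03/24-15:07:36.120044 192.168.1.2 -> 192.168.1.105
ICMP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:84
Type:8  Code:0  ID:4321   Seq:1  ECHO

[**] [1:1418:3] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/24-15:07:37.001122 192.168.1.2:49642 -> 192.168.1.106:161
TCP TTL:44 TOS:0x0 ID:37754 IpLen:20 DgmLen:40
******S* Seq: 0x4EB5A7C7  Ack: 0x0  Win: 0x400  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")       # [gid:sid:rev] msg
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")        # ports absent for ICMP
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")


def parse_alert(block):
    """Parse one alert record (the lines between two blank lines) into a dict, or None if malformed."""
    lines = block.strip().splitlines()
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        return None
    alert = {"gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
             "msg": m.group(4), "classification": None, "priority": None, "timestamp": None,
             "src": None, "src_port": None, "dst": None, "dst_port": None,
             "proto": None, "ttl": None, "dgmlen": None}
    for line in lines[1:]:
        c = CLASS_RE.match(line)
        if c:
            alert["classification"], alert["priority"] = c.group(1), int(c.group(2))
            continue
        p = PACKET_RE.match(line)
        if p and alert["src"] is None:
            alert["timestamp"], alert["src"], alert["dst"] = p.group(1), p.group(2), p.group(4)
            alert["src_port"] = int(p.group(3)) if p.group(3) else None
            alert["dst_port"] = int(p.group(5)) if p.group(5) else None
            continue
        r = PROTO_RE.match(line)
        if r:
            alert["proto"], alert["ttl"], alert["dgmlen"] = r.group(1), int(r.group(2)), int(r.group(6))
    return alert


def parse_alerts(text):
    """Split a full-alert file on blank lines and parse every record."""
    return [a for a in (parse_alert(b) for b in re.split(r"\n[ \t]*\n", text.strip())) if a]


def count_by_source(alerts):
    """Alert count per (source IP, sid): who is triggering which rule, and how often."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(a["src"], a["sid"])] += 1
    return dict(counts)


def find_port_sweeps(alerts, min_hosts=2):
    """Correlate alerts: one source probing the same destination port on several hosts."""
    targets = defaultdict(set)
    for a in alerts:
        if a["dst_port"] is not None:
            targets[(a["src"], a["dst_port"])].add(a["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a["timestamp"], "sid=%d" % a["sid"], a["proto"], a["src"], "->", a["dst"], a["msg"])
    print("per source/rule:", count_by_source(parsed))
    print("port sweeps:", find_port_sweeps(parsed))
```

The parser deliberately keys on the [gid:sid:rev] triple rather than on the message text, because the message can be edited in the rule file while the sid stays stable; the sweep detector shows why individual alerts are less useful than correlation, since neither SNMP alert on its own says that 192.168.1.2 is walking the subnet.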
3.2 The snort.conf file
snort.conf controls everything Snort sees: how it counters attacks, which rules are applied when something suspicious is seen, and how it can spot potentially dangerous behaviour even when there is no specific signature to compare against (the work of the preprocessors).
Example of the layout of snort.conf:
- Network setup and variable configuration
- Decoder and detection engine configuration
Commonly used config options and their command-line equivalents (descriptions after the Snort 2.8 manual):
Option                               Description
config decode_arp                    Decode and display ARP packets (same as -a).
config dump_chars_only               Dump only the printable characters of the payload (same as -C).
config dump_payload                  Dump the application-layer payload of each packet (same as -d).
config decode_data_link              Decode and display the data-link (Ethernet) header (same as -e).
config set_gid: 30                   Run Snort under the given group ID after start-up (same as -g).
config daemon                        Run Snort as a background daemon (same as -D).
config alert_with_interface_name     Append the interface name to alerts (same as -I).
config pkt_count: N                  Exit after processing N packets (same as -n).
config nolog                         Disable packet logging; alerts are still generated (same as -N).
config verbose                       Verbose output to standard output (same as -v).
... defined in the rules from triggering alerts; there are quite a few tools for doing this, but Snort has its own way of countering it. Stream4 has two main jobs: stateful inspection (tracking the state of each TCP connection, so that packets which do not belong to an established session are not matched as if they did) and session awareness and reassembly (recognising which packets belong to the same session and reassembling them, so that a signature split across several packets is still detected). Later Snort 2.x releases replace it with the Stream5 preprocessor, which is what a current snort.conf enables.
The HTTP inspect preprocessor
Information can be encoded into HTTP sessions in many ways, and many kinds of content travel inside them (multimedia, XML, HTML, ASP, PHP, Java, ...). Snort therefore has to keep the content of the HTTP conversation and normalise the data (for example, decoding URL-encoded characters) before matching, in order to detect as much as possible.
Arpspoof
The arpspoof preprocessor is designed to detect illegitimate ARP spoofing activity on the local network. Attackers use man-in-the-middle tools such as ettercap or arpspoof to eavesdrop between machines on the internal network. To configure it, the administrator must know the IP address and MAC address of the network card of each host to protect (typically the default gateway), which is easy to find out.
Example:
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.1.1 F0:AB:CD:10:12:53
(sample IP and MAC; the MAC must be written as six hexadecimal octets)
File inclusion
In snort.conf, the include directive tells Snort to read the files named after include, stored on the Snort sensor's filesystem, much as in a programming language.
Example:
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
The rule files above can be downloaded from the Internet. Once downloaded, if we want to group or edit them, the classification and priority of the rules are configured in classification.config, while reference.config holds the links to web sites with background information for all the alerts. Including both files is very useful and keeps snort.conf compact.
Example:
# include classification & priority settings
include classification.config
# include reference systems
include reference.config
Installing the rule set for Snort
tar -xzvf snortrules-snapshot-2.8.tar.gz
cd rules
cp * /etc/snort/rules
7.8 Starting Snort together with the system
Create a symbolic link from the snort binary to /usr/sbin/snort:
ln -s /usr/local/bin/snort /usr/sbin/snort
cp /snort/snort-2.8.4.1/rpm/snortd /etc/init.d/
cp /snort/snort-2.8.4.1/rpm/snort.sysconfig /etc/sysconfig/snort
Make the init script executable, enable the service at boot and start it:
chmod 755 /etc/init.d/snortd
chkconfig snortd on
service snortd start
#cd base
#cp base_conf.php.dist base_conf.php
#vi base_conf.php
Restart Snort and the web server
#service snortd restart
#service httpd restart
THE END