
Topic: Understanding IDS and Deploying an Intrusion Detection System on a Local Area Network
Collected by www.diendandaihoc.com

TABLE OF CONTENTS

LIST OF FIGURES IN THE REPORT ..... 5
ABBREVIATIONS ..... 6
INTRODUCTION ..... 8
PART 1: OVERVIEW ..... 9
1.1 Reasons for choosing the topic ..... 10
1.2 Analysis of the current situation ..... 10
1.3 Requirements ..... 11
1.4 Limits and scope of the study ..... 12
1.5 Practical significance of the topic ..... 12
PART 2: UNDERSTANDING IDS ..... 13
2.1 Concept ..... 14
2.2 Components and functions of an IDS ..... 14
2.2.1 Packet collection component ..... 14
2.2.2 Packet detection component ..... 15
2.2.3 Response component ..... 15
2.3 Classification of IDS ..... 15
2.3.1 Network-Based IDS (NIDS) ..... 15
2.3.1.1 Advantages of Network-Based IDS ..... 16
2.3.1.2 Limitations of Network-Based IDS ..... 16
2.3.2 Host-Based IDS (HIDS) ..... 17
2.3.2.1 Advantages of Host IDS ..... 17
2.3.2.2 Limitations of Host IDS ..... 18
2.4 How an IDS works ..... 18
2.4.1 Anomaly-based detection ..... 18
2.4.2 Protocol-based detection ..... 18
2.4.3 Detection through self-learning ..... 21
2.5 Popular IDS applications today ..... 21
PART 3: ATTACK METHODS AND COUNTERMEASURES ..... 22
3.1 Attack methods ..... 23
3.1.1 ARP Spoofing ..... 23
3.1.2 SYN Flood ..... 23
3.1.3 Zero-Day Attacks ..... 23
3.1.4 DoS - Ping of Death ..... 24
3.2 Countermeasures ..... 24
3.2.1 ARP Spoofing: securing the ARP cache ..... 24
3.2.2 SYN Flood ..... 25
3.2.3 Zero-Day Attacks ..... 25
3.2.4 DoS - Ping of Death ..... 25
PART 4: DEPLOYING THE INTRUSION DETECTION SYSTEM ..... 26
4.1 Implementation steps ..... 27
4.1.1 Overall network model ..... 27
4.1.2 Client machine ..... 27
4.1.3 IDS machine ..... 27
4.1.4 Web server machine ..... 28
4.1.5 Windows Server 2008 machine ..... 28
4.2 IDS configuration ..... 28
4.2.1 Detailed network model ..... 28
4.2.2 Steps to configure alerting and blocking for several IDS use cases with Snort combined with iptables ..... 29
4.2.2.1 DoS attack through the SMB 2.0 bug ..... 29
4.2.2.2 Unauthorized web access by IP and domain name ..... 29
4.2.2.3 Website access during prohibited hours ..... 29
4.2.2.4 Access via FTP ..... 30
4.2.2.5 Ping of Death attack ..... 30
4.2.2.6 Chatting with machines at unknown IP addresses ..... 30
4.2.2.7 Sniffing using ARP Spoofing ..... 30
4.2.3 Installing Webmin to manage Snort ..... 31
4.2.4 Creating the Snort database with MySQL ..... 31
4.2.5 Installing BASE ..... 31
PART 5: BUILDING A DEMO APPLICATION OF THE SENSOR AND ALERT COMPONENTS OF AN IDS ..... 32
5.1 Inotify ..... 33
5.2 API programming combined with Inotify ..... 33
5.3 Product ..... 34
PART 6: CONCLUSION ..... 35
6.1 Goals achieved ..... 36
6.2 Goals not achieved ..... 36
6.3 Directions for extending the topic ..... 37
PART 7: APPENDIX ..... 38
7.1 References ..... 39
7.2 IDS software: Snort ..... 40
7.2.1 Introduction to Snort ..... 40
7.2.2 Snort as a NIDS ..... 41
7.3 Configuring basic Snort and iptables rules ..... 41
7.3.1 Snort rules ..... 41
7.3.1.1 Ping alert ..... 41
7.3.1.2 Website access alert ..... 41
7.3.1.3 FTP access alert ..... 41
7.3.1.4 Telnet access alert ..... 41
7.3.1.5 Large ICMP packet alert ..... 42
7.3.1.6 SMB 2.0 DoS alert ..... 42
7.3.1.7 Alert on chat with machines at unknown IP addresses ..... 42
7.3.1.8 Blocking websites with objectionable content ..... 42
7.3.2 iptables rules ..... 42
7.3.2.1 Blocking ping ..... 42
7.3.2.2 Inbound NAT and outbound NAT ..... 43
7.3.2.3 Blocking website access ..... 43
7.3.2.4 Blocking FTP access ..... 44
7.3.2.5 Blocking the SMB 2.0 DoS ..... 44
7.3.2.6 Blocking large ICMP packets ..... 44
7.3.2.7 Blocking chat with machines at unknown IP addresses ..... 44
7.4 Detailed Snort configuration guide ..... 44
7.5 Network setup and variable configuration ..... 46
7.6 Configuring options in snort.conf ..... 47
7.7 Preprocessor configuration ..... 48
7.8 Starting Snort at system boot ..... 50
7.9 Managing Snort with Webmin ..... 51
7.10 Creating the Snort database with MySQL ..... 51
7.11 Installing BASE and ADOdb ..... 52

LIST OF FIGURES IN THE REPORT

Figure 1: Architecture of an intrusion detection system (IDS): Figure 1 in Part 2
Figure 2: Network IDS: Figure 2 in Part 2
Figure 3: Host-based IDS: Figure 3 in Part 2
Figure 4: IP header structure: Figure 4 in Part 2
Figure 5: TCP header structure: Figure 5 in Part 2
Figure 6: Viewing the ARP cache: Figure 1 in Part 3
Figure 7: Overall network model: Figure 1 in Part 4
Figure 8: Detailed network model: Figure 2 in Part 4
Figure 9: Management with Webmin: Figure 1 in Part 6
Figure 10: Managing BASE: Figure 2 in Part 6
Figure 11: Demo product: Figure 1 in Part 5

ABBREVIATIONS

IDS - Intrusion Detection System.
NIDS: Network Intrusion Detection System.
HIDS: Host Intrusion Detection System.
DIDS: Distributed Intrusion Detection System.
ADOdb: a database abstraction library for PHP and Python based on the same concept as Microsoft's ActiveX Data Objects.
DDoS - Distributed Denial of Service.
LAN - Local Area Network.
Sensor: the sensing component of an IDS.
Alert: a warning raised by the IDS.
TCP - Transmission Control Protocol.
Slow Scan: a scan carried out slowly.
SSL - Secure Sockets Layer.
SSH - Secure Shell: a network protocol for establishing network connections securely.
IPSec: IP Security.
DMZ - demilitarized zone: the physical network zone holding an organization's externally facing services.
CPU: Central Processing Unit.
UNIX: Unix or UNIX, a computer operating system.
Host: disk space that stores web data and can be accessed remotely.
Protocol: a communication protocol.
Payload: the data carried by a network packet.
Attacker: the party carrying out an attack.
ADSL: Asymmetric Digital Subscriber Line.
WLAN: Wireless Local Area Network.
Iptables: the firewall system in Linux.
ACID - Analysis Console for Intrusion Databases: a data analysis console for intrusion detection systems.
BASE - Basic Analysis and Security Engine: the packet analysis component.
Software: computer programs.
OS: Operating System.
OSI: Open Systems Interconnection: the 7-layer OSI model.

INTRODUCTION

As intrusions keep increasing while the Internet and internal networks appear everywhere, the challenge of network intrusions forces organizations to add further systems that check for security vulnerabilities. Hackers and intruders have created many ways to bring down a company's network or web service.
Many methods have been developed to secure network infrastructure and communication over the Internet, including firewalls, encryption and virtual private networks (VPN). An Intrusion Detection System (IDS) is a security method able to counter new kinds of attacks and abuses originating from inside the system, and it can work well alongside traditional security methods.
We sincerely thank Mr. Đinh Xuân Lâm for his dedicated guidance in helping us complete this graduation project. Although we have tried to complete the topic, this is a still fairly new and fast-developing field, so many shortcomings remain.
We look forward to receiving comments and remarks from our teachers.
We sincerely thank you.
Students:
1. Huỳnh Tiến Phát: Phone: 0986.440.748, Email: phathuynh@daihoc.com.vn
2. Trần Quang Lâm: Phone: 0984.055.050, Email: lamtran@daihoc.com.vn

PART 1: OVERVIEW

1.1 Reasons for choosing the topic
We carried out this project not only to study the basic characteristics of intrusion detection systems as a new security method that supplements existing ones, but also to build IDS software suited to conditions in Vietnam that can be applied in practice to keep systems safe and maintain service quality for users.
An IDS is not only a tool that analyzes packets on the network and sends alerts to the administrator; it also provides the following information:
- Attack events.
- Attack methods.
- Attack origin.
- Attack signatures.
This kind of information becomes more and more important when network administrators want to design and implement a security program suited to a particular organization.
Some reasons for adding an IDS to a firewall system:
- A second check in case the firewall is misconfigured.
- Stopping attacks that the firewall lets through.
- Making attack attempts fail.
- Recognizing attacks from the inside.

1.2 Analysis of the current situation
- Over 90% of connected networks use an IDS to detect computer security vulnerabilities.
- On 4/7/02 the Computer Security Institute reported that up to 80% of financial losses, exceeding 455 million dollars, were caused by intrusions and malicious code.
- Millions of business operations are affected by intrusions.
- If you use antivirus software, you should consider adding an IDS to your security strategy. Most organizations that use antivirus software do not use an IDS.
- Because technology keeps evolving, no security solution lasts forever. According to assessments by the world's leading IT organizations, the network security situation remains unstable and the year continues to be regarded as an alarming one for global network security, with many serious vulnerabilities discovered, changing forms of attack and many attacks by high-tech criminals on enterprises' IT systems.
- For example, the Vista operating system can be attacked through a "blue screen of death" vulnerability. A hacker can send the system a request containing attack code aimed directly at Vista and bring all activity to a halt.
- An intrusion detection system (IDS) is a security method able to counter new kinds of attacks, abuse and misuse originating from inside the system, and it works well with traditional security methods. It has long been researched, developed and applied around the world and plays an important role in security policies.

1.3 Requirements
Mandatory requirements:
1. What is an IDS?
2. The components of an IDS.
3. IDS models.
4. Popular IDS applications today.
5. Deploy a demo IDS model in a LAN.
Extended requirement: build a demo application of the sensor and alert components of an IDS.

1.4 Limits and scope of the study
- Study the local area networks of organizations and enterprises that are connected to the Internet.
- Study the unauthorized-intrusion threats faced by network systems.
- Study the techniques for detecting and preventing intrusions.
- Study the Snort IDS software.

1.5 Practical significance of the topic
- Research the technical issues of intrusion detection and prevention systems.
- Analyze and assess the unauthorized-intrusion threats faced by network systems.
- Offer a useful security solution for the networks of organizations and enterprises.

PART 2: UNDERSTANDING IDS

2.1 Concept
An Intrusion Detection System (IDS) is a hardware or software system whose job is to monitor network traffic, automatically track the events occurring on computer systems, analyze them to detect security-related problems and raise alerts to the administrator.

2.2 Components and functions of an IDS
An IDS consists of these main components:
- Packet information collection component.
- Packet detection component.
- Processing (response) component.

Figure 1: Architecture of an intrusion detection system (IDS)

2.2.1 Packet collection component
This component is responsible for capturing every packet that reaches the network. Normally a network card discards packets not addressed to it, but the IDS's network card is put into promiscuous mode so that it receives all of them. Every packet passing through is copied, processed and analyzed down to each information field. The collection component reads each field of the packet, determines what kind of packet it is, which service it belongs to, and so on. This information is passed on to the attack detection component.

2.2.2 Packet detection component
In this component the sensors play the decisive role. A sensor's job is to filter the information and discard the data that does not fit, obtained from events related to the protected system, so that suspicious actions can be detected.

2.2.3 Response component
When there are signs of an attack or intrusion, the attack detection component sends an alert signalling the attack or intrusion to the response component. The response component then activates the firewall to block the attack, or warns the administrator. Some prevention techniques are listed below.
Real-time alerts
Real-time alerts are sent to the administrator so that they have the details of the attacks, their characteristics and the information about them.
Logging to files
The packet data is stored in the system's log files. The purpose is to let administrators follow the information flows, and the logs are a source of information that helps the attack detection module operate.
Blocking or modifying packets
When a packet matches an attack signature, the IDS responds by dropping, rejecting or altering the content of the packet, so that it is no longer a normal packet.

2.3 Classification of IDS
2.3.1 Network-Based IDS (NIDS)
A network-based IDS uses probes and sensors installed across the network. These probes watch the network for traffic that matches defined profiles, or signatures.

Figure 2: Network IDS

2.3.1.1 Advantages of Network-Based IDS
- Can cover a whole network segment (many hosts).
- Simple to install and maintain; does not affect the network.
- Avoids a DoS affecting a particular host.
- Can identify errors at the Network layer (of the OSI model).
- Independent of the OS.
2.3.1.2 Limitations of Network-Based IDS
- False alarms can occur.
- Cannot analyze encrypted packets (e.g. SSL, SSH, IPSec).
- A NIDS needs the latest signatures to be truly secure.
- There is a delay between the moment of the attack and the moment the alarm is raised; by the time the alarm goes off, the system may already be damaged.
- Does not tell whether the attack succeeded.
2.3.2 Host-Based IDS (HIDS)
A HIDS is usually installed on one particular machine. Instead of monitoring the activity of a network segment, a HIDS only monitors the activity on one computer.

Figure 3: Host-based IDS

2.3.2.1 Advantages of Host IDS
- Can identify the user involved in an event.
- A HIDS can detect attacks taking place on a single machine.
- Can analyze encrypted data.
- Provides information about the host while the attack is taking place.

2.3.2.2 Limitations of Host IDS
- Information from a HIDS is no longer trustworthy once an attack on that host has succeeded.
- When the operating system is "crashed" by an attack, the HIDS crashes with it.
- A HIDS must be set up on every host that needs monitoring.
- A HIDS cannot detect network scans (Nmap, Netcat).
- A HIDS consumes resources on the host in order to operate.
- A HIDS may be ineffective under a DoS.
- Most run on the Windows operating system, though some also run on UNIX and other operating systems.
2.4 How an IDS works
An IDS has two main functions: detecting attacks and alerting on them. There are two different approaches to analyzing events in order to detect attacks: signature-based detection and anomaly detection. IDS products may use one of the two or combine both.
2.4.1 Anomaly-based detection
This approach establishes a baseline of normal activity and then maintains a current profile for the system. When the two diverge, that means an intrusion has occurred.
Example: the IP address of computer A normally accesses the company domain during office hours; access to the company domain outside working hours is an anomaly.
2.4.2 Protocol-based detection
Similar to signature-based detection, but it performs an in-depth analysis of the specific protocols identified in the packet.

The structure of a packet is as follows:

IP Header

Figure 4: IP header structure

The Source Address and Destination Address fields let the IDS learn the origin of the attack.

TCP Header

Figure 5: TCP header structure.

The various IDS systems all rely on detecting unauthorized intrusions and anomalous actions. The detection process can be described by three fundamental elements:
- Information collection: examine every packet on the network.
- Analysis: analyze all the collected packets to determine which actions are attacks.
- Alerting: raise an alert for the attack identified by the analysis.
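As an added illustration of the protocol-level analysis described above (this is editor-supplied example code, not part of the report), the following Python decodes the IPv4 and TCP headers of Figures 4 and 5 from raw bytes, extracts the Source Address and Destination Address fields, and applies one protocol check: a TCP segment with both SYN and FIN set is not valid TCP and is the kind of thing a protocol-aware IDS flags. The packet bytes are constructed inline with checksums left at zero, and the addresses are sample values.

```python
"""Decode IPv4 and TCP headers (Figures 4 and 5) and run a protocol check.
Editor-supplied example; the packets below are constructed for offline use."""
import socket
import struct

IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5


def parse_ipv4(raw):
    """Return the IPv4 header fields plus the bytes that follow the header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,
        "flags": flags_frag >> 13,         # bit 1 = DF, bit 0 = MF
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": proto,
        "src": socket.inet_ntoa(src),      # Source Address field
        "dst": socket.inet_ntoa(dst),      # Destination Address field
        "payload": raw[ihl:total_len],
    }


def parse_tcp(segment):
    """Return the TCP header fields and the application payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flags, window,
     _csum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    names = [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": names, "window": window,
            "payload": segment[data_offset:]}


def inspect(raw):
    """Protocol-level inspection of one packet: who talks to whom, and is the
    TCP header internally consistent?  Returns a summary with any findings."""
    ip = parse_ipv4(raw)
    summary = {"src": ip["src"], "dst": ip["dst"],
               "protocol": ip["protocol"], "findings": []}
    if ip["protocol"] == IP_PROTO_TCP:
        tcp = parse_tcp(ip["payload"])
        summary.update(sport=tcp["sport"], dport=tcp["dport"],
                       flags=tcp["flags"])
        if {"SYN", "FIN"} <= set(tcp["flags"]):
            summary["findings"].append(
                "SYN and FIN set together: invalid TCP flag combination")
        if not tcp["flags"]:
            summary["findings"].append("no TCP flags set (NULL segment)")
    return summary


def build_ipv4_tcp(src, dst, sport, dport, tcp_flags, payload=b""):
    """Construct a raw IPv4/TCP packet for offline testing (checksums are 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4,
                      tcp_flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000,
                     64, IP_PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


if __name__ == "__main__":
    # Sample addresses only: the IDS host and a web server in 172.16.1.0/24.
    syn = build_ipv4_tcp("192.168.1.20", "172.16.1.5", 40000, 80, 0x02)
    odd = build_ipv4_tcp("192.168.1.20", "172.16.1.5", 40000, 80, 0x03)
    print(inspect(syn))
    print(inspect(odd))
```

The same two parsers give the collection component of section 2.2.1 its "which packet type, which service" answer; a real sensor feeds them from a promiscuous-mode capture rather than from constructed bytes, and would verify the checksums that are zeroed here.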
2.4.3 Detection through self-learning
This technique has two stages. When first set up, the intrusion detection system runs in learning mode and builds a profile of the network's behaviour during normal activity. After this initialization period the system runs in working m
ode, monitoring the network and detecting abnormal activity by comparing it with the established profile. Learning mode can run in parallel with working mode to keep the profile up to date, but if an attack signal is detected, learning must stop until the attack has ended.
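To make the two modes concrete, here is an editor-supplied Python sketch (not code from the report) of an anomaly detector in the sense of sections 2.4.1 and 2.4.3: a learning phase records which (destination, hour-of-day) pairs each source normally produces, the working phase alerts on anything outside that baseline (the off-hours access of the 2.4.1 example), and learning is suspended while an alert is open so that attack traffic is never absorbed into the profile. Hosts, addresses and hours are constructed sample data.

```python
"""Baseline/anomaly detector with a learning mode, a working mode and a
learning pause while an alert is open (sections 2.4.1 and 2.4.3).
Editor-supplied example; all events below are constructed sample data."""
from collections import defaultdict


class BehaviourProfile:
    """Baseline of normal activity: for every source, the set of
    (destination, hour-of-day) pairs observed during learning."""

    def __init__(self):
        self.seen = defaultdict(set)

    def learn(self, src, dst, hour):
        self.seen[src].add((dst, hour))

    def is_known(self, src, dst, hour):
        return (dst, hour) in self.seen[src]


class AnomalyIDS:
    def __init__(self):
        self.profile = BehaviourProfile()
        self.working = False        # False: still in the initial learning period
        self.parallel_learning = False
        self.alert_active = False   # an attack is in progress: learning is paused
        self.pending = []           # events held back while the alert is open
        self.alerts = []

    def start_working_mode(self, keep_learning=False):
        """End the learning period; optionally keep updating the profile."""
        self.working = True
        self.parallel_learning = keep_learning

    def learning_paused(self):
        return self.parallel_learning and self.alert_active

    def observe(self, src, dst, hour):
        """Feed one event (hour is the hour-of-day from the packet timestamp).
        Returns an alert dict when the event is outside the baseline, else None."""
        if not self.working:
            self.profile.learn(src, dst, hour)
            return None
        if self.profile.is_known(src, dst, hour):
            return None
        alert = {"src": src, "dst": dst, "hour": hour,
                 "msg": f"{src} -> {dst} at {hour:02d}:00 is outside the learned baseline"}
        self.alerts.append(alert)
        self.alert_active = True            # attack signal: learning stops
        self.pending.append((src, dst, hour))
        return alert

    def end_of_attack(self, benign=False):
        """Operator closes the incident.  Only if the traffic was judged
        legitimate, and parallel learning is on, do the held-back events
        enter the profile; otherwise they are discarded."""
        if benign and self.parallel_learning:
            for src, dst, hour in self.pending:
                self.profile.learn(src, dst, hour)
        self.pending.clear()
        self.alert_active = False


def run_demo():
    """Workstation 192.168.1.10 reaching the domain controller 192.168.1.2
    (sample addresses): learn office hours, then see a 23:00 access."""
    ids = AnomalyIDS()
    host, dc = "192.168.1.10", "192.168.1.2"
    for hour in (8, 9, 10, 11, 14, 15, 16):
        ids.observe(host, dc, hour)
    ids.start_working_mode(keep_learning=True)
    daytime = ids.observe(host, dc, 10)     # within baseline -> None
    night = ids.observe(host, dc, 23)       # outside baseline -> alert
    return ids, daytime, night


if __name__ == "__main__":
    ids, daytime, night = run_demo()
    print("10:00 access:", daytime)
    print("23:00 access:", night["msg"])
```

The design point worth noting is that anomalous events never update the profile on their own: they are parked until the operator closes the incident, and only an explicit "benign" verdict lets them become part of the baseline. Without that, a slow attacker could teach the detector that the attack is normal.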

2.5 Popular IDS applications today
Nowadays, with attacks and intrusions ever more frequent, an organization connecting to the Internet cannot do without countermeasures against attacks and intrusions; a firewall is only one of the basic, rudimentary measures for protecting information. Using an IDS strengthens the administrator's hand and gives timely alerts whenever abnormal activity develops on the network. Specifically, an IDS can alert on the following actions:
- Downloading data inside the LAN by FTP from machines at unknown IP addresses.
- Chatting with machines at unknown IP addresses.
- Accessing a website the company has banned that an employee deliberately visits anyway.
- Accessing websites during prohibited hours.
- Sniffing by means of ARP Spoofing.
- Carrying out a DoS against a server through a buffer overflow bug.

PART 3: ATTACK METHODS AND COUNTERMEASURES

3.1 Attack methods

3.1.1 ARP Spoofing
This is the modern form of man-in-the-middle (MITM) attack with the oldest origins (sometimes also known as ARP Poison Routing). It allows an attacker on the same subnet as its victims to eavesdrop on all network traffic between the victim machines. It is the simplest kind of attack, yet one of the most effective when carried out by an attacker.
3.1.2 SYN Flood
A SYN flood is a form of denial-of-service attack in which the attacker sends SYN connection packets to the system. It is a very common attack. It is dangerous if the system allocates resources as soon as it receives the SYN packet from the attacker, before the ACK arrives.
3.1.3 Zero-Day Attacks
Zero-day refers to attacks or threats that exploit vulnerabilities in computer applications that have not yet been disclosed and not yet been fixed.
"Windows Vista/7: SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D." is the verbatim title of the attack code, written in Python, that Gaffié posted on the security site Seclists.org. The attack targets a bug in Server Message Block version 2.0 (SMB2), present in Windows Vista, Windows 7 and Windows Server 2008. Looking into the bug Gaffié disclosed, the root cause lies in how the srv2.sys driver handles client requests when the "Process Id High" header field contains a "&" character (hex 00 26). The attack needs no authentication; it only needs port 445 to be reachable. The worry here is that port 445 is usually open by default in the local network (LAN) configuration of Windows.

3.1.4 DoS - Ping of Death
In a Ping of Death attack, an echo packet is sent whose size exceeds the permitted 65,536 bytes. The packet is split into smaller fragments, but when the target host reassembles it, it finds that the packet is too large for the receive buffer. As a result the system cannot cope with this abnormal condition and reboots or hangs.
Example: ping 192.168.1.20 -l 65000
3.2 Countermeasures
3.2.1 ARP Spoofing: securing the ARP cache
One way to protect against the insecurity inherent in ARP requests and ARP replies is to make the process less dynamic. This is an option because Windows computers let you add static entries to the ARP cache. You can view a Windows computer's ARP cache by opening a command prompt and typing arp -a.

Figure 7: Viewing the ARP cache

Entries can be added to this list with the command arp -s <IP ADDRESS> <MAC ADDRESS>.
Where your network configuration rarely changes, you can build a list of static ARP entries and push them to the clients with an automated script. This ensures the devices always rely on their local ARP cache instead of ARP requests and replies.
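A complementary, detection-side measure is to watch ARP replies on the wire and compare them with the static table described above; the following Python is an editor-supplied example (not from the report) of such a monitor. It parses raw Ethernet/ARP frames and flags a reply whose sender MAC disagrees with the static entry for that IP, a reply whose Ethernet source differs from the ARP sender address, or an IP whose MAC changes relative to what was first learned. The frames, addresses and static table are constructed sample data.

```python
"""ARP reply monitor: check replies against a static IP->MAC table
(the entries set with arp -s) and against first-seen mappings.
Editor-supplied example; frames and addresses are constructed samples."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2
_ETH = struct.Struct("!6s6sH")                 # dst MAC, src MAC, EtherType
_ARP = struct.Struct("!HHBBH6s4s6s4s")         # htype ptype hlen plen op sha spa tha tpa


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < _ETH.size + _ARP.size:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, eth_src, eth_type = _ETH.unpack_from(frame, 0)
    if eth_type != ETH_P_ARP:
        return None
    _ht, _pt, _hl, _pl, oper, sha, spa, tha, tpa = _ARP.unpack_from(frame, _ETH.size)
    return {"eth_src": mac_str(eth_src), "oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


class ArpWatch:
    def __init__(self, static_table):
        self.static = {ip: mac.lower() for ip, mac in static_table.items()}
        self.learned = {}       # first mapping seen for IPs without a static entry
        self.alerts = []

    def inspect(self, frame):
        """Return an alert string for a suspicious ARP reply, else None."""
        arp = parse_arp_frame(frame)
        if arp is None or arp["oper"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            alert = f"frame from {arp['eth_src']} carries ARP sender {mac} for {ip}"
        elif ip in self.static and self.static[ip] != mac:
            alert = f"reply says {ip} is at {mac}, static entry says {self.static[ip]}"
        elif self.learned.get(ip, mac) != mac:
            alert = f"{ip} changed from {self.learned[ip]} to {mac}"
        else:
            self.learned.setdefault(ip, mac)
            return None
        self.alerts.append(alert)
        return alert


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Construct an ARP reply frame as a sensor would capture it (test input)."""
    eth = _ETH.pack(mac_bytes(target_mac), mac_bytes(eth_src or sender_mac), ETH_P_ARP)
    arp = _ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sender_mac),
                    socket.inet_aton(sender_ip), mac_bytes(target_mac),
                    socket.inet_aton(target_ip))
    return eth + arp


# Sample static table: the gateway and the web server (constructed values).
STATIC = {"192.168.1.1": "00:11:22:33:44:01", "192.168.1.30": "00:11:22:33:44:02"}
CLIENT = "00:11:22:33:44:10"

if __name__ == "__main__":
    w = ArpWatch(STATIC)
    print(w.inspect(build_arp_reply("00:11:22:33:44:01", "192.168.1.1", CLIENT, "192.168.1.10")))
    print(w.inspect(build_arp_reply("00:11:22:33:44:99", "192.168.1.1", CLIENT, "192.168.1.10")))
```

The static-table check is the one that matters most for the gateway and servers, because those are the addresses an attacker would want to impersonate; the first-seen check covers the rest of the subnet but will also fire on legitimate hardware replacements, so its alerts need a human look.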
3.2.2 SYN Flood
A SYN flood is a common attack and can be held back with the following iptables command:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN
All connections to the system are only allowed within the following limits:
--limit 1/s: an average packet rate of at most 1 per second
--limit-burst 3: an initial burst of at most 3 packets
Note that a rule ending in -j RETURN only lets the SYNs within the limit continue through the chain; it is the dedicated syn_flood chain below, whose last rule is -j DROP, that actually discards the excess.
With iptables, add the following rules:
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
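To see exactly what --limit 1/s --limit-burst 3 admits, the following Python (an editor-supplied example, not from the report) models the token bucket that the iptables limit match implements and replays it over a constructed series of SYN arrival times, returning the verdict the syn_flood chain above would give each packet: RETURN (back to INPUT, so the SYN proceeds) while tokens remain, DROP once the bucket is empty.

```python
"""Token-bucket model of the iptables 'limit' match used in the syn_flood
chain: --limit <rate> refills one token per 1/rate seconds, --limit-burst
sets the bucket size.  Editor-supplied example with constructed timings."""


class LimitMatch:
    def __init__(self, rate_per_second, burst):
        self.interval = 1.0 / rate_per_second   # seconds per token
        self.burst = float(burst)               # bucket capacity, initially full
        self.tokens = float(burst)
        self.last = None

    def matches(self, now):
        """True if the packet arriving at time `now` is within the limit."""
        if self.last is not None:
            refill = (now - self.last) / self.interval
            self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(syn_times, rate=1, burst=3):
    """Verdict of the syn_flood chain for each SYN, in arrival order:
    'RETURN' (within limit, continue through INPUT) or 'DROP'."""
    limiter = LimitMatch(rate, burst)
    return ["RETURN" if limiter.matches(t) else "DROP" for t in syn_times]


# Constructed arrival times (seconds): five SYNs in half a second,
# then two more after a pause.
FLOOD = [0.0, 0.1, 0.2, 0.3, 0.4, 2.0, 2.1]
# A well-behaved client opening one connection per second.
STEADY = [0.0, 1.0, 2.0, 3.0, 4.0]

if __name__ == "__main__":
    print(list(zip(FLOOD, syn_flood_chain(FLOOD))))
    print(list(zip(STEADY, syn_flood_chain(STEADY))))
```

Two caveats for deployment: the limit match counts all packets hitting the rule, so a flood from one source also starves legitimate clients (the hashlimit match can apply the bucket per source address instead), and the kernel's own SYN cookies (net.ipv4.tcp_syncookies) address the resource-allocation problem described in 3.1.2 without dropping any SYN at all.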
3.2.3 Zero-Day Attacks
+ Apply the patch for the bug.
+ Filter traffic to TCP port 445 with the firewall (iptables).
+ Disable the SMB port in the registry.
3.2.4 DoS - Ping of Death
- Use the rate-limiting features of the router/firewall to limit the number of packets entering the system.
- Use the filtering features of the router/firewall to discard unwanted packets, reducing traffic on the network and load on the server.
Example: alert icmp 192.168.1.0/24 any -> 172.16.1.0/24 any (msg:"Ping > 1000"; dsize:>1000; sid:2;)
In the example above, any ICMP packet with a payload larger than 1000 bytes matches the rule, so a ping of that size is not allowed; Snort raises the alert, and the matching iptables rule of section 7.3.2.6 does the blocking.
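To make the rule syntax of the example concrete, here is editor-supplied Python (not from the report) that parses a Snort rule of this shape, the header (action, protocol, source, port, direction, destination, port) plus the msg, dsize and sid options, and evaluates it against constructed packets: a 32-byte and a 2000-byte ICMP payload from the LAN, mirroring the 4.2.2.5 demo. It handles only the subset of rule options that appear on this page.

```python
"""Minimal evaluator for Snort rules of the form used in this report:
header + (msg; dsize; sid).  Editor-supplied example; the packets are
constructed, the rule text is the one quoted above."""
import ipaddress
import re

RULE = ('alert icmp 192.168.1.0/24 any -> 172.16.1.0/24 any '
        '(msg:"Ping > 1000"; dsize:>1000; sid:2;)')

_HEADER = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text):
    m = _HEADER.match(text)
    if not m:
        raise ValueError("unrecognised rule syntax")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for item in body.split(";"):          # note: a ';' inside msg would break this
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def _addr_ok(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_ok(spec, port):
    if spec == "any":
        return True
    if port is None:                       # protocol without ports (icmp)
        return False
    if ":" in spec:                        # range: 1024:, :1023 or 20:21
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def _dsize_ok(spec, size):
    """dsize:>N, dsize:<N or dsize:N (payload size in bytes)."""
    if spec.startswith(">"):
        return size > int(spec[1:])
    if spec.startswith("<"):
        return size < int(spec[1:])
    return size == int(spec)


def evaluate(rule, pkt):
    """Return an alert dict if pkt matches rule, else None.
    pkt: {'proto', 'src', 'dst', 'sport', 'dport', 'dsize'} (dsize = payload bytes)."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return None
    forward = (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
               and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"]))
    backward = rule["dir"] == "<>" and (
        _addr_ok(rule["src"], pkt["dst"]) and _port_ok(rule["sport"], pkt["dport"])
        and _addr_ok(rule["dst"], pkt["src"]) and _port_ok(rule["dport"], pkt["sport"]))
    if not (forward or backward):
        return None
    opts = rule["options"]
    if "dsize" in opts and not _dsize_ok(opts["dsize"], pkt["dsize"]):
        return None
    return {"action": rule["action"], "sid": int(opts.get("sid", 0)),
            "msg": opts.get("msg", ""), "src": pkt["src"], "dst": pkt["dst"]}


def icmp(src, dst, dsize):
    """Constructed ICMP packet summary (sample data)."""
    return {"proto": "icmp", "src": src, "dst": dst,
            "sport": None, "dport": None, "dsize": dsize}


if __name__ == "__main__":
    rule = parse_rule(RULE)
    for size in (32, 2000):
        print(size, evaluate(rule, icmp("192.168.1.20", "172.16.1.5", size)))
```

Reading the rule this way makes the division of labour explicit: the rule only ever yields an alert record with the sid and msg; dropping the oversized ping is a separate decision taken by iptables, as the report's own 7.3.1.5/7.3.2.6 pairing reflects.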
PART 4: DEPLOYING THE INTRUSION DETECTION SYSTEM

4.1 Implementation steps

4.1.1 Overall network model

Figure 8: Overall network model.

4.1.2 Client machine
Install Windows XP.
Install Linux (BackTrack 4.0).
Point the default gateway and DNS to the external IP address (192.168.1.20) of the IDS machine.
Role: a machine outside the LAN. It carries out the attacks against the Web Server and the DC.
4.1.3 IDS machine
Install Linux, Snort, the iptables firewall, MySQL, Apache, Basic Analysis and Security Engine (BASE) and the squid proxy, and join the domain vsic.com.
Role: an intrusion detection and prevention system that controls the packets inside the internal network and the packets coming from outside.
4.1.4 Web server machine
Install Windows Server 2003, IIS and ASP.NET, and join the domain vsic.com.
Folder holding the website source: C:\Inetpub\wwwroot
Role: a Web Server providing the services the clients need.
4.1.5 Windows Server 2008 machine
+ Install Windows Server 2008 SP1 and promote it to a domain controller with the domain name vsic.com.
+ Role: used to demonstrate the zero-day attack.
4.2 IDS configuration
4.2.1 Detailed network model

Figure 9: Detailed network model.

4.2.2 Steps to configure alerting and blocking for several IDS use cases with Snort combined with iptables
4.2.2.1 DoS attack through the SMB 2.0 bug
Step 1: Check the configuration and the connectivity between the machines.
Step 2: Overview of the SMB bug.
Step 3: Use Wireshark to capture packets.
Step 4: Carry out the attack against the Server.
Step 5: Examine the result of the attack.
Step 6: Activate Snort and iptables (rule file SMB.rules); see Appendix sections 7.3.1.6 and 7.3.2.5.
Step 7: Repeat the attack.
Step 8: Examine the result of the attack.
4.2.2.2 Unauthorized web access by IP and domain name
Step 1: Check the configuration and the connectivity between the machines.
Step 2: The client browses the website vsic.com: works normally.
Step 3: Activate Snort and iptables (rule file nganchanwebsite.rules); see Appendix sections 7.3.1.2 and 7.3.2.3.
Step 4: The client browses vsic.com again: cannot connect.
Step 5: The client browses microsoft.com: works normally.
Step 6: Enable the rule that bans Microsoft.
Step 7: The client browses microsoft.com again: cannot connect.
4.2.2.3 Website access during prohibited hours
Step 1: Check the configuration and the connectivity between the machines.
Step 2: The client browses vsic.com during the prohibited hours: works normally.
Step 3: Activate Snort and iptables (rule file giocam.rules).
Step 4: The client browses vsic.com again: cannot connect.

4.2.2.4 Access via FTP
Step 1: Check the configuration and the connectivity between the machines.
Step 2: The client accesses the Webserver machine via FTP: access works normally.
Step 3: Activate Snort and iptables (rule file ftp.rules); see Appendix sections 7.3.1.3 and 7.3.2.4.
Step 4: The client accesses the Webserver machine via FTP again: access is refused.
4.2.2.5 Ping of Death attack
Step 1: Check the configuration and the connectivity between the machines.
Step 2: The client pings the Webserver machine with 32-byte packets.
Step 3: Activate Snort and iptables (rule file ping.rules); see Appendix sections 7.3.1.5 and 7.3.2.6.
Step 4: The client pings the Webserver machine again with 2000-byte packets.
Step 5: Examine the result.
4.2.2.6 Chatting with machines at unknown IP addresses
Step 1: The client machine chats with the Web server machine (Yahoo Messenger).
Step 2: Activate Snort and iptables (rule file chat.rules); see Appendix sections 7.3.1.7 and 7.3.2.7.
Step 3: The client machine chats with the Web server machine again: it is blocked (see figure); logging in again also fails.
4.2.2.7 Sniffing using ARP Spoofing
Step 1: Check the configuration and the MAC addresses of the Web Server machine and the modem.
Step 2: Activate Snort (the preprocessor); see Appendix section 7.7.

Step 3: On the attacker machine, spoof the MAC addresses of the web server and the modem.
Step 4: Open BASE to view the result.
Step 5: Check the MAC addresses of the web server and the modem again.
4.2.3 Installing Webmin to manage Snort
Snort is managed through a web interface at https://localhost.localdomain:10000 (Webmin listens on port 10000; keep it bound to localhost or firewalled, since it gives full administrative control of the sensor).
4.2.4 Creating the Snort database with MySQL
The database stores the system's alerts (logs). Snort's database output plugin writes each alert to the event table (with the packet headers in iphdr, tcphdr, udphdr and icmphdr); BASE builds its own acid_event summary table from these. The sensor table holds the address of the machine on which the IDS is installed.
4.2.5 Installing BASE
BASE is used to view the alerts in a web interface, at http://192.168.1.20/base. BASE ships with its authentication system turned off, so restrict access to that URL (or enable Use_Auth_System in base_conf.php) and prefer HTTPS, as the alert data includes internal addresses and payloads.

PART 5: BUILDING A DEMO APPLICATION: THE SENSOR AND ALERT COMPONENTS OF AN IDS
5.1 Inotify
Inotify is a Linux kernel subsystem developed by John McCutchan, Robert Love and Amy Griffis. It monitors changes to the file system: growth or shrinkage of a file, modification, deletion, creation of a directory or file, and even an unmount, and reports these changes to an application through a programming interface (API). The source and destination of a moved file or directory can also be tracked. Inotify requires Linux kernel 2.6.13 or newer.

5.2 Programming against the Inotify API

API stands for Application Programming Interface: the set of calls through which a program uses a service that the system provides. On Linux the inotify calls (inotify_init, inotify_add_watch, inotify_rm_watch), the inotify_event structure and the event mask constants are declared in the header <sys/inotify.h> (installed as /usr/include/sys/inotify.h), not in a /sys/inotify.h file as the original text stated. Combining these calls with Inotify lets a program capture the events that occur on the file system.
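An added example, not the thesis's C program: the same inotify calls used from Python through ctypes, plus a decoder for the struct inotify_event records the kernel writes into the read buffer. The constant values are those of <sys/inotify.h>; the constructed buffer is hand-built to show the record layout, and the live demo talks to the real kernel API and returns None on hosts without inotify.

```python
import ctypes
import ctypes.util
import os
import struct
import sys
import tempfile

# Event mask bits and flags, with the values from <sys/inotify.h>
IN_MODIFY = 0x00000002
IN_CLOSE_WRITE = 0x00000008
IN_MOVED_FROM = 0x00000040
IN_MOVED_TO = 0x00000080
IN_CREATE = 0x00000100
IN_DELETE = 0x00000200
IN_UNMOUNT = 0x00002000
IN_NONBLOCK = 0x00000800          # flag for inotify_init1(2)

MASK_NAMES = {IN_MODIFY: "MODIFY", IN_CLOSE_WRITE: "CLOSE_WRITE", IN_MOVED_FROM: "MOVED_FROM",
              IN_MOVED_TO: "MOVED_TO", IN_CREATE: "CREATE", IN_DELETE: "DELETE", IN_UNMOUNT: "UNMOUNT"}

# struct inotify_event { int wd; uint32_t mask; uint32_t cookie; uint32_t len; char name[]; }
EVENT_HEADER = struct.Struct("iIII")


def parse_inotify_events(buf):
    """Decode the raw bytes read from an inotify descriptor into (wd, mask, cookie, name) tuples."""
    events, pos = [], 0
    while pos + EVENT_HEADER.size <= len(buf):
        wd, mask, cookie, length = EVENT_HEADER.unpack_from(buf, pos)
        pos += EVENT_HEADER.size
        # name is NUL-padded to `length` bytes; length is 0 for events on the watched object itself
        name = buf[pos:pos + length].split(b"\0", 1)[0].decode(errors="replace")
        pos += length
        events.append((wd, mask, cookie, name))
    return events


def describe(mask):
    """Human-readable names for the bits set in an event mask."""
    return "|".join(name for bit, name in MASK_NAMES.items() if mask & bit) or hex(mask)


# Constructed buffer (not read from a kernel): two records laid out exactly as the kernel would write them
CONSTRUCTED_BUF = (EVENT_HEADER.pack(1, IN_CREATE, 0, 16) + b"demo.txt".ljust(16, b"\0")
                   + EVENT_HEADER.pack(1, IN_DELETE, 0, 16) + b"demo.txt".ljust(16, b"\0"))


def run_live_demo():
    """Watch a temporary directory through the real inotify syscalls, create, write and delete a
    file in it, and return [(event names, file name), ...]. Returns None where inotify is not
    available (non-Linux hosts, or a sandbox that refuses the syscall or lacks glibc)."""
    if not sys.platform.startswith("linux"):
        return None
    try:
        libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
        libc.inotify_init1.argtypes = [ctypes.c_int]
        libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
    except (OSError, AttributeError):
        return None
    fd = libc.inotify_init1(IN_NONBLOCK)
    if fd < 0:
        return None
    try:
        with tempfile.TemporaryDirectory() as watched:
            wd = libc.inotify_add_watch(fd, watched.encode(), IN_CREATE | IN_MODIFY | IN_CLOSE_WRITE | IN_DELETE)
            if wd < 0:
                return None
            target = os.path.join(watched, "demo.txt")
            with open(target, "w") as f:      # IN_CREATE, then IN_MODIFY on the write, IN_CLOSE_WRITE on close
                f.write("hello")
            os.unlink(target)                 # IN_DELETE
            buf = b""
            while True:                       # drain the queue; EAGAIN (BlockingIOError) means it is empty
                try:
                    buf += os.read(fd, 65536)
                except BlockingIOError:
                    break
            return [(describe(mask), name) for _, mask, _, name in parse_inotify_events(buf)]
    finally:
        os.close(fd)


if __name__ == "__main__":
    for names, fname in run_live_demo() or []:
        print(f"{names:<12} {fname}")
```

The decoder is the part a sensor gets wrong most often: records are variable-length because of the trailing name, so the buffer must be walked record by record rather than unpacked with a fixed stride, and a name length of 0 means the event concerns the watched object itself.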
5.3 Product

Figure 11: Demo product

Achieved:
+ Used the C language with the inotify calls to capture changes on the file system.
+ Studied inotify's function calls and its event generation.
Not yet achieved:
+ A user interface for the Inotify-based file-system event monitor.
+ The product runs only on the server side (the Linux IDS machine).

PART 6: CONCLUSION
Through the study and research carried out, we draw the following conclusions:
Intrusion detection systems (IDS), although they appeared later than other security controls, now play a no less important role. An IDS helps people discover and analyse new attack threats, from which countermeasures can be planned; to some extent it can also help trace the culprit behind an attack. A large organization cannot do without an IDS.

6.1 Achievements
Understood the operating mechanism of an intrusion detection system (IDS).
Installed and configured an intrusion detection system on a local area network based on the open-source tools Snort, iptables and Squid proxy.
Applied the knowledge gained about DoS/DDoS to write rules for Snort and iptables.
Used the alert analysis products that work with Snort: MySQL, ACID, BASE.

6.2 Open issues

Attacks are a very broad subject, and new attack methods become more sophisticated and complex every day.
Snort has many companion products that work very well, such as Snort_inline and fwsnort (Firewall Snort); these have not been applied thoroughly.
Snort's rule set is developed continuously and must be kept up to date.
ModSecurity has not yet been combined with the setup to protect the web server.
6.3 Directions for extending the work

- In a wireless network the physical infrastructure itself may be secure, but the wireless transmission between nodes brings its own security holes, so users in the network must always be authenticated.
- An IDS in a WLAN works quite differently from one in a traditional wired LAN. On a wired network the administrator has full control over the traffic carried on the cables. In a WLAN the air is the transmission medium, and anyone within range of the 802.11 radio signal can reach the network, so monitoring is needed both inside and outside the WLAN.
- A further difference is that a wireless IDS is needed both by networks that have deployed a WLAN and by those that have not. Although the possibility of attacking the LAN from a WLAN is not obvious, it is a real threat. The threat may appear to concern only those who use a WLAN, but in fact every organization with a LAN should monitor the wireless traffic around it to rule out threats from the surrounding airspace. Rogue access points must always be considered, whether the organization uses wireless or only a traditional LAN.

PART 7: APPENDIX
7.1 References

- [1] Rafeeq Ur Rehman. Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID. May 8, 2003. ISBN 0-13-140733-3.
- [2] Andrew R. Baker, Brian Caswell, Mike Poor, featuring Jay Beale and the Snort Development Team. Snort 2.1 Intrusion Detection, Second Edition. Syngress Publishing, 2004. ISBN 1-931836-04-3.
- [3] Martin Roesch, Chris Green. Snort User Manual 2.8.5. Sourcefire, Inc., October 22, 2009.
- [4] Intrusion Prevention and Active Response. Syngress, 2005.
- [5] Karen Scarfone, Peter Mell. Guide to Intrusion Detection and Prevention Systems. Recommendations of the National Institute of Standards and Technology.
- [6] Kerry J. Cox, Christopher Gerg. Managing Security with Snort and IDS Tools. O'Reilly.
- [7] Angela Orebaugh, Simon Biles, Jacob Babbin. Snort Cookbook. O'Reilly. (The original attributed this title to Cox and Gerg, the authors of [6].)
- [8] Andrew R. Baker, Joel Esler, featuring Jay Beale and members of the Snort Team. Snort IDS and IPS Toolkit.
- [9] Ivan Ristić. ModSecurity Handbook. Copyright 2009, 2010 Ivan Ristić.
- [10] Nguyen Hong Thai. Installing and Configuring Iptables (in Vietnamese).
- [11] Gregor N. Purdy. Linux iptables Pocket Reference: Firewalls, NAT & Accounting. O'Reilly.
- [12] Michael Rash. Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort.
Websites:
Vietnamese:
http://www.hvaonline.net
http://nhatnghe.com/forum
http://quantrimang.com.vn
http://forum.saobacdau-acad.vn
http://forum.t3h.vn
http://ipmac.vn/forum
http://vnexperts.net
http://kmasecurity.net
Foreign:
http://www.google.co.uk
http://www.snort.org
http://www.openmaniak.com/inline.php
http://sectools.org/
http://linux.org/
http://ibm.com
http://support.microsoft.com
http://www.winids.com

7.2 The Snort IDS software

7.2.1 Introduction to Snort
Snort is installed on the network to monitor the packets entering and leaving it. When Snort detects an attack it can react in several ways, depending on how the administrator has configured it: for example, it can send an alert message to the administrator, or drop the packet when it detects something abnormal in it. Snort uses rules stored in text files that the administrator can edit; each rule describes one attack. Snort's main configuration file is snort.conf. When a packet arrives it is compared against the rule set, and if a rule matches, Snort reacts.
A Snort deployment consists of one or more sensors and a central database server. The sensors can be placed in front of or behind the firewall:
- in front of it, to watch the attacks aimed at the firewall and the network;
- behind it, to record the attacks that get through the firewall.
7.2.2 Snort as a NIDS

Used as a NIDS, Snort provides near-real-time intrusion detection. The following sections show several ways Snort can be used as a NIDS and the configuration options available.
7.3 Basic rule configuration for Snort and iptables
7.3.1 Snort rules
7.3.1.1 Ping alert
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Pinger"; itype:8; classtype:attempted-recon; sid:465;)
- Where:
alert: the action, here raise an alert.
icmp: the protocol the rule applies to.
$EXTERNAL_NET: the source address of the attack. The user can define it (var EXTERNAL_NET 192.168.1.0/24).
any: the source port (any port).
$HOME_NET: the destination address of the attack. Define it to match the internal network being protected.
any (after $HOME_NET): the destination port. ICMP has no port field, so this must be any; the original rule put 7 here, which is the TCP/UDP echo service port and does not apply to ICMP. The option itype:8 limits the match to echo requests, the packets ping sends.
msg: the message written to the log or shown in the alert console.
classtype: the alert category.
sid: the rule's signature id; every rule has a distinct sid.
7.3.1.2 Website access alert
alert tcp $HOME_NET any -> 192.168.1.10 80 (msg:"Vsic access"; content:"vsic.com"; nocase; sid:5531;)
(content looks for the string vsic.com anywhere in the payload, case-insensitively because of nocase; in an HTTP request that string appears in the Host header.)
7.3.1.3 FTP access alert
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login"; flow:to_server,established; sid:491;)
(The header matches traffic towards port 21, so the flow direction must be to_server; with from_server, as originally written, the rule could never fire.)
7.3.1.4 Telnet access alert
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login"; flow:to_server,established; sid:500;)
7.3.1.5 Oversized ICMP packet alert

alert icmp 192.168.1.0/24 any -> 172.16.1.0/24 any (msg:"Ping > 1000"; dsize:>1000; sid:2;)
(dsize tests the payload size of each packet. Note that sid values below 1000000 are reserved for the official rule set; locally written rules should use 1000000 and above to avoid colliding with it.)
7.3.1.6 SMB 2.0 DoS alert
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS Windows SMB process ID high"; flow:to_server,established; content:"|00 26|"; offset:5; depth:96; classtype:attempted-dos; sid:15930;)
(|00 26| is hexadecimal content; offset:5 and depth:96 restrict the search to payload bytes 5 through 100, so the same bytes elsewhere in the packet do not match.)

7.3.1.7 Chat with unknown IP addresses alert

alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; nocase; classtype:policy-violation; sid:2457;)
(The incomplete metadata:policy option of the original has been dropped, and classtype must be written policy-violation, with the hyphen, to match classification.config.)
7.3.1.8 Blocking web pages with bad content
alert tcp any any <> 192.168.1.0/24 80 (content:"bad.htm"; msg:"Not for children!"; react:block,msg,proxy 8000;)
(react resets the connection and sends the client an HTML notice; it is available only when Snort is built with active-response support, and a sid from the local range should be added before the rule is used.)
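The following is an added example, not Snort's detection engine and not code from the thesis: a small Python model of how the rule headers and content options above constrain a match. It resolves $HOME_NET and $EXTERNAL_NET as the thesis's snort.conf defines them (HOME_NET 172.16.1.0/24, EXTERNAL_NET !$HOME_NET), expands |hex| escapes, and honours nocase, offset, depth, dsize and itype; flow, classtype and the remaining options are parsed but ignored, because the model has no stream tracker. The packets are constructed inputs, not captures, the sids are those of the rules above, and the iptables string match of section 7.3.2.5 is modelled alongside for contrast.

```python
import ipaddress
import re

# Variable definitions as in the thesis's snort.conf (section 7.4)
VARS = {"HOME_NET": "172.16.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}

def _resolve(spec):
    """Follow $VAR references and fold '!' negations; returns (negated, literal token)."""
    negated = False
    while spec and spec[0] in "!$":
        if spec[0] == "!":
            negated, spec = not negated, spec[1:]
        else:
            spec = VARS[spec[1:]]
    return negated, spec

def addr_matches(spec, ip):
    """Address syntax: any, one address, a CIDR block, or [a,b,...], optionally negated."""
    negated, tok = _resolve(spec)
    hit = tok == "any" or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False)
                              for n in tok.strip("[]").split(","))
    return hit != negated

def port_matches(spec, port):
    negated, tok = _resolve(spec)
    return (tok == "any" or port == int(tok)) != negated

def decode_content(text):
    """Expand Snort's |hex| escapes: 'ab|00 26|' -> b'ab\\x00&'."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(text.split("|")))

HEADER = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)

def parse_rule(text):
    """Split a rule into header fields and options; nocase/offset/depth bind to the preceding content."""
    action, proto, src, sport, direction, dst, dport, body = HEADER.match(text.strip()).groups()
    opts, contents, cur, in_quotes = {}, [], "", False
    for ch in body + ";":                      # the trailing ';' flushes the last option
        if ch == '"':
            in_quotes = not in_quotes
        if ch != ";" or in_quotes:
            cur += ch
            continue
        key, _, val = cur.strip().partition(":")
        key, val, cur = key.strip(), val.strip().strip('"'), ""
        if key == "content":
            contents.append({"bytes": decode_content(val), "nocase": False, "offset": 0, "depth": None})
        elif key in ("nocase", "offset", "depth"):
            contents[-1][key] = True if key == "nocase" else int(val)
        elif key:
            opts[key] = val                    # msg, sid, dsize, itype, flow, classtype, ...
    return dict(proto=proto, src=src, sport=sport, dir=direction, dst=dst, dport=dport, opts=opts, contents=contents)

def _dsize_ok(spec, n):
    if spec[0] in "<>":
        return n < int(spec[1:]) if spec[0] == "<" else n > int(spec[1:])
    return n == int(spec)

def rule_matches(rule, pkt):
    """pkt: dict(proto, src, dst, payload, optional sport/dport/itype). No stream tracker here,
    so flow:established is not checked, unlike in Snort itself."""
    def ends(s, sp, d, dp):
        return (addr_matches(s, pkt["src"]) and port_matches(sp, pkt.get("sport", 0))
                and addr_matches(d, pkt["dst"]) and port_matches(dp, pkt.get("dport", 0)))
    if rule["proto"] != pkt["proto"]:
        return False
    if not ends(rule["src"], rule["sport"], rule["dst"], rule["dport"]) and not (
            rule["dir"] == "<>" and ends(rule["dst"], rule["dport"], rule["src"], rule["sport"])):
        return False
    opts, payload = rule["opts"], pkt["payload"]
    if "dsize" in opts and not _dsize_ok(opts["dsize"], len(payload)):
        return False
    if "itype" in opts and pkt.get("itype") != int(opts["itype"]):
        return False
    for c in rule["contents"]:
        end = None if c["depth"] is None else c["offset"] + c["depth"]   # depth is counted from offset
        window, needle = payload[c["offset"]:end], c["bytes"]
        if c["nocase"]:
            window, needle = window.lower(), needle.lower()
        if needle not in window:
            return False
    return True

def alerts_for(rule_texts, pkt):
    """sids of the rules that fire on one packet, in rule order."""
    return [r["opts"]["sid"] for r in map(parse_rule, rule_texts) if rule_matches(r, pkt)]

def iptables_string_hit(payload, hexstr="|00 26|"):
    """Model of the '-m string --hex-string' rule of section 7.3.2.5: no offset and no depth."""
    return decode_content(hexstr) in payload

RULES = [  # the thesis's rules, with their syntax corrected
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Pinger"; itype:8; classtype:attempted-recon; sid:465;)',
    'alert tcp $HOME_NET any -> 192.168.1.10 80 (msg:"Vsic access"; content:"vsic.com"; nocase; sid:5531;)',
    'alert icmp 192.168.1.0/24 any -> 172.16.1.0/24 any (msg:"Ping > 1000"; dsize:>1000; sid:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS Windows SMB process ID high"; '
    'flow:to_server,established; content:"|00 26|"; offset:5; depth:96; classtype:attempted-dos; sid:15930;)',
    'alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; nocase; '
    'classtype:policy-violation; sid:2457;)',
]

# Constructed packets (not captures from the lab); 192.168.1.10 is the client, 172.16.1.40 the web server
SMB_HIT = dict(proto="tcp", src="192.168.1.10", sport=49152, dst="172.16.1.40", dport=445,
               payload=b"\x00\x00\x00\x30\xfeSMB\x00\x26" + b"\x00" * 40)     # |00 26| inside bytes 5..100
SMB_LATE = dict(SMB_HIT, payload=b"\x00\x00\x00\x30\xfeSMB" + b"\x72" * 100 + b"\x00\x26")  # |00 26| at byte 108
YMSG_PKT = dict(proto="tcp", src="10.0.0.9", sport=5101, dst="172.16.1.5", dport=1234, payload=b"ymsg\x00\x10")
BIG_PING = dict(proto="icmp", src="192.168.1.10", dst="172.16.1.40", itype=8, payload=b"A" * 2000)
SMALL_PING = dict(BIG_PING, payload=b"A" * 32)
WEB_PKT = dict(proto="tcp", src="172.16.1.5", sport=40000, dst="192.168.1.10", dport=80,
               payload=b"GET / HTTP/1.1\r\nHost: VSIC.com\r\n\r\n")
```

The SMB_LATE packet shows the difference between the two tools: the Snort rule ignores a |00 26| that lies outside payload bytes 5 to 100, while the iptables rule of 7.3.2.5, which has no --from/--to window, drops it.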
7.3.2 iptables rules
7.3.2.1 Blocking ping
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j DROP
- Where:
RH-Firewall-1-INPUT: a user-defined chain (the one Red Hat's default firewall creates); the built-in INPUT chain jumps to it.
-A RH-Firewall-1-INPUT: append the rule to that chain, so it applies to packets arriving at the firewall host.
-p icmp: the protocol is ICMP.
-m icmp --icmp-type any: load the icmp match and accept every ICMP type (echo-request, echo-reply, and so on). ICMP has no ports; "any" here refers to the type.
-j: jump to the target that decides the packet's fate.
ACCEPT: let the packet through to its destination.
DROP: discard the packet silently.
Other options used in the rules below:
-s: source address.
--dport: destination port.
-m state --state: match the connection-tracking state:
NEW: the packet starts a new connection.
ESTABLISHED: the packet belongs to an existing connection.
7.3.2.2 Inbound and outbound NAT
- Inbound NAT (forwarding port 80 on the external address to the internal web server)
iptables -t nat -A PREROUTING -d 192.168.1.20 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.1.40:80
- Outbound NAT (enable IP forwarding, then masquerade)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 172.16.1.40 -d 192.168.1.10 -o eth0 -j MASQUERADE
7.3.2.3 Blocking website access
- By port, host and protocol: with iptables
-A RH-Firewall-1-INPUT -s 192.168.1.10 -p tcp -m tcp --dport 80 -j DROP
- By host: with Squid proxy
acl hostdeny src 192.168.1.10/32
http_access deny hostdeny
(The original wrote 192.168.1.10/24, which Squid treats as the whole 192.168.1.0/24 network; a single host needs /32.)
- By web domain name: with Squid
acl webdeny dstdomain vsic.com
or acl webdeny dstdomain "/etc/squid/webdeny"
http_access deny webdeny
- By time of day: with Squid proxy
acl time_acl1 time MTWHF 8:00-10:00
http_access deny webdeny time_acl1
(http_access lines are evaluated in order, so these deny lines must come before the http_access allow that admits the local network.)
7.3.2.4 Blocking FTP access
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j DROP
7.3.2.5 Blocking the SMB 2.0 DoS
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 445 -m state --state ESTABLISHED -m string --algo bm --hex-string "|00 26|" -j DROP
(Caveat: unlike the Snort rule, this string match has no offset or depth and scans the whole packet, so any SMB packet that happens to contain the bytes 00 26 anywhere is dropped, legitimate traffic included. The --from and --to options of the string match narrow the window, but their offsets count from the start of the IP header, not from the start of the payload.)
7.3.2.6 Blocking oversized ICMP packets
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -m length --length 1000: -j DROP
(--length measures the whole IP packet, headers included.)
7.3.2.7 Blocking chat with unknown IP addresses
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 5101 -m state --state ESTABLISHED -m string --algo bm --string "YMSG" -j DROP
7.4 Detailed Snort configuration
Configuration file /etc/snort/snort.conf:
var HOME_NET 172.16.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
(The database password sits in clear text in snort.conf: keep the file readable only by root and the snort user, and use a stronger password than the demo's 123456.)
Step 1: Install Snort
# ./configure --with-mysql --enable-dynamicplugin
# make && make install
(A single & would run make in the background and start make install before the build finished.)
Step 2: Configure Snort
- Create Snort's working directories
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort
- Copy the configuration files (from the etc/ directory of the unpacked source tree)
cd etc/
cp * /etc/snort
- Create a group and a user for Snort
groupadd snort
useradd -g snort snort -s /sbin/nologin
- Give Snort ownership of the log directory so it can write there
chown snort:snort /var/log/snort/
Step 3: Configuration and intrusion detection
3.1 The alert file in /var/log/snort
Example of a Snort alert:
The first line is the alert's name, preceded by [generator id:signature id:revision]:
[**] [1:1418:3] SNMP request tcp [**]
Then come the header and packet information that caused the alert:
03/24-15:07:35.827022 192.168.1.2:49641 -> 192.168.1.105:161 TCP TTL:44 TOS:0x0 ID:37753 IpLen:20 DgmLen:40
Seq: 0x4EB5A7C6 Ack: 0x0 Win: 0x400 TcpLen: 20
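As an added example (not the thesis's code): a parser for the alert format shown above, with the two summaries BASE presents first (counts per signature and per source address) and a burst counter for one signature. The log text is constructed for the example: the SNMP entry is the one above, the others are invented entries from the lab's own rules laid out the way Snort's full alert mode writes them.

```python
import re
from collections import Counter

ALERT_HDR = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PKT_LINE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))? (\w+) TTL:(\d+)")

# Constructed alert file (not a real log): the thesis's SNMP alert plus invented entries from the lab's rules
SAMPLE_ALERTS = """\
[**] [1:1418:3] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/24-15:07:35.827022 192.168.1.2:49641 -> 192.168.1.105:161 TCP TTL:44 TOS:0x0 ID:37753 IpLen:20 DgmLen:40
******S* Seq: 0x4EB5A7C6  Ack: 0x0  Win: 0x400  TcpLen: 20

[**] [1:2:0] Ping > 1000 [**]
[Priority: 0]
03/24-15:09:01.000123 192.168.1.10 -> 172.16.1.40 ICMP TTL:128 TOS:0x0 ID:1 IpLen:20 DgmLen:2028
Type:8  Code:0  ID:1   Seq:1  ECHO

[**] [1:15930:1] NETBIOS Windows SMB process ID high [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/24-15:10:30.100000 192.168.1.10:49700 -> 172.16.1.40:445 TCP TTL:128 TOS:0x0 ID:2 IpLen:20 DgmLen:124 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x2000  TcpLen: 20

[**] [1:15930:1] NETBIOS Windows SMB process ID high [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/24-15:10:30.600000 192.168.1.10:49701 -> 172.16.1.40:445 TCP TTL:128 TOS:0x0 ID:3 IpLen:20 DgmLen:124 DF
***AP*** Seq: 0x1A2B3C5E  Ack: 0x0  Win: 0x2000  TcpLen: 20
"""


def parse_alert_file(text):
    """One dict per alert: gid, sid, rev, msg, plus the packet header fields when present."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = ALERT_HDR.match(line)
        if m:
            cur = {"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]), "msg": m[4]}
            alerts.append(cur)
            continue
        m = PKT_LINE.match(line)
        if m and cur is not None and "time" not in cur:
            cur.update(time=m[1], src=m[2], sport=int(m[3]) if m[3] else None, dst=m[4],
                       dport=int(m[5]) if m[5] else None, proto=m[6], ttl=int(m[7]))
    return alerts


def summarize(alerts):
    """Counts by signature and by source address, the two views BASE shows first."""
    return (Counter((a["sid"], a["msg"]) for a in alerts), Counter(a.get("src") for a in alerts))


def _seconds(ts):
    """'MM/DD-HH:MM:SS.ffffff' -> seconds since midnight (day boundaries are not handled)."""
    hh, mm, ss = ts.split("-", 1)[1].split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def max_rate(alerts, sid, window):
    """Largest number of alerts for `sid` inside any `window`-second span. A burst of the SMB
    signature from one host is what the DoS demo of section 4.2.2.1 should produce."""
    times = sorted(_seconds(a["time"]) for a in alerts if a["sid"] == sid and "time" in a)
    best = start = 0
    for i, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        best = max(best, i - start + 1)
    return best
```

The packet line is matched with an optional :port so that ICMP alerts, which carry no ports, parse with the same expression as TCP and UDP alerts.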
3.2 The snort.conf file
snort.conf controls everything Snort sees: how it counters attacks, which rules are used when something suspicious is seen, and how it can detect potentially dangerous signs even when it has no specific signature to compare against (through the preprocessors).
A snort.conf file is organized in these sections:
- network settings and variable definitions;
- decoder and detection engine configuration;
- preprocessor configuration;
- output configuration;
- included files (rule files and the classification and reference configuration).
7.5 Network settings and variables
To specify a single IP address, or a list of addresses, write:
var HOME_NET 192.168.1.1
var HOME_NET [192.168.1.1,192.168.14.1,10.0.0.2]
A whole network can be given in CIDR notation:
var HOME_NET 10.10.10.0/24
Both forms can be mixed in one list:
var HOME_NET [192.168.1.1,10.10.10.0/24,172.168.1.5/16,187.1.1.1/19]
To mean "everything except these addresses", prefix the value with !:
var EXTERNAL_NET !$HOME_NET
Ports are specified the same way; in Snort 2.8 port lists are declared with the portvar keyword:
portvar ORACLE_PORTS 1521
Or every port except 80:
portvar SHELLCODE_PORTS !80
Default variables in snort.conf:
HOME_NET: the address of the network being protected.
EXTERNAL_NET: the networks outside it.
Variables naming the servers that run particular services:
DNS_SERVERS: address(es) of the DNS servers.
SMTP_SERVERS: address(es) of the mail servers.
HTTP_SERVERS: address(es) of the web servers.
SQL_SERVERS: address(es) of the database servers.
TELNET_SERVERS: address(es) of the telnet servers.

Default port variables:
HTTP_PORTS: port 80
7.6 Configuration options in snort.conf

Each config directive corresponds to a command-line switch (given in parentheses):
config order: pass, alert, log, activation, or dynamic
    Change the order in which the rule types are applied (snort -o).
config alertfile: alerts
    Set the alert output file.
config decode_arp
    Enable ARP decoding (snort -a).
config dump_chars_only
    Dump only the character data of payloads (snort -C).
config dump_payload
    Dump the application-layer data (snort -d).
config decode_data_link
    Decode the layer-2 headers (snort -e).
config bpf_file: filters.bpf
    Use a BPF filter file (snort -F).
config set_gid: 30
    Change to another group id (snort -g).
config daemon
    Run Snort as a daemon (snort -D).
config interface: <interface name>
    Set the listening interface (snort -i).
config alert_with_interface_name
    Include the interface name in alerts (snort -I).
config logdir: /var/log/snort
    Set the log directory (snort -l).
config umask: <umask>
    Set the umask while running (snort -m).
config pkt_count: N
    Exit after N packets (snort -n).
config nolog
    Disable logging (snort -N).
config verbose
    Verbose mode (snort -v).
7.7 Preprocessor configuration

Preprocessors serve several purposes. They normalize the traffic of the various services, making sure the data in the packets Snort inspects has the best possible chance of being compared correctly against the signatures Snort is equipped with.
Example:
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.1.1 00:19:cb:4b:52:9b
- We tell Snort the MAC address of a machine in the LAN (here the gateway); when an attacker spoofs that address in ARP traffic, Snort compares the advertised MAC against this value and alerts the administrator.
Flow
The flow preprocessor has a module called flow-portscan. Flow tracks all traffic and keeps a record of the connections between the system and foreign addresses and ports; when a new flow appears, its details are hashed (which makes the tracking entries smaller and faster to look up by IP address and port) and stored in a preallocated memory table. The preprocessor takes a number of options.
Frag
When a packet travels from one network to another it often has to be fragmented into smaller packets, because the second network limits packet size to something smaller than the first; the fragments are reassembled when they reach the destination. One attacker technique is to use such fragments to deceive the firewall or the IDS, so the fragment preprocessor (frag3 in Snort 2.8) reassembles them before detection runs.
Stream4
Stream4 was designed to protect Snort against a type of attack aimed at NIDS sensors: flooding the sensor with packets that contain the strings the rules look for, in order to trigger floods of alerts. There are several tools for this, and Snort has its own defence against it. Stream4 has two main tasks: stateful inspection (tracking the state of each TCP connection, so that rules with the flow keyword only fire on packets of established sessions) and session awareness and reassembly (reassembling the TCP stream so that data split across packets is inspected as a whole). In Snort 2.8 it is superseded by stream5.
HTTP inspect preprocessor
Information can be encoded in many ways within an HTTP session, and many kinds of content are carried over HTTP: multimedia, XML, HTML, ASP, PHP, Java and so on. Snort therefore has to keep the content of HTTP conversations and normalize the data (decoding URL encodings and other obfuscations) so that detection works as well as possible.
Arpspoof
The arpspoof preprocessor is designed to detect illegitimate ARP spoofing activity on the local network. Attackers use man-in-the-middle tools such as ettercap or arpspoof to eavesdrop between machines on the internal network. To configure it the administrator must know the MAC address of the network card, which is easy to obtain:
Example:
preprocessor arpspoof
preprocessor arpspoof_detect_host: 192.168.1.1 00:19:cb:4b:52:9b
(A MAC address is six hexadecimal bytes; the original wrote F0:AB:GH:10:12:53, which is not valid. The value above is the gateway's MAC already used at the start of section 7.7.)
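An added example, not the preprocessor's code and not from the thesis: the checks arpspoof performs, written out in Python over constructed Ethernet/ARP frames. The trusted table holds the gateway entry from the arpspoof_detect_host line above; the client's MAC and the attacker's MAC are assumed values chosen for the example, and the frames are built here, not captured.

```python
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(text):
    return bytes(int(o) for o in text.split("."))


def ip_text(raw):
    return ".".join(str(b) for b in raw)


# Equivalent of the arpspoof_detect_host lines: IP -> MAC pairs the administrator trusts.
# The gateway entry is the thesis's; add one line per host to protect.
TRUSTED_HOSTS = {"192.168.1.1": "00:19:cb:4b:52:9b"}


def build_arp(opcode, sha, spa, tha, tpa, eth_src=None, eth_dst=None):
    """Construct an Ethernet+ARP frame (test input, not a capture)."""
    eth_src = eth_src or sha
    eth_dst = eth_dst or (BROADCAST if opcode == ARP_REQUEST else tha)
    return (ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, opcode, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa)))


def check_arp_frame(frame, trusted=TRUSTED_HOSTS):
    """Return the alerts one frame raises. The checks mirror the preprocessor's: unicast ARP request,
    Ethernet/ARP address mismatches, and an ARP cache overwrite attempt against a trusted host."""
    if len(frame) < ETH.size + ARP.size:
        return []
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return []
    _, _, _, _, opcode, sha, spa, tha, _ = ARP.unpack_from(frame, ETH.size)
    alerts = []
    if opcode == ARP_REQUEST and eth_dst != BROADCAST:
        alerts.append("unicast ARP request")
    if eth_src != sha:
        alerts.append(f"ethernet source {mac_text(eth_src)} != ARP sender {mac_text(sha)}")
    if opcode == ARP_REPLY and eth_dst != tha:
        alerts.append(f"ethernet destination {mac_text(eth_dst)} != ARP target {mac_text(tha)}")
    expected = trusted.get(ip_text(spa))
    if expected is not None and sha != mac_bytes(expected):
        alerts.append(f"ARP cache overwrite attempt: {ip_text(spa)} is {expected}, frame claims {mac_text(sha)}")
    return alerts


# Constructed frames. Client MAC 00:0c:29:12:34:56 and attacker MAC 00:11:22:33:44:55 are assumed values.
GATEWAY_REPLY = build_arp(ARP_REPLY, "00:19:cb:4b:52:9b", "192.168.1.1", "00:0c:29:12:34:56", "192.168.1.10")
# step 3 of section 4.2.2.7: the attacker tells the client that the gateway now lives at the attacker's MAC
SPOOFED_REPLY = build_arp(ARP_REPLY, "00:11:22:33:44:55", "192.168.1.1", "00:0c:29:12:34:56", "192.168.1.10")
# a cruder forgery that also leaves the real gateway MAC in the Ethernet header
FORGED_ETH_SRC = build_arp(ARP_REPLY, "00:11:22:33:44:55", "192.168.1.1", "00:0c:29:12:34:56", "192.168.1.10",
                           eth_src="00:19:cb:4b:52:9b")
UNICAST_REQUEST = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "192.168.1.77", "00:00:00:00:00:00", "192.168.1.10",
                            eth_dst="00:0c:29:12:34:56")
NOT_ARP = ETH.pack(BROADCAST, b"\x00" * 6, 0x0800) + b"\x00" * 28
```

The overwrite check is the one the arpspoof_detect_host line enables; the other three fire without any configuration, which is why the preprocessor line alone already produces alerts on a network that has hosts probing neighbours with unicast ARP requests.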
File inclusion
In snort.conf the include statement tells Snort to read the file named after it, stored on the sensor's file system, much like an include in a programming language.
Example:
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
The rule files can be downloaded from the internet. To group or modify them after downloading, note that the rule classifications are configured in classification.config, and that reference.config holds the links to the web sites with information about each alert; including both is useful and convenient.
Example:
# include classification & priority settings
include classification.config
# include reference systems
include reference.config
(In the original the classification.config include was itself commented out, so the classtype values used by the rules would not have resolved.)
Installing the rule set for Snort
tar -xzvf snortrules-snapshot-2.8.tar.gz
cd rules
cp * /etc/snort/rules
7.8 Starting Snort with the system
Create a symbolic link from the snort binary to /usr/sbin/snort:
ln -s /usr/local/bin/snort /usr/sbin/snort
cp /snort/snort-2.8.4.1/rpm/snortd /etc/init.d/
cp /snort/snort-2.8.4.1/rpm/snort.sysconfig /etc/sysconfig/snort
Set the permissions on the init script, enable it and start the service:
chmod 755 /etc/init.d/snortd
chkconfig snortd on
service snortd start

7.9 Managing Snort with Webmin

- Install Webmin:
rpm -ivh webmin-1.400.noarch.rpm
Log in to Webmin, choose Webmin Modules, and import the Snort module into Webmin.
7.10 Creating the Snort database with MySQL

# service mysqld start
First set a password for the MySQL root account (123456 is the demo value; use a strong one in practice):
# mysqladmin -u root password 123456
# mysql -p
Create the snort account and its password:
mysql> use mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
Create the database for Snort:
mysql> create database snort;
mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO 'snort'@'localhost';
mysql> flush privileges;
mysql> exit
Create the tables from /snort/snort-2.8.4.1/schemas/create_mysql (in the unpacked Snort source directory) in the snort database:
mysql -u root -p snort < /snort/snort-2.8.4.1/schemas/create_mysql
Then check the result:
mysql -p
show databases;
use snort;
show tables;
Inspect the tables.
7.11 Installing BASE and ADOdb
With the web server and PHP already installed, a few PEAR packages are needed for PHP:
cd snort/snort-2.8.4.1
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color
Install ADOdb:
cp adodb480.tgz /var/www/html/
cd /var/www/html/
tar -xzvf adodb480.tgz
Install BASE:
# cp /snort/base-1.4.4.tar.gz /var/www/html/
# tar -zxvf base-1.4.4.tar.gz
# mv base-1.4.4/ base/
# cd base
# cp base_conf.php.dist base_conf.php
# vi base_conf.php
(In base_conf.php, point $DBlib_path at the ADOdb directory and set $alert_dbname, $alert_host, $alert_user and $alert_password to the database created in section 7.10.)
Restart Snort and the web server:
# service snortd restart
# service httpd restart

THE END