Snort Thesis (Khóa luận Snort)


7/25/2019 Khóa luận Snort (page 1 of 106)

Ho Chi Minh City University of Technology and Education
Faculty of High-Quality Training
-----***----

Socialist Republic of Vietnam
Independence - Freedom - Happiness
----***----

Ho Chi Minh City, ........ 2013

GRADUATION ASSIGNMENT

Student's full name: ................................ Student ID: ......................

Major: ...................................................... Class: .........................

Supervisor: ................................................................................................

Date assigned: .................................... Date submitted: ........................................

1. Thesis title:

...............................................................................................................................................

2. Initial data and documents:

...............................................................................................................................................

3. Content of the written explanation and calculations:

...............................................................................................................................................

4. Deliverables:

...............................................................................................................................................

Head of Department                                        Supervisor


SUPERVISOR'S COMMENTS

..................................................................................................................................................

Supervisor


REVIEWER'S COMMENTS

..................................................................................................................................................

Reviewer


ACKNOWLEDGEMENTS

After many months of study, research and installation, the thesis "Studying and building an intrusion detection and prevention system using Snort/SnortSam" has essentially been completed. While carrying out this thesis I received a great deal of help from friends, seniors and teachers.

I sincerely thank my family and friends for their help, encouragement and moral support, which allowed me to complete this thesis.

I also sincerely thank the teachers of Ho Chi Minh City University of Technology and Education and the Faculty of High-Quality Training for giving me the opportunity to study and do research. In particular, I sincerely thank Mr. Nguyễn Đăng Quang, who always enthusiastically reminded and urged me to work hard, who guided me and sent me many reports that I could consult to complete the thesis, and who gave feedback on both the content and the presentation so that I could finish this report as well as possible.

Although I have tried my best to complete the thesis, it will certainly still contain shortcomings. I always welcome comments and discussion on these issues.

Student

Nguyễn Văn Quang


SUMMARY

Building an intrusion detection and prevention system is one way to raise the security of a system. Building an intrusion detection system is not meant to replace the firewall; it supplements the firewall and collects as much information as possible for the process of stopping attacks.

Besides the concepts and the detection techniques of an intrusion detection system, the thesis studies a network-based intrusion detection system, Snort, and the SnortSam module combined with iptables for the purpose of blocking attacks.

The main objective of the thesis is a thorough understanding of the structure of the Snort rule set, so as to develop a habit of analysing a system rather than merely deploying one, and from there to build rule sets for the concrete situations of each system.

The main content of the thesis can be divided into three parts:

Part 1: The main concepts of intrusion detection systems, their models and detection techniques.

Part 2: Technical detail on the Snort/SnortSam network intrusion detection system: the architecture of Snort and the structure of Snort rules.

Part 3: Analysis of a few kinds of attack and of the corresponding rules; demo of the system.

Keywords: intrusion detection, intrusion detection system, anomaly-based detection, signature-based detection, Snort, SnortSam, SYN Flood, Apache Killer


ABSTRACT

To enhance the security of a system, we implement an intrusion detection system and an intrusion prevention system for it. Deploying an IDS/IPS does not replace the firewall; it supplements the firewall and collects a great deal of information for preventing attacks.

This graduation thesis studies the definition of intrusion detection and the detection techniques used by an intrusion detection system (IDS). It also studies Snort and SnortSam combined with iptables for attack prevention.

The main objective of the thesis is for a system administrator to understand rule syntax and to analyse his own system, and from that to build his own Snort rules.

The content of the thesis comprises three main parts:

Part 1: Intrusion detection, network diagram, intrusion detection techniques.

Part 2: Snort/SnortSam, Snort architecture, Snort rule syntax.

Part 3: Analysis of a few attacks, analysis of the rules for those attacks, and a demo.

Keywords: intrusion detection, intrusion detection system, anomaly-based intrusion detection, misuse/signature-based intrusion detection, Snort, SnortSam, SYN Flood, Apache Killer.


TABLE OF CONTENTS

LIST OF FIGURES
LIST OF ABBREVIATIONS
PART I: PROBLEM STATEMENT
PART II: SOLVING THE PROBLEM
CHAPTER 1: INTRUSION DETECTION SYSTEMS (IDS)
1.1. Introduction
1.2. What is an intrusion detection system?
1.2.1. Network-based IDS
1.2.2. Host-based IDS
1.3. Intrusion detection techniques
1.3.1. Anomaly Based Intrusion Detection
1.3.2. Misuse/Signature Based Intrusion Detection
1.4. Placing an IDS in the network
CHAPTER 2: INTRODUCTION TO SNORT/SNORTSAM
2.1. What is Snort?
2.2. Deploying a Snort system
2.2.1. Hardware requirements
2.2.2. Operating system and other software packages
2.3. Characteristics of Snort
2.3.1. Packet Sniffer (Decoder)
2.3.2. Preprocessors
2.3.3. Detection Engine
2.3.4. Alerting/logging component
2.4. Snort operating modes
2.4.1. Sniffer mode and logging mode
2.4.2. NIDS mode
2.5. Introduction to SnortSam
2.5.1. Snort Output Plug-in
2.5.2. Blocking Agent
CHAPTER 3: PREPROCESSORS AND OUTPUT PLUG-INS
3.1. Preprocessors
3.1.1. Frag3
3.1.2. Stream5
3.1.4. HTTP Inspect
3.2. Output
CHAPTER 4: RULES IN SNORT
4.1. Rule Header
4.1.1. Rule Action
4.1.2. Protocol
4.1.3. IP Address
4.1.4. Port
4.1.5. Direction
4.1.6. Activate/Dynamic rule
4.2. Rule Options
4.2.1. General
4.2.2. Payload
4.2.3. Non-Payload
4.2.4. Post-detection
CHAPTER 5: ANALYSIS OF SOME SNORT RULES
5.1. Examining scan rules
5.2. Win.Trojan.Ibabyfa.dldr
5.3. TCP-SYN Flood
5.4. Apache Killer (CVE-2011-3192)
CHAPTER 6: INSTALLING AND CONFIGURING SNORT
6.1. System diagram
6.2. Installing Snort and SnortSam
6.3. Testing attack types
RESULTS ACHIEVED
CONCLUSION
REFERENCES


LIST OF FIGURES

Figure 1.1: OSSEC deployed on the servers.
Figure 1.2: Anomalous patterns.
Figure 1.3: State transition analysis.
Figure 1.4: Placement points for an IDS in the network.
Figure 2.1: Snort architecture.
Figure 2.2: Packets entering the sniffer.
Figure 2.3: Packet decoding.
Figure 2.4: Processing by the preprocessors.
Figure 2.5: Packets checked against the rules by the detection engine.
Figure 2.6: Alerting and logging component.
Figure 3.1: The preprocessing stage.
Figure 3.2: Classification of operating systems.
Figure 3.3: Meaning of the global configuration parameters.
Figure 3.4: Meaning of the TCP configuration parameters.
Figure 3.5: Meaning of the UDP configuration parameters.
Figure 3.6: Meaning of the ICMP configuration parameters.
Figure 3.7: Meaning of the IP configuration parameters.
Figure 4.1: Structure of a Snort rule.
Figure 4.2: The reference table.
Figure 4.3: The ipopts table.
Figure 4.4: The flags table.
Figure 4.5: Type values of the ICMP header.
Figure 4.6: Code values of the ICMP header.
Figure 4.7: Parameters of the detection_filter keyword.
Figure 5.1: The three-way handshake.
Figure 5.2: SYN Flood.
Figure 5.3: A normal HTTP request.
Figure 5.4: An HTTP request generated by Apache Killer.
Figure 6.1: Real-world deployment model with a DMZ.
Figure 6.2: Experimental setup.
Figure 6.2: List of the hosts in the network.
Figure 6.3: Processing model of Snort, MySQL and BASE.


LIST OF ABBREVIATIONS

CNSS   Committee on National Security Systems
IDS    Intrusion Detection System
IPS    Intrusion Prevention System
NIDS   Network-based IDS
HIDS   Host-based IDS
ICMP   Internet Control Message Protocol
IP     Internet Protocol
TCP    Transmission Control Protocol
UDP    User Datagram Protocol
DoS    Denial-of-Service
DDoS   Distributed Denial-of-Service
GNU/GPL GNU General Public License
ACID   Analysis Console for Intrusion Databases
BASE   Basic Analysis and Security Engine
ISP    Internet Service Provider
FDDI   Fiber Distributed Data Interface
ACL    Access Control List
HTTP   Hypertext Transfer Protocol


PART I

PROBLEM STATEMENT


Why this topic matters.

As society develops, the Internet has become an indispensable part of life for individuals, businesses, organisations, schools and governments alike. The Internet arrived in Vietnam more than 15 years ago and has become a tool and a channel that lets businesses reach customers, deliver services and manage organisational data quickly and efficiently.

Alongside this positive development, network attacks and intrusions by malicious actors have grown as well. Not only worldwide but also in Vietnam, information security has become a pressing issue. The variety and complexity of attack types make prevention and defence difficult.

The more e-commerce in Vietnam grows, the more it becomes a target for attackers. E-commerce is a target with more value to be gained, so attackers are tempted to invest more effort in breaking in and causing damage.

An intrusion detection and prevention system lets the administrator keep watch continuously and gather a great deal of valuable information for the effort of countering these forms of attack and intrusion.

Research objectives.

Study intrusion detection systems in general: their characteristics and architecture, and especially the intrusion detection techniques in use today.

Study the Snort intrusion detection system: how to install, configure and deploy it in a network.

Analyse the signs of different forms of attack and build rules matching the characteristics of each type of attack and intrusion.

Study and deploy SnortSam as a Snort add-on to block targeted intrusions.


Subject of the research.

The subject of this thesis is intrusion detection systems in general, the Snort intrusion detection system in particular, and SnortSam as a Snort add-on.

It also covers studying and building rule sets for specific kinds of attack and intrusion.

Research method.

Study the theory of intrusion detection through documents and reports.

Study the theory of Snort through the documentation on the Snort home page, the user manual from Sourcefire and other sources.

Study SnortSam through the documentation and user guide on the SnortSam home page.

Deploy the system on VirtualBox virtual machines, building a simple network that models a real network, and deploy the services as in the accompanying network model.

Study the methods of intrusion, attack and vulnerability exploitation, the tools, and how they are carried out. Carry out the attacks, intrusions and exploits; then read the logs, analyse the captured packets, and turn them into rules for detection and prevention.


PART II

SOLVING THE PROBLEM


Contents

The main topics of this part are: intrusion detection systems, Snort, SnortSam, the structure of Snort rules and how to write them; installing and deploying Snort in a network; and a demo of attack and detection.

Chapter 1, Intrusion detection systems (IDS): an overview of intrusion detection systems, intrusion detection techniques, the classification of intrusion detection systems, and how to place an IDS in a network.

Chapter 2, Introduction to Snort/SnortSam.

Chapter 3, Preprocessors and Output Plug-ins: preprocessing in Snort and the output stage.

Chapter 4, Rules in Snort: the structure of a Snort rule.

Chapter 5, Analysis of some Snort rules: a number of attack types and the rules that go with them.

Chapter 6, Installing and configuring Snort/SnortSam, with a demo of intrusion detection and prevention based on Snort/SnortSam.


CHAPTER 1

INTRUSION DETECTION SYSTEMS (IDS)

1.1. Introduction

Intrusion detection is not a new technique; it has long been applied in many fields, not only in the information security of computer networks. The simplest everyday example of intrusion detection is the alarm on a car. The principle is straightforward: the system is armed, and if anyone touches the car the horn sounds to warn that someone is breaking in.

Like a firewall, an intrusion detection system is built to protect the resources of a network against unwanted attackers. So why is an IDS needed when a firewall is already in place? As discussed in the earlier thesis "Studying Firewalls and deploying one on ClearOS", a firewall is the network equivalent of a wall, a security guard or a door lock that people put in place to keep burglars out. But however good the protection, nobody can be sure of knowing every method a burglar might use. So besides the means of keeping intruders out (the firewall), one also deploys warning systems: alarms, surveillance cameras and the like.

The same holds for a network: nobody can be certain that the hardware and the other protective mechanisms stop every attack, or that every attacker technique is known. That is why an IDS is needed: to detect abnormal signs, to raise an alert when something abnormal appears, and to monitor the traffic entering and leaving the system so that it can be analysed and stopped in time (monitoring and logging).

1.2. What is an intrusion detection system?


    According to the definition in document CNSSI-4009 of the United States Committee on National Security Systems, an intrusion is the act of gaining unauthorised access by bypassing the security mechanisms of a system.

    A computer intrusion is the deliberate act of accessing a computer without permission, or of trying to go beyond the access rights one already has in order to reach other resources and collect information.

    Intrusion detection is the process of monitoring the events that occur in a computer system or a network and then analysing them for signs of possible incidents. An incident may be a violation of the system's security policies or security standards, or a threat to the organisation's systems. Such incidents may be caused by malicious software such as viruses, worms, trojans or spyware, by deliberate intrusion attempts from the Internet, or by someone exceeding their normal access rights. There are also innocent causes, for example a user who mistypes the address of a computer and tries to reach a system they are not allowed to use.

    An Intrusion Detection System (IDS) may be a hardware appliance (for example Cisco's intrusion detection devices, the Cisco IDSM-2 or the Cisco IPS 4200 Series Sensors) or a software application that monitors computers and networks for actions that threaten the system or violate the security policy and reports them to the system administrator. An IDS installed on a network plays the same role as a burglar alarm in a house.

    Some intrusion detection systems also take on the job of blocking threats, but that may not be necessary and is not the main function of a monitoring system.

    A basic IDS identifies threats, records information about them and then reports that information.

    In short, the functions of an intrusion detection system are monitoring (of network traffic), alerting (reporting the state of the network to the system and the administrator) and protection (taking action against an intrusion using default settings and the administrator's configuration).

    By function, IDSs can be divided into two types: Network-based IDS and Host-based IDS. Each has its own approach to monitoring and protecting data, and each has its own advantages and disadvantages.

    1.2.1. Network-based IDS

    A network-based intrusion detection system operates as an independent device on the network. It is usually placed on network segments or at the connection points between different network zones, so that it can monitor the traffic of many hosts in that zone. A NIDS may be a hardware device or a piece of software.

    Structurally, a NIDS usually consists of a set of sensors placed at different points in the network. The sensors monitor network traffic, perform local analysis of that traffic and report back to a central management console.

    Some NIDSs: Snort, Suricata, and the NIDS products of Cisco, Juniper and others.

    Advantages of a NIDS:

    - It covers a whole network segment (many hosts). It is cheap, and a few devices can monitor a large network (if the network is well designed).

    - It is transparent to both users and attackers.

    - Installation and maintenance are simple and do not affect the network.

    Disadvantages of a NIDS:

    - A NIDS may have trouble processing every packet on a large, busy network. As a result it may fail to detect an attack while the network is in an overwhelmed (overloaded) state.


    - It is limited by switches. On modern switched networks, switches are widely used to split a large network into small, manageable segments, so a NIDS cannot collect information from the whole network. Because it only inspects the segment it is directly connected to, it cannot detect an attack on another segment. This forces an organisation to buy a large number of sensors if it wants to cover its whole network, which raises the cost.

    - A NIDS cannot analyse encrypted traffic (SSL, SSH, ...).

    - Some NIDSs have difficulty with attacks that use fragmented packets.

    - A NIDS cannot tell whether an attack succeeded or failed; it can only tell that an attack was launched. To find out whether it succeeded, the administrator has to investigate the servers and determine whether they were compromised.

    1.2.2. Host-based IDS

    A host-based intrusion detection system runs on a single machine. A HIDS uses the host's own resources to monitor traffic and detect attacks, if any. In this way it can observe everything that happens on the host, such as log files and the network traffic entering and leaving the host. It also watches the operating system, the audit history and the server's error messages.

    Not every attack goes through the network, so a NIDS cannot always detect an attack on a host. For example, an attacker with physical access can break into a host without generating any network traffic.

    One advantage of a HIDS over a NIDS is that it can stop fragmentation attacks. For this reason a HIDS is usually installed on the organisation's critical servers and on servers in the DMZ, since these are the main targets of attack.

    A HIDS also usually tracks changes on the system, such as the attributes of the file system, file attributes (size, location, permissions), and the creation or deletion of files.

    Some HIDSs: Symantec ESM, OSSEC, Tripwire, ...

    Figure 1.1: OSSEC deployed on servers.

    Advantages of a HIDS:

    - It detects attacks on servers that a NIDS cannot see.

    - It can monitor encrypted traffic flows.

    - It is not affected by switching devices.

    Disadvantages of a HIDS:

    - It is harder to manage, because it has to be installed on every host that needs protection, so configuration, management and updates add up to a large amount of work.

    - A HIDS cannot detect network scans (for example an nmap scan), because it only monitors the host it is installed on.

    - It can be disabled by a denial-of-service (DoS) attack.

    - It consumes system resources: because it is installed on the machine it protects, it uses that machine's RAM, CPU and disk, which can lower monitoring performance.

    - A HIDS dies when the host's operating system dies.

    1.3. Intrusion detection techniques

    This section looks at the techniques an IDS uses to detect intrusions. Fundamentally there are two:

    - Anomaly-based intrusion detection (Anomaly Based ID)

    - Misuse/signature-based intrusion detection (Misuse/Signature Based ID).

    1.3.1. Anomaly Based Intrusion Detection

    First, an anomaly should be understood as a deviation, something set apart from the patterns already present in the data or inconsistent with the normal concepts and behaviour of the system. The figure below is an example of anomalies: O1, O2 and O3 differ in both behaviour and structure from N1 and N2.

    Figure 1.2: Anomalous patterns.

    Anomaly-based detection techniques are designed to detect patterns of behaviour that differ sharply from normal behaviour, and then flag those behaviours as possible intrusions.

    Advantages:

    - An IDS built on anomaly detection can detect abnormal behaviour and therefore the symptoms of an attack without knowing the specific details of that type of attack. Put simply, it can detect attacks that have never been seen before.

    - Anomaly detection can be used to produce information from which signatures can be built for use by a misuse detector.

    Disadvantages:

    - The anomaly approach usually produces a large number of false alarms, because the behaviour of users and of the network cannot be predicted.

    - The anomaly approach requires regular training on the system's records in order to learn what normal behaviour is.

    Anomaly-based intrusion detection is very effective at detecting attacks such as:

    - Abuse of protocols and service ports.

    - Denial-of-service attacks.

    - Buffer overflows.

    The measures and techniques used in anomaly detection include:

    - Protocol anomaly detection. A protocol anomaly is a case that violates the formats, standards and behaviour laid down earlier as Internet standards. For example, the maximum size of an ICMP packet is 65,535 bytes; an attacker deliberately sends a packet larger than the standard size in order to cause a buffer overflow.

    - Intrusion detection based on a learning process. This takes two steps. In step 1, after the system is set up it is simply left to run and builds a profile of network activity in its normal state. After this initialisation period the system goes into operation, monitoring and detecting abnormal activity by comparing the current state with the profile that was created.

    - Statistical anomaly-based intrusion detection. This technique emphasises measuring and counting normal activity on the network, for example more logins than the permitted number, an excessive number of processes running on the CPU, or an excessive number of packets sent.

    1.3.2. Misuse/Signature Based Intrusion Detection

    This works by comparing the signatures of the objects being observed with the signatures of known forms of intrusion. Two techniques are used in signature-based intrusion detection:

    - Expression matching.

    - State transition analysis.

    Figure 1.3: State transition analysis.


    Advantages:

    - Few false alarms, and especially effective against known forms of intrusion.

    - Quick and reliable in identifying the attack tools and techniques, so the system administrator can quickly take timely countermeasures.

    Disadvantages:

    - To remain effective at detecting intrusions, this method requires the signatures of new forms of intrusion to be updated regularly.

    - If the signatures used for detection are not designed carefully, they may fail to detect variants of an attack.

    1.4. Placing the IDS in the network

    The question to consider when using an IDS is where to place it in the network so that the sensors can see all the traffic moving through the network.

    To decide where to place the sensors, a few questions can be answered:

    - What are the resources that need to be protected?

    - How is the network designed: is the topology a bus, a ring, a star or a combination?

    - Should the sensor sit in front of the firewall (filtered first) or behind the firewall (unfiltered)?

    - Which devices does the network use, hubs or switches?

    - How do the routers route traffic within the network?

    In short, a sensor should be placed where it can see as much traffic as possible, specifically at the connection points between segments.

    One point to note is that the IDSs in the model below are attached to hubs, to make sure no network traffic is missed. However, these IDSs can instead be attached to a monitoring port on a switch (a SPAN port, port monitoring): when data passes through the switch, a copy is sent to the IDS.

    Figure 1.4: Possible IDS positions in the network.


    CHAPTER 2

    INTRODUCTION TO SNORT/SNORTSAM

    2.1. What is Snort?

    Snort is an open-source network-based intrusion prevention and detection system (IPS/IDS) developed by Sourcefire. Combining signature inspection, protocol inspection and anomaly inspection, Snort is deployed widely around the world. With millions of downloads and more than 400,000 registered users, Snort has become the standard for intrusion prevention and detection systems.

    Snort's main functions are packet sniffing, packet logging and network-based intrusion detection.

    Why has Snort become so popular?

    - Easy to configure: how Snort works, where the configuration file is and what the rules look like are all things an administrator can learn and configure as they wish, including writing new rules.

    - Snort is open-source software: Snort is released under the GNU/GPL licence, which means anyone, whether a business or an individual, can use it free of charge. Also, because it is open source, Snort has a large user community that is ready to help with any question.

    - Runs on many platforms: Snort runs not only on open-source operating systems such as GNU/Linux but also on commercial platforms such as Microsoft Windows, Solaris, HP-UX, ...

    - Snort is updated regularly: Snort's rules are regularly extended and updated for new forms of intrusion, and users can easily download them from http://www.snort.org.

    2.2. Deploying a Snort system

    2.2.1. Hardware requirements

    It is hard to give a single general hardware requirement for installing Snort, because it depends on many different factors. The two factors to consider when choosing hardware for a Snort system are the volume of traffic on the network and the processing and storage demands placed on Snort. The hardware requirements of a large organisation such as an ISP differ greatly from those of a small home network.

    To decide on the hardware for a Snort installation, the following questions help:

    - Is the network a small home network, a small business, a large enterprise or an ISP? How much traffic normally flows through it?

    - Roughly how much traffic flows between the internal network and the outside Internet, and vice versa?

    - Where will Snort's alerts be stored?

    - For how long will those alerts be kept?

    - Should the packets related to those alerts be stored as well?

    Snort has no special hardware requirements, but powerful hardware brings some advantages. Because Snort is a network-based IDS, a hard disk with large capacity and a high rotation speed lets the system run more smoothly. For example, an enterprise network might give the /var partition 100 GB, and where the demands are high, RAID storage can be used.

    You will need a high-speed network card (NIC) so that sniffing packets is easier. For example, if the NIC speed is below 100Mb/s, a 100Mb/s card should be used. If the NIC is too slow, Snort may miss some packets, and the information collected will be inaccurate. It is also a good idea to have a second NIC for the administrator's connection over SSH or the web interface, so that the sniffing card is not shared.

    If the network is large and there are many sensors, consider adding RAM so that the system does not lag when processing the large amount of information sent back.

    2.2.2. Operating system and other software packages

    Snort runs on many operating system platforms. On x86 it runs on GNU/Linux, FreeBSD, OpenBSD, NetBSD and Windows. It also supports the Sparc architecture with operating systems such as Solaris, MacOS-X, HP-UX, ...

    Besides the operating system, if you intend to compile Snort from source code, make sure the following software is installed on the system:

    - autoconf and automake.

    - gcc.

    - lex and yacc, or GNU flex and bison.

    - libpcap.

    Most of these can be downloaded from http://www.gnu.org/, and libpcap from http://www.tcpdump.org.

    If you also intend to install Snort add-ons or management tools, for example the popular Analysis Console for Intrusion Detection (ACID) web interface, you also need the Apache web server (SSL should be used for security), PHP, and a database to store the alerts, which means installing MySQL or PostgreSQL.

    A few popular add-ons:

    - ACID.

    - Oinkmaster.

    - SnortSnarf.

    - SnortReport.

    - Snorby.

    If the system is administered remotely over SSH, SSH must be configured.

    2.3. Characteristics of Snort

    In NIDS mode, after packets enter and pass through the packet sniffer, the data is sent through whichever preprocessors are configured in snort.conf. The data then goes through the detection engine, which checks whether it matches the rules in snort.conf. Matching packets are sent to the alert and logging component and through whichever output plug-ins are selected, after which they are logged or alerted on according to the configuration.

    Snort's architecture has four basic parts:

    - The Sniffer (Packet Decoder).

    - The Preprocessors.

    - The Detection Engine.

    - The Output.

    The figure below gives an easy-to-understand view of Snort's architecture and processing flow. Imagine it as a coin-sorting machine.

    Figure 2.1: Snort's architecture.

    - Coins are fed in (packets come in from the network backbone).

    - The coins pass through a chute that decides whether each one is really a coin and whether to pass it on (preprocessors).

    - Next the coins are sorted by type, for example by the value of the coin (detection engine).

    - Finally it is the administrator's job to decide what to do with them (log them and store them in a database).


    The preprocessors, detection engine and alert system are all plug-ins, which makes it easy to adapt the system to the administrator's wishes.

    2.3.1. Packet Sniffer (Decoder)

    A packet sniffer is a hardware device or a piece of software placed on the network. Its function is similar to wiretapping a mobile phone, except that instead of working on the telephone network it listens on the data network. Because the network model has many higher-level protocols such as TCP, UDP and ICMP, the packet sniffer's job is to parse those protocols into information that a human can read and understand. A packet sniffer can be used for purposes such as:

    - Network analysis and troubleshooting.

    - Network performance and benchmarking.

    - Eavesdropping on clear-text passwords and other data.

    Encrypting network traffic can prevent packets from being sniffed. Depending on the intent, a packet sniffer can be used for good or bad purposes.

    Figure 2.2: Packets entering the sniffer.

    When Snort receives packets from the sniffing process they enter the decoding process. Exactly where a packet enters the decoder depends on the link layer that was read earlier. Snort supports a number of link layers from pcap: Ethernet, 802.11, Token Ring, FDDI, Cisco HDLC, SLIP, PPP and OpenBSD's PF. Above the link layer, Snort supports decoding of various protocols, including IP, ICMP, TCP and UDP (details in the source file src/decode.c).


    Whichever link layer is in use, all the decoders work in the same general way. For each specific layer, a pointer in the packet structure is set to point at a different part of the packet. Based on the information decoded so far, the decoder calls the decoder for the next higher layer, and so on until there is no decoder left to call.

    Most networks that deploy Snort today are Ethernet networks, so consider the decoding of a packet on such a network. When the packet first arrives it passes through the DecodeEthPkt function. Then, by overlaying the Ethernet structure on the start of the data, the source and destination MAC addresses and the type of the next layer (ether_type) become known. Based on the ether_type value, the next decoder is called. Suppose ether_type is 2048 (ETHERNET_TYPE_IP): the next layer is IP, so the DecodeIP decoder is called, and so on until no decoder remains.

    Figure 2.3: Packet decoding. The diagram lists the decoder functions and the protocols they handle: DecodeEthPkt (Ethernet), DecodeVLAN (802.1Q), DecodePPPoEPkt (PPP over Ethernet), DecodeIP (IP), DecodeIPv6 (IPv6), DecodeARP (ARP), DecodeIPX (IPX), DecodeIPOptions (IP options), DecodeTCP (TCP), DecodeTCPOptions (TCP options), DecodeUDP (UDP), DecodeICMP (ICMP), DecodeIPOnly (embedded IP).
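    The decoder chain just described, as an added example written in Python rather than Snort's own C code: each function plays the role of DecodeEthPkt, DecodeIP and DecodeTCP/UDP/ICMP, dispatching on ether_type and then on the IP protocol number. The sample frame is constructed inside the block, and the function and field names are this example's own.

```python
# Added example (not Snort's source): a Python sketch of the decoder chain
# described above. Each decoder reads its own header, records the fields it
# learned, and dispatches to the next decoder based on the type field it
# found, the way DecodeEthPkt -> DecodeIP -> DecodeTCP does in src/decode.c.
import struct

ETHERNET_TYPE_IP = 0x0800          # 2048, the ether_type value the text mentions
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def decode_tcp(data, pkt):
    """DecodeTCP: ports, sequence numbers, header length and flags."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", data[:14])
    hlen = (off_flags >> 12) * 4   # data offset is in 32-bit words
    pkt.update(sport=sport, dport=dport, seq=seq, ack=ack,
               tcp_flags=off_flags & 0x01FF, payload=data[hlen:])
    return pkt


def decode_udp(data, pkt):
    """DecodeUDP: ports and the length-bounded payload."""
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    pkt.update(sport=sport, dport=dport, payload=data[8:length])
    return pkt


def decode_icmp(data, pkt):
    """DecodeICMP: type and code; the rest of the message is left as payload."""
    icmp_type, icmp_code = struct.unpack("!BB", data[:2])
    pkt.update(icmp_type=icmp_type, icmp_code=icmp_code, payload=data[4:])
    return pkt


# Like the ether_type dispatch, the IP decoder picks the next decoder from
# the protocol field; anything not listed here ends the chain.
IP_DECODERS = {IPPROTO_TCP: decode_tcp, IPPROTO_UDP: decode_udp,
               IPPROTO_ICMP: decode_icmp}


def decode_ip(data, pkt):
    """DecodeIP: fixed IPv4 header, then hand the rest to the next decoder."""
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    pkt.update(ip_src=".".join(map(str, src)), ip_dst=".".join(map(str, dst)),
               ip_proto=proto, ttl=ttl,
               frag_offset=(frag & 0x1FFF) * 8,      # what Frag3 later keys on
               more_fragments=bool(frag & 0x2000))
    inner = data[ihl:total_len]
    nxt = IP_DECODERS.get(proto)
    if nxt is None:                 # no further decoder: stop here
        pkt["payload"] = inner
        return pkt
    return nxt(inner, pkt)


def decode_eth_pkt(frame):
    """DecodeEthPkt: overlay the Ethernet header, then dispatch on ether_type."""
    dst, src, ether_type = struct.unpack("!6s6sH", frame[:14])
    pkt = {"eth_src": src.hex(":"), "eth_dst": dst.hex(":"),
           "ether_type": ether_type}
    if ether_type == ETHERNET_TYPE_IP:
        return decode_ip(frame[14:], pkt)
    pkt["payload"] = frame[14:]     # ARP, IPv6, ... would dispatch here too
    return pkt


def build_sample_frame():
    """Constructed sample: an Ethernet/IPv4/TCP frame carrying an HTTP request
    for the path used in the WEB-CGI rule discussed later (checksums left 0)."""
    payload = b"GET /wwwboard/passwd.txt HTTP/1.0\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 40123, 80, 1, 1,
                      (5 << 12) | 0x018,   # 20-byte header, PSH+ACK
                      8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([203, 0, 113, 5]),
                     bytes([192, 168, 1, 10]))
    eth = struct.pack("!6s6sH", b"\x00\x11\x22\x33\x44\x55",
                      b"\x66\x77\x88\x99\xaa\xbb", ETHERNET_TYPE_IP)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    for key, value in decode_eth_pkt(build_sample_frame()).items():
        print(f"{key:>15}: {value!r}")
```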

    2.3.2. Preprocessors

    Preprocessors are plug-ins that allow data to be parsed in different ways. If Snort is run without any preprocessors configured in the configuration file, it only sees each packet on the network in isolation. That can cause the IDS to miss some attacks, because many modern attacks deliberately fragment data, or put the malicious part in one packet and the rest in another (an evasion technique).

    Data is fed into the preprocessors after passing through the packet decoder. Snort provides a range of preprocessors, for example Frag3 (a module that reassembles fragmented IP packets), sfPortscan (a module designed to counter reconnaissance such as port scanning, service identification and OS scanning) and Stream5 (a module that reassembles TCP-layer packets).

    At present Snort has 10 preprocessors, described in the Snort manual at http://manual.snort.org/node17.html.

    Figure 2.4: Preprocessor processing.

    2.3.3. Detection Engine

    Its input is the packets that were put in order by the preprocessors. The detection engine is the signature-based part of the intrusion detection system. It takes the data from the preprocessors and checks it against the rules. If a rule matches the data in the packet, the packet is sent to the alert system; otherwise it is discarded, as in the figure below.

    To picture this, return to the coin-sorting example. Normally there are coins of 1, 2 and 5 cents. If a 10-cent banknote turns up, it is thrown out.

    Rules can be divided into two parts:

    - The header: the action (log or alert), the protocol type (TCP, UDP, ICMP, ...), the source IP address, the destination IP address and the port.

    - The options: the packet content that has to match the rule.

    Rules are the part that anyone studying Snort must understand well. Snort rules have a specific syntax that can refer to the protocol, content, length, header and a few other parameters. Once the structure of Snort rules is understood, the administrator can easily tune and optimise Snort's intrusion detection and define rules suited to each environment and network.

    Figure 2.5: A packet processed by the detection engine using the rules.


    2.3.4. Alerting/logging component

    Finally, after the rules have matched the data, it is passed to the alert and logging component. The logging mechanism stores the packets that triggered the rules, while the alerting mechanism reports the analyses that failed. Like the preprocessors, this component is configured in snort.conf; alerting and logging can be specified in the configuration file if they are to be enabled.

    The data is the alert itself, but there are many ways to deliver those alerts and to specify where packets are logged. Alerts can be sent as SMB (Server Message Block) pop-ups to Windows workstations, written to a log file, sent over the network through a UNIX socket, or sent via SNMP. They can also be stored in an SQL database such as MySQL or PostgreSQL. Some third-party systems can even send alerts by SMS to a mobile phone.

    There are many add-ons that help the administrator receive alerts and analyse the data visually:

    - The Analysis Console for Intrusion Detection (ACID): known as a PHP-based log parsing add-on and search engine, and a front-end for analysing Snort logs. http://www.andrew.cmu.edu/user/rdanyliw/snort/

    - SGUIL (Snort GUI for Lamerz) is another excellent analysis tool.

    - Oinkmaster: a Perl script that updates Snort's rules and comments out the ones you do not want after each update.

    - IDS Policy Manager is a management interface for Windows XP.

    - SnortSnarf: a Perl program that generates consolidated daily log reports in HTML.

    - Swatch: http://swatch.sourceforge.net is a real-time syslog monitoring tool that sends alerts by email.

    - BASE: http://sourceforge.net/projects/secureideas/ Basic Analysis and Security Engine is a very valuable plug-in for analysing and querying Snort's alerts.

    Figure 2.6: The alerting and logging component.

    2.4. Snort's operating modes

    2.4.1 Sniffer mode and logging mode

    To run Snort in sniffer mode, use the -v option.

    $ snort -v

    This option only displays the IP and TCP/UDP/ICMP headers, nothing more. To display the application-layer data as well, add the -d option.

    $ snort -vd


    This option displays both the data and the headers of the packet. To display even more information, for example the data-link layer header, add the -e option.

    $ snort -vde    or    $ snort -d -v -e

    Snort's advantages over other packet capture applications are:

    - The log files produced by sniffing can be saved to a database such as MySQL or PostgreSQL.

    - Log files can be displayed in ASCII, separated by IP address, which makes analysis easy.

    - Log files can also be stored as binary files in tcpdump format.

    To run Snort in logger mode, use the -l option.

    $ snort -dev -l /home/user/log

    The command above captures packets and stores them as log files. The log files can also be stored according to the IP addresses involved. For example, the following command captures, prints to the screen and stores all TCP/IP packets, together with their data-link headers and data, that go to an address in a class C network.

    $ snort -dev -l /home/user/log -h 192.168.1.0/24

    To run Snort in logger mode and store the log files in binary form, use the -b option, and use the -r option to read back the binary files that were recorded.

    $ snort -l /log -b

    $ snort -dv -r packet.log

    2.4.2 NIDS mode

    When Snort runs in network intrusion detection mode there is no need to capture every packet.


    $ snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

    The -c option specifies Snort's configuration file. By default the log files are stored in /var/log/snort. When running in NIDS mode the -v option can be dropped to gain speed, since there is no need to capture packets and print them to the screen.

    2.5. Introduction to SnortSam

    Snort's function is only to detect intrusions and alert the administrator to them; it cannot stop the attacks. To stop attacks actively (active response), plug-ins for Snort such as SnortSam, Fwsnort or snort_inline can be used. These plug-ins alter or block network traffic based on IP address (SnortSam), on the transport-layer protocol (Fwsnort) or at the application layer (snort_inline).

    One point to note is that an intrusion prevention system, besides blocking packets entering the system, can also modify packets directly as they pass through the network. That is why Fwsnort and snort_inline are classed as intrusion prevention systems (IPS), while SnortSam is only classed as an active response system.

    This section looks at SnortSam, a Snort plug-in that automatically blocks IP addresses on firewalls such as:

    - Checkpoint Firewall-1

    - Cisco PIX firewalls

    - Cisco routers (using ACLs)

    - Former Netscreen, now Juniper firewalls

    - IP Filter (ipf), on Unix-like OSes such as FreeBSD

    - FreeBSD's ipfw2 (version 5.x)

    - OpenBSD's Packet Filter (pf)

    - Linux IPchains

    - Linux IPtables

    - Linux EBtables

    - WatchGuard Firebox firewalls

    - 8signs firewalls on Windows

    - MS ISA Server firewall/proxy on Windows

    - CHX packet filter

    - Ali Basel's Tracker SNMP, through the SNMP-Interface-down plug-in.

    SnortSam consists of two separate parts. One is a set of modifications to the source files that extends Snort with a new output module, alert_fwsam. The other is an agent that talks directly to the firewall. The agent can sit on the firewall itself if the firewall is iptables, on pf if the system is BSD, or on Checkpoint's Firewall-1 if the system is Windows. For hardware firewalls such as Cisco PIX, the SnortSam agent has to sit on a separate machine dedicated to talking to the PIX.

    As for how it works: Snort monitors the traffic flows on the network, and when a Snort rule fires (matching traffic is seen), Snort sends its output to the fwsam module. The fwsam module then sends an encrypted message to the agent on the firewall. The agent checks whether the message came from an authorised source; if so, it decrypts the message and checks which IP addresses are to be blocked. SnortSam then checks whether those IP addresses are on the white-list. If an IP is not on the white-list, SnortSam asks the firewall to block it for a predefined period of time.

    2.5.1. Snort Output Plug-in

    The output part requires changes to both Snort's configuration file and its rules. It talks to the agent on the firewall over TCP on port 898. The output plug-in supports encrypting its communication with the agent using a key defined beforehand in the configuration file. The encryption algorithm SnortSam uses is Twofish.

    In the snort.conf configuration file, add this line:

    output alert_fwsam: 192.168.10.1/sn0r3sam

    In the rules, the fwsam option and a duration are appended to each rule. For example, to block an IP address for one hour, add the string fwsam: src, 1 hour;

    alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
    (msg:"WEB-CGI /wwwboard/passwd.txt access";
    flow:to_server,established;
    uricontent:"/wwwboard/passwd.txt"; nocase;
    reference:arachnids,463; reference:cve,CVE 1999-0953;
    reference:nessus,10321; reference:bugtraq,649;
    classtype:attempted-recon; sid:807; rev:7; fwsam: src, 1 hour;)
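    The rule header and options described in section 2.3.3, together with the fwsam option this section adds, parsed by an added example (not Snort's or SnortSam's code): the rule text is the one above, and the function names and the duration-unit table are this example's own.

```python
# Added example (not Snort's or SnortSam's code): split a Snort rule into the
# header and option parts described in section 2.3.3, then read the fwsam
# option that SnortSam appends, turning "1 hour" into a block time in seconds.
import re

# The rule from the text (SID 807), kept verbatim.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-CGI /wwwboard/passwd.txt access"; flow:to_server,established; '
        'uricontent:"/wwwboard/passwd.txt"; nocase; reference:arachnids,463; '
        'reference:cve,CVE 1999-0953; reference:nessus,10321; '
        'reference:bugtraq,649; classtype:attempted-recon; sid:807; rev:7; '
        'fwsam: src, 1 hour;)')

HEADER_FIELDS = ("action", "proto", "src_ip", "src_port", "direction",
                 "dst_ip", "dst_port")
DURATION_UNITS = {"sec": 1, "second": 1, "min": 60, "minute": 60,
                  "hour": 3600, "day": 86400}


def split_options(body):
    """Split 'key:value; key; ...' on ';' while honouring double-quoted values,
    so a ';' inside msg:"..." does not end the option."""
    options, current, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(current))
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        raise ValueError("option section does not end with ';'")
    parsed = []
    for item in options:
        key, sep, value = item.strip().partition(":")
        parsed.append((key.strip(), value.strip().strip('"') if sep else None))
    return parsed


def parse_rule(rule):
    """Return (header dict, [(option, value), ...]) for one Snort rule."""
    head, paren, rest = rule.strip().partition("(")
    if not paren or not rest.endswith(")"):
        raise ValueError("rule needs a parenthesised option section")
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, got {fields}")
    if fields[4] not in ("->", "<>"):
        raise ValueError(f"bad direction operator {fields[4]!r}")
    return dict(zip(HEADER_FIELDS, fields)), split_options(rest[:-1])


def fwsam_request(options):
    """Read 'fwsam: src, 1 hour' -> ('src', 3600); None if the rule has none."""
    for key, value in options:
        if key != "fwsam":
            continue
        which, _, duration = value.partition(",")
        which = which.strip().lower()
        if which not in ("src", "dst"):
            raise ValueError(f"fwsam: unsupported address selector {which!r}")
        match = re.fullmatch(r"\s*(\d+)\s*([a-z]+?)s?\s*", duration.lower())
        if not match or match.group(2) not in DURATION_UNITS:
            raise ValueError(f"fwsam: cannot parse duration {duration!r}")
        return which, int(match.group(1)) * DURATION_UNITS[match.group(2)]
    return None


if __name__ == "__main__":
    header, options = parse_rule(RULE)
    print(header)
    for key, value in options:
        print(f"  {key}: {value}")
    print("fwsam request:", fwsam_request(options))
```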

    2.5.2. Blocking Agent

    This part is responsible for interacting directly with the firewalls on behalf of the output plug-in in Snort. If Snort detects an attack that matches any rule such as the one in the example above, it sets up an encrypted TCP session and sends a message containing the source IPs of the packets that raised the alert plus the time for which each IP address is to be banned.

    Because the encrypted TCP session goes over port 898 (or whatever port is configured), make sure the firewall permits communication on that port. The state of all banned IP addresses is kept in the file /var/log/snortsam.state.

    SnortSam's configuration file is /etc/snortsam.conf. Below are some of the important options that can be used in it.

    - accept: allows specific Snort sensors to talk to the agent on the firewall. Several sensors can be configured with this option, each with its own encryption key: accept <host>/<mask>, <key>

    - defaultkey: sets the default key used for all sensors.

    - port: sets the port on which the agent listens for Snort's sensors. The default is TCP port 898.

    - dontblock: specifies a host or network that SnortSam will ignore even when an attack is detected from that source.

    - logfile: specifies the path of the log file SnortSam writes. This file also lists every IP address SnortSam has blocked, with the time of the block.

    - daemon: runs the agent as a service.

    - bindip: restricts the agent on the firewall to listening on one IP address on a specific network card. This reduces the attack surface of the agent and limits the number of connections to it.

    - <firewall type> <interface>: specifies the type of firewall the agent is running on and the interface the rules should be added to.

    - keyinterval <time>: lets the agent request or generate new encryption keys after a given interval. If not set, the default is 4 hours.

    - email: specifies the email server. When an address is blocked, SnortSam sends a notification to the configured email address.

    Example:

    accept 192.168.20.3, sn0r3sam
    bindip 192.168.20.1
    iptables eth0
    logfile /var/log/snortsam.log
    daemon
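    The agent's decision path described above (is the sensor one listed under accept with the right key, is the address under dontblock, for how long is it blocked), as an added example modelled in Python. This is not SnortSam's code and it talks to no firewall; the configuration it reads is constructed from the example above with an added dontblock line, and the class and function names are this example's own.

```python
# Added example (not SnortSam's code, and it touches no real firewall): a model
# of the decision path the text describes for the blocking agent. It reads the
# snortsam.conf options above, then for each block request checks that the
# sensor is one listed under accept with the right key, skips dontblock
# addresses, and keeps an expiry table in the role of snortsam.state.
import hmac
import ipaddress
import time

# Constructed configuration, based on the example above plus a dontblock entry.
SAMPLE_CONF = """
accept 192.168.20.3, sn0r3sam
dontblock 192.168.20.0/24
bindip 192.168.20.1
iptables eth0
logfile /var/log/snortsam.log
daemon
"""


def parse_snortsam_conf(text):
    cfg = {"accept": [], "dontblock": [], "port": 898, "defaultkey": None,
           "daemon": False, "other": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "accept":                      # accept <host>/<mask>, <key>
            host, _, sensor_key = rest.partition(",")
            net = ipaddress.ip_network(host.strip(), strict=False)
            cfg["accept"].append((net, sensor_key.strip() or None))
        elif key == "dontblock":
            cfg["dontblock"].append(ipaddress.ip_network(rest, strict=False))
        elif key == "port":
            cfg["port"] = int(rest)
        elif key == "defaultkey":
            cfg["defaultkey"] = rest
        elif key == "daemon":
            cfg["daemon"] = True
        else:                                    # bindip, logfile, <firewall> <iface>, ...
            cfg["other"].append(line)
    return cfg


class BlockingAgent:
    def __init__(self, cfg, clock=time.time):
        self.cfg = cfg
        self.clock = clock
        self.blocked = {}      # ip_address -> expiry time (the snortsam.state role)
        self.log = []          # what would go to the logfile

    def sensor_key(self, sensor_ip):
        """Key expected from this sensor, or None if it is not an accepted one."""
        addr = ipaddress.ip_address(sensor_ip)
        for net, key in self.cfg["accept"]:
            if addr in net:
                return key or self.cfg["defaultkey"]
        return None

    def handle_request(self, sensor_ip, key, target_ip, seconds):
        expected = self.sensor_key(sensor_ip)
        # Authorisation first: the real agent also decrypts the message here.
        if expected is None or not hmac.compare_digest(key, expected):
            self.log.append(f"rejected request from {sensor_ip}: unauthorised sensor")
            return "rejected"
        target = ipaddress.ip_address(target_ip)
        if any(target in net for net in self.cfg["dontblock"]):
            self.log.append(f"skipped {target}: listed under dontblock")
            return "whitelisted"
        self.blocked[target] = self.clock() + seconds
        self.log.append(f"blocked {target} for {seconds}s")   # firewall call would go here
        return "blocked"

    def active_blocks(self):
        """Addresses still blocked; expired entries are released (unblocked)."""
        now = self.clock()
        self.blocked = {ip: exp for ip, exp in self.blocked.items() if exp > now}
        return sorted(str(ip) for ip in self.blocked)


if __name__ == "__main__":
    agent = BlockingAgent(parse_snortsam_conf(SAMPLE_CONF))
    agent.handle_request("192.168.20.3", "sn0r3sam", "203.0.113.5", 3600)
    agent.handle_request("192.168.20.3", "sn0r3sam", "192.168.20.44", 3600)
    agent.handle_request("10.9.9.9", "sn0r3sam", "203.0.113.6", 3600)
    print("\n".join(agent.log), "\nactive:", agent.active_blocks())
```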


    CHAPTER 3

    PREPROCESSORS AND OUTPUT PLUG-INS

    3.1. Preprocessors

    The previous chapter gave a basic understanding of Snort's structure and how it works, along with an overview of its preprocessors. So what is the main function of a preprocessor?

    Preprocessors were first introduced in Snort version 1.5. Initially they were known for normalising network protocols. Today a preprocessor does not only normalise protocols; it can also detect intrusions based on anomalies and generate its own alerts. In practice Snort is best known for detecting intrusions using patterns and existing signatures. The preprocessor plug-ins were added not only to produce the input for the detection engine but also to generate alerts by detecting anomalies in the traffic entering the system.

    This section looks at a few important preprocessors, in particular those that reassemble packets, since fragmentation is a technique attackers can use to evade intrusion detection systems.

    These preprocessors are extremely useful for detecting fragmentation attacks meant to fool an intrusion detection system, such as the Tiny Fragment Attack, the Overlapping Fragment Attack and the Teardrop Fragment Attack.


    Figure 3.1: The preprocessing stage.

    3.1.1. Frag3


    The frag3 preprocessor introduces a new concept: target-based reassembly. The idea behind the term is this: an IDS sits in the network, but it knows nothing about the operating systems of the hosts it monitors. Fragmented packets are reassembled at those hosts. The problem arises when attackers know that their target is a host running Linux. They deliberately fragment the data so that if the fragments are reassembled on Windows nothing of concern results, but if Linux reassembles them an exploitable flaw is triggered.

    The important point is that if the IDS is tuned to reassemble fragments the way Windows does, it will not be able to detect the attack above. The attacker has fooled the IDS and entered the network without any trouble.

    The idea, then, is to configure the IDS so that it knows the operating systems installed on the hosts in the network. If any packet is sent to a given host, the IDS analyses and reassembles the fragments the same way that host's operating system does.

    Configuration: Frag3 is configured with two preprocessor directives, the global configuration and the engine configuration. There may be several engine configurations but only one global configuration.

    Global configuration:

    Preprocessor name: frag3_global

    Options (separated by commas):

    - max_frags <number>: the maximum number of fragments tracked at the same time. The default is 8192.

    - memcap <bytes>: self-managed memory, default 4MB. This figure is the maximum memory Frag3 is allowed to use.

    - prealloc_memcap <bytes>:

    - prealloc_frags <number>:

    - disabled:

    Engine configuration:

    Preprocessor name: frag3_engine

    Options (separated by whitespace):

    - timeout <seconds>: the fragment timeout. Fragments that remain on the system longer than this are discarded. The default is 60s.

    - min_ttl <value>: the minimum TTL accepted for a fragment. The default is 1; values from 1 to 255 are accepted.

    - detect_anomalies: detects anomalous fragments.

    - bind_to <ip_list>: the list of IP addresses bound to this configuration. The preprocessor only handles destination addresses in this list. The default is all addresses.

    - overlap_limit <number>: limits the number of overlapping fragments per packet. The default of 0 means no limit. Requires detect_anomalies to be set first.

    - min_fragment_length <number>: defines the smallest accepted fragment size (payload size). Fragments of this size or smaller are treated as malicious and acted upon. The default of 0 means no limit; the minimum value is 0. This option also requires detect_anomalies to be set first.

    - policy <type>: selects the target-based reassembly policy. The types are first, last, bsd, bsd-right, linux, windows and solaris. The default is bsd.


    Platform                   Type        Platform                       Type
    AIX 2                      BSD         Linux 2.4 (RedHat 7.1-7.3)     Linux
    AIX 4.3 8.9.3              BSD         MacOS                          First
    Cisco IOS                  Last        OpenBSD                        Linux
    FreeBSD                    BSD         OS/2                           BSD
    HP JetDirect               BSD-right   OSF1 V4.0,5.0,5.1              BSD
    HP-UX B.10.20              BSD         SunOS 4.1.4                    BSD
    HP-UX 11.00                First       SunOS 5.5.1,5.6,5.7,5.8        First
    IRIX 6.2, 6.3              BSD         Tru64 Unix V5.0A,V5.1          BSD
    IRIX64 6.4                 BSD         Windows (95/98/NT4/W2K/XP)     Windows

Figure 3.2: Operating system classification.

Output: Frag3 can detect eight different kinds of anomalies. Its output is packet-based and works with all of Snort's other output modes. These alerts can be found in /preproc_rules/preprocessor.rules of the Snort source tree, with gid=123.

Example:

    preprocessor frag3_global: prealloc_nodes 8192
    preprocessor frag3_engine: policy linux, bind_to 192.168.1.0/24
    preprocessor frag3_engine: policy first, bind_to [10.1.47.0/24,172.16.8.0/24]
    preprocessor frag3_engine: policy last, detect_anomalies
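To make the target-based idea concrete, here is an added Python simulation (not Snort code and not from the thesis) that reassembles one constructed set of overlapping fragments under the first, last, bsd and linux policies, and picks the policy for a destination address from the bind_to lists in the example above. The bsd and linux overlap rules follow the description in Snort's target-based reassembly paper as I read it, so treat them as an assumption; windows, solaris and bsd-right are left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int    # byte offset of this fragment's payload in the datagram
    data: bytes


def reassemble(fragments, policy):
    """Byte-wise reassembly of fragments in arrival order.

    When a byte is already present ("original") and a later fragment
    ("subsequent") covers it again, the policy decides which one wins:
      first - original always wins; last - subsequent always wins;
      bsd   - original wins if its offset <= the subsequent offset (assumed);
      linux - original wins if its offset <  the subsequent offset (assumed).
    """
    placed = {}  # byte position -> (byte value, offset of the fragment that placed it)
    for frag in fragments:
        for i, value in enumerate(frag.data):
            pos = frag.offset + i
            if pos not in placed:
                placed[pos] = (value, frag.offset)
                continue
            original_offset = placed[pos][1]
            if policy == "first":
                keep_original = True
            elif policy == "last":
                keep_original = False
            elif policy == "bsd":
                keep_original = original_offset <= frag.offset
            elif policy == "linux":
                keep_original = original_offset < frag.offset
            else:
                raise ValueError(f"unsupported policy: {policy}")
            if not keep_original:
                placed[pos] = (value, frag.offset)
    return bytes(placed[pos][0] for pos in sorted(placed))


# Constructed fragment set: later fragments overlap earlier ones at offsets 4 and 8.
FRAGS = [
    Fragment(0, b"AAAA"),
    Fragment(4, b"BBBBBBBB"),   # covers bytes 4..11
    Fragment(4, b"CCCC"),       # same offset as the original it overlaps
    Fragment(8, b"DDDD"),       # larger offset than the original it overlaps
]

# Mirrors the three frag3_engine lines above: (bind_to networks, policy).
# An empty bind_to list stands for an engine without bind_to, i.e. everything else.
ENGINES = [
    (["192.168.1.0/24"], "linux"),
    (["10.1.47.0/24", "172.16.8.0/24"], "first"),
    ([], "last"),
]


def policy_for(dst_ip):
    """Return the overlap policy the IDS should use for traffic to dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    for networks, policy in ENGINES:
        if not networks or any(ip in ipaddress.ip_network(n) for n in networks):
            return policy
    return None


if __name__ == "__main__":
    for policy in ("first", "last", "bsd", "linux"):
        print(f"{policy:6} -> {reassemble(FRAGS, policy)!r}")
    print("192.168.1.7 uses", policy_for("192.168.1.7"))
```

Three of the four policies yield a different payload from the same fragments, which is exactly why the IDS must reassemble the way the destination host does.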


3.1.2. Stream5

The Stream5 preprocessor is also a target-based TCP reassembly module. It can track sessions of both TCP and UDP. With this preprocessor, the flow and flowbits rule keywords can be used for both TCP and UDP traffic.

Stream5 resembles Frag3 in that the IDS processes data streams according to the target. Stream5 handles overlapping data and the anomalies of TCP connections.

Some examples of anomalies it recognises in TCP: data present in a SYN packet, or data received that exceeds the TCP window size.

a. Global configuration

    preprocessor stream5_global: <options>

    Option                  Description
    track_tcp               Track TCP sessions. Default yes.
    max_tcp                 Maximum number of TCP sessions tracked at the same time. Default 262144, maximum 1048576, minimum 1.
    memcap                  Memory for storing TCP packets. Default "8388608" (8MB), maximum "1073741824" (1GB), minimum "32768" (32KB).
    track_udp               Track UDP sessions. Default yes.
    max_udp                 Maximum number of UDP sessions tracked at the same time. Default "131072", maximum "1048576", minimum "1".
    track_icmp              Track ICMP sessions. Default no.
    max_icmp                Maximum number of ICMP sessions tracked at the same time. Default "65536", maximum "1048576", minimum "1".
    track_ip                Track IP sessions. Default no.
    max_ip                  Maximum number of IP sessions tracked at the same time. Default "16384", maximum "1048576", minimum "1".
    disabled                Disables stream5; off by default.
    flush_on_alert          Backwards compatibility. Flush a TCP stream when an alert is generated. Off by default.
    show_rebuilt_packets    Print/display packets after they are rebuilt (debugging). Off by default.
    prune_log_max           Print a message when a session terminates that was consuming more than the specified number of bytes. Default "1048576" (1MB), minimum "0" (disabled) or, if not disabled, minimum "1024" and maximum "1073741824".

Figure 3.3: Meaning of the global configuration parameters.

b. TCP configuration

    preprocessor stream5_tcp: <options>

    Option                     Description
    bind_to                    IP address range to which this policy applies. Default: any address.
    timeout                    Session timeout. Default 30, minimum 1, maximum 86400 (about one day).
    policy                     Which target operating system this policy applies to.
    overlap_limit              Limit on the number of overlapping packets per session. Default 0 (no limit), maximum "255".
    max_window                 Maximum TCP window allowed. Default 0 (no limit), maximum "1073725440" (65535 shifted left by 14). Used to defend against DoS.
    require_3whs [<seconds>]   A session is only considered established after a complete 3-way handshake; off by default. The optional number of seconds is a grace period during which existing sessions are still treated as established. Minimum 0 (existing sessions are not considered established), maximum 86400.
    detect_anomalies           Detect and alert on TCP protocol anomalies. Off by default.
    check_session_hijacking    Check for TCP session hijacking by verifying that the MAC addresses of the two ends of the connection are the same as during the 3-way handshake.
    dont_store_large_packets   Do not buffer oversized packets during reassembly.
    dont_reassemble_async      Do not queue packets for reassembly if traffic has not been seen in both directions.
    max_queued_bytes           Limit on the bytes queued for reassembly on a TCP session. Default "1048576" (1MB). "0" means no limit; the minimum non-zero value is 1024, the maximum "1073741824" (1GB).
    max_queued_segs            Limit on the segments queued for reassembly on a TCP session. Default 2621. "0" means no limit, minimum 2, maximum "1073741824" (1GB).
    ports                      Specify the list of client, server or both-side ports for packet reassembly. Default ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306.
    protocol                   Specify the list of client, server or both-side services for packet reassembly. Default services: ftp telnet smtp nameserver dns http pop3 sunrpc dcerpc netbios-ssn imap login shell mssql oracle cvs mysql.

Figure 3.4: Meaning of the TCP configuration parameters.

c. UDP configuration

    preprocessor stream5_udp: [timeout <seconds>], [ignore_any_rules]

    Option             Description
    timeout            Session timeout. Default 30, minimum 1, maximum 86400.
    ignore_any_rules   Do not process any "any any" rules. Off by default.

Figure 3.5: Meaning of the UDP configuration parameters.

d. ICMP configuration

    preprocessor stream5_icmp: [timeout <seconds>]

    Option     Description
    timeout    Session timeout. Default 30, minimum 1, maximum 86400.

Figure 3.6: Meaning of the ICMP configuration parameters.

e. IP configuration

    preprocessor stream5_ip: [timeout <seconds>]

    Option     Description
    timeout    Session timeout. Default 30, minimum 1, maximum 86400.

Figure 3.7: Meaning of the IP configuration parameters.


Example 1:

    preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no
    preprocessor stream5_tcp: policy first, use_static_footprint_sizes
    preprocessor stream5_udp: ignore_any_rules

Example 2:

    preprocessor stream5_global: track_tcp yes
    preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows
    preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux
    preprocessor stream5_tcp: policy solaris

3.1.3. sfPortscan

The sfPortscan module was developed by Sourcefire and is designed to detect the probing of a system that precedes an attack. During the reconnaissance phase, an attacker identifies the network protocols, server services or operating system of the target. This is not yet the intrusion phase, but the attacker can gather a great deal of information that is useful in preparing for it. One extremely powerful and widespread port scanner today is Nmap. Nmap implements all of the current port scanning techniques, and sfPortscan is designed to counter the scanning techniques used by Nmap.

3.1.4. HTTP Inspect

HTTP has become one of the most common and widely used protocols on the Internet, which makes it a protocol that attackers favour. An attacker can exploit the flexibility of web servers to hide and disguise attack behaviour from a NIDS. In the example below, a detection pattern such as a Snort signature can only detect the form foo/bar and cannot detect foo\bar:

    http://www.abc/foo/bar/xyz.php
    http://www.abc/foo\bar\xyz.php

In addition, an attacker can use countless encoding techniques based on hex codes and UTF-8. http_inspect works on one packet at a time, which means that the strings it processes must first be reassembled by the stream5 preprocessor.

The GET requests in the example below all have exactly the same effect and are processed identically by web servers:

    GET /../../../../etc/passwd HTTP/1.1
    GET %2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
    GET %2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1

This is an example of a directory traversal attack, also known by names such as dot-dot-slash or directory climbing. It is a form of attack that accesses files and directories stored outside the web root. Some intrusion detection systems understand the GET method of HTTP and would therefore allow this request. The problem, however, is that there are unlimited ways to encode the malicious string, so an IDS configured to detect this string by signature cannot be guaranteed to catch every variant. The alternative is to normalise the string and then compare it with a list of known bad values in order to detect it.
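The normalise-then-compare approach just described, as an added Python example (my code, not the thesis author's and not http_inspect itself): the request URIs from the examples above are percent-decoded repeatedly to defeat double encoding, backslashes are folded to slashes, and the result is checked for escaping the web root and against a small constructed known-bad list.

```python
import re
from urllib.parse import unquote

# Constructed known-bad list for the demo; a real deployment carries many more entries.
KNOWN_BAD = ("/etc/passwd", "/etc/shadow", "cmd.exe")


def normalize_uri(raw: str, max_rounds: int = 3) -> str:
    """Reduce the many encodings of a URI to one canonical form."""
    uri = raw
    for _ in range(max_rounds):        # repeat to undo double encoding (%252e -> %2e -> .)
        decoded = unquote(uri)         # handles %XX bytes, including UTF-8 sequences
        if decoded == uri:
            break
        uri = decoded
    uri = uri.replace("\\", "/")       # IIS-style servers accept backslash as a separator
    uri = re.sub(r"/+", "/", uri)      # collapse repeated slashes
    uri = re.sub(r"/\./", "/", uri)    # drop no-op "." segments
    return uri


def escapes_webroot(path: str) -> bool:
    """True if '..' segments ever climb above the web root."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def inspect_request(request_line: str) -> dict:
    """Normalise the URI of one request line and report what it reveals."""
    method, uri, version = request_line.split()
    norm = normalize_uri(uri)
    return {
        "method": method,
        "normalized": norm,
        "traversal": escapes_webroot(norm),
        "known_bad": [bad for bad in KNOWN_BAD if bad in norm],
    }


# Constructed request lines: the three encodings from the text, a double-encoded
# form, and the backslash variant from the foo\bar example.
REQUESTS = [
    "GET /../../../../etc/passwd HTTP/1.1",
    "GET %2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET %2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1",
    "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1",
    "GET /foo\\bar\\xyz.php HTTP/1.1",
]

if __name__ == "__main__":
    for line in REQUESTS:
        print(inspect_request(line))
```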

3.2. Output

Output modules were added to Snort in version 1.6. They give Snort more flexible configuration of how output data is formatted and presented to the system administrator. These output modules are invoked when an alert event or a logging request is raised, after the preprocessing and detection stages of the detection engine.

In the Snort configuration file we can configure several different output modules, and they are called automatically whenever an event occurs. By default, alerts and log files are written to the directory /var/log/snort or to whatever directory the administrator configures.

Snort supports many output modules, including:

alert_syslog: this configuration makes Snort send its notifications to syslog.

alert_fast: Snort's alerts are printed in the fastest possible way. This method logs alerts much faster than alert_full, because it does not print the complete packet header and because it prints to a single file.

alert_full: alerts are printed with the full packet headers. By default the information is stored in /var/log/snort or in a specified directory. Snort creates a subdirectory of alerts for each IP address, which slows Snort down, so this mode is not recommended.

alert_unixsock: this option requires a UNIX domain socket to be set up, and alerts are sent to it. External programs or processes listening on the socket receive the alerts and the packet data in real time.

log_tcpdump: this configuration option makes Snort write its log files in the file format of the tcpdump program. This is especially useful for aggregating and analysing large volumes of information. Many tools can read this format, which makes it very useful.

csv: a text storage format with comma-separated fields. This format makes it easy to import the data into databases.

unified and unified2: the two unified output formats; unified2 is the improved version of unified. The advantages of storing output in the unified formats are: easy storage and management, much faster than the other methods, and output files whose contents are hard to tamper with.

log_null: this option is useful in cases where one wants to write a few rules that alert on network traffic without writing them to log files.


CHAPTER 4

RULES IN SNORT

Introduction

A Snort rule can be understood simply as being like a rule or law in the real world: it has a part describing a condition and a part describing what action happens when the condition is true. One of the most valuable features of Snort is that it lets users write their own rules or customise existing rules to fit their own network. Besides the large rule base that users can download from the Snort home page, the administrator can develop rules for their own system, instead of depending on a vendor or an outside organisation, or waiting for updates whenever a new attack or a new exploitation method is discovered. The administrator can write a rule specific to their system when they notice unusual network traffic, and compare it against the rule set developed by the community. The advantage of writing one's own rules is that they can be customised and updated extremely quickly when something unusual happens on the network.

Example: If someone tries to open the cabinet door, the siren sounds.

Analysing this, the action "the siren sounds" is carried out if there is a sign that someone is trying to open the cabinet door.

It is the same in a network, except that we cannot use everyday natural language to describe a sign or state of the network. Example: If an SSH connection from a public IP address reaches the web server, block it. Although this is a fairly concrete description, Snort cannot understand it. Snort rules let us describe this sign easily in a language Snort can understand.

To know how to write a rule from the system's data, we need to understand how a Snort rule is structured. A Snort rule is divided into two parts, the header and the options. The header consists of: rule action, protocol, source IP address, destination IP address, subnet mask, source port, destination port. The options consist of the alert message and information about which parts of the packet are to be inspected to determine which action to apply.

4.1. Rule Header

    Rule Header: Rule Action | Protocol | Src/Dst address and port    Rule Option

Figure 4.1: Structure of a rule in Snort.

4.1.1. Rule Action

The header contains the information identifying the who, where and what of a packet, as well as what to do if all the attributes in the rule match. The first item in a rule is the rule action, which tells Snort what to do when it sees packets matching the rule's criteria. There are five default actions in Snort: alert, log, pass, activate and dynamic. When Snort runs in inline mode there are additional options: drop, reject and sdrop.

alert - generate an alert using the selected alert method, then log the packet.

log - log the packet.

pass - ignore the packet.

activate - alert and then turn on another dynamic rule to check further conditions of the packet.

dynamic - remain idle until activated by an activate rule, then act as a log rule.

drop - block the packet and log it.

reject - block the packet, log it and send back a response message.

sdrop - block the packet but do not log it.

Beyond these, actions can be defined by the user.

4.1.2. Protocol

The next field in the rule is the protocol. There are four protocols for which Snort currently analyses anomalous behaviour: TCP, UDP, ICMP and IP.

4.1.3. IP Address

The next item in the header is the IP address. These addresses are used to check where a packet comes from and where it is going. An IP address can be the address of a single host or of a network. The keyword any is used to denote any address.

An IP address is written in the form ip_address/netmask. This means that a netmask of /24 denotes a class C network, /16 a class B network, and /32 a single host. For example, the address 192.168.1.0/24 denotes the range of hosts with IP addresses from 192.168.1.1-192.168.1.255.

Of the two IP addresses in a Snort rule, one is the source IP address and one is the destination IP address. Which is the source and which is the destination depends on the direction operator.

The negation operator can also be applied to IP addresses, meaning that Snort excludes the addresses it is applied to when checking the packet's address. The operator is !. We can also define a list of IP addresses by writing them one after another, separated by commas.

Example:

    alert tcp any any -> ![192.168.1.0/24, 172.16.0.0/16] 80 (msg:"Cho phep truy cap";)

4.1.4. Port

Ports can be defined in several ways. With the keyword any, as with IP addresses, any port is accepted. A fixed port can be given, for example to check port 80 for http or port 22 for ssh. The negation operator can also be used to exclude a port, and a range of ports can be listed.

Example:

    log udp any any -> 192.168.1.0/24 1:1024        any port to the port range 1-1024.
    log udp any any -> 192.168.1.0/24 :6000         any port to ports lower than 6000.
    log udp any any -> 192.168.1.0/24 500:          any port to ports higher than 500.
    log udp any any -> 192.168.1.0/24 !6000:6010    any port to any port, excluding the range 6000-6010.

4.1.5. Direction

The direction operator -> indicates which side is the source and which the destination. The IP address and port on the left of the operator are treated as the source address and port, those on the right as the destination address and port. There is also the operator <>, with which Snort treats the source and destination address/port pairs as interchangeable, meaning it logs/analyses both sides of the conversation.

Example:

    log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23
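As an added Python example (my code, not Snort's own parser) covering the IP, port and direction fields of sections 4.1.3 to 4.1.5: the rule headers from the examples above are tokenised, including the ! negation, bracketed address lists and the port range forms, and evaluated against constructed packet tuples in both directions.

```python
import ipaddress


def tokenize_header(header: str) -> list:
    """Split a rule header on whitespace, but keep [a, b] lists together."""
    tokens, current, depth = [], "", 0
    for ch in header:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch.isspace() and depth == 0:
            if current:
                tokens.append(current)
            current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def ip_matches(spec: str, ip: str) -> bool:
    """'any', '192.168.1.0/24', '!10.0.0.0/8' or '![a/24, b/16]' against one address."""
    negate = spec.startswith("!")
    body = spec.lstrip("!").strip("[]")
    if body == "any":
        hit = True
    else:
        nets = [ipaddress.ip_network(n.strip(), strict=False) for n in body.split(",")]
        hit = any(ipaddress.ip_address(ip) in net for net in nets)
    return hit != negate      # negation flips the result


def port_matches(spec: str, port: int) -> bool:
    """'any', '80', '1:1024', ':6000', '500:' or '!6000:6010' against one port."""
    negate = spec.startswith("!")
    body = spec.lstrip("!")
    if body == "any":
        low, high = 0, 65535
    elif ":" in body:
        lo_s, hi_s = body.split(":", 1)
        low = int(lo_s) if lo_s else 0          # ':6000' means up to 6000
        high = int(hi_s) if hi_s else 65535     # '500:' means 500 and above
    else:
        low = high = int(body)
    return (low <= port <= high) != negate


def header_matches(header: str, pkt: dict) -> bool:
    """pkt: {'proto', 'src', 'sport', 'dst', 'dport'} (constructed, not a real packet)."""
    action, proto, src_ip, src_port, direction, dst_ip, dst_port = tokenize_header(header)
    if proto != "ip" and proto != pkt["proto"]:
        return False
    forward = (ip_matches(src_ip, pkt["src"]) and port_matches(src_port, pkt["sport"])
               and ip_matches(dst_ip, pkt["dst"]) and port_matches(dst_port, pkt["dport"]))
    if direction == "->":
        return forward
    if direction == "<>":     # bidirectional: either side may be the source
        reverse = (ip_matches(src_ip, pkt["dst"]) and port_matches(src_port, pkt["dport"])
                   and ip_matches(dst_ip, pkt["src"]) and port_matches(dst_port, pkt["sport"]))
        return forward or reverse
    raise ValueError(f"bad direction operator: {direction}")


# Constructed packets: an outside host talking to an inside telnet server, and the reply.
TO_TELNET = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.10", "dport": 23}
FROM_TELNET = {"proto": "tcp", "src": "192.168.1.10", "sport": 23, "dst": "10.0.0.5", "dport": 40000}

if __name__ == "__main__":
    rule = "log tcp !192.168.1.0/24 any <> 192.168.1.0/24 23"
    print(header_matches(rule, TO_TELNET), header_matches(rule, FROM_TELNET))
```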

4.1.6. Activate/Dynamic rules

This pair of rules gives Snort a very powerful capability. An activate rule is like an alert rule except that it has an extra field: activates. A dynamic rule is like a log rule but has the extra fields activated_by and count.

Example:

    activate tcp !$HOME_NET any -> $HOME_NET 143 (flags:PA; content:"|E8C0FFFFFF|/bin"; activates:1; msg:"IMAP buffer overflow!";)
    dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by:1; count:50;)

4.2. Rule Options

The rule options are the heart of intrusion detection. They hold the signs that identify an intrusion. They follow immediately after the rule header and are enclosed in parentheses (). All rule options are separated from one another by semicolons ;, and an option's arguments are separated from its keyword by a colon :.

There are four main classes of rule options:

- General: options that provide information about the rule but have no effect on detection.
- Payload: options relating to the payload of a packet.
- Non-payload: options that do not relate to the packet payload (header fields).
- Post-detection: options that trigger specific rules after a rule has fired.

4.2.1. General

a. msg

msg is a common and useful keyword used to attach a text string to the log and alert. The text string is enclosed in double quotes "". To include a special character, precede it with \.

Example:

    msg:"Chuỗi văn bản được đặt ở đây";

b. reference

reference is a keyword used to refer to information from another system on the Internet.


    System      URL Prefix
    bugtraq     http://www.securityfocus.com/bid
    cve         http://cve.mitre.org/cgi-bin/cvename.cgi?name=
    nessus      http://cgi.nessus.org/plugins/dump.php3?id=
    arachnids   http://www.whitehats.com/info/IDS (down)
    mcafee      http://vil.nai.com/vil/content/v_
    osvdb       http://osvdb.org/show/osvdb
    url         http://

Figure 4.2: Reference table.

Syntax:

    reference:<id system>, <id>; [reference:<id system>, <id>;]

Example:

    alert tcp any any -> any 7070 (msg:"IDS411/dos-realaudio"; \
        flags:AP; content:"|fff4 fffd 06|"; \
        reference:arachnids,IDS411;)

    alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; \
        flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; \
        reference:arachnids,IDS287; reference:bugtraq,1387; \
        reference:cve,CAN-2000-1574;)

c. sid

The sid keyword is used to uniquely identify a rule in Snort. This option lets output plug-ins identify rules easily. It should be used together with the rev keyword.


>= 1,000,000 are used for local rules.

d. rev

The rev keyword is used to identify revisions of a Snort rule. It is commonly used to distinguish different versions of a rule.

e. classtype

The classtype keyword classifies the form of attack together with the priority of that class of attack. The classes are defined in the file classification.config.

    config classification: <class name>, <class description>, <default priority>

    config classification: web-application-attack,Web Application Attack,1
    config classification: network-scan,Detection of a Network Scan,3
    config classification: misc-activity,Misc activity,3

f. priority

Used to assign the severity level of a rule. The classtype field assigns the default priority of a class of attack, but the priority can be overridden with this keyword.

Syntax:

    priority:<integer>;

Example:

    alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; \
        flags:A+; content:"/cgi-bin/phf"; priority:10;)

4.2.2. Payload

a. content

The content keyword lets the user set up rules that search for specific strings in the packet payload and trigger alerts based on that data. The content can be ASCII, binary, or a mix of both. Binary data must be enclosed in the pipe characters | | and written in hexadecimal.

Example:

    alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)
    alert tcp any any -> any 80 (content:!"GET";)

b. nocase

Used with the content keyword to search for content without distinguishing upper and lower case.

c. rawbytes

The rawbytes keyword lets a rule inspect the raw packet data before any decoding.

Example:

    alert tcp any any -> any 21 (msg:"Telnet NOP"; content:"|FF F1|"; rawbytes;)

d. depth

The depth keyword specifies how far into the packet the rule searches. Minimum 1, maximum 65535. It is used with the content keyword to limit the search, and combined with the offset keyword it defines a window of data to compare against the content pattern.

e. offset

The offset keyword specifies where in the packet the pattern search starts. It accepts values from -65535 to 65535. offset is used with the content keyword to limit the search space.

Example:

    alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)


Note the difference between the following two rules:

    content:"GET"; offset:0; content:"downloads"; offset:13;
    content:"GET"; content:"downloads";

The first restricts where each match may begin (GET is searched from byte 0, downloads only from byte 13 onwards), while the second accepts both strings anywhere in the payload.

f. distance

The distance keyword is used when we want to skip a number of bytes after the previously matched content.

Example:

    content:"GET"; depth:3; content:"downloads"; distance:10;

This rule means that after finding the string GET within the first 3 bytes of the data field, the rule moves another 10 bytes past the end of GET and only then searches for downloads.

g. within

The within keyword ensures that at most N bytes lie between the content patterns being searched for. It is similar to depth, but instead of starting from the beginning of the packet like depth, it starts from the previous pattern.

Example:

    content:"GET"; depth:3; content:"download"; distance:10; within:9;

This rule is similar to the one above: find GET within the first 3 bytes of the data field, move 10 bytes beyond GET and look for download. However, download must appear within the next 9 bytes.

h. uricontent

Similar to the content keyword, except that it searches for the string in the URI field.

Example:

    log tcp any any -> any 80 (content:"Logging PHF"; uricontent:"/cgibin/phf";)
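The content modifiers from subsections a to g, as an added Python matcher (my code, not Snort's detection engine): it parses the option strings used in the examples above into content checks, honouring offset/depth (relative to the payload start), distance/within (relative to the end of the previous match), nocase, the ! negation and |hex| bytes, and runs them over constructed payloads.

```python
import re

# One option: keyword, optional ":" then either a quoted string (with optional !) or a number.
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*(!?)\s*(?:"([^"]*)"|(-?\d+)))?\s*;')


def decode_content(text: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, inside is hex bytes."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 == 1 else part.encode()
    return out


def parse_options(options: str) -> list:
    """Turn 'content:"GET"; depth:3; ...' into a list of content checks."""
    checks = []
    for match in OPTION.finditer(options):
        key, negate, quoted, number = match.groups()
        if key == "content":
            checks.append({"pattern": decode_content(quoted), "negate": negate == "!"})
        elif key in ("offset", "depth", "distance", "within") and checks:
            checks[-1][key] = int(number)
        elif key == "nocase" and checks:
            checks[-1]["nocase"] = True
        # msg, sid, flags and other keywords are ignored by this matcher
    return checks


def match_contents(payload: bytes, checks: list) -> bool:
    """Apply the checks in order, each one constrained by its modifiers."""
    cursor = 0                               # end of the previous successful match
    for check in checks:
        haystack, pattern = payload, check["pattern"]
        if check.get("nocase"):
            haystack, pattern = haystack.lower(), pattern.lower()
        if "distance" in check or "within" in check:
            start = cursor + check.get("distance", 0)           # relative to last match
            end = start + check["within"] if "within" in check else len(haystack)
        else:
            start = check.get("offset", 0)                      # relative to payload start
            end = start + check["depth"] if "depth" in check else len(haystack)
        index = haystack.find(pattern, max(start, 0), end)
        found = index != -1
        if found == check["negate"]:         # found a negated pattern, or missed a required one
            return False
        if found:
            cursor = index + len(pattern)
    return True


def rule_matches(options: str, payload: bytes) -> bool:
    return match_contents(payload, parse_options(options))


# The distance and within rules discussed above, run over constructed payloads.
DISTANCE_RULE = 'content:"GET"; depth:3; content:"downloads"; distance:10;'
WITHIN_RULE = 'content:"GET"; depth:3; content:"download"; distance:10; within:9;'

if __name__ == "__main__":
    print(rule_matches(DISTANCE_RULE, b"GET /files/x/downloads"))   # True
    print(rule_matches(WITHIN_RULE, b"GET /files/xyz/download"))    # False: starts too late
```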


i. pcre (http://www.pcre.org/)

PCRE stands for Perl Compatible Regular Expressions. Perl is a practical extraction and report language used for processing and manipulating character strings.

Example:

    alert tcp any any -> any 80 (content:"/foo.php?id="; pcre:"/\/foo.php?id=[0-9]{1,10}/iU";)

The rule above performs a case-insensitive search in the HTTP URI for what follows the string foo.php?id=.

4.2.3. Non-Payload

a. ttl

The ttl keyword checks the time-to-live value in the IP header. It is used to detect attempts to traceroute the network.

Syntax:

    ttl:[<, >, =, <=, >=]<number>;
    ttl:[<number>]-[<number>];

Example:

    ttl:


d. ipopts

The ipopts keyword checks the IP Option field in the IP header. This field is 20 bits in size and can take the following values:

    rr    Record Route
    eol   End of list
    nop   No Op
    ts    Time Stamp