Signature Generation for an Intrusion Detection System (Phát sinh mẫu cho hệ thống phát hiện xâm nhập)


Project 2: Signature generation for an intrusion detection system

ACKNOWLEDGEMENTS

First, we would like to sincerely thank our supervisor, Mr. Mai Xuân Phú, for his dedicated guidance, his comments and the reference material he provided so that we could complete this work as well as possible. We also thank the Industrial University of Ho Chi Minh City and the lecturers of the Faculty of Information Technology, who prepared the course materials and books and created the best possible environment for us to learn, exchange ideas, consult references and find the information needed to carry out our project. Shortcomings are hard to avoid, and our group hopes to receive comments from all lecturers and friends so that we can do better on future projects.

We sincerely thank you!

Ho Chi Minh City, 21 November 2013
The student group

SUPERVISOR'S COMMENTS
Ho Chi Minh City, ... 2013
Supervisor

ThS. Mai Xuân Phú

REVIEWER'S COMMENTS
Ho Chi Minh City, ... 2013
Reviewer

ThS. Nguyễn Hòa

WORK ASSIGNMENT

Name: Huỳnh Quang Sang
Tasks: study IDS in detail; study the Snort application; deploy, install and operate the NIDS; study the signature-generation mechanism; build the signature-generation system for the IDS.

Name: Hoàng Thị Bích Dương
Tasks: study honeypots in detail; study the Honeywall and Sebek applications; deploy, install and operate the honeynet; study the signature-generation mechanism; build the signature-generation system for the IDS.


OVERVIEW

System security is one of the fields receiving a great deal of attention today, not only within agencies, companies and factories but on a global scale. Alongside the benefits that the rapid development of information technology brings, the risk of attacks intended to sabotage systems, break into networks to steal information, or alter data for malicious purposes persists and keeps growing. According to statistics from CERT (Computer Emergency Response Team), the number of attacks keeps rising: about 200 incidents in 1989, 400 in 1991, 1,330 in 1994, and 8,064 vulnerabilities discovered in 2006 (a 35% increase over 2005), with strong growth expected to continue. In Vietnam, from the start of 2013 to the time of writing, about 2,405 websites of agencies and businesses were compromised; most notably, in July a series of large online newspapers (Tuổi Trẻ, VietNamNet, Dân Trí) were hit by distributed denial-of-service (DDoS) attacks that left many of them congested or paralysed for a short time. Deploying a security system with a sound protection mechanism, one that reduces the risk of attack and sabotage and keeps information safe, is therefore genuinely necessary in today's technological era.

There are many ways to defend computer systems against hackers, such as firewalls or encrypting information. However, when a hacker has already compromised a computer and uses it as a tool to attack other computers, or when an attack originates inside the local network, a firewall cannot detect or block it. In this case an IDS is regarded as the appropriate solution, because an IDS can detect attacks whether they originate inside or outside the local network. Combining an IDS with a honeypot is also regarded as a highly effective solution that can both detect attacks and help trace the perpetrator: a honeypot is a decoy system placed next to the real system with the purpose of luring hackers into attacking it, so that their attack techniques and information about them can be collected and logged.

When the IDS is combined with a honeypot, the logs the honeypot captures are turned into entries in the IDS signature list; based on the indicators in those signatures the IDS can then detect attacks on the system, performing its monitoring, alerting and protection functions, keeping the network safe, minimising the incidents that may occur, and helping the system run stably over the long term. To better understand the concepts, functions, technique-collection steps, operating mechanism and signature generation of honeypots and IDS, our group researched and carried out the project "Signature generation for an intrusion detection system" with:

Objectives: master IDS, understand how an IDS works and how signatures are generated; understand the concept, classification, functions and operating steps of honeypot systems; deploy a honeypot system and build a system that generates signatures for the IDS from honeypot logs.

Research method: the group mainly searched for material in books, articles and on the Internet, consulted lecturers and friends, and studied the English-language documents provided by the lecturers.

Research subjects: honeypot systems and IDS; the applications Snort, Honeywall and Sebek.

Report structure, four chapters:
Chapter I: Overview of IDS
Chapter II: Overview of honeypots
Chapter III: Deploying the NIDS and the honeynet
Chapter IV: Building the signature-generation system for the IDS

Chapter I: Overview of IDS

Many methods are applied and developed today to secure computer networks, such as firewalls and encryption; an IDS (intrusion detection system) is another method of averting hacker attacks, by monitoring computer resources and raising alerts about abnormal activity or known patterns. To make this clearer, this chapter presents the concept of an IDS, its operating mechanism and basic functions, as well as the meaning and importance of an IDS for network security.

1. Introduction to IDS:

a. Concept:
An intrusion detection system (IDS) is a system whose task is to monitor and collect information about traffic in the network. It automatically tracks the events occurring in a computer system, analyses them to detect suspicious security problems, and notifies the administrator. An IDS detects attacks based on known attack indicators, or by comparing current network traffic with the system's normal traffic to find unusual indicators, and raises alerts so that the administrator can block the attacking connections. An IDS can also distinguish whether an attack originates inside the local network or from outside (a hacker).

b. Functions:
An IDS has the following basic functions:
- Monitor network traffic and watch for suspicious actions.
- Provide the administrator with information about the attack or intrusion, such as the attack method and the tools used.
- Alert the system and the administrator when suspicious actions that constitute an attack on the system are being carried out.
- Detect destructive attacks based on known indicators, or by comparing current network throughput with the previously observed normal throughput.
- Distinguish whether an attack comes from outside or originates inside the local network.
- Serve legitimate users' access requests while blocking illegitimate users, using default settings and the administrator's configuration against intruders and saboteurs.
Strictly speaking, a passive IDS only detects and alerts; blocking is the job of the firewall or of an inline deployment (IPS), such as the Snort-Inline mode described in Chapter III.

2. Basic components of an IDS:
An IDS has three basic components: packet collection, packet analysis (detection), and response.

Basic components of an IDS (figure not reproduced)

- Information collection component: inspects the packets travelling on the network. The NIC is placed in promiscuous mode, so every packet passing it is recorded and processed, then handed to the packet analysis component.
- Detection component: the most important component of the IDS. Here attacks, or packets carrying malicious code, are detected using the system's intrusion-detection methods: anomaly-based and signature-based.
- Response component: when there are signs of intrusion or of a destructive attack, the detection component signals the response component, which activates the attack-blocking function (at the firewall) and notifies the administrator so that countermeasures can be taken in time.

3. Classification of IDS:
There are two kinds of IDS: host-based IDS (HIDS) and network-based IDS (NIDS).

a. Network-based IDS:
A network-based IDS, or NIDS, may be a hardware appliance or software, installed to monitor and track all data exchanged on a network segment containing many hosts. A NIDS inspects packets, scans packet headers, and can inspect packet contents to detect dangerous code or different kinds of attack. In a NIDS the sensors are placed at specific, critical points so that traffic across the whole network can be monitored and packets analysed to detect attacks, so the cost is relatively low. However, when network traffic is high the sensor may be unable to keep up and drop packets. A NIDS also cannot analyse encrypted traffic such as SSH or SSL.

In the figure above (not reproduced), the coloured device is where the NIDS is installed; it sits between the external Internet and the internal network, and a single NIDS can monitor every computer in the network.

b. Host-based IDS:
A host-based IDS, or HIDS, is software installed on one particular machine. Instead of monitoring activity across the whole network like a NIDS, a HIDS monitors only the activity, traffic and log files of one host, detecting attacks aimed directly at that specific host. A HIDS can analyse traffic that was encrypted on the wire, because it sees the data after the host has decrypted it. It can be installed on many kinds of machine (servers, workstations), so a HIDS is more flexible than a NIDS. When a packet arrives at the host it is analysed and forwarded if it contains no malicious code. The disadvantages of a HIDS are higher cost than a NIDS, since it must be set up on every host to be monitored, and harder management, updating and configuration. Being installed on the host, a HIDS depends on that machine's operating system. A HIDS mainly detects attacks using the information stored in log files. Some HIDS products are designed primarily for Windows, but HIDS exist for every major operating system.

The devices shaded yellow in the figure (not reproduced) are hosts with a HIDS installed.

4. How an IDS works:
An IDS has many functions, but its two main ones are detecting attacks and raising alerts to the system or the administrator about them. To decide whether an activity is normal or is an attack, an IDS relies on two main methods: anomaly-based and signature-based.

a. Anomaly-based:
With this method a profile of the system's normal activity is established and compared with the system's current state. When the current state differs from the normal profile, an intrusion is inferred. For example, the computers in the network usually operate and send or receive data between 7 am and 5 pm; when a machine is active at 8 pm and sending or receiving data, that is an anomaly and the likelihood of an attack is high. This method lets the system detect previously unknown kinds of attack. To work accurately, an IDS using this method must first monitor the system during normal operation and collect statistics about it, as the basis for detecting anomalies later. Its weakness is false positives: any legitimate change in behaviour (a backup job at night, a new service) looks like an intrusion until the profile is retrained.

b. Signature-based:
A signature holds the information needed to describe a known kind of attack. With this method, packets entering the system are compared with the signatures stored in the IDS database; if there is a match, the IDS raises an alert to the administrator. Signature-based intrusion detection is very widely used today, because signatures are easy to develop and produce accurate alerts. However, every attack, and every variant of it, needs its own signature added to the IDS database, so the database becomes very large. The method requires maintaining a database of intrusion signatures that must be updated whenever a new form or technique of intrusion appears, and it cannot detect an attack for which no signature exists yet.
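The two methods side by side, as an added example that is not part of the original report: a toy detector over constructed flow records. The anomaly method learns the active hours from a baseline and flags traffic outside them; the signature method matches byte patterns against the payload. The flows, hosts and signatures are all invented for the example; the point it makes is that the after-hours flow is caught only by the anomaly method and the traversal attempt at noon only by the signature method.

```python
# Added example (not from the report): the two IDS detection methods on
# constructed flow records. Everything below (hosts, hours, signatures) is
# invented for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    hour: int        # hour of day the flow was seen (0-23)
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed training traffic: ordinary office activity between 07:00 and 17:00.
BASELINE = [
    Flow(7, "10.0.0.11", "10.0.0.10", 80, b"GET /index.html HTTP/1.1"),
    Flow(9, "10.0.0.12", "10.0.0.10", 80, b"GET /news HTTP/1.1"),
    Flow(12, "10.0.0.11", "10.0.0.20", 25, b"EHLO mail.example.test"),
    Flow(16, "10.0.0.13", "10.0.0.10", 80, b"POST /login HTTP/1.1"),
]

# Constructed signatures: (name, destination port or None for any port, byte pattern).
SIGNATURES = [
    ("HTTP directory traversal", 80, b"../../"),
    ("Unix passwd file request", None, b"/etc/passwd"),
]


def build_profile(flows):
    """Anomaly method, training step: learn the contiguous window of hours
    in which normal traffic was observed."""
    hours = {f.hour for f in flows}
    return set(range(min(hours), max(hours) + 1))


def anomalies(profile, flows):
    """Anomaly method, detection step: any flow outside the learned window."""
    return [f for f in flows if f.hour not in profile]


def signature_hits(flows, signatures=SIGNATURES):
    """Signature method: every (rule name, flow) whose port and payload match."""
    hits = []
    for f in flows:
        for name, port, pattern in signatures:
            if (port is None or f.dport == port) and pattern in f.payload:
                hits.append((name, f))
    return hits


# Constructed test traffic: an after-hours SMB transfer (no signature for it),
# a traversal attempt during working hours, and a benign daytime request.
TEST = [
    Flow(20, "10.0.0.14", "10.0.0.10", 445, b"\x00\x00\x00\x85\xffSMB"),
    Flow(12, "10.0.0.50", "10.0.0.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Flow(10, "10.0.0.11", "10.0.0.10", 80, b"GET /about HTTP/1.1"),
]

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for f in anomalies(profile, TEST):
        print("ANOMALY  ", f)
    for name, f in signature_hits(TEST):
        print("SIGNATURE", name, f)
```

Note that the anomaly profile here is deliberately crude (a single window of hours for the whole network); a real profile would be per host and per service, which is exactly what makes the method expensive to train and prone to false positives when behaviour changes.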

Chapter II: Overview of honeypots

Honeypots are a relatively recent technology in computer network security. Their task is to imitate the real system and observe hackers' attacks while keeping system resources safe; honeypots are regarded as one of the most effective trap systems. This chapter presents the basic knowledge: the concept, classification, purpose and meaning of honeypots, their functions, role and placement within a system, and an outline of the honeynet, a high-interaction form of honeypot, in its network-security role.

1. Concept, role and meaning of honeypots:

a. Concept:
The honeynet approach dates from 4 August 1999, when Lance Spitzner, one of the founders of the Honeynet Project, published the article "To Build a Honeypot", introducing the idea of building a honeynet to study hackers' attack techniques so that attacks could be blocked in time [1] (the word "honeypot" itself is older than that article). Literally, a honeypot is a pot of honey used as an insect trap. In network security, a honeypot is an information-resource system: it can imitate any resource server hackers are interested in (mail server, FTP, DNS, web server) in order to attract their attention, so that they attack this decoy instead of the real system.

b. Role and meaning:
When a hacker attacks the honeypot's decoy system, the honeypot observes the attack, records logs and triggers its alerting functions. The goal of a honeypot is to monitor and examine the hacker's activity after they have gained control of machines inside the honeypot, in order to record their intrusion traces and decode their attack methods and techniques. The more closely the honeypot resembles a real system, the more easily it deceives hackers. A honeypot is a replica of a real system, but with deliberately planted security holes, and it often contains seemingly valuable information such as bank accounts or stock information, to lure attackers into attacking the decoy. The honeypot interacts directly with the hacker, extracts the information needed about them, and keeps them away from the real system, protecting it from the dangers hackers pose.

c. Advantages and disadvantages of honeypots:
Advantages:
- A honeypot only holds information about malicious or suspicious actions, so the amount of data it collects is small but of high value and easy to analyse.
- Because a honeypot does not monitor or capture much activity, it rarely runs into resource exhaustion; it watches only the activity aimed at itself, so it needs neither much memory nor much disk.
- Honeypots are a simple technology, easy to configure and use, with little that can go wrong or be misconfigured. They capture suspicious actions without needing to understand what interacts with them, so they also work well in encrypted or IPv6 environments.
Disadvantages:
- The biggest drawback of a honeypot is its narrow field of view: it sees and captures only activity directed against it. If a hacker attacks other systems, the honeypot does not observe those attacks.
- A honeypot can be fingerprinted by the hacker as a decoy. The hacker can then deliberately feed it false information for it to study, leading the honeypot to incorrect conclusions, and from there attack the real system and harm other systems.
Because of these drawbacks, honeypots cannot replace other security mechanisms such as firewalls and intrusion detection systems. Instead, a honeypot records logs from which information about the hacker can be recovered, usable as evidence in litigation. In addition, the honeypot absorbs the hacker's attacks in place of the real system, keeping the real system safe.

2. Honeypot placement:
There are three main zones in which to place a honeypot:

a. External placement:
The external zone is in front of the firewall, outside the internal network. No firewall separates the honeypots from the Internet, so the risk is usually higher than in the other positions.

b. Internal placement:
The honeypots sit inside the internal network, separated from the Internet by the firewall. This is the best position for early warning of any exploitation from outside into the network, protecting the internal network and capturing threats; the internal zone is a trusted zone. Note that a honeypot compromised inside the trusted zone becomes a pivot point, which is why the data control described in Chapter III matters most for this placement.

c. DMZ placement:
The DMZ (demilitarized zone) is kept separate from the internal network, and placing honeypots in the DMZ is the choice companies often make.
The DMZ contains the services that the outside can reach (with restrictions). Honeypots can be placed alongside the servers in the DMZ (mail server, web server) to give early warning of threats at that location. The DMZ may use public or private IP addresses. However, honeypots in the DMZ are not the best position for early warning of an attack that damages the internal network; the DMZ is a semi-trusted zone.

Comparison of honeypot placements:

Placement       Advantages                                   Disadvantages
External zone   Easy to build and deploy                     Poor data control; high risk
Internal zone   Good for monitoring the internal network;    Complex installation
                early-warning system
DMZ             Good data control                            Complex installation; weaker alerting;
                                                             hard to protect the internal network

3. Classification:
Honeypots are divided into two types:

Low interaction: a low-interaction honeypot does not provide real services, applications or an operating system for the hacker to interact with; the services, applications and operating system are only emulated, so the information collected is limited and restricted to the emulated services. On the other hand, they are easy to deploy and maintain and carry low risk, because their design is simple and their functions are basic. Some low-interaction honeypots:
- BackOfficer Friendly (BOF): one of the simplest honeypots to use, designed to run on most Windows or Linux systems but mostly deployed on Windows. Installing BOF is very simple, it is easy to configure and needs little maintenance. However, BOF can only detect and alert on attacks against 7 ports corresponding to 7 services (FTP port 21, SMTP port 25, HTTP port 80, POP3 port 110, Telnet port 23, IMAP port 143, and Back Orifice on UDP port 31337). BOF has no remote login and no customisation or configuration features.
- Specter: like BOF, Specter is a low-interaction honeypot, but with more functions, including alerting and logging. It can emulate about 14 ports. It is easy to deploy, simple to maintain and low risk. Specter is limited in how much information it can collect compared with high-interaction honeypots. Besides emulating various services, Specter can emulate 13 different operating systems, which gives flexibility in identifying threats against different operating systems. Specter cannot listen on, or monitor, a port owned by another application: if a web server runs on the same machine, Specter cannot monitor port 80.
- Honeyd: an open-source low-interaction honeypot whose purpose is to detect, capture and alert on suspicious activity. It claims IP addresses that do not otherwise exist; when a hacker tries to attack one of those addresses, honeyd uses it to interact with the attacker and collect information, and it can watch up to millions of unused addresses for connections. It can listen on all TCP and UDP ports and gives full access to its source code. Honeyd can emulate many operating systems at the same time (473 operating-system fingerprints). Designed for Unix platforms, honeyd is relatively easy to install and configure from the command line. However, honeyd cannot provide a real operating system for the hacker to interact with, and it has no intrusion-alerting feature of its own.

High interaction: at this level the honeypot installs and runs real services, applications and operating systems, exactly like a normal working network. This type collects more data and information than low interaction, but the risk is also higher (because real applications, operating systems and services run, configuration and deployment are very complex and design mistakes are easy to make), and deployment and maintenance are complex and time-consuming. The honeynet is the characteristic form of this level of interaction.
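What "emulated services on addresses that do not exist" looks like in practice, as an added honeyd configuration example that is not part of the original report: two decoy hosts bound to two otherwise unused addresses, each with an operating-system personality and a handful of emulated ports. The addresses 10.0.0.30 and 10.0.0.31 are chosen for the example; the personality strings must match entries in honeyd's nmap fingerprint file and the service script under scripts/ must exist in your honeyd installation, so both are assumptions to check.

```conf
# honeyd.conf, added example (not from the report). Addresses, personality
# names and the script path are assumptions; honeyd rejects a personality it
# cannot find in nmap.prints, so verify them against your installation.
create linuxweb
set linuxweb personality "Linux 2.4.20"
set linuxweb default tcp action reset
set linuxweb default udp action reset
add linuxweb tcp port 22 open
add linuxweb tcp port 80 "sh scripts/web.sh"
bind 10.0.0.30 linuxweb

create winbox
set winbox personality "Microsoft Windows XP Professional SP1"
set winbox default tcp action reset
add winbox tcp port 135 open
add winbox tcp port 139 open
add winbox udp port 31337 open
bind 10.0.0.31 winbox
```

Started with `honeyd -d -f honeyd.conf -i eth0 10.0.0.30-10.0.0.31` (with arpd, or honeyd's own ARP handling depending on the version, answering for those addresses), the daemon logs every connection attempt to the two decoys; `open` ports complete the handshake and nothing more, which is why the information collected is limited to what the attacker sends before giving up.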

Chapter III: Building the honeynet and the NIDS

From the overviews in Chapters I and II we know that a honeynet is a high-interaction honeypot and that a NIDS (network-based IDS) is a category of IDS that mainly monitors the data flowing in and out of the network. What do these two systems need deployed and configured? How are they configured? And what is the goal of building the honeynet and the NIDS? This chapter introduces in more detail the working architecture, deployment, installation and operation of the honeynet and of Snort: configuring Sebek and the Honeywall for the honeynet, and configuring rules and creating the database for Snort as the NIDS, so that attackers can be averted and the network and the data in it protected as effectively as possible.

1. The honeynet system

A honeynet is a high-interaction honeypot: by running real applications, services and operating systems it gathers more data, but the risk is also relatively high, because design, deployment and configuration are complex. The purposes of building a honeynet are:
- Collect the techniques, attack methods and tools that hackers use.
- Discover early the vulnerabilities present on the real system, so that they can be fixed in time; at the same time, test the security of the network and of its services (web, DNS, mail, ...) and the safety, reliability and quality of other IT products (especially operating systems: Unix, Linux, Windows, ...).
- Collect information and traces of the hacker (the IP address used for the attack, the hacker's location, the time of the attack, ...) so that the perpetrator can be traced.

1.1 Honeynet architecture

1.1.1 Physical architecture

a. First-generation honeynet architecture (Gen I):
The first honeynet appeared in 1999 and is called Gen I. A Gen I honeynet is a network placed separately from the real network to keep that system safe. It consists of honeypots separated from the external Internet by a firewall; all traffic in and out of the honeynet must pass through this firewall. The firewall and the intrusion detection system (IDS) are two separate systems.

Physical architecture of the first-generation honeynet (Gen I) (figure not reproduced)

The firewall controls the traffic in and out of the system and uses deny/allow rules so that the hacker attacks the honeynet rather than the real network. The main purpose of this generation of honeynet is to capture the hacker's actions. The amount of information the honeynet collects is relatively large, and it can detect attacks as well as the technologies hackers use.

b. Second- and third-generation honeynet architecture (Gen II, Gen III):
The second generation of honeynet appeared in 2001, and Gen III at the end of 2004. Unlike the first generation, in Gen II and Gen III the firewall and the IDS are no longer independent; they are combined into a single gateway called the Honeywall, which handles data control and data capture.

Physical architecture of Gen II and Gen III honeynets (figure not reproduced)

In the figure above, the Honeywall has three network cards: eth0 connects to the external Internet (the side the hacker comes from) and has no IP address; eth1 connects to the network containing the honeypots and also has no IP address. Because the gateway is an invisible bridge, the hacker has difficulty discovering that they are interacting with a decoy honeynet. The third card, eth2, is the management interface and the only one with an address; it is configured in section 1.3.

c. Virtual honeynet:
The virtual honeynet is a newer physical architecture that works like the second- and third-generation honeynets, with the purpose of lowering the cost of the honeynet and simplifying its management by using tools such as VMware and User Mode Linux to create many virtual machines on one physical machine. VMware can run many different operating systems at the same time, but only on Intel x86 hardware. User Mode Linux (UML) is an open-source solution with the same feature of creating virtual machines on a physical machine, but it is normally used only for Linux guests. Today the virtual honeynet is the most commonly used of the physical architectures above.

1.1.2 Logical architecture
The way a honeynet works is expressed through three main functions:
- Data control: controls the data entering and leaving the honeynet and the hacker's activity, preventing the hacker from using the honeynet to attack or damage other systems. For this task the honeynet uses two main tools, the iptables firewall and the Snort IDS.
- Data capture: collects information and monitors and records the attacker's behaviour inside the honeynet. For this task the honeynet uses the Sebek client-server tool.
- Data analysis: supports analysis of the collected material to work out the hacker's techniques, tools and goals, so that countermeasures can be taken in time. The honeynet uses the Walleye and Hflow tools for this.

How the honeynet operates: incoming traffic is controlled by the iptables rule policy (the iptables firewall holds rules that define which accesses in and out of the system are allowed and controls the traffic passing through the Honeywall); alongside it, the attack indicators are defined by the Snort IDS rule policy (presented in a later section).
Next, the honeynet uses the Sebek client-server tool to capture the data entering the system and forwards everything captured into the database. Finally, the system uses tools such as Walleye and Hflow to analyse the data collected in the database, to determine whether the honeynet is under attack and what attack method and tools are being used. From that analysis, rules are added to Snort as indicators that let the honeynet recognise the attack on later occasions.

1.2 Detailed network model for the system:
(figure not reproduced)

1.3 Deploying, installing and operating the honeynet

a. Configuring the Honeywall:
When building a honeynet, the most important element is the Honeywall, because all traffic in or out of the honeypots must pass through it. The Honeywall acts as a gateway between the external Internet and the honeypot network, so configuring it is the most important step in setting up the honeynet. The basic settings are:
- Enter the IP address of the honeypot; the default is 10.0.0.20 (with several honeypots, enter each address separated by a space). These are the addresses the hacker will attack.

- Enter the broadcast address of the honeypot network for the address above.
- Next, configure the IP address of interface eth2 (the management interface). The group used 10.10.10.66 for the management interface.
- Enter the subnet mask for the management interface.
- Enter the default gateway for the management interface (the group entered 10.10.10.66 here).
- Enter a domain name, if any, for the management interface (eth2: 10.10.10.66).
- Enter the IP address of the DNS server for the local domain.
- The next step supports remote management of the honeypots over SSH. By default sshd listens on TCP port 22. Choose Yes/No to have sshd start or stop automatically at boot.
- Enter the restricted list of ports on which remote management connections are accepted. Normally only two are allowed: 22 (SSH) and 443 (the HTTPS management interface).
- To be able to analyse data, enable Walleye. Then enter the list of TCP ports on which outbound connections from the honeypots are allowed.
- Enter the list of UDP ports on which outbound connections are allowed.
- Set the scale for the outbound connection limits for UDP, TCP, ICMP and other protocols. The group set the scale to Hour.
- The group set the TCP limit to 20.

In other words, within one hour the attacker can open 20 outbound TCP connections; once the limit is reached, no further connections can be opened, and after the hour has passed the limit is reset. The same applies to UDP and the other protocols. The Honeywall also has a filtering feature that lets different packets be filtered, giving further control over the data. Set the path to the file holding the blacklist (/etc/blacklist.txt); the blacklist holds the IP addresses that will be blocked.
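The connection limit described above is the Honeywall's data-control mechanism, implemented there with iptables. As an added example that is not the Honeywall's own code, the model below reproduces the decision logic so that its behaviour can be checked offline: limits are counted per honeypot and per protocol within a fixed window, further outbound attempts are dropped until the window expires, and inbound traffic is never limited (so the honeypot stays reachable for the attacker). The event stream, the 3600-second window and the limits 20/20/50/10 are constructed to match the text's settings; the "other" default of 10 is an assumption.

```python
# Added example (not Honeywall code): a model of Honeywall's outbound
# connection limiting. Limits and the event stream are constructed.


class OutboundLimiter:
    def __init__(self, limits, window_seconds=3600):
        # limits: protocol -> connections allowed per window, e.g. {"tcp": 20};
        # the "other" entry (an assumption here) covers any protocol not listed.
        self.limits = dict(limits)
        self.window = window_seconds
        self._count = {}   # (honeypot, proto) -> attempts in the current window
        self._start = {}   # (honeypot, proto) -> timestamp the window opened

    def _limit_for(self, proto):
        return self.limits.get(proto, self.limits.get("other", 0))

    def decide(self, honeypot, proto, direction, now):
        """Return (allowed, reason). `now` is a UNIX timestamp in seconds."""
        if direction == "in":
            return True, "inbound: never limited"
        key = (honeypot, proto)
        start = self._start.get(key)
        if start is None or now - start >= self.window:
            # first connection, or the previous window has expired: reset
            self._start[key] = now
            self._count[key] = 0
        limit = self._limit_for(proto)
        if self._count[key] >= limit:
            return False, "%s limit %d per window reached for %s" % (proto, limit, honeypot)
        self._count[key] += 1
        return True, "%s %d/%d" % (proto, self._count[key], limit)


def simulate(limiter, events):
    """events: iterable of (timestamp, honeypot, proto, direction);
    returns the list of allow/drop decisions in order."""
    return [limiter.decide(hp, proto, direction, ts)[0]
            for ts, hp, proto, direction in events]


# Constructed event stream: an attacker on honeypot 10.0.0.20 opens 22 outbound
# TCP connections within a minute (a scan of other hosts), one outbound UDP
# lookup, receives one inbound connection, then opens a TCP connection an hour
# after the first one.
T0 = 1384956000  # arbitrary epoch value, constructed
EVENTS = ([(T0 + i, "10.0.0.20", "tcp", "out") for i in range(22)]
          + [(T0 + 30, "10.0.0.20", "udp", "out"),
             (T0 + 40, "10.0.0.20", "tcp", "in"),
             (T0 + 3600, "10.0.0.20", "tcp", "out")])

if __name__ == "__main__":
    limiter = OutboundLimiter({"tcp": 20, "udp": 20, "icmp": 50, "other": 10})
    for event, allowed in zip(EVENTS, simulate(limiter, EVENTS)):
        print("ALLOW" if allowed else "DROP ", event)
```

The 21st and 22nd TCP attempts are dropped, the UDP attempt is counted on its own budget, the inbound connection is untouched, and the attempt at T0 + 3600 opens a fresh window. A real deployment also needs the rate to be low enough that 20 connections cannot do much damage to a third party, which is the trade-off the text's "Hour" scale makes.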

- Likewise, set the path to the file holding the whitelist (/etc/whitelist.txt).
- When asked whether the honeypots in the honeynet may reach the DNS servers without limit, choose Yes. (Note that unrestricted DNS gives an attacker an unlimited outbound channel; limit it to the honeynet's own resolvers rather than to any server.)

Sebek is a data-capture tool: it captures all activity on the honeypot and sends the data to the server. Sebek needs the following settings:
- Set the destination IP address of the Sebek packets.
- Set the destination UDP port for the Sebek packets. The default is 1101.

Logging in to the management interface: in a web browser on the management machine, open the address of the management interface (eth2), set above to https://10.10.10.66. The login page appears; log in as the roo user (and change its default password before the system is exposed to anyone). Once logged in, we can manage the Honeywall and view and analyse the collected data.

b. Installing the Sebek client:
In the honeynet, the honeypot machines must have the Sebek client installed. Its purpose is to log the hacker's attack methods and send the log to the Sebek server on the Honeywall; from these captured logs, Snort rules are then created so that attacks of the same kind can be blocked on later occasions. (The Honeywall records and stores the captured data; deriving the rules from it is the subject of this project, not something the Honeywall does by itself.) The group used Ubuntu Server 7.10 as the honeypot, installing the Sebek client from the package sebek-lin26-3.2.0b-bin.tar.gz. After installing Ubuntu Server and logging in, extract the package and change into its directory:

    tar zxf sebek-lin26-3.2.0b-bin.tar.gz
    cd sebek-lin26-3.2.0b-bin

Inside the sebek-lin26-3.2.0b-bin directory, open the file sbk_install.sh:

    nano sbk_install.sh

The configuration section of sbk_install.sh appears as in the figure below (not reproduced).

Continue configuring the file: set the Destination Port to 1101 (Sebek sends its data over UDP, matching the Honeywall setting above) and the Destination MAC to the MAC address of the Honeywall; in the group's setup the Honeywall's MAC address is 00:0C:29:25:5E:E7. Then start the Sebek client installation:

    sudo ./sbk_install.sh

The Sebek client package is now installed on the honeypot.

2. The NIDS system

We know that a NIDS is a category of IDS whose function is to monitor activity across the whole network, with its many different hosts. Snort is a NIDS developed by Martin Roesch; it is open-source software, free and easy to use, with many features. Snort can be deployed on many operating systems (Windows, Linux, macOS), is small and highly customisable, and can continuously detect illegitimate intrusions into the system. Installed on the network, Snort monitors the packets entering and leaving the system. When it detects an attack, Snort sends an alert to the administrator, or blocks and drops the packet, depending on how it has been configured. Snort uses rules to detect intrusion activity: when a packet matches one of the rules, Snort treats it as an attack and reacts to that packet. Each rule corresponds to one attack method. The main Snort configuration file is snort.conf.

Snort can be configured to run in the following modes:
- Sniffer (snort -v): listens to the packets on the network, decodes them and displays them on the console.
- Packet logger (snort -l /var/log/snort): packets are decoded and logged to files in binary or ASCII form.
- NIDS (snort -c /etc/snort/snort.conf -i eth0): Snort applies the rules to every captured packet, compares them and takes the corresponding action.
- Inline: receives packets from iptables, compares them with the rules and tells iptables how to handle each packet (allow it through or drop it).

2.1 Studying the Snort application

2.1.1 Snort architecture
Snort consists of several components that work together to detect a specific attack; each logical component has a different task.

Snort architecture (figure not reproduced)

- Packet decoder: when Snort runs, it captures every packet moving through the system. This component determines which protocol is in use, based on the network card and the link layer; a decoded packet is then passed on to the preprocessing stage. Snort alerts when it finds headers that are malformed or abnormal.
- Preprocessors: at this stage the preprocessors have three main tasks:
  - Reassembly: when a large packet is sent, it is fragmented into several smaller packets; this stage reassembles the fragments into the original complete packet (and, for TCP, reassembles the stream).
  - Protocol decoding and normalisation:
- Detection engine: packets processed by the preprocessors continue into the detection stage, the most important stage in Snort. Here each packet is compared with the rules to see whether it is legitimate or carries content with an attack purpose as defined in a rule. The detection engine can also split a packet into parts and apply rules to each part. An IDS may have many rules and usually receives a great deal of traffic; when throughput is too high, packets may be missed or the response may be slow, which is one of the weaknesses of detection processing.
- Logging and alerting system: after detection, if an intrusion is found, the packet is passed on to logging/alerting; the result is written to a log and a notification is then issued to the system or the administrator. The log files are text data files.
- Output modules: perform the various storage and output operations, depending on the system configuration: writing log files, writing alerts to a database, or producing logs in XML form.

2.1.2 Snort rules:
Snort rules are created from the information and indicators of intrusion actions. Rules can be updated from the Snort home page, www.snort.org, or users can define and develop their own rules for their purposes. Rules are the core of the IDS: they are what lets it recognise attacks on the system.
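The step the report calls signature generation, which ties the honeynet's captured data (section 1.1.2) to the user-defined rules described here, as an added example that is not code from the report, the Honeywall or Snort: a script that turns captured honeypot connection records into Snort rules. The record format, the addresses and the payloads are constructed for the example. Two practitioner points are built in: local rules take sids from 1,000,000 upward, because lower sids are reserved for the distributed rule sets, and very short payloads are rejected, because a rule whose content is four bytes long would fire on legitimate traffic constantly.

```python
# Added example (not from the report, Honeywall or Snort): generating Snort
# rules from captured honeypot connection records. The log format below is
# constructed: timestamp, protocol, source, destination and the first bytes
# of payload, with \xNN escapes for non-printable bytes.
import re

HONEYPOT_LOG = r"""
2013-11-20T20:15:03 tcp 203.0.113.7:51324 -> 10.0.0.20:80 payload=GET /phpmyadmin/scripts/setup.php HTTP/1.1
2013-11-20T20:15:09 tcp 203.0.113.7:51330 -> 10.0.0.20:80 payload=GET /phpmyadmin/scripts/setup.php HTTP/1.1
2013-11-20T20:16:41 tcp 203.0.113.7:51402 -> 10.0.0.20:80 payload=GET /a.php?cmd=id;uname HTTP/1.1
2013-11-20T20:17:05 tcp 203.0.113.7:51410 -> 10.0.0.20:445 payload=\x00\x00\x00\x85\xffSMBr
2013-11-20T20:17:30 tcp 203.0.113.7:51412 -> 10.0.0.20:21 payload=QUIT
2013-11-20T21:02:17 udp 198.51.100.9:40001 -> 10.0.0.20:31337 payload=*!*QWTY?
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) payload=(?P<payload>.*)$")


def parse(log_text):
    """Parse the constructed log format into dicts; payload becomes raw bytes."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        # \xNN escapes in the log stand for non-printable bytes
        rec["payload"] = (rec["payload"].encode("latin-1")
                          .decode("unicode_escape").encode("latin-1"))
        records.append(rec)
    return records


SNORT_SPECIAL = b';"\\|'   # must be backslash-escaped inside content:"..."


def snort_content(payload):
    """Render bytes as a Snort content string: printable ASCII literally
    (with semicolon, quote, backslash and pipe escaped), everything else
    as |hex| blocks."""
    parts, hexrun = [], []

    def flush():
        if hexrun:
            parts.append("|" + " ".join("%02X" % b for b in hexrun) + "|")
            hexrun.clear()

    for b in payload:
        if 0x20 <= b < 0x7F:
            flush()
            parts.append(("\\" if b in SNORT_SPECIAL else "") + chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(parts)


def generate_rules(records, first_sid=1000001, min_len=8):
    """One rule per distinct (protocol, destination port, payload). Local
    rules use sids from 1,000,000 upward; lower sids are reserved for the
    official rule sets. Payloads shorter than min_len are skipped because a
    content that short matches far too much legitimate traffic."""
    seen, rules, sid = set(), [], first_sid
    for r in records:
        key = (r["proto"], r["dport"], r["payload"])
        if len(r["payload"]) < min_len or key in seen:
            continue
        seen.add(key)
        opts = ['msg:"HONEYPOT %s/%d payload replay"' % (r["proto"], r["dport"])]
        if r["proto"] == "tcp":
            opts.append("flow:to_server,established")
        opts.append('content:"%s"' % snort_content(r["payload"]))
        opts += ["classtype:attempted-recon", "sid:%d" % sid, "rev:1"]
        rules.append("alert %s $EXTERNAL_NET any -> $HOME_NET %d (%s;)"
                     % (r["proto"], r["dport"], "; ".join(opts)))
        sid += 1
    return rules


if __name__ == "__main__":
    for rule in generate_rules(parse(HONEYPOT_LOG)):
        print(rule)
```

The two identical phpMyAdmin probes collapse into one rule and the four-byte QUIT is dropped, leaving four rules ready to be appended to a local rules file. A rule built from a whole captured payload is exact but brittle: the next variant of the same scan will differ by a byte and slip past it, so a practitioner trims the content to the distinctive part (here, for instance, the setup.php path) and adds offset/depth constraints before deploying it.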

2.1.3 Snort's blocking mode (Snort-Inline)
Snort-Inline is a development branch of Snort by William Metcalf

2.2 Detailed network model for the system
Snort deployment model (single Snort sensor) (figure not reproduced)

2.3 Deploying, installing and operating Snort (configuring rules, creating the Snort database)

a. Deploying the system:
Deploy the system according to the model above (figure not reproduced):
- The hacker machine has IP address 10.0.0.50 and comes with attack-support tools pre-installed, such as nmap and hping3.
- The web server has IP address 10.0.0.10.
- The Snort server has no IP address, so it is transparent to the hacker.

b. Installing Snort:
Install the packages snort, mysql-server and snort-mysql in turn (using apt-get).

Creating the Snort database in MySQL:

Step 1: log in to MySQL
    # mysql -u root -p

Step 2: create the snort user (the password 123456 is the lab value used by the group; use a strong one on a real sensor)
    mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';

Step 3: create the snort database and grant the user access to it
    mysql> CREATE DATABASE snort;
    mysql> GRANT ALL ON snort.* TO 'snort'@'localhost';
    mysql> FLUSH PRIVILEGES;
    mysql> exit;

Step 4: create the tables of the snort database (change to the directory holding the schema, for example cd /usr/share/doc/snort-mysql)
    # zcat create_mysql.gz | mysql -u snort -p snort
The trailing snort is the database name; without it the schema has no database to load into.

Step 5: verify
    # mysql -u root -p

    mysql> SHOW DATABASES;
    +------------+
    | Database   |
    +------------+
    | mysql      |
    | snort      |
    | test       |
    +------------+

    mysql> USE snort;
    mysql> SHOW TABLES;
    +------------------+
    | Tables_in_snort  |
    +------------------+
    | data             |
    | detail           |
    | encoding         |
    | event            |
    | flags            |
    | icmphdr          |
    | iphdr            |
    | opt              |
    | protocols        |
    | reference        |
    | reference_system |
    | schema           |
    | sensor           |
    | services         |
    | sig_class        |
    | sig_reference    |
    | signature        |
    | tcphdr           |
    | udphdr           |
    +------------------+

Configuring Snort
Configuration file: /etc/snort/snort.conf
- Change the HOME_NET and EXTERNAL_NET addresses:
    var HOME_NET 10.0.0.0/24
    var EXTERNAL_NET !$HOME_NET
- Change the path to the rules directory:
    var RULE_PATH /etc/snort/rules
- Set the database output (user, password and database name as created above):
    output database: alert, mysql, user=snort password=123456 dbname=snort host=localhost

Starting the services:
    # service mysql restart
    # service snort restart

c. Operating Snort
Create a simple rule to test Snort:
- Create the file test.rules in the rules directory:
    # touch /etc/snort/rules/test.rules
- Add the following line to test.rules (the msg means "someone is pinging"):
    alert icmp any any -> any any (msg:"Co nguoi dang ping"; ttl:64; sid:1000001; rev:1;)
  Two corrections to the group's original line: the msg text must be quoted, and a local rule needs a sid of 1,000,000 or above, since lower sids are reserved for the distributed rule sets (the original sid:1000 collides with them). Note also that ttl:64 matches only pings from hosts whose default TTL is 64, such as Linux; a Windows host (TTL 128) would not trigger it, so drop the ttl option for a general test.
- Add the line
    include $RULE_PATH/test.rules
  to snort.conf.
- Restart the service:
    # service snort restart
Start Snort in alert-to-console mode (-l takes the log directory, not a file):
    # snort -A console -c /etc/snort/snort.conf -l /var/log/snort
Ping the web server from the hacker machine (as in the figure, not reproduced).
Result: (figure not reproduced)
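The alerts that -A console prints are in Snort's "fast" format, and the same format goes to the alert file in the log directory; reading it is how the ping test above is checked. As an added example that is not part of the original report, the parser below turns such lines into records and summarises them per rule. The sample lines are constructed to match the test rule (its sid is in the local range, and the Classification field is absent because the rule sets no classtype, which is how Snort prints it); the second rule and the addresses are invented.

```python
# Added example (not from the report): parsing Snort "fast"-format alerts,
# the output of "snort -A console" or the alert file under the log directory.
# The sample alert lines are constructed.
import re
from collections import Counter

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

SAMPLE_ALERTS = """\
11/21-09:30:12.481523  [**] [1:1000001:1] Co nguoi dang ping [**] [Priority: 0] {ICMP} 10.0.0.50 -> 10.0.0.10
11/21-09:30:13.482001  [**] [1:1000001:1] Co nguoi dang ping [**] [Priority: 0] {ICMP} 10.0.0.50 -> 10.0.0.10
11/21-09:31:02.100210  [**] [1:1000003:1] HONEYPOT tcp/445 payload replay [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51410 -> 10.0.0.20:445
11/21-09:31:05.000001  [**] [1:1000001:1] Co nguoi dang ping [**] [Priority: 0] {ICMP} 10.0.0.12 -> 10.0.0.10
"""


def _split_endpoint(ep):
    """'10.0.0.20:445' -> ('10.0.0.20', 445); ICMP endpoints carry no port."""
    host, sep, port = ep.rpartition(":")
    return (host, int(port)) if sep else (ep, None)


def parse_alerts(text):
    """Return one dict per alert line; non-alert lines (banner, statistics)
    are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
        a["src"], a["src_port"] = _split_endpoint(a["src"])
        a["dst"], a["dst_port"] = _split_endpoint(a["dst"])
        alerts.append(a)
    return alerts


def count_by_sid(alerts):
    """How often each rule fired: the first thing to check after adding a rule."""
    return dict(Counter(a["sid"] for a in alerts))


def sources_for(alerts, sid):
    """Distinct source addresses that triggered a rule, in first-seen order."""
    return list(dict.fromkeys(a["src"] for a in alerts if a["sid"] == sid))


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print(count_by_sid(alerts))
    print(sources_for(alerts, 1000001))
```

Running it against the real alert file after the ping test should show the test rule's sid with one count per echo request and the hacker machine's address as the only source; a rule that fires from addresses other than the attacker's is the first sign that its content is too generic.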

CONCLUSION AND FUTURE WORK

An IDS is a security solution that complements the firewall: an IDS can detect malicious code in action even inside the internal network, while a honeypot is a decoy system that deceives the hacker and keeps the real system safe from destructive threats. Deploying the IDS and the honeypot together creates a combined network that, on one hand, deceives the hacker to protect the real system while logging information about the hacker, the kind of attack and the attack tools, and, on the other hand, generates signatures for the IDS so that the same attack methods can be averted on later occasions. This is a security method of high effectiveness, genuinely necessary for computer networks, which helps the system run stably and recover from incidents as quickly as possible.

Over the time spent studying and carrying out the project "Signature generation for an intrusion detection system", the group achieved a number of objectives: a firm grasp of the concept, classification and functions of intrusion detection systems and of how an IDS works; a clear understanding of the concept, classification, functions and operating steps of honeypot systems; the installation, deployment, role and meaning of the honeynet, the high-interaction form of honeypot; and the use of logs captured by the honeypot to generate signatures for the intrusion detection system, so that it alerts the system when an attack occurs.

Owning a good IDS, one that produces accurate alerts and detects attacks in time, also requires the administrator to have the skills to update and develop rules for the system, keeping it safe and stable. However, developing rules by hand is error-prone and not very effective. Organising and designing rules so that they can be updated into the IDS automatically, generating signatures for the intrusion detection system automatically, is therefore necessary and more effective for system security; that is the project's direction for future work. It requires a tighter and closer connection between the IDS and the honeynet's Honeywall, so that signatures are generated automatically, accurately and safely.

REFERENCES
1. 109802808-Do-an-Honeypots-001 (course project on honeypots, cited by document identifier).
2. Lance Spitzner, Honeypots: Tracking Hackers, Addison-Wesley Professional.
3. Snort 2.9.1 on CentOS (installation guide).
4. Kerry J. Cox and Christopher Gerg, Managing Security with Snort and IDS Tools, O'Reilly.
5. SaudiHoneynet User Manual.
6. http://seat.massey.ac.nz/projects/honeynet/honeynet.htm
7. http://www.symantec.com/connect/articles/sebek-3-tracking-attackers

Hoàng Thị Bích Dương, Huỳnh Quang Sang. Supervisor: ThS. Mai Xuân Phú