baocao linux snort1

Upload: phan-hdq

Post on 10-Jul-2015


UNIVERSITY OF TECHNOLOGY

FACULTY OF INFORMATION TECHNOLOGY

DEPARTMENT OF NETWORKS AND COMMUNICATIONS

COURSE REPORT

SPECIAL TOPIC II

UNDERSTANDING AND DEPLOYING THE SNORT SERVICE

Students: o Th M Chu, Phan Th Thu Hng
Group: 78B
Supervisor: Dr. Nguyn Tn Khi

Topic: Understanding and deploying the Snort service

Da Nang, 2011

o Th M Chu & Phan Th Thu Hng, Group 78B

SUPERVISOR'S COMMENTS

Page 2

Understanding and deploying the Snort service

TABLE OF CONTENTS

CHAPTER 1. THEORETICAL BACKGROUND (p. 8)
1.1. Introduction (p. 8)
1.1.1. Introduction to IDS (p. 8)
1.1.2. Introduction to Snort (p. 9)
1.2. Snort architecture (p. 10)
1.2.1. Packet decoder module - Packet Decoder (p. 10)
1.2.2. Preprocessor module - Preprocessors (p. 11)
1.2.3. Detection module - Detection Engine (p. 13)
1.2.4. Logging and alerting module - Logging and Alerting System (p. 14)
1.2.5. Output module - Output Module (p. 14)
1.2.6. Snort's execution modes (p. 15)
1.3. Snort's rule set (p. 17)
1.3.1. Introduction (p. 17)
1.3.2. Snort rule structure (p. 18)
1.3.3. The header section (p. 19)
1.3.4. Options (p. 23)
CHAPTER 2. SYSTEM DESIGN AND CONSTRUCTION (p. 29)
2.1. Requirements analysis (p. 29)
2.1.1. Installing the server configuration tools (p. 29)
2.1.2. Installing the Bison, Libpcap, Libpcre and Libnet libraries (p. 30)
2.1.3. Installing Snort (p. 32)
2.2. Creating a database to store alerts (p. 32)
2.3. Configuring Snort (p. 33)
2.3.1. Creating a group and user to run Snort (p. 33)
2.3.2. Creating rules for Snort (p. 33)
2.4. Installing BASE (p. 34)
CHAPTER 3. DEPLOYMENT AND EVALUATION OF RESULTS (p. 36)
3.1. Deployment environment (p. 36)
3.2. Some results of the program's functions (p. 36)
3.3. Evaluation and remarks (p. 39)


LIST OF ABBREVIATIONS


LIST OF TABLES


LIST OF FIGURES


PROJECT OVERVIEW

1. Context and motivation for the project

Alongside their rapid development and powerful capabilities, information systems also bring no small number of headaches, and among them the sensitive issue of information security concerns us most of all. We need to strengthen information security to avoid losing data through security vulnerabilities or attacks by hackers, viruses and trojans. One of the solutions that best answers this problem is to deploy an Intrusion Detection System (IDS). The two main requirements when deploying an IDS are its cost and its ability to respond flexibly to the rapid development of information technology, and Snort meets both of these requirements very well. Having seen the capabilities of the Snort service, we chose the topic "Understanding and deploying the Snort service" as our course project.

2. Project method
- Study the relevant documentation of the Ubuntu operating system.
- Study the documentation related to Snort (concepts, functions, rules, installation).
- Install and configure a server-client setup on virtual machines.
- Run and test the operation of the Snort service.

3. Structure of the project
The report is organized as follows:
- Project overview
- Chapter 1. Theoretical background
- Chapter 2. System design and construction
- Chapter 3. Deployment and evaluation of results
- Conclusion
- References


Chapter 1. THEORETICAL BACKGROUND

1.1. Introduction

1.1.1. Introduction to IDS

1.1.1.1. Concept:

IDS stands for Intrusion Detection System. An IDS is a defensive system whose aim is to detect attacks on a network. Its purpose is to detect and prevent destructive actions against system security, or actions that form part of an attack such as information gathering and port scanning. A main feature of such a system is that it provides information identifying abnormal activity and issues alerts, notifying the network administrator so that the attacking connections can be blocked. In addition, an IDS tool can also distinguish between attacks from inside the organization (from its own employees or customers) and attacks from outside (attacks by hackers).

1.1.1.2. Classification of IDS:

The most common way to classify IDS systems is by the characteristics of the data source they collect. On this basis, IDS systems are divided into the following types:
- Host-based IDS (HIDS): uses audit data from a single host to detect intrusions. Its main function is to protect the resources on that host and on certain systems such as web hosts and mail hosts.
- Network-based IDS (NIDS): uses data from all network traffic, together with audit data from one or several hosts, to detect intrusions. Its task is to block and manage packets before they are passed into the system.


1.1.2. Introduction to Snort

Snort is an open-source product developed to detect unauthorized intrusions into a system by means of predefined rules; these rules are based on signatures, protocols and anomalies. Snort uses rules stored in text files, which the administrator can edit. The rules are grouped into types, and the rules of each type are stored in different files. Snort's main configuration file is snort.conf. Snort reads these rules at startup and builds data structures that supply the rules for capturing violating patterns. Finding signatures and using them in rules is a matter that requires care, because the more rules are used, the more processing capacity is needed to collect data in practice. Snort ships with a set of predefined rules for detecting intrusion activity, and administrators can also add rules of their own. Administrators can also remove some of the predefined rules to avoid false alarms. Snort consists of one or more sensors and a main database server. The sensors can be placed in front of or behind the firewall, in order to:
- monitor attacks on the firewall and the network;
- record successful traversals of the firewall.

Snort's rule database contains up to 2930 rules and is updated regularly by a community of users. Snort can run on many platforms such as Windows, Linux, OpenBSD, FreeBSD, NetBSD, Solaris, HP-UX, AIX, IRIX and MacOS. Besides working as an ordinary packet capture application, Snort can also be configured to run as a NIDS. Snort supports operation over the following link types: Ethernet, 802.11, Token Ring, FDDI, Cisco HDLC, SLIP, PPP and OpenBSD's PF.


1.2. Snort architecture

Snort is divided into several components. These components work together to detect specific kinds of attack and to produce output in the required format. A Snort-based IDS consists of the following main components:
- Packet Decoder
- Preprocessor
- Detection Engine
- Logging and Alerting System
- Output Modules

Snort's architecture is shown in the following figure:

Figure 1: Architecture of the Snort system

When Snort runs, it listens for and captures every packet that passes through it. Captured packets are passed to the Packet Decoder module. Next the packet is passed to the Preprocessor module and then to the Detection module. There, depending on whether an intrusion is detected, the packet is either let through or passed to the Logging and Alerting module for processing. Once alerts have been determined, the Output module emits them in the desired format. Below we look in more detail at how each component works and what it does.

1.2.1. Packet decoder module - Packet Decoder

Snort uses the pcap library to capture every packet on the network that passes through the system. The following figure shows how an Ethernet packet is decoded:


Figure 2: Processing an Ethernet packet

After a packet has been decoded it is passed on to the preprocessor module. The main task of this stage is to analyse the raw data captured from the network and reassemble it into a complete application-layer packet, which serves as the input to the detection engine. Reassembly proceeds from the data link layer up to the application layer, following the order of the protocol stack.

1.2.2. Preprocessor module - Preprocessors

The preprocessor module is a very important module for any IDS, since it prepares the packet data for analysis by the Detection module. Modules of this kind have three main tasks:
- Reassembling packets: when a large amount of data is sent, the information is not packed into a single packet; it is fragmented, with the original packet split into several packets before sending. When Snort receives these packets it has to reassemble them to obtain the original data before any further processing can be done. As we know, when a session takes place on the system, a great many packets are exchanged within that session. A single packet has no state, and intrusion detection based entirely on that one packet would not be very effective. The stream preprocessor module lets Snort understand the different sessions (in other words, it gives state to the packets), which makes intrusion detection more effective.
- Protocol decoding and normalization (decode/normalize): signature-based intrusion detection often fails when checking protocols whose data can be expressed in many different forms. For example, a web server may accept many forms of URL: URLs written in hex/Unicode encoding, URLs accepting both \ and / as separators, or several of these characters in a row. Suppose we have the signature scripts/iisadmin; an attacker can bypass it by rewriting the request sent to the web server as scripts/./iisadmin, scripts/examples/../iisadmin, scripts\iisadmin or scripts/.\iisadmin, or by encoding these strings in some other form. If Snort simply compared the data with the signature, intrusions would be missed. Therefore some of Snort's preprocessor modules have the task of decoding, correcting and rearranging this input so that, when it reaches the detection module, it can be detected without being missed. Snort currently supports decoding and normalization for the protocols telnet, http, rpc and arp.
- Detecting anomalous intrusions (non-rule/anomaly): preprocessor plugins of this kind are usually used to deal with intrusions that cannot, or can only with difficulty, be detected by ordinary rules or by abnormal signs in a protocol. These preprocessor modules can detect intrusions in any way we can devise, thereby extending Snort's features. For example, a preprocessor plugin could gather statistics on network throughput under normal conditions and then, when abnormal throughput occurs, compute, detect and raise an alert (statistical intrusion detection). The current version of Snort ships with two plugins that help detect anomalous intrusions: portscan and bo (backoffice). Portscan raises an alert when an attacker scans the system's ports looking for vulnerabilities. Bo raises an alert when the system is infected with the backoffice trojan and a remote attacker connects to backoffice to execute commands remotely.
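As an added illustration (not code from this report or from Snort), the following Python normalizer shows how a preprocessor reduces the URL variants listed above to one canonical form before the detection engine compares them with the scripts/iisadmin signature. The %XX / %uXXXX decoding and the case folding are assumptions about what such a normalizer does, not Snort's exact http_inspect behaviour.

```python
"""Path normalizer of the kind an HTTP preprocessor applies before signature
matching.  Added illustration; not Snort's http_inspect code."""
import re


def decode_percent(path):
    """Decode IIS-style %uXXXX sequences and ordinary %XX sequences (one pass)."""
    path = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), path)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), path)


def normalize_path(path):
    """Canonical form: decoded, '/' separators, no '.' or '..' segments,
    no empty segments, lower-cased (IIS paths are case-insensitive; assumption)."""
    path = decode_percent(path).replace("\\", "/")
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # collapses '//' and 'x/./y'
        if seg == "..":
            if out:
                out.pop()       # 'examples/../iisadmin' -> 'iisadmin'
            continue
        out.append(seg.lower())
    return "/".join(out)


SIGNATURE = "scripts/iisadmin"
# The four variants named in the text plus two encoded forms, constructed for the demo.
VARIANTS = [
    "scripts/./iisadmin",
    "scripts/examples/../iisadmin",
    "scripts\\iisadmin",
    "scripts/.\\iisadmin",
    "scripts%2fiisadmin",
    "SCRIPTS//%69isadmin",
]


def signature_hits(paths, signature=SIGNATURE):
    """Return the paths whose normalized form contains the signature."""
    return [p for p in paths if signature in normalize_path(p)]
```

Without normalize_path only a plain substring search for scripts/iisadmin would match none of the six variants; after it, all six do.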

1.2.3. Detection module - Detection Engine

This is Snort's most important module. It is responsible for detecting signs of intrusion. The detection module compares the collected data against the predefined rules to determine whether an intrusion has occurred; only then can tasks such as logging, alerting and output be carried out. A very important issue in the detection module is packet processing time: an IDS usually receives a great many packets and also has a great many rules to process. Different packets may take different amounts of time to process, and when network throughput is too high, packets may be missed or not responded to in time. The processing capacity of the detection module depends on factors such as the number of rules, the speed of the system running Snort, and the load on the network. Some experiments show that the current version of Snort, when optimized and run on a multiprocessor system with a fairly powerful configuration, can work well even on gigabit networks. The detection module can also separate the parts of a packet and apply rules to each specific part. These parts can be:
- the IP header;
- the transport-layer header: TCP, UDP;
- the application-layer header: DNS header, HTTP header, FTP header, and so on;
- the packet payload (rules can also be applied to the data carried in the packet).
Another issue in the detection module is what to do when a packet is matched by several rules. Since Snort's rules are assigned an order of priority, when a packet is matched by several different rules, the alert issued is the one for the rule with the highest priority.


1.2.4. Logging and alerting module - Logging and Alerting System

Depending on whether the Detection module recognizes an intrusion, the packet may be logged or an alert may be raised. The log files are text files whose data can be written in various formats, for example the tcpdump format.

Figure 3: Logging and alerting module

1.2.5. Output module - Output Module

This module can perform different operations depending on how you want the output to be stored. Depending on the system configuration it can do things such as:
- Write a log file.
- Write to syslog: syslog is a standard for storing log files that is widely used on Unix and Linux systems.
- Write alerts to a database.
- Create XML log files: logging in XML form is very convenient for exchanging and sharing data.
- Reconfigure routers and firewalls.
- Send alerts packaged in packets using the SNMP protocol. These SNMP packets are sent to an SNMP server, which makes managing alerts about the IDS centralized and more convenient.
- Send SMB (Server Message Block) messages to Windows computers.
If none of the above output methods is satisfactory, we can write our own output modules for our particular purposes.

1.2.6. Snort's execution modes

1.2.6.1. Sniffer mode

In this mode, Snort works like an ordinary packet capture and analysis program. No configuration file is needed. The information Snort collects when operating in this mode is:
- Date and time.
- Source IP address.
- Source port number.
- Destination IP address.
- Destination port.
- Transport layer protocol used in this packet.
- Time to live or TTL value in this packet.
- Type of service or TOS value.
- Packet ID.
- Length of IP header.
- IP payload.
- Don't fragment or DF bit is set in IP header.
- Two TCP flags A and P are on.
- TCP sequence number.
- Acknowledgement number in TCP header.
- TCP Window field.
- TCP header length.


1.2.6.2. Packet logger mode

When running in this mode, Snort collects all the packets it sees and writes them to the log in a hierarchical structure. In other words, a new directory is created for each address it captures, and the data stored in that directory depends on the address. Snort places the packets in ASCII files whose names relate to the protocol and port. This arrangement makes it easy to see who is connecting to your network and which protocol and port they are using. Simply use ls -R to list the directories. However, this hierarchy creates many directories during peak hours, so it is very hard to look through all of these directories and files. If someone scans your network and maps all 65536 TCP ports as well as all 65536 UDP ports, you will suddenly have more than 131000 files in a single directory. Logging in binary form everything that Snort can read increases Snort's packet capture capacity. Most systems can capture and log at 100 Mbps without any problem. To log packets in binary mode, use the -b flag:
# snort -b -l /usr/local/log/Snort/temp.log
While capturing, we can immediately read back the newly created file with the -r flag, and the display is the same as in sniffer mode:
# snort -r /usr/local/log/Snort/temp.log
In this respect Snort is not limited to reading binary files in sniffer mode. We can run Snort in NIDS mode with rules or filters set up to look for suspicious traffic.

1.2.6.3. NIDS mode

Snort is commonly used as a NIDS. It is small, fast and effective, and uses rules that are applied to packets. When it detects an attack signature in a packet, it records it and generates an alert. When used in this mode, a configuration file must be specified for Snort to operate. The information in alerts when operating in this mode:


- Fast mode: Date and time, Alert message, Source and destination IP address, Source and destination ports, Type of packet.
- Full mode: the same information as fast mode plus the following: TTL value, TOS value, Length of packet header, Length of packet, Type of packet, Code of packet, ID of packet, Sequence number.

1.3. Snort's rule set

1.3.1. Introduction

Snort is primarily a rule-based IDS, although input plug-ins also exist to detect anomalies in protocol headers. Snort uses rules stored in text files, which the administrator can edit. The rules are grouped into types, and the rules of each type are stored in different files. Snort's main configuration file is snort.conf. Snort reads these rules at startup and builds data structures that supply the rules for capturing data. Finding signatures and using them in rules is a matter that requires care, because the more rules you use, the more processing capacity is needed to collect data in practice. Snort ships with a set of predefined rules for detecting intrusion activity, and you can also add rules of your own. You can also remove some of the predefined rules to avoid false alarms. Just like viruses, most attack or intrusion activities have their own signatures. Information about these signatures is used to build Snort's rules. Usually, honey pots are set up to learn what attackers do, as well as which tools and techniques they use. Conversely, there are also databases of security vulnerabilities that attackers want to exploit. These known attack patterns are used as signatures for detecting attacks and intrusions. Signatures may appear in the header part of packets or in their content. Snort's detection system operates on rules, and these rules are in turn based on attack signatures. Rules can be applied to all the different parts of a data packet.


A rule can be used to generate an alert message, to log a message, or to ignore a packet.

1.3.2. Snort rule structure

Consider a simple example:
alert tcp 192.168.2.0/24 23 -> any any (content: "confidential"; msg: "Detected confidential";)
We see that a rule has the following structure:

Figure 4: Structure of a Snort rule

Explanation: logically, every Snort rule consists of two parts, the Header and the Options.
- The Header contains information about the action the rule takes when it detects an intrusion in a packet, and it also contains the criteria for applying the rule to that packet.
- The Options contain an alert message and information about which parts of the packet are used to generate the alert. The Options contain the additional criteria for matching the rule against the packet.
A rule can detect one or more probing or attack activities. Well-written rules can cover several intrusion signatures. Below is the general structure of the Header of a Snort rule:

Figure 5: Snort rule header

- Action: specifies which kind of action is carried out when the packet's signs are correctly identified by the rule. Usually the action generates an alert, logs a message, or activates another rule.
- Protocol: restricts the rule to packets of one specific protocol, for example IP, TCP or UDP.
- Address: the source and destination addresses. An address can be a single host, several hosts, or a network. Of the two address fields, one is the source and the other the destination; which is which is determined by the Direction field ->.
- Port: identifies the source and destination ports of the packets to which the rule applies.
- Direction: indicates which address is the source and which is the destination.

Example: alert icmp any any -> any any (msg: "Ping with TTL=100"; ttl: 100;)
The part before the opening parenthesis is the rule Header and the rest is the Options. The Header breaks down as follows. The rule action here is alert: an alert is generated if the packet satisfies the rule's conditions (the packet is always logged whenever an alert is generated). The rule's protocol here is ICMP, so the rule applies only to ICMP packets; consequently, if a packet is not ICMP, the rest of the rule need not be checked. The source address here is any, meaning the rule applies to packets from every source, and the port is also any; for ICMP packets the port has no meaning, since port numbers are only meaningful for TCP or UDP packets. The Options in parentheses specify that an alert containing the string Ping with TTL=100 is generated when the condition TTL=100 is met. TTL is Time To Live, a field in the IP header.

1.3.3. The header section

As described above, the rule Header consists of several parts. Each of them is detailed below.

Rule Action: this is the first part of the rule and indicates which action is taken when the rule's conditions are satisfied. An action is taken if and only if all the conditions match. Five actions are predefined, but we can create our own actions to suit our needs. In earlier versions of Snort, when several rules matched a packet, only one rule was applied: after the first rule was applied, the following rules were no longer applied to that packet. In later versions of Snort, all rules are applied to the packet.
- Pass: this action tells Snort to ignore the packet. It plays an important role in speeding Snort up when we do not want to apply checks to certain packets. For example, if we use honey pots (placed on some host) to lure hackers into attacking, we must let all packets reach that host. Or if we use a scanner to check the security of our own network, we must ignore all packets coming from that scanning host.
- Log: this action logs the packet. It can log to a file or to a database, depending on our needs.
- Alert: sends an alert message when an intrusion signature is detected. There are many ways to send the message, such as to a file or to a console. Naturally, after the alert message is sent, the packet is logged.

- Activate: used to generate an alert and activate another rule that checks further conditions on the packet.
- Dynamic: indicates that this rule is invoked by other rules whose action is Activate.
- User-defined actions: a new action is defined with the following structure:
ruletype action_name { action definition }
ruletype is the keyword. The action is defined precisely inside the braces, for example as a function written in C. Example:
ruletype smb_db_alert { type alert output alert_smb: workstation.list output database: log, mysql, user=test password=test dbname=snort host=localhost }
This is an action named smb_db_alert, used to send an alert message as an SMB pop-up window to the hosts listed in the file workstation.list and to a MySQL database named snort.

Protocols: this is the second part of a rule and indicates the type of packet to which the rule applies. Currently Snort understands the following protocols: IP, ICMP, TCP and UDP. If the protocol is IP, Snort examines the link-layer header to determine the packet type. If any other protocol is used, Snort uses the IP header to determine the protocol. The protocol only plays a role in specifying criteria in the rule header; the rule options may contain conditions unrelated to the protocol.

Address: there are two address parts in a Snort rule. They are used to check the origin and destination of a packet. An address can be a single IP address or a network address. The word any can be used to apply the rule to all addresses. The address is written immediately followed by a slash and the number of bits in the subnet mask. For example, the address 192.168.2.0/24 denotes the class C network 192.168.2.0 with a 24-bit subnet mask. A 24-bit subnet mask is 255.255.255.0. We know that:
- a 24-bit subnet mask is a class C network;
- a 16-bit subnet mask is a class B network;
- an 8-bit subnet mask is a class A network;
- a 32-bit subnet mask is a single IP address.
Of the two addresses in a Snort rule, one is the source address and the other the destination address. Which is which depends on the direction part. For example the rule:

o Th M Chu & Phan Th Thu Hng Nhm 78B

alert tcp any any -> 192.168.1.10/32 80 (msg: "TTL=100"; ttl: 100;)
generates an alert for every packet from any source with TTL = 100 going to the web server 192.168.1.10 on port 80.

Blocking or excluding addresses: Snort provides a way to exclude addresses using the negation sign (!). Placed before an address, the negation sign tells Snort not to check packets coming from or going to that address. For example, the following rule applies to all packets except those originating from the class C network 192.168.2.0:
alert icmp ![192.168.2.0/24] any -> any any (msg: "Ping with TTL=100"; ttl: 100;)

Address lists: a list of addresses can be specified in a Snort rule. For example, to apply a rule to all packets except those originating from the two class C networks 192.168.2.0 and 192.168.8.0, the rule is written as follows:
alert icmp ![192.168.2.0/24, 192.168.8.0/24] any -> any any (msg: "Ping with TTL=100"; ttl: 100;)
The [] brackets are only needed when preceded by a ! sign.

Port (Port Number): the port number is used to apply a rule to packets coming from or going to a specific port or port range. For example, we can use source port 23 to apply a rule to all packets coming from a Telnet server. The word any is also used to stand for all ports. Note that port numbers are only meaningful in the TCP and UDP protocols; if the rule's protocol is IP or ICMP, the port number plays no role. Example:
alert tcp 192.168.2.0/24 23 -> any any (content: "confidential"; msg: "Detected confidential";)
Port numbers are only useful when we want to apply a rule to one specific kind of data packet. For example, for a rule against web hacking we only need to use port 80 to detect attacks.

Port ranges:


A rule can be applied to a range of ports instead of a single port. The starting and ending ports are separated by a colon ":". Example:
alert udp any 1024:2048 -> any any (msg: "UDP ports";)
Ports can also be bounded only from above or only from below, that is, by giving only the starting port or only the ending port, for example 1024: or :2048.
The negation sign also applies to ports. The following example logs all packets except those originating from port 53:
log udp any !53 -> any any
Here are some common ports, or rather the ports of the most common services: 20 FTP data, 21 FTP, 22 SSH, 23 Telnet, 24 SMTP, 53 DNS Server, 80 HTTP, 110 POP3, 161 SNMP, 443 HTTPS, 3360 MySQL.

Direction: indicates which is the source and which is the destination; it can be -> or

(flags: A; ack: 0; msg:
alert udp any any -> 192.168.1.0/24 6838 (msg: "DoS"; content: "server"; classtype: DoS;)
alert udp any any -> 192.168.1.0/24 6838 (msg: "DoS"; content: "server"; classtype: DoS; priority: 1;)

In the second rule we override the default priority value of the defined class.

The content keyword: an important feature of Snort is its ability to find a data pattern inside a packet. The pattern can be an ASCII string or a binary string written as hexadecimal characters. Like viruses, attacks have identifying signatures, and the content keyword is used to find these signatures inside packets. Example:
alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content: "GET"; msg: "GET match";)
The rule above looks for the pattern GET in the data portion of all TCP packets originating from the 192.168.1.0/24 network and going to addresses outside that network. The word GET is used very often in HTTP attacks. Another rule that does exactly the same job, but with the pattern in hexadecimal form, is:
alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content: "|47 45 54|"; msg: "GET match";)
Note that hexadecimal 47 is the ASCII character G, and similarly 45 is E and 54 is T. Both forms can be used in the same rule, but remember that the hexadecimal part must be placed between a pair of | characters. When using the content keyword, however, bear in mind that content matching is computationally expensive, so think carefully before using many rules with content matching. Several content keywords can be used in the same rule to look for several signatures in the same packet. Content matching is delicate work. Three other keywords are often used together with the content keyword to add further search conditions:


- offset: specifies the position at which the search (for the string given in the content keyword) starts, as an offset from the beginning of the packet's data portion. The following example looks for the string HTTP starting 4 bytes from the beginning of the packet's data:
alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; msg: "HTTP matched";)
- depth: specifies the position at which Snort stops searching. This keyword is often used together with the offset keyword described above. Example:
alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; depth: 40; msg: "HTTP matched";)
This keyword reduces the time spent searching when the packet's data portion is large.
- content-list: used together with a file. The file name (given as the keyword's parameter) is a text file containing the list of strings to search for in the packet's data portion, one string per line. For example, the file test has the following contents:
test
Snort
NIDS
and we have the rule:
alert tcp 192.168.1.0/24 any -> any any (content-list: "test"; msg: "This is my Test";)
The negation character ! can also be placed before the file name to alert on packets in which none of the strings in the file is found.

The dsize keyword: used to match on the length of the data portion. Many attacks exploit buffer overflows by sending very large packets. With this keyword, we can compare the size of a packet's data portion against a number:
alert ip any any -> 192.168.1.0/24 any (dsize: > 6000; msg: "Goi tin co kich thuoc lon";)

The flags keyword


This keyword is used to detect which flag bits are set in a packet's TCP header. Each flag can be used as a parameter of the flags keyword. The flags used in the flags keyword are:

Flag                      Parameter character in Snort rules
FIN (Finish Flag)         F
SYN (Sync Flag)           S
RST (Reset Flag)          R
PSH (Push Flag)           P
ACK (Acknowledge Flag)    A
URG (Urgent Flag)         U
Reserved Bit 1            1
Reserved Bit 2            2
No Flag set               0

Table 1: Flags used with the flags keyword

The signs +, * and ! can be used to perform the logical operations AND, OR and NOT on the flag bits to be checked. For example, the following rule detects a scan using TCP SYN-FIN packets:
alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "SYNC-FIN packet detected";)

The fragbits keyword: the IP header of a packet contains 3 bits used to control the fragmentation and reassembly of IP packets. The bits are:
- Reserved Bit (RB), reserved for future use.
- Don't Fragment Bit (DF): if this bit is set, the packet is not fragmented.
- More Fragments Bit (MF): if set, other parts (fragments) of the packet are still in transit and have not yet reached the destination. If this bit is not set, this is the last part of the packet (or the only packet).
This arises because the sender has to split an IP packet into several smaller pieces depending on the Maximum Transfer Unit (MTU) allowed on the path; the packet size may not exceed this maximum. The MF bit therefore helps the receiving side reassemble the different parts into a complete packet.

o Th M Chu & Phan Th Thu Hng Nhm 78B

Attackers sometimes use these bits to attack our network or to gather information about it. For example, the DF bit can be used to find the largest and smallest MTU on the path from the source to the destination. With fragbits we can test whether these bits are set. The following rule detects ICMP packets in which the DF bit is set:

alert icmp any any -> 192.168.1.0/24 any (fragbits:D; msg:"Dont Fragment bit set";)

In this rule D stands for the DF bit, R for the reserved bit and M for the MF bit. The negation character ! can also be used to test that a bit is not set:

alert icmp any any -> 192.168.1.0/24 any (fragbits:!D; msg:"Dont Fragment bit not set";)
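To make the semantics of these options concrete, here is an added example that is not Snort's code and not part of this report: it parses the rules quoted above into a dictionary and evaluates them against constructed packets. The Packet class, the parse_rule() and rule_matches() helpers, the sample traffic and the bit values used for flags and fragbits are assumptions made for the example; the behaviour imitated is Snort's offset/depth search window, its dsize comparison and the +, *, ! modifiers for flags and fragbits.

```python
"""Miniature evaluator for the Snort rule options discussed above (content with
offset/depth, dsize, flags, fragbits) plus the rule header. Added illustration,
not Snort's code: Packet, parse_rule, rule_matches and the samples are constructed."""
from dataclasses import dataclass
import ipaddress
import re

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,   # Table 1 letters
                 "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}   # -> TCP header bits
FRAG_BITS = {"R": 0x4, "D": 0x2, "M": 0x1}                     # reserved, DF, MF bits


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"; an "ip" rule matches all of them
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    payload: bytes = b""
    tcp_flags: int = 0    # mask built from TCP_FLAG_BITS
    frag_bits: int = 0    # mask built from FRAG_BITS


def parse_rule(text: str) -> dict:
    """Split a rule into header fields plus one entry per option (quotes removed)."""
    m = re.fullmatch(r"\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*", text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    rule = dict(zip(["action", "proto", "src", "sport", "dst", "dport"], m.groups()[:6]))
    for opt in m.group(7).split(";"):          # values containing ';' are not handled
        if opt.strip():
            key, _, value = opt.partition(":")
            rule[key.strip()] = value.strip().strip('"')
    return rule


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")


def _bits_match(value: int, spec: str, table: dict) -> bool:
    """Modifiers: none = exactly these bits; '+' = these and possibly others (AND);
    '*' = any of these (OR); '!' = none of these (NOT). '0' means no bits."""
    mode, letters = ("", spec) if spec[0] not in "+*!" else (spec[0], spec[1:])
    mask = 0 if letters == "0" else sum(table[c] for c in letters)
    if mode == "+":
        return value & mask == mask
    if mode == "*":
        return value & mask != 0
    if mode == "!":
        return value & mask == 0
    return value == mask


def _dsize_match(length: int, spec: str) -> bool:
    spec = spec.replace(" ", "")              # "> 6000" and ">6000" are both accepted
    if spec[0] in "<>":
        return length > int(spec[1:]) if spec[0] == ">" else length < int(spec[1:])
    return length == int(spec)


def rule_matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if not (_addr_match(rule["src"], pkt.src) and _addr_match(rule["dst"], pkt.dst)):
        return False
    for spec, port in ((rule["sport"], pkt.sport), (rule["dport"], pkt.dport)):
        if spec != "any" and int(spec) != port:
            return False
    if "content" in rule:                     # search only payload[offset:offset+depth]
        start = int(rule.get("offset", 0))
        end = start + int(rule["depth"]) if "depth" in rule else None
        if rule["content"].encode() not in pkt.payload[start:end]:
            return False
    if "dsize" in rule and not _dsize_match(len(pkt.payload), rule["dsize"]):
        return False
    if "flags" in rule and (pkt.proto != "tcp" or not _bits_match(pkt.tcp_flags, rule["flags"], TCP_FLAG_BITS)):
        return False
    if "fragbits" in rule and not _bits_match(pkt.frag_bits, rule["fragbits"], FRAG_BITS):
        return False
    return True


RULES = [  # the rules from the text above, with the quotes Snort requires
    'alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)',
    'alert ip any any -> 192.168.1.0/24 any (dsize:>6000; msg:"Large payload";)',
    'alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"SYN-FIN packet detected";)',
    'alert icmp any any -> 192.168.1.0/24 any (fragbits:D; msg:"Dont Fragment bit set";)',
    'alert icmp any any -> 192.168.1.0/24 any (fragbits:!D; msg:"Dont Fragment bit not set";)',
]
SAMPLES = {  # constructed sample traffic, not captured from the report's lab
    "http_get": Packet("tcp", "192.168.1.10", "10.0.0.5", 40000, 80, b"GET HTTP/1.1\r\n",
                       TCP_FLAG_BITS["P"] | TCP_FLAG_BITS["A"]),
    "syn_fin_scan": Packet("tcp", "10.9.9.9", "192.168.1.20", 1234, 22,
                           tcp_flags=TCP_FLAG_BITS["S"] | TCP_FLAG_BITS["F"]),
    "big_udp": Packet("udp", "10.9.9.9", "192.168.1.30", 5000, 5000, b"A" * 6500),
    "icmp_df": Packet("icmp", "10.9.9.9", "192.168.1.40", payload=bytes(32), frag_bits=FRAG_BITS["D"]),
}


def triggered(pkt: Packet) -> list:
    """msg of every rule in RULES that fires on pkt."""
    return [r["msg"] for r in map(parse_rule, RULES) if rule_matches(r, pkt)]
```

Calling triggered() on each sample shows one message per packet: the content match is confined to the offset/depth window (moving the offset to 5 makes the HTTP rule miss), flags:SF fires only when exactly SYN and FIN are set while +S would also accept a SYN-ACK, and fragbits:!D stays silent on the packet whose DF bit is set.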


Chapter 2.

SYSTEM DESIGN AND CONSTRUCTION

2.1.

Requirements analysis

Install the Snort intrusion detection system with its log written to a MySQL database; the administrator monitors the log through the BASE (Basic Analysis And Security Engine) web interface. The packages to install are:

- Server configuration tools: the default selection.
- Web server: Apache, PHP, php-mysql, phpMyAdmin.
- MySQL database: mysql-connector-odbc, mysql-server, mysql-client, mysql-devel, php-mysql.
- Support libraries for Snort: libpcap (the libpcap and libpcap-devel packages when installing from rpm; building from source is recommended), Bison, libpcre, libnet.
- The Snort 2.8.4.1 package.

2.1.1.

Installing the server configuration tools

The server configuration tools are used to store Snort's alerts in the MySQL database; BASE (Basic Analysis And Security Engine) then displays the analysis charts for the system. (The package list above uses rpm names; the installation below is done on Ubuntu with apt-get.) The installation proceeds as follows:

- Install Apache: sudo apt-get install apache2
- Install PHP 5: sudo apt-get install php5 libapache2-mod-php5
- Install phpMyAdmin: sudo apt-get install phpmyadmin
- Install MySQL: sudo apt-get install mysql-server mysql-client

During the MySQL installation you are asked for the user name and password used to access the MySQL server.

2.1.2.

Installing the Bison, libpcap, libpcre and libnet libraries

2.1.2.1. Installing flex

libpcap needs the flex library to compile, so flex is installed first. Download flex from http://biznetnetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz and install it with the following steps (the archives are unpacked directly under /usr/local; the later paths such as /usr/local/snort-2.8.4.1/schemas depend on this):

- Download flex:
root@Ubuntu:/home/chau/Desktop/Install# wget http://biznetnetworks.dl.sourceforge.net/sourceforge/flex/flex-2.5.35.tar.gz
- Copy the flex archive to the build directory:
root@Ubuntu:/home/chau/Desktop/Install# cp flex-2.5.35.tar.gz /usr/local/
- Change to the build directory:
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
- Unpack flex:
root@Ubuntu:/usr/local# tar -xvzf flex-2.5.35.tar.gz
- Change into flex-2.5.35:
root@Ubuntu:/usr/local# cd flex-2.5.35
- Configure, compile and install flex:
root@Ubuntu:/usr/local/flex-2.5.35# ./configure
root@Ubuntu:/usr/local/flex-2.5.35# make && make install

2.1.2.2. Installing Bison

The steps are the same as for flex.
root@Ubuntu:/home/chau/Desktop/Install# wget http://ftp.gnu.org/gnu/bison/bison-2.4.1.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp bison-2.4.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf bison-2.4.1.tar.gz
root@Ubuntu:/usr/local# cd bison-2.4.1
root@Ubuntu:/usr/local/bison-2.4.1# ./configure
root@Ubuntu:/usr/local/bison-2.4.1# make && make install

2.1.2.3. Installing libpcap

Install libpcap from source (http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz):
root@Ubuntu:/home/chau/Desktop/Install# wget http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp libpcap-1.0.0.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf libpcap-1.0.0.tar.gz
root@Ubuntu:/usr/local# cd libpcap-1.0.0
root@Ubuntu:/usr/local/libpcap-1.0.0# ./configure
root@Ubuntu:/usr/local/libpcap-1.0.0# make && make install

2.1.2.4. Installing pcre

root@Ubuntu:/home/chau/Desktop/Install# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp pcre-7.9.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local
root@Ubuntu:/usr/local# tar -xvzf pcre-7.9.tar.gz
root@Ubuntu:/usr/local# cd pcre-7.9
root@Ubuntu:/usr/local/pcre-7.9# ./configure
root@Ubuntu:/usr/local/pcre-7.9# make && make install

2.1.2.5. Installing libnet

root@Ubuntu:/home/chau/Desktop/Install# wget ftp://64.50.238.52/.1/gentoo/distfiles/libnet-1.1.2.1.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp libnet-1.1.2.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local/
root@Ubuntu:/usr/local# tar -xvzf libnet-1.1.2.1.tar.gz
root@Ubuntu:/usr/local# cd libnet
root@Ubuntu:/usr/local/libnet# ./configure
root@Ubuntu:/usr/local/libnet# make && make install

2.1.3.

Installing Snort

root@Ubuntu:/home/chau/Desktop/Install# wget http://www.procyonlabs.com/mirrors/snort/snort-2.8.4.1.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp snort-2.8.4.1.tar.gz /usr/local/
root@Ubuntu:/home/chau/Desktop/Install# cd /usr/local/
root@Ubuntu:/usr/local# tar -xvzf snort-2.8.4.1.tar.gz
root@Ubuntu:/usr/local# cd snort-2.8.4.1
root@Ubuntu:/usr/local/snort-2.8.4.1# ./configure --with-mysql
root@Ubuntu:/usr/local/snort-2.8.4.1# make && make install

2.2.

Creating the database that stores the alerts

- Log in to MySQL with the mysql client:
root@Ubuntu:/usr/local# mysql -u root -p
- Enter the password of the MySQL root user. After logging in, create the MySQL user that Snort will use. The user is named snort with the password 123456 (a placeholder for this lab; a real deployment needs a strong password):
mysql> use mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
mysql> flush privileges;
- Create the database for Snort, also named snort:
mysql> create database snort;
- Grant the snort account its privileges:
mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* to snort@localhost;
- Create the tables: change to the schemas directory of the unpacked Snort source and run the create_mysql script against the snort database:
root@Ubuntu:~# cd /usr/local/snort-2.8.4.1/schemas/
root@Ubuntu:/usr/local/snort-2.8.4.1/schemas# mysql -u root -p snort < create_mysql

2.3.

Creating the rules file

The rules file icmp.rules contains one rule that alerts on every ICMP packet:

alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

Save the icmp.rules file.


- Edit the snort.conf configuration file so that it points at icmp.rules and holds the MySQL access details. Delete the entire content of snort.conf and replace it with:

include /etc/snort/rules/icmp.rules
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost

Save the configuration file. This minimal configuration also drops all of Snort's preprocessors and default rules: it is enough for the ICMP test below but not for a production sensor. Because snort.conf now contains the database password, it should be readable only by the user Snort runs as.

2.4.

Installing BASE

The web server and PHP are already installed; a few PEAR packages for PHP still need to be added:

root@Ubuntu:/home/chau/Desktop/Install# apt-get install php-pear
root@Ubuntu:/home/chau/Desktop/Install# pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman

Installing ADODB:

root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/adodb/adodb508a.tgz
root@Ubuntu:/home/chau/Desktop/Install# cp adodb508a.tgz /var/www/
root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
root@Ubuntu:/var/www# tar -xvzf adodb508a.tgz

Installing BASE:

root@Ubuntu:/home/chau/Desktop/Install# wget http://nchc.dl.sourceforge.net/sourceforge/secureideas/base-1.4.2.tar.gz
root@Ubuntu:/home/chau/Desktop/Install# cp base-1.4.2.tar.gz /var/www/
root@Ubuntu:/home/chau/Desktop/Install# cd /var/www/
root@Ubuntu:/var/www# tar -xzvf base-1.4.2.tar.gz
root@Ubuntu:/var/www# rm -rf base-1.4.2.tar.gz
root@Ubuntu:/var/www# cd base-1.4.2/
root@Ubuntu:/var/www/base-1.4.2# cp base_conf.php.dist base_conf.php
root@Ubuntu:/var/www/base-1.4.2# vi base_conf.php

Change the following settings (the ADODB archive unpacks into /var/www/adodb5, which is the path given in $DBlib_path):

$DBlib_path = '/var/www/adodb5';
$DBtype = 'mysql';
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '123456';
$archive_exists = 1; # Set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_host = 'localhost';
$archive_port = '';
$archive_user = 'snort';
$archive_password = '123456';
/* Whois query */
$external_whois_link = '';
/* DNS query */
$external_dns_link = '';
/* SamSpade "all" query */
$external_all_link = '';

base_conf.php holds the database credentials and sits inside the web root, so BASE should not be left reachable without web-server authentication.

- Rename the BASE directory to a shorter path:
root@Ubuntu:/var/www# mv base-1.4.2/ base/


Chapter 3.

DEPLOYMENT AND EVALUATION OF RESULTS

3.1.

Deployment environment

The Snort intrusion detection and prevention service is installed on Ubuntu 10, running in a VMware Workstation 7.0 virtual machine.

3.2.

Some results of the program's functions

Figure 6: The Windows machine accessing the Ubuntu system


Figure 7: Snort's log displayed through the BASE interface, ICMP protocol

Figure 8: The acid_event table of the snort database holds the source IP, destination IP and time at which the Windows machine accessed the system with ICMP packets


Figure 9: The iphdr table of the snort database holds the version, ip_len, ip_id, ip_ttl and ip_csum of the Windows machine's packets

Figure 10

Figure 11

3.3.

Evaluation and remarks

The Snort intrusion detection and prevention system was installed successfully on Ubuntu. The Snort system provides these functions:

- Detects intrusion from outside into the system.
- Displays Snort's logs through the BASE interface.
- Stores the time and IP address of the intruding host in Snort's database tables, viewable in phpMyAdmin.

However, the system was only installed on a VMware virtual machine, and Snort's functions have not been fully exploited.


CONCLUSION AND FUTURE WORK

1. Results achieved

Theory: Through studying the theory and applying it, we gained a better understanding of how the Ubuntu operating system works, and of several network intrusion detection and prevention services, especially Snort. While building and installing Snort we also learned a great deal about networking.

Practice: The Snort intrusion detection and prevention system was installed successfully on Ubuntu, with these functions: detecting intrusion from outside into the system; displaying Snort's logs through the BASE interface; storing the time and IP address of the intruding host in Snort's database tables, viewable in phpMyAdmin.

2. Remaining problems

Snort can only defend against an attack effectively when it knows the signature of that attack. Relying on this, attackers can adjust their attacks so that the signature changes, and such attacks can then evade Snort's monitoring.

3. Future work

Study Snort's operation in more depth. Install Snort on a real server, run it there and test its intrusion detection and prevention.
