d vmwin2003ids 12 2012huongdanthuchanhattt snort10 2012
TRANSCRIPT
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
1
HNG DN THC HNH SNORT 1 Gii thiu v SNORT
Snort l mt sn phm m ngun m c pht trin nhm pht hin nhng xm nhp tri php vo h thng bi nhng quy tc hay lut c thit lp sn, nhng thit lp ny da vo nhng du hiu, giao thc v s d thng.
Snort s dng cc lut c lu tr trong cc file text, c th c chnh sa bi ngi qun tr. Cc lut c nhm thnh cc kiu. Cc lut thuc v mi loi c lu trong cc file khc nhau. File cu hnh chnh ca Snort l snort.conf. Snort c nhng lut ny vo lc khi to v xy dng cu trc d liu cung cp cc lut bt gi mu vi phm. Tm ra cc du hiu v s dng chng trong cc lut l mt vn i hi s tinh t, v cng s dng nhiu lut th nng lc x l cng c i hi thu thp d liu trong thc t. Snort c mt tp hp cc lut c nh ngha trc pht hin cc hnh ng xm nhp v cc qun tr vin cng c th thm vo cc lut ca chnh mnh. Qun tr vin cng c th xa mt vi lut c to trc trnh vic bo ng sai. Snort bao gm mt hoc nhiu sensor v mt server CSDL chnh.Cc Sensor c th c t trc hoc sau firewall:
o Gim st cc cuc tn cng vo firewall v h thng mng o C kh nng ghi nh cc cuc vt firewall thnh cng
2 Ci t Snort Gi s a ch IP my Server l 192.168.1.9 Download Wincap: http://www.winpcap.org/install/default.htm Download Snort: http://snort.org/snort-downloads Ci t Winpcap Ci t Snort ti th mc C:\Snort
2.1 Xem th mc ci t C:\Snort\bin>dir
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
2
2.2 Xem tp tin snort.conf C:\Snort\bin>type C:\Snort\etc\snort.conf
2.3 Xem s hiu card mng tin hnh sniffer ta cn chn card mng snort t vo ch promicous, Nu my tnh c nhiu card hy s lnh snort W xc nh card mng.
snort W
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
3
2.4 Xem kt qu bt gi tin Hin th IP v TCP/UDP/ICMP header C:\Snort\bin\snort v i4 Xem thng tin truyn ca cc ng dng C:\Snort\bin\snort vd i4 Hin th thm cc header ca gi tin ti tng Data Link: C:\Snort\bin\snort -dev -i 1
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
4
Nhn Ctrl+C dng
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
5
2.5 Bt gi tin v lu vo tp tin log C:\Snort\bin>snort -i 1 -s -l c:\Snort\log
Kt qu tp tin log c to
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
6
C:\Snort\bin>snort -dev -i 1 -l c:\snort\log
2.6 Cu hnh h thng dch v snort C:\Snort\bin>snort /SERVICE /INSTALL -c c:\snort\etc\snort.conf -l c:\snort\log -K ascii -i1
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
7
sc config snortsvc start= auto
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
8
3 Cu hnh dch v Snort M tp tin C:\Snort\etc\snort.conf
3.1 Cu hnh a ch mng Trin khai Snort trn lp mng C vi dy a ch 192.168.1.0/24 Thit lp bin HOME_NET nh sau:
3.2 Khai bo ng dn n cc lut Khai bo ng dn n ni cha cc quy tc snort rules nh sau :
Ni dung gc:
Chnh sa nh sau:
Khai bo cc bin include classification.config v reference.config:
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
9
3.3 Ti b lut Ti b lut rules t https://www.snort.org/snort-rules/ v v gii nn, Sao th mc rules vo C:\Snort\rules Ch : cc rule ny phi ph hp vi phin bn Snort ang ci.
4 Thc hnh thit lp lut Snort cnh bo
4.1 V d lut cnh bo PING Trong tp tin finger.rules ti th mc C:\Snort\rules ta thit lp lut nh sau:
alert icmp ip any any -> $HOME_NET any (msg: " Co may dang ping den "; sid: 1;) Lut ny s a ra dng cnh bo Co may dang ping den nu pht hin gi
tin icmp bt k t mt mng no ping n my my c a ch ip l HOME_NET ( a ch 192.168.1.150 nh thit lp trn)
Ti ca s dng lnh ta thc hin cu lnh: snort dve l c:\snort\log c :\snort\etc\snort.conf i 2
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
10
pht hin gi tin n v ghi vo file log alert.ids T bn ngoi thc hin lnh ping n my ci t Snort:
Kt qu ti my ci t Snort :
Kt qu file log alert.ids
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
11
4.2 V d lut cnh bo PING kch thc ln Thm lnh vo file icmp-info.rules :
Thm lnh vo file icmp.rules
Khi ping tai my client vi size ping = 64kb n http://google.com :
Ti my t snort
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
12
Kt qu ti file log alert .ids:
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
13
4.3 V d thit lp lut cnh bo truy cp Web Trong th mc C:\Snort\rules ta to file youtube.rules bit mt my no
t bt k mng no truy cp vo a ch http://www.youtube.com vi ni dung file : alert tcp any any -> any any (content: "www.youtube.com"; ms:" ban moi ghe tham trang web youtebe.com"; sid: 1000000;rev : 1;)
Tuy nhin, nu th th Snort khng th pht hin ra c rules ny, ta phi thm rules vo trong tp tin Snort.config Snort nhn bit c lut ny.
Kt qu ti my Snort :
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
14
M tp tin alert.isds ta thy dng cnh bo hin ra :
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
15
4.4 To mi mt lut v chy t dng lnh To tp tin lut C:\Snort\rules\ ping.rules vi ni dung sau: Alert icmp any any -> any any (msg:May dang bi ping!;SID: 1212121212;)
Khai bo trong C:\Snort\etc\snort.conf trong vi cu lnh: include $RULE_PATH/ping.rules
v chnh sa thm cc dng sau:
thnh:
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
16
Sa:
thnh:
Tip theo ta vo cmd v g lnh: C:\snort\bin\snort dev l c:\snort\log c c:\snort\rules\ping.rules
Kt qu:
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
17
Dng my tnh khc ping ti my ci snort (c ip l 192.168.1.8).
Kt qu ni dung cnh bo trong tp tin alert.ids:
-
B mn Mng & Truyn thng, Khoa CNTT, HBK Nng
18