7/30/2019 Detecting and Preventing Unauthorized Intrusion with Snort

DETECTING AND PREVENTING UNAUTHORIZED INTRUSION USING SNORT
Presenter: Võ Đỗ Thắng
Director of Athena

Contents

Introduction to Snort
Sniffer mode
Packet Logger mode
Network Intrusion Detection System (NIDS)
Inline mode
Installing and configuring Snort
Preprocessors
Output modules
Snort rule structure
Rule header
Rule options

Introduction

Snort is open-source software capable of detecting and preventing unauthorized intrusions.
Snort operates as software placed between two communicating computers: before a packet is delivered to the destination host, Snort inspects and evaluates it.
Snort can detect many kinds of intrusion, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts.

Introduction (cont.)

[Figure: network diagram of IDS sensor placement. Labels: Internet, Firewall, Router, DMZ network, Extranet, with an IDS on each network segment.]

Introduction (cont.)

Snort operating modes:
Sniffer mode: displays information about the packets travelling on the network on the console screen.
Packet Logger mode: logs the packets to disk.
Network Intrusion Detection System (NIDS): the fullest and most complex operating mode.
Inline mode: intercepts packets as soon as they are handed to iptables, allowing packets to be dropped from within iptables.

Sniffer Mode

Display packet header information: snort -v
Also display the application-layer data carried in the packet: snort -vd
Also display the data-link-layer headers: snort -vde (equivalently snort -vd -e)

Packet Logger Mode

Save the packet information to a file: snort -dev -l [filename]
Save the information in binary form: snort -l [filename] -b
Read the information back from a binary file: snort -dvr [filename]
Read back only ICMP packets by appending a filter: snort -dvr [filename] icmp
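The binary log written with -b is in tcpdump (pcap) format, which is what snort -dvr reads back. The following Python script is an added example, not part of the original slides or of the Snort project: it builds a small two-packet pcap image in memory (constructed sample data, with made-up addresses), parses the pcap global and record headers, decodes the Ethernet and IPv4 headers, and applies a protocol filter the way the trailing icmp argument does in snort -dvr [filename] icmp. The function names are this example's own.

```python
import struct

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header; checksum left as 0 (this reader does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))


def ethernet_frame(payload):
    """Ethernet II frame with constructed MAC addresses and EtherType 0x0800 (IPv4)."""
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + payload


def build_sample_pcap():
    """Constructed sample: a pcap image holding one ICMP echo request and one TCP SYN."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"snort"                      # echo request + 5 data bytes
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)    # SYN to port 80
    frames = [
        ethernet_frame(ipv4_header(1, "192.168.1.10", "192.168.1.1", len(icmp)) + icmp),
        ethernet_frame(ipv4_header(6, "192.168.1.10", "10.0.0.5", len(tcp)) + tcp),
    ]
    # Global header: magic, version 2.4, timezone offset, sigfigs, snaplen, link type 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # Record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1564480000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) for each record; the magic number reveals the byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec, data[pos:pos + incl_len]
        pos += incl_len


def decode_frame(frame):
    """Decode Ethernet + IPv4; returns None for frames that are not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    return {
        "proto": PROTO_NAMES.get(ip[9], str(ip[9])),
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "payload": ip[ihl:],
    }


def filter_packets(data, proto=None):
    """Read a binary log back and keep only one protocol, like `snort -dvr file icmp`."""
    kept = []
    for ts, frame in read_pcap(data):
        pkt = decode_frame(frame)
        if pkt is not None and (proto is None or pkt["proto"] == proto):
            pkt["ts"] = ts
            kept.append(pkt)
    return kept


if __name__ == "__main__":
    for pkt in filter_packets(build_sample_pcap(), "icmp"):
        print(pkt["ts"], pkt["proto"], pkt["src"], "->", pkt["dst"], len(pkt["payload"]), "payload bytes")
```

Running the script lists only the ICMP record; calling filter_packets without a protocol returns both. The same reader works on a real file produced by snort -l [filename] -b once its bytes are loaded, because the byte order is taken from the magic number rather than assumed.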

Network Intrusion Detection System

The most complex operating mode, with the most options.
The rule file to run with must be specified (option -c):
snort -u snort -g snort -dD -c /etc/snort
By default this mode produces full alerts and logs packets in ASCII form.

Inline Mode

Build with inline-mode support: ./configure --enable-inline
Three rule types are used in inline mode:
drop: iptables discards the packet and the event is logged.
reject: iptables discards the packet, the event is logged, and the source host is notified that the packet will not arrive.
sdrop: iptables discards the packet without notifying the source host and without logging the event.
snort_inline -QDc ../etc/drop.conf -l /var/log/snort

Installation

./configure
make
make install
Running in NIDS mode requires a rule set: snortrules.tar.gz
tar -xzvf snortrules.tar.gz -C /etc/snort
Edit the file /etc/snort/snort.conf

Configuring Snort

preprocessor: examines a packet right after it has been decoded. Preprocessors run before all of the other rule-matching and detection steps.
Configuration line: preprocessor <name>: <options>
output module: gives flexibility in how notifications are formatted for the user.
Configuration line: output <name>: <options>

Configuring Snort (cont.)

Preprocessors: Stream4, sfPortscan, Performance Monitor, ASN.1 Detection
Output modules: alert_syslog, alert_fast, alert_full, log_tcpdump, csv

Snort Rule Structure

Rule header: rule action, protocol, source and destination IP addresses, source and destination ports.
Rule options: the alert message, plus the information that identifies which packets are to be captured.
Example rule:
alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)
In this example "alert" is the rule action and "tcp" the protocol; the remaining header fields are the source address and port, the direction operator, and the destination address and port, and everything inside the parentheses is the rule options.
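To make the header/option split concrete, the following Python code is an added example (not from the slides or from Snort itself) that parses a rule into its seven header fields and its option list, checks the action against the actions named in this presentation, keeps a ';' inside a quoted string from splitting an option, and decodes a |..| hex content string into bytes. It is run on the mountd rule shown above and on a constructed inline-mode rule; the function names and the constructed rule are this example's assumptions.

```python
# Rule actions from the slides: the five base actions plus the three inline-only ones.
RULE_ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
INLINE_ONLY = {"drop", "reject", "sdrop"}
HEADER_FIELDS = ("action", "proto", "src", "sport", "direction", "dst", "dport")


def decode_content(value):
    """Convert a Snort content string to bytes: text outside |...| is literal,
    text inside the pipes is hex byte pairs, e.g. "|00 01 86 a5|" -> b'\\x00\\x01\\x86\\xa5'."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def split_options(text):
    """Split 'key:value; key; ...' into (key, value) pairs; a ';' inside quotes does not split."""
    options, current, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            item = "".join(current).strip()
            if item:
                key, _, value = item.partition(":")
                options.append((key.strip(), value.strip().strip('"')))
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        raise ValueError("last option is missing its terminating ';'")
    return options


def parse_rule(rule):
    """Parse one rule into its header fields and its option list."""
    header, paren, body = rule.strip().partition("(")
    if not paren or not body.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    fields = header.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("header must be: action protocol src sport direction dst dport")
    parsed = dict(zip(HEADER_FIELDS, fields))
    if parsed["action"] not in RULE_ACTIONS:
        raise ValueError(f"unknown rule action {parsed['action']!r}")
    if parsed["direction"] not in ("->", "<>"):
        raise ValueError(f"bad direction operator {parsed['direction']!r}")
    options = split_options(body[:-1])          # drop the closing ')'
    parsed["inline_only"] = parsed["action"] in INLINE_ONLY
    parsed["options"] = options
    parsed["msg"] = next((v for k, v in options if k == "msg"), None)
    parsed["content"] = [decode_content(v) for k, v in options if k == "content"]
    return parsed


# The rule from the slide, and a constructed inline-mode rule with a ';' inside its message
MOUNTD_RULE = 'alert tcp any any -> any any (content:"|00 01 86 a5|"; msg:"mountd access";)'
INLINE_RULE = 'drop tcp any any -> 10.0.0.5 80 (msg:"blocked; inline only"; sid:1000001;)'

if __name__ == "__main__":
    for rule in (MOUNTD_RULE, INLINE_RULE):
        r = parse_rule(rule)
        print(r["action"], r["proto"], r["src"], r["sport"], r["direction"], r["dst"], r["dport"],
              "| msg:", r["msg"], "| inline only:", r["inline_only"],
              "| content:", [c.hex(" ") for c in r["content"]])
```

A rule whose action is not one of the listed keywords is rejected, which is the check to run before a rule file is loaded in NIDS mode; the inline_only flag marks rules that only make sense under snort_inline.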

Rule Action

Rule actions:
alert: generate an alert and log the packet.
log: log the packet.
pass: ignore the packet.
activate: generate an alert and then trigger another rule.
dynamic: stay idle until activated by another rule.
drop: have iptables discard the packet and log the discarded packet.
reject: have iptables discard the packet, log it, and also send a rejection notice to the source host.
sdrop: have iptables discard the packet without logging it and without notifying the source host.

Rule Action (cont.)

Defining a custom rule type to suit a purpose:
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=snort host=localhost
}

Rule Options

meta-data: provide information about the rule but have no effect on packet detection.
payload: look for information in the payload portion of the packet.
non-payload: look for information in the non-payload portion of the packet.
post-detection: take effect after a rule has been triggered.

Meta-data Options

msg:"<message text>";
reference:<id system>,<id>;
sid:<snort rules id>;
classtype:<class name>;
priority:<priority integer>;

Payload Options

content:[!]"<content string>";
nocase;
rawbytes;
depth:<number>;
offset:<number>;
distance:<byte count>;
uricontent:[!]"<content string>";
isdataat:<int>[,relative];
byte_test:<bytes to convert>, [!]<operator>, <value>, <offset> [,relative] [,<endian>] [,<number type>, string];
byte_jump
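The way these modifiers narrow a content match is easiest to see by evaluating them against a buffer. The following Python code is an added example, not the slides' or Snort's own: it implements the offset, depth, distance and nocase semantics of content and a byte_test comparison with the relative modifier, then runs a sequence of checks in rule order against a constructed sample payload that carries the mountd program number from the earlier example rule followed by an HTTP-style request line. The function names, the check encoding and the sample payload are this example's assumptions.

```python
import operator

# byte_test operators from the slide's syntax; '&' is a bitmask test (true when the AND is non-zero)
OPERATORS = {
    "<": operator.lt,
    ">": operator.gt,
    "=": operator.eq,
    "&": lambda a, b: (a & b) != 0,
}

# Constructed sample payload: mountd program number (0x000186a5), a version field of 2,
# then a text request line, so both hex and text content checks have something to hit.
SAMPLE_PAYLOAD = b"\x00\x01\x86\xa5\x00\x00\x00\x02GET /cgi-bin/test HTTP/1.0\r\n"


def find_content(payload, pattern, last_end=0, offset=0, depth=None, distance=None, nocase=False):
    """Search `payload` for `pattern` under Snort's content modifiers.

    offset/depth: start at `offset` and look only at the next `depth` bytes.
    distance: instead start `distance` bytes after the end of the previous content match.
    nocase: compare case-insensitively.
    Returns the index just past the match, or -1 if the pattern is not found."""
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    start = last_end + distance if distance is not None else offset
    end = None if depth is None else start + depth
    hit = hay[start:end].find(needle)
    return -1 if hit < 0 else start + hit + len(needle)


def byte_test(payload, nbytes, op, value, offset, last_end=0, relative=False, endian="big"):
    """Read `nbytes` at `offset` (counted from the last match when relative) and compare."""
    start = offset + (last_end if relative else 0)
    chunk = payload[start:start + nbytes]
    if len(chunk) < nbytes:
        return False
    return OPERATORS[op](int.from_bytes(chunk, endian), value)


def evaluate(payload, checks):
    """Apply ('content', {...}) / ('byte_test', {...}) checks in rule order.
    Like the detection engine, stop at the first check that fails."""
    last_end = 0
    for kind, spec in checks:
        if kind == "content":
            last_end = find_content(payload, last_end=last_end, **spec)
            if last_end < 0:
                return False
        elif kind == "byte_test":
            if not byte_test(payload, last_end=last_end, **spec):
                return False
        else:
            raise ValueError(f"unsupported check {kind!r}")
    return True


def mountd_cgi_checks():
    """Checks equivalent to the option string
    content:"|00 01 86 a5|"; offset:0; depth:4; byte_test:4,=,2,0,relative;
    content:"get"; nocase; distance:0; content:"/cgi-bin/"; distance:1;"""
    return [
        ("content", {"pattern": b"\x00\x01\x86\xa5", "offset": 0, "depth": 4}),
        ("byte_test", {"nbytes": 4, "op": "=", "value": 2, "offset": 0, "relative": True}),
        ("content", {"pattern": b"get", "nocase": True, "distance": 0}),
        ("content", {"pattern": b"/cgi-bin/", "distance": 1}),
    ]


if __name__ == "__main__":
    print("match:", evaluate(SAMPLE_PAYLOAD, mountd_cgi_checks()))
```

Two points the slide's syntax lines do not make obvious show up when you vary the checks: a content without distance or relative is searched from the start of the payload every time, so repeating the same content twice still matches, whereas adding distance:0 anchors the second search after the first hit; and a depth smaller than the pattern length can never match, which is a common mistake when a rule is tightened.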

Non-payload Options

ttl: time to live.
tos: type of service.
dsize: checks whether the data size exceeds a specified value.
flags: checks the TCP flag bits (F: FIN, S: SYN, R: RST, A: ACK).
flow: specifies the direction of the connection.
window: checks the TCP window size.

Post-detection Options

logto: logs the event to a file. Syntax: logto:"filename";
session: used to extract the event's data from a TCP session. Syntax: session:[printable|all];
resp, react.

Q&A