Snort Models
8/2/2019 Mo Hinh Snort
1/17
1
CONTENTS
1. INTRODUCTION ........................................................................ 3
2. GENERAL OPERATION ................................................................... 4
3. RULES FILE PARSING .................................................................. 8
4. DATA STRUCTURES AFTER PARSING ...................................................... 11
5. INITIALIZATION OF THE FAST PACKET DETECTION ENGINE ................................. 13
6. TOOLS AND RESOURCES ................................................................ 16
7. SOURCE CODE STATISTICS ............................................................. 17
SNORT MODELS
Authors: Andrés Felipe Arboleda ([email protected])
Charles Edward Bedón ([email protected])
Universidad del Cauca, Colombia
14th April 2005
Version 0.2 alpha
Ref: http://afrodita.unicauca.edu.co/~cbedon/snort/snort.html
Translated and updated by: L Tin
Last updated: 31/08/07.
1. INTRODUCTION
The purpose of this document is to present these models and the functions of Snort. The objects
of the UML sequence models (the rectangles at the top of each model) name the source files, and the
messages (the arrows) show the function calls together with the source file each call lives in.
All the sequence models are ordered by execution; in other words, Snort's execution starts with the
model illustrated in figure 1, then figure 2, and so on.
This document does not describe Snort's source code in detail; it only provides maps for
developers who want to know how to read Snort's source code.
These models were checked against Snort 2.2.0, running the following command:
snort -d -l -c
2. GENERAL OPERATION
Figure 1: Snort block model
Each module is described as follows:
o Decoder module: converts the captured packets into structures and identifies the link-layer
protocol. It then moves up to the next layer, decoding IP, then TCP or UDP or another protocol,
to extract useful information such as ports and addresses. Snort raises an alert if it finds
malformed headers, an abnormal TCP length, and so on.
o Preprocessors: they can be seen as filters that identify the attributes to be examined later
(in the following modules, such as the Detection Engine), for example suspicious connection
attempts to TCP/UDP ports, or many UDP packets arriving within a short time (a port scan). The
preprocessor functions pick out the potentially dangerous elements for the detection engine by
trying to find known patterns.
o Rules files: these files contain the list of rules, written in a given syntax. The syntax
covers protocols, addresses, associated output plug-ins, and so on. Rules files are updated in
the same way as virus-definition files.
o Detection plug-ins: these modules are referenced from their definitions in the rules files,
and they are used to identify attack patterns whenever a rule is matched.
o Detection engine: makes use of the detection plug-ins; it matches packets against the rules
previously loaded into memory at Snort initialization.
o Output plug-ins: these modules format the notifications (alerts, logs) so that the user can
access them in many ways (console, external files, databases, etc.).
Figure 2: Snort initialization (Sequence model 1)
Figure 3: Snort initialization (Sequence model 2)
Figure 4: Rules file parsing (Sequence model 3).
3. RULES FILE PARSING
Note: the following functions are in the file ./parser.c
ParseRulesFile()
This function parses, in a single loop, each line of the configuration file (e.g. snort.conf). If
the line is a valid rule (not a comment), it is handed to the rule parser (the ParseRule() function).
ParseRule()
This function is executed once for each valid line of the configuration file. First it looks for
lines that are not intrusion-detection rules, in other words directives such as include, var,
preprocessor and output plug-ins, and it calls the initialization function for each of them.
If the line is a detection rule, that is, it begins with alert, log, pass, activate or dynamic,
the rule is validated and placed in memory by the ProcessHeadNode() function.
Detection rules are held in memory inside RuleTreeNode (RTN) and OptTreeNode (OTN) structures,
declared in the file ./rules.h.
Note: see also question 3.17 "How does rule ordering work?" of [SnortFAQ 03].
ProcessHeadNode()
Prototype: ProcessHeadNode(RuleTreeNode *test_node, ListHead *list, protocol)
It builds an RTN from test_node and links it at the end of the RTN chain of the corresponding
protocol in the ListHead pointed to by list [Schildt 90].
Figure 5: Data structures associated with the ProcessHeadNode() function.
ParseRuleOptions()
Prototype: ParseRuleOptions(char *rule, int rule_type, int protocol)
It creates the OTNs and attaches them to the RTN pointed to by the global variable rtn_tmp,
which was set by ProcessHeadNode(). It is called by ParseRule().
In this way we obtain a structure of RTNs and OTNs linked in a matrix (we call it a linked matrix:
a structure linked in two directions) that describes the rules held in memory. The RTNs hold the
data given by the rule header, while the OTNs hold the data given by the rule options section.
Example:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
|------------------- Header ------------------|---------------------- Options ------------------------|
The linked matrix is illustrated below. In the figure each square represents a data structure and
each arrow a pointer.
Figure 6: Linked matrix
4. DATA STRUCTURES AFTER PARSING
After the rules file has been parsed, the rules are held in RTNs and OTNs with the following
structure:
Figure 7: How the rules are stored.
The RuleLists pointer is a global variable defined in the file ./parser.c; it is used to go over
all the rules held in memory. It points to the first element of a linked list of RuleListNode.
Each node of the list has a ListHead pointer; there is one such structure per rule type (Alert,
Dynamic, Log, Pass and Activation). Finally, each ListHead has 4 pointers, one per protocol (IP,
TCP, UDP and ICMP), each pointing to a linked matrix of RTNs and OTNs (where the rules are stored).
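The parsing path of section 3 and the resulting RuleLists -> ListHead -> RTN -> OTN structure of section 4, as an added Python model. This is illustration code written for this page, not Snort's own source; the function and structure names mirror Snort 2.2.0's, the sample configuration text is constructed, and two simplifications are assumed: RuleLists is a dict keyed by rule type instead of a linked list of RuleListNode, and directives (var, include, preprocessor, output) are only recognised, not acted on. Rules whose headers are identical share one RTN, which is what gives the linked matrix its OTN columns.

```python
"""Model of ParseRulesFile() -> ParseRule() -> ProcessHeadNode() / ParseRuleOptions()
and of the RuleLists -> ListHead -> RTN chain -> OTN column structure they leave behind.
Added illustration, not Snort's code; the names mirror Snort 2.2.0's."""
import re
from dataclasses import dataclass, field

# rule keywords, in Snort's default rule-list order: activation, dynamic, alert, pass, log
RULE_TYPES = ("activate", "dynamic", "alert", "pass", "log")
PROTOCOLS = ("ip", "tcp", "udp", "icmp")
DIRECTIVES = ("var", "include", "preprocessor", "output", "config")   # non-rule lines
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

@dataclass
class OptTreeNode:
    """OTN: the options section of one rule, keyword -> list of values (True for flags)."""
    options: dict

@dataclass
class RuleTreeNode:
    """RTN: the rule header.  Rules with an identical header share one RTN."""
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    otns: list = field(default_factory=list)     # the OTN column under this RTN

    def header(self):
        return (self.src_ip, self.src_port, self.direction, self.dst_ip, self.dst_port)

@dataclass
class ListHead:
    """One per rule type: an RTN chain for each of the four protocols."""
    chains: dict = field(default_factory=lambda: {p: [] for p in PROTOCOLS})

def parse_rule_options(opts):
    """ParseRuleOptions(): split 'key:value; key; ...' into a dict, honouring double quotes."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        while i < n and opts[i].isspace():
            i += 1
        if i >= n:
            break
        j = i
        while j < n and opts[j] not in ":;":
            j += 1
        key = opts[i:j].strip()
        value = True                                  # bare flag such as nocase;
        if j < n and opts[j] == ":":
            j += 1
            if j < n and opts[j] == '"':              # quoted value, may contain ';'
                k = opts.index('"', j + 1)
                value, j = opts[j + 1:k], k + 1
            else:
                k = opts.find(";", j)
                k = n if k < 0 else k
                value, j = opts[j:k].strip(), k
        result.setdefault(key, []).append(value)
        k = opts.find(";", j)
        i = n if k < 0 else k + 1
    return result

def process_head_node(test_node, list_head, protocol):
    """ProcessHeadNode(): append test_node to the RTN chain of `protocol` in list_head, unless
    an RTN with the same header is already there; that RTN is then reused (this is what gives
    the linked matrix its OTN columns)."""
    chain = list_head.chains[protocol]
    for rtn in chain:
        if rtn.header() == test_node.header():
            return rtn
    chain.append(test_node)
    return test_node

def parse_rule(line, lineno, rule_lists):
    """ParseRule(): directives go to their own handlers (only recognised here); a detection
    rule goes through ProcessHeadNode() and then ParseRuleOptions()."""
    if line.split(None, 1)[0] in DIRECTIVES:
        return
    m = HEADER_RE.match(line)
    if not m or m.group(1) not in RULE_TYPES or m.group(2) not in PROTOCOLS:
        raise ValueError(f"line {lineno}: not a valid rule: {line!r}")
    rtype, proto, sip, sport, direction, dip, dport, opts = m.groups()
    rtn = process_head_node(RuleTreeNode(sip, sport, direction, dip, dport),
                            rule_lists[rtype], proto)
    rtn.otns.append(OptTreeNode(parse_rule_options(opts)))

def parse_rules_file(text):
    """ParseRulesFile(): one pass over the configuration; comments and blank lines are skipped."""
    rule_lists = {t: ListHead() for t in RULE_TYPES}         # stands in for the RuleLists global
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            parse_rule(line, lineno, rule_lists)
    return rule_lists

def walk_rules(rule_lists):
    """Go over every rule in memory: RuleLists -> ListHead -> protocol chain -> RTN -> OTN."""
    return [(t, p, rtn, otn) for t, lh in rule_lists.items()
            for p, chain in lh.chains.items() for rtn in chain for otn in rtn.otns]

SAMPLE_CONF = """\
# constructed sample configuration, not a real snort.conf
var HOME_NET 192.168.1.0/24
preprocessor stream4: detect_scans
output alert_fast: alerts.txt
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a0|"; msg:"same header, second OTN";)
log udp any any -> 192.168.1.0/24 53 (msg:"DNS query logged";)
alert icmp any any <> any any (itype:8; msg:"ICMP echo request";)
"""

def build_sample():
    return parse_rules_file(SAMPLE_CONF)

if __name__ == "__main__":
    for rtype, proto, rtn, otn in walk_rules(build_sample()):
        print(rtype, proto, rtn.header(), otn.options["msg"][0])
```

Running the block prints one line per OTN; the two tcp/111 rules appear under a single RTN, the udp rule under the log ListHead, and the icmp rule under the alert ListHead's icmp chain, which is the shape figure 7 draws.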
Figure 8: Fast packet detection engine initialization (Sequence model 4)
5. INITIALIZATION OF THE FAST PACKET DETECTION ENGINE
Initialization starts with a call to fpCreateFastPacketDetection(), in the file ./fpcreate.c,
from SnortMain(). fpCreateFastPacketDetection() goes over all the rules held in memory using
the global variable RuleLists with a RuleListNode pointer; each rule is classified according to
its content (Content, UriContent or NoContent).
The content is determined through the OTN corresponding to the rule. This OTN contains a field
called ds_list, an array of pointers to different data structures; the content class is assigned
according to the type of these structures.
After this first classification, it is determined whether the rule is bidirectional, and one of
the functions prmAddRule(), prmAddRuleUri() or prmAddRuleNC() is called depending on the content
type. These functions sort the rules into tables corresponding to the source port and the
destination port of the rule. The aim is to make the comparison of packets against the rules
faster.
Figure 9: Data structures corresponding to the fast packet detection engine.
If we look at fpCreateFastPacketDetection(), we find the declaration of one PORT_RULE_MAP per
protocol (tcp, udp, ip, icmp); inside each PORT_RULE_MAP there are 3 groups of PORT_GROUP: the
source-port table (prmSrcPort), the destination-port table (prmDstPort), and finally the generic
table (prmGeneric), used for rules with srcport=any and dstport=any.
Figure 10: When a packet arrives (Sequence model 5).
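The port tables described in this section, and the lookup they make possible when a packet arrives, as an added Python model. This is illustration code written for this page, not Snort's own source; the names mirror fpcreate.c's PORT_RULE_MAP and PORT_GROUP, the rule set and packet payloads are constructed, and rules are given already parsed, as the fields the OTN's ds_list would supply. Assumptions of the model, not statements about Snort: a rule with both ports specified is filed in both tables and deduplicated at lookup time; only single ports and "any" are modelled (no ranges or variables); a plain substring search stands in for Snort's multi-pattern matcher, and uricontent is searched in the raw payload rather than the normalized URI.

```python
"""Model of fpCreateFastPacketDetection(): classify each rule by content type, file it
into the PORT_RULE_MAP tables (prmSrcPort, prmDstPort, prmGeneric) of its protocol, then
fetch only the candidate rules for an arriving packet.  Added illustration, not Snort's code."""
from dataclasses import dataclass, field
from typing import Optional

ANYPORT = -1                            # stand-in for 'any'
PROTOCOLS = ("ip", "tcp", "udp", "icmp")

@dataclass(frozen=True)
class Rule:
    sid: int
    proto: str
    sport: int                          # ANYPORT or a single port; ranges are not modelled
    dport: int
    bidirectional: bool = False         # a '<>' rule
    content: Optional[bytes] = None     # raw-payload pattern
    uricontent: Optional[bytes] = None  # normalized-URI pattern

def content_class(rule):
    """First classification pass: Content, UriContent or NoContent."""
    if rule.uricontent is not None:
        return "UriContent"
    if rule.content is not None:
        return "Content"
    return "NoContent"

@dataclass
class PortGroup:
    """PORT_GROUP: the rules filed under one port (or the generic group), per content class."""
    content: list = field(default_factory=list)
    uricontent: list = field(default_factory=list)
    nocontent: list = field(default_factory=list)

    def add(self, rule):
        getattr(self, content_class(rule).lower()).append(rule)

    def rules(self):
        return self.content + self.uricontent + self.nocontent

@dataclass
class PortRuleMap:
    """PORT_RULE_MAP: one per protocol."""
    prmSrcPort: dict = field(default_factory=dict)            # source port -> PortGroup
    prmDstPort: dict = field(default_factory=dict)            # destination port -> PortGroup
    prmGeneric: PortGroup = field(default_factory=PortGroup)  # srcport=any and dstport=any

def prm_add_rule(prm, rule, sport, dport):
    """prmAddRule()/prmAddRuleUri()/prmAddRuleNC() collapsed into one: a rule goes under its
    destination port and/or its source port, or into the generic group when both are 'any'.
    Model assumption: a rule with both ports set lands in both tables, deduplicated on lookup."""
    if dport != ANYPORT:
        prm.prmDstPort.setdefault(dport, PortGroup()).add(rule)
    if sport != ANYPORT:
        prm.prmSrcPort.setdefault(sport, PortGroup()).add(rule)
    if sport == ANYPORT and dport == ANYPORT:
        prm.prmGeneric.add(rule)

def fp_create_fast_packet_detection(rules):
    """Walk every rule once (in Snort: RuleLists -> RuleListNode -> ... -> OTN) and build the maps."""
    maps = {p: PortRuleMap() for p in PROTOCOLS}
    for r in rules:
        prm_add_rule(maps[r.proto], r, r.sport, r.dport)
        if r.bidirectional:             # a '<>' rule is filed a second time with the ports swapped
            prm_add_rule(maps[r.proto], r, r.dport, r.sport)
    return maps

def candidate_rules(maps, proto, sport, dport):
    """The rules a packet is compared against: its destination-port group, its source-port
    group and the generic group.  Every other rule is skipped without being evaluated."""
    prm = maps[proto]
    seen, out = set(), []
    for group in (prm.prmDstPort.get(dport), prm.prmSrcPort.get(sport), prm.prmGeneric):
        if group is None:
            continue
        for r in group.rules():
            if r.sid not in seen:
                seen.add(r.sid)
                out.append(r)
    return out

def match_packet(maps, proto, sport, dport, payload):
    """SIDs of the candidate rules that match.  A substring search stands in for Snort's
    multi-pattern matcher; uricontent is searched in the raw payload here, whereas Snort
    searches the normalized URI.  NoContent rules match on the port lookup alone."""
    matched = []
    for r in candidate_rules(maps, proto, sport, dport):
        pattern = r.uricontent if r.uricontent is not None else r.content
        if pattern is None or pattern in payload:
            matched.append(r.sid)
    return matched

# constructed rule set; sid 1 is the mountd example from section 3
SAMPLE_RULES = [
    Rule(1, "tcp", ANYPORT, 111, content=b"\x00\x01\x86\xa5"),
    Rule(2, "tcp", ANYPORT, 80, uricontent=b"/cgi-bin/"),
    Rule(3, "tcp", 6667, ANYPORT, content=b"PING"),
    Rule(4, "tcp", ANYPORT, ANYPORT, content=b"/bin/sh"),
    Rule(5, "udp", ANYPORT, 53),
    Rule(6, "tcp", 21, ANYPORT, bidirectional=True, content=b"530 "),
]

if __name__ == "__main__":
    maps = fp_create_fast_packet_detection(SAMPLE_RULES)
    pkt = b"\x80\x00\x00\x28\x00\x01\x86\xa5\x00\x00\x00\x02"   # constructed payload
    print([r.sid for r in candidate_rules(maps, "tcp", 1234, 111)])
    print(match_packet(maps, "tcp", 1234, 111, pkt))
```

For a tcp packet from port 1234 to port 111, only the rules under prmDstPort[111] and prmGeneric (two of the six) are ever compared; the bidirectional ftp rule is reachable from either direction because it was filed under both prmSrcPort[21] and prmDstPort[21].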
Figure 11: When a packet arrives (Sequence model 6).
6. TOOLS AND RESOURCES
The authors used the following tools and resources for this work:
OpenOffice 1.1.4
OS: Linux (Mandrake 10.1 Official).
IDE: KDevelop 3.0 (GNU tools: make, gdb, ...)
7. SOURCE CODE STATISTICS
For Snort 2.2.0
General information
Number of .c files: 135
Number of .h files: 154
Number of source code lines (approx.): 99,317
Total size of files: 2,471,751 bytes
Number of .c and .h files per directory

Directory                     .c files  .h files  Lines in .c  Lines in .h  Total lines
./                                  27        41       26,794        5,821       32,615
./detection-plugins                 28        28       10,417          756       11,173
./output-plugins                    11        11        7,417          362        7,779
./parser                             1         1          312           48          360
./preprocessors                     18        19       17,724          951       18,675
./preprocessors/flow                13        16        4,498          835        5,333
./preprocessors/HttpInspect         14        19        5,885          923        6,808
./sfutil                            17        18       12,587        1,974       14,561
./win32/WIN32-Code                   6         1        1,887          126        2,013
TOTALS                             135       154       87,521       11,796       99,317