Understanding IDS and Deploying an Intrusion Detection System on a Local Area Network


TABLE OF CONTENTS

LIST OF FIGURES IN THE REPORT ... 5
ABBREVIATIONS ... 6
INTRODUCTION ... 8
PART 1: OVERVIEW ... 9
1.1 Reasons for choosing the topic ... 10
1.2 Analysis of the current situation ... 10
1.3 Requirements ... 11
1.4 Limits and scope of the research ... 12
1.5 Practical significance of the topic ... 12
PART 2: UNDERSTANDING IDS ... 13
2.1 Concept ... 14
2.2 Components and functions of an IDS ... 14
2.2.1 Packet collection component ... 14
2.2.2 Packet detection component ... 15
2.2.3 Response component ... 15
2.3 Classification of IDS ... 15
2.3.1 Network-Based IDS (NIDS) ... 15
2.3.1.1 Advantages of Network-Based IDS ... 16
2.3.1.2 Limitations of Network-Based IDS ... 16
2.3.2 Host-Based IDS (HIDS) ... 17
2.3.2.1 Advantages of Host IDS ... 17

Collected by www.diendandaihoc.com

Topic: Understanding IDS and Deploying an Intrusion Detection System on a Local Area Network

- Page 1 -

2.3.2.2 Limitations of Host IDS ... 18
2.4 How an IDS works ... 18
2.4.1 Anomaly-based detection ... 18
2.4.2 Detection through protocol analysis ... 18
2.4.3 Detection through self-learning ... 21
2.5 Common IDS applications today ... 21
PART 3: ATTACK METHODS AND COUNTERMEASURES ... 22
3.1 Attack methods ... 23
3.1.1 ARP Spoofing ... 23
3.1.2 SYN Flood ... 23
3.1.3 Zero-Day Attacks ... 23
3.1.4 DoS - Ping of Death ... 24
3.2 Countermeasures ... 24
3.2.1 ARP Spoofing: hard-coding the ARP cache ... 24
3.2.2 SYN Flood ... 25
3.2.3 Zero-Day Attacks ... 25
3.2.4 DoS - Ping of Death ... 25
PART 4: DEPLOYING THE INTRUSION DETECTION SYSTEM ... 26
4.1 Implementation steps ... 27
4.1.1 Overall network model ... 27
4.1.2 Client machine ... 27


4.1.3 IDS machine ... 27
4.1.4 Web server machine ... 28
4.1.5 Windows Server 2008 machine ... 28
4.2 IDS configuration ... 28
4.2.1 Detailed network model ... 28
4.2.2 Steps to configure alerting and blocking for several IDS use cases with Snort combined with iptables ... 29
4.2.2.1 DoS attack using the SMB 2.0 bug ... 29
4.2.2.2 Unauthorized web access by IP and domain name ... 29
4.2.2.3 Website access during prohibited hours ... 29
4.2.2.4 Access via FTP ... 30
4.2.2.5 Ping of Death attack ... 30
4.2.2.6 Chatting with machines at unknown IPs ... 30
4.2.2.7 Countering sniffing that uses ARP Spoofing ... 30
4.2.3 Installing Webmin to manage Snort ... 31
4.2.4 Creating the Snort database with MySQL ... 31
4.2.5 Installing BASE ... 31
PART 5: BUILDING A DEMO APPLICATION OF THE SENSOR AND ALERT COMPONENTS OF AN IDS ... 32
5.1 Inotify ... 33
5.2 API programming combined with Inotify ... 33
5.3 The product ... 34


PART 6: CONCLUSION ... 35
6.1 Achievements ... 36
6.2 Unresolved issues ... 36
6.3 Directions for extending the topic ... 37
PART 7: APPENDIX ... 38
7.1 References ... 39
7.2 IDS software: Snort ... 40
7.2.1 Introduction to Snort ... 40
7.2.2 Snort as a NIDS ... 41
7.3 Configuring basic Snort and iptables rules ... 41
7.3.1 Snort rules ... 41
7.3.1.1 Ping alert ... 41
7.3.1.2 Website access alert ... 41
7.3.1.3 FTP access alert ... 41
7.3.1.4 Telnet access alert ... 41
7.3.1.5 Large ICMP packet alert ... 42
7.3.1.6 SMB 2.0 DoS alert ... 42
7.3.1.7 Alert on chatting with machines at unknown IPs ... 42
7.3.1.8 Blocking websites with harmful content ... 42
7.3.2 iptables rules ... 42
7.3.2.1 Blocking ping ... 42
7.3.2.2 Inbound NAT and outbound NAT ... 43


7.3.2.3 Blocking website access ... 43
7.3.2.4 Blocking FTP access ... 44
7.3.2.5 Blocking the SMB 2.0 DoS ... 44
7.3.2.6 Blocking large ICMP packets ... 44
7.3.2.7 Blocking chat with machines at unknown IPs ... 44
7.4 Detailed Snort configuration guide ... 44
7.5 Network setup and variable configuration ... 46
7.6 Configuring options in the snort.conf file ... 47
7.7 Preprocessor configuration ... 48
7.8 Setting Snort to start with the system ... 50
7.9 Managing Snort with Webmin ... 51
7.10 Creating the Snort database with MySQL ... 51
7.11 Installing BASE and ADOdb ... 52


LIST OF FIGURES IN THE REPORT

Figure 1: Architecture model of an intrusion detection system (IDS): Figure 1 in Part 2
Figure 2: Network IDS: Figure 2 in Part 2
Figure 3: Host-based IDS: Figure 3 in Part 2
Figure 4: IP header structure: Figure 4 in Part 2
Figure 5: TCP header structure: Figure 5 in Part 2
Figure 6: Viewing the ARP cache: Figure 1 in Part 3
Figure 7: Overall network model: Figure 1 in Part 4
Figure 8: Detailed network model: Figure 2 in Part 4
Figure 9: Management with Webmin: Figure 1 in Part 6
Figure 10: Managing BASE: Figure 2 in Part 6
Figure 11: Demo product: Figure 1 in Part 5


ABBREVIATIONS

IDS: Intrusion Detection System.
NIDS: Network Intrusion Detection System.
HIDS: Host Intrusion Detection System.
DIDS: Distributed Intrusion Detection System.
ADOdb: a database abstraction library for PHP and Python built on the same concept as Microsoft's ActiveX Data Objects.
DDoS: Distributed Denial of Service.
LAN: Local Area Network.
Sensor: the sensing component of an IDS.
Alert: a warning raised by an IDS.
TCP: Transmission Control Protocol.
Slow Scan: a slow scanning process.
SSL: Secure Sockets Layer.
SSH: Secure Shell, a network protocol for establishing network connections securely.
IPSec: IP Security.
DMZ: demilitarized zone, the physical network zone that holds an organization's externally facing services.
CPU: Central Processing Unit.
UNIX: Unix or UNIX is a computer operating system.
Host: space on a hard disk that stores data in web form and can be accessed remotely.
Protocol: a communication protocol.
Payload: the payload carried by a packet on the network.
Attacker: the party carrying out an attack.


ADSL: Asymmetric Digital Subscriber Line.
WLAN: Wireless Local Area Network.
Iptables: the firewall system in Linux.
ACID: Analysis Console for Intrusion Databases, an analysis console for intrusion detection data.
BASE: Basic Analysis and Security Engine, the packet analysis front end.
Software: computer software.
OS: Operating System.
OSI: Open Systems Interconnection, the seven-layer OSI model.


INTRODUCTION

As intrusions grow in number while the Internet and internal networks spread ever more widely, the challenge of network intrusion forces organizations to add further systems that check for security vulnerabilities. Hackers and intruders have devised many ways to succeed in bringing down a company's network or web service.

Many methods have been developed to secure network infrastructure and communication over the Internet, including firewalls, encryption and virtual private networks (VPN). An Intrusion Detection System (IDS) is a security method capable of countering new kinds of attacks and abuses originating from inside the system, and it works well alongside traditional security methods.

We sincerely thank Mr. Đinh Xuân Lâm for his dedicated guidance in helping us complete this graduation project. Although we have tried to complete the topic, this is a fairly new and rapidly developing field, so many shortcomings remain.

We look forward to receiving comments and remarks from our teachers.

We sincerely thank you.

Students carrying out the project:

1. Huỳnh Tiến Phát: Phone: 0986.440.748
Email: [email protected]

2. Trần Quang Lâm: Phone: 0984.055.050
Email: [email protected]


PART 1: OVERVIEW


1.1 Reasons for choosing the topic

We carried out this project wishing not only to study the basic characteristics of intrusion detection systems in their role as a new security method that supplements existing ones, but also to build IDS software suited to conditions in Vietnam that can be applied in practice to keep systems safe and maintain service quality for users.

An IDS is not only a tool that analyzes packets on the network and issues alerts to the administrator; it also provides the following information:

Attack events.
Attack methods.
Attack origins.
Attack signatures.

This kind of information becomes increasingly important when network administrators want to design and implement a security programme suited to a particular organization.

Some reasons to add an IDS to a firewall system are:

Double-checking in case the firewall is misconfigured.
Stopping attacks that are allowed through the firewall.
Making attack attempts fail.
Recognizing attacks from inside.

1.2 Analysis of the current situation

- Over 90% of connected networks use an IDS to detect computer security vulnerabilities.
- On 4/7/02 the Computer Security Institute reported that up to 80% of financial losses, exceeding 455 million dollars, were caused by intrusions and malicious code.
- Millions of jobs are affected by intrusions.


- If you use anti-virus software, you must consider adding an IDS to your security strategy. Most organizations that use anti-virus software do not use an IDS.
- Today, because technology keeps developing, no security solution can last for long. According to assessments by the world's leading information technology organizations, the network security situation remains unstable and the year continues to be regarded as an alarming one for global network security, with many serious security holes discovered, changing forms of attack and many attacks by high-tech criminals on the IT systems of businesses.
- For example, the Vista operating system can be attacked through a "blue screen of death" vulnerability. A hacker can send the system a request containing attack code aimed directly at Vista and halt all activity.
- An Intrusion Detection System (IDS) is a security method capable of countering new kinds of attacks and the abuse and misuse originating inside the system, and it works well alongside traditional security methods. It has long been researched, developed and applied around the world and has shown its important role in security policies.

1.3 Requirements

Mandatory requirements:

1. What is an IDS?
2. The components of an IDS.
3. IDS models.
4. Common IDS applications today.
5. Deploying a demo IDS model on a LAN.

Extended requirement: build a demo application of the sensor and alert components of an IDS.


1.4 Limits and scope of the research

- Study the local computer networks of organizations and businesses that are connected to the Internet.
- Study the risks of unauthorized intrusion into network systems.
- Study the techniques of intrusion detection and prevention.
- Study the Snort IDS software.

1.5 Practical significance of the topic

- Research the technical issues of intrusion detection and prevention systems.
- Analyze and assess the risks of unauthorized intrusion into network systems.
- Propose a useful security solution for the networks of organizations and businesses.


PART 2: UNDERSTANDING IDS


2.1 Concept

An Intrusion Detection System (IDS) is a hardware or software system that monitors network traffic, automatically tracks events occurring on computer systems, analyzes them to detect security-related problems and issues alerts to the administrator.

2.2 Components and functions of an IDS

An IDS consists of these main components:

Packet information collection component.
Packet detection component.
Processing (response) component.

Figure 1: Architecture model of an intrusion detection system (IDS)

2.2.1 Packet collection component

This component's task is to take in every packet arriving on the network. Normally a packet whose address is not that of a given network card is discarded by that card, but the IDS's network card is set to a mode that receives everything. Every packet passing through is copied, processed and analyzed down to each information field. The packet collection component reads each field of the packet and determines what kind of packet it is, which service it belongs to, and so on. This information is passed on to the attack detection component.


2.2.2 Packet detection component

In this component the sensors play the deciding role. The sensor's role is to filter information and discard incompatible data obtained from events related to the protected system, so that suspicious actions can be detected.

2.2.3 Response component

When there are signs of an attack or intrusion, the attack detection component sends a signal (alert) that an attack or intrusion has occurred to the response component. The response component then activates the firewall to block the attack or warns the administrator. Below are some blocking techniques:

Real-time alerts
Send real-time alerts to the administrator so that they know the details of the attacks, their characteristics and information about them.

Logging to files
Packet data is stored in a system of log files. The purpose is for administrators to be able to follow the information flows; the logs also serve as a source of information that helps the attack detection module operate.

Blocking or altering packets
When a packet matches an attack signature, the IDS responds by dropping, rejecting or altering the contents of the packet, rendering it abnormal.

2.3 Classification of IDS

2.3.1 Network-Based IDS (NIDS)

A network-based IDS uses probes and sensors installed across the network. These probes watch the network looking for traffic that matches defined profiles or signatures.


Figure 2: Network IDS

2.3.1.1 Advantages of Network-Based IDS

Can manage a whole network segment (comprising many hosts).
Simple to install and maintain, without affecting the network.
Avoids a DoS affecting any particular host.
Can identify errors at the Network layer (of the OSI model).
Independent of the OS.

2.3.1.2 Limitations of Network-Based IDS

False alarms can occur.
Cannot analyze encrypted packets (e.g. SSL, SSH, IPSec).
A NIDS requires the latest signatures to be truly safe.


There is a delay between the moment of the attack and the moment the alarm is raised. By the time the alarm is raised, the system may already have been damaged.
Does not indicate whether the attack succeeded.

2.3.2 Host-Based IDS (HIDS)

A HIDS is usually installed on one particular computer. Instead of monitoring the activity of a network segment, a HIDS only monitors the activity on one computer.

Figure 3: Host-based IDS

2.3.2.1 Advantages of Host IDS

Can identify the user involved in an event.
A HIDS can detect attacks taking place on a single machine.
Can analyze encrypted data.
Provides information about the host while the attack is taking place.


2.3.2.2 Limitations of Host IDS

Information from a HIDS is no longer trustworthy once an attack on that host has succeeded.
When the operating system is "taken down" by an attack, the HIDS is taken down with it.
A HIDS must be set up on each host that needs monitoring.
A HIDS cannot detect network scans (Nmap, Netcat).
A HIDS needs resources on the host to operate.
A HIDS may be ineffective under DoS.
Most run on Windows operating systems. However, some can also run on UNIX and other operating systems.

2.4 How an IDS works

An IDS has two main functions: detecting attacks and alerting about those attacks. There are two different methods for analyzing events to detect attacks: signature-based detection and anomaly detection. IDS products may use either method or combine both.

2.4.1 Anomaly-based detection

This tool establishes a baseline of normal activity and then maintains a current state for a system. When a difference appears between the two, it means an intrusion has occurred.

Example: The IP address of computer A normally accesses the company domain during office hours; access to the company domain outside working hours is an anomaly.

2.4.2 Detection through protocol analysis

Similar to signature-based detection, but it performs an in-depth analysis of the specific protocols identified in the packet.


The structure of a packet is as follows:

IP Header

Figure 4: IP header structure

The Source Address and Destination Address fields let the IDS know the origin of the attack.


TCP Header

Figure 5: TCP header structure.

The various IDS systems all rely on detecting unauthorized intrusions and anomalous actions. The detection process can be described by the following three fundamental elements:

Information collection: examine all packets on the network.
Analysis: analyze all collected packets to tell which actions are attacks.
Alerting: the act of warning about the attack analyzed above.


2.4.3 Detection through self-learning

This technique has two steps. When first set up, the attack detection system runs in learning mode and builds a profile of the network's behaviour under normal activity. After the initialization period, the system runs in working mode, monitoring and detecting abnormal network activity by comparing it against the established profile. Learning mode can run in parallel with working mode to update its profile, but if an attack signal is detected, learning mode must stop until the attack ends.
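The learning and working modes described in sections 2.4.1 and 2.4.3, as an added example that is not part of the thesis: a small Python self-learning detector builds a per-host profile of normal activity hours from a constructed log, alerts on off-hours access (the section 2.4.1 case of a host reaching the company domain outside office hours), keeps refining the profile from events it judges normal, and suspends that learning while an attack is in progress. The log format, host addresses and the one-hour tolerance used to call an event normal are assumptions made for the example.

```python
"""Added example, not code from the thesis: a self-learning anomaly detector
in the spirit of sections 2.4.1 and 2.4.3.  Log format and hosts are
constructed for the example."""
from collections import defaultdict
from datetime import datetime

# Constructed training log, assumed format: "date time source-ip action"
TRAINING_LOG = """\
2010-03-01 08:05:12 192.168.1.10 domain-login
2010-03-01 09:17:44 192.168.1.10 domain-login
2010-03-01 13:02:30 192.168.1.10 domain-login
2010-03-02 08:30:01 192.168.1.10 domain-login
2010-03-02 16:45:09 192.168.1.10 domain-login
2010-03-01 07:55:00 192.168.1.11 domain-login
2010-03-02 17:10:00 192.168.1.11 domain-login
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, action)."""
    date, time, src, action = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, action


class SelfLearningIDS:
    def __init__(self):
        self.profile = defaultdict(set)  # source ip -> hours seen as normal
        self.under_attack = False        # true from an alert until attack_over()
        self.alerts = []

    def learn(self, log_text):
        """Learning mode (first step of 2.4.3): record when each host is active."""
        for line in log_text.strip().splitlines():
            ts, src, _ = parse_line(line)
            self.profile[src].add(ts.hour)

    def is_normal(self, src, hour):
        """Normal if this hour, or an adjacent one (assumed tolerance),
        is already in the host's profile.  Unknown hosts are never normal."""
        hours = self.profile.get(src)
        if not hours:
            return False
        return any((hour + delta) % 24 in hours for delta in (-1, 0, 1))

    def observe(self, line):
        """Working mode: return an alert string for an anomalous event, else None.
        Normal events keep refining the profile, except while under attack."""
        ts, src, action = parse_line(line)
        if self.is_normal(src, ts.hour):
            if not self.under_attack:          # learning is paused during an attack
                self.profile[src].add(ts.hour)
            return None
        alert = (f"ALERT {src} {action} at {ts:%Y-%m-%d %H:%M} "
                 f"is outside the learned profile")
        self.alerts.append(alert)
        self.under_attack = True
        return alert

    def attack_over(self):
        """Called by the operator or response component once the attack ends."""
        self.under_attack = False


def demo():
    """Run the detector over a few constructed working-mode events."""
    ids = SelfLearningIDS()
    ids.learn(TRAINING_LOG)
    events = [
        "2010-03-03 17:20:00 192.168.1.10 domain-login",  # near 16:00: normal, learned
        "2010-03-03 02:13:00 192.168.1.10 domain-login",  # night-time: anomaly
        "2010-03-03 18:00:00 192.168.1.10 domain-login",  # normal, but not learned
        "2010-03-03 10:00:00 10.0.0.99 domain-login",     # unknown host: anomaly
    ]
    return [ids.observe(e) for e in events]


if __name__ == "__main__":
    for result in demo():
        print(result or "normal")
```

The profile here is deliberately tiny (one set of hours per host); a real anomaly engine would track many more features, but the control flow is the point: the profile only grows from events already judged normal, and it freezes the moment an alert fires so that attack traffic cannot teach the system that the attack is normal.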

2.5 Common IDS applications today

In the present circumstances, with attacks and intrusions ever more frequent, an organization connected to the Internet cannot rely on firewall-based prevention alone: the firewall is only one of the basic, primitive measures in the work of preventing information breaches. Using an IDS strengthens the administrator's hand and gives timely warning whenever unusual activity occurs on the network. Specifically, an IDS can warn about the following actions:

Downloading data from the LAN via FTP from machines at unknown IPs.
Chatting with machines at unknown IPs.
Accessing a website the company has banned, which employees nonetheless deliberately access.
Accessing websites during prohibited hours.
Countering sniffing that uses ARP Spoofing.
Countering DoS attacks on the server that exploit a buffer overflow bug.


PART 3: ATTACK METHODS AND COUNTERMEASURES


3.1 Attack methods

3.1.1 ARP Spoofing

This is a modern form of Man-in-the-Middle (MITM) attack with the longest history (sometimes also known as ARP Poison Routing). The attack lets an attacker on the same subnet as the victims eavesdrop on all network traffic between the victim computers. It is the simplest kind of attack, yet one of the most effective when carried out by an attacker.

3.1.2 SYN Flood

A SYN flood is a form of denial-of-service attack in which the attacker sends SYN connection packets to the system. It is a very common attack. This attack is dangerous if the system allocates resources immediately after receiving the SYN packet from the attacker and before receiving the ACK packet.

3.1.3 Zero-Day Attacks

Zero-day is the term for an attack or threat that exploits a vulnerability in a computer application which has not yet been disclosed and not yet been fixed.

"Windows Vista/7:SMB2.0 NEGOTIATE PROTOCOL REQUEST Remote B.S.O.D." is the verbatim title describing the attack code, written in Python, that Gaffie posted on the security blog Seclists.org. The attack targets a bug originating in System Message Block version 2.0 (SMB2), which is present in Windows Vista, Windows 7 and Windows Server 2008. Looking into the bug Gaffie published, the main cause lies in how the srv2.sys driver handles requests from clients when the "Process Id High" header field contains an "&" character (hex 00 26). The attack needs no authentication; it only requires port 445 to be reachable. The concern here is that port 445 is usually open by default in the local area network (LAN) configuration of Windows.


3.1.4 DoS - Ping of Death

In a Ping of Death attack, an echo packet is sent whose size exceeds the permitted maximum of 65,536 bytes. The packet is fragmented into smaller segments, but when the destination reassembles it, the destination host finds that the packet is too large for the receiving buffer. As a result, the system cannot handle this abnormal condition and reboots or hangs.

Example: ping 192.168.1.20 -l 65000

3.2 Countermeasures

3.2.1 ARP Spoofing: hard-coding the ARP cache

One way to protect against the inherent insecurity of ARP requests and ARP replies is to make the process less dynamic. This is an option because Windows computers let you add static entries to the ARP cache. You can view the ARP cache of a Windows computer by opening a command prompt and typing the command arp -a.

Figure 7: Viewing the ARP cache

Entries can be added to this list with the command arp -s.

In cases where your network configuration rarely changes, you can create a list of static ARP entries and push them to the clients through an automated script. This ensures that the devices always rely on their local ARP cache rather than on ARP requests and ARP replies.
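Static entries only help if something notices when live ARP traffic disagrees with them. The Python monitor below is an added example, not code from the thesis: it keeps a table of pinned entries in the style of arp -s, watches a constructed stream of ARP replies, and alerts when a reply contradicts a pinned entry, when an IP's MAC changes, or when one MAC starts claiming several IPs, which is how an IDS sensor can flag the ARP spoofing described in 3.1.1. All addresses and timestamps are constructed for the example.

```python
"""Added example, not code from the thesis: ARP cache monitoring for the
spoofing described in 3.1.1, built around the static entries of 3.2.1.
All addresses below are constructed."""
from collections import defaultdict

# Entries an administrator would pin with `arp -s` (constructed values)
STATIC_ARP = {
    "192.168.1.1": "00:1a:2b:3c:4d:01",   # gateway
    "192.168.1.20": "00:1a:2b:3c:4d:20",  # IDS machine
}

# Constructed ARP replies seen on the wire: (time, sender IP, sender MAC)
OBSERVED_REPLIES = [
    (1, "192.168.1.1", "00:1a:2b:3c:4d:01"),
    (2, "192.168.1.30", "00:1a:2b:3c:4d:30"),
    (3, "192.168.1.1", "00:DE:AD:BE:EF:99"),   # a second MAC claims the gateway
    (4, "192.168.1.30", "00:1a:2b:3c:4d:30"),
    (5, "192.168.1.31", "00:de:ad:be:ef:99"),  # same MAC now claims another IP
]


class ArpMonitor:
    def __init__(self, static_entries):
        self.static = {ip: mac.lower() for ip, mac in static_entries.items()}
        self.seen = {}                      # ip -> mac learned from traffic
        self.ips_by_mac = defaultdict(set)  # mac -> ips it has claimed
        self.alerts = []

    def check(self, t, ip, mac):
        """Inspect one ARP reply; return an alert string or None."""
        mac = mac.lower()
        self.ips_by_mac[mac].add(ip)
        alert = None
        if ip in self.static and self.static[ip] != mac:
            alert = (f"t={t} reply for {ip} from {mac} contradicts "
                     f"static entry {self.static[ip]}")
        elif ip in self.seen and self.seen[ip] != mac:
            alert = f"t={t} {ip} changed from {self.seen[ip]} to {mac}"
        elif len(self.ips_by_mac[mac]) > 1:
            alert = (f"t={t} {mac} claims several IPs: "
                     f"{sorted(self.ips_by_mac[mac])}")
        if alert:
            self.alerts.append(alert)
        else:
            self.seen[ip] = mac             # only trusted replies update the table
        return alert

    def run(self, replies):
        """Check a sequence of replies and return the alerts raised."""
        return [a for a in (self.check(*r) for r in replies) if a]


if __name__ == "__main__":
    for line in ArpMonitor(STATIC_ARP).run(OBSERVED_REPLIES):
        print(line)
```

The "one MAC, several IPs" check is a heuristic and will fire on legitimate multi-homed hosts; in practice it is combined with the static table so that the gateway and the IDS machine, the addresses an attacker most wants to impersonate, are always judged against pinned values rather than learned ones.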


3.2.2 SYN Flood

A SYN flood is a common form of attack and it can be blocked with the following iptables command:

iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN

All connections to the system are then allowed only within the following limits:

--limit 1/s: maximum average packet rate of 1 per second
--limit-burst 3: maximum initial burst of 3 packets

Using iptables, add the following rules:

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
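How the limit match in these rules behaves is easier to see in a simulation. The Python model below is an added example, not code from the thesis or from iptables: it treats --limit 1/s --limit-burst 3 as a token bucket holding at most 3 tokens and refilled at one token per second, and runs the syn_flood chain over a constructed sequence of packets. The timestamps, sources and the bucket model itself are assumptions that approximate the kernel module rather than reproduce it. Two points about the rules above are worth keeping in mind: the single-line rule ends in -j RETURN on the built-in INPUT chain, so on its own it never drops anything (RETURN there simply falls through to the chain policy); it is the second block, with the user-defined syn_flood chain ending in DROP, that does the work. And the limit is global rather than per source, so during a flood a legitimate client's SYN can be dropped as well, which the simulation shows.

```python
"""Added example, not code from the thesis: a token-bucket model of the
iptables `limit` match used by the syn_flood chain in 3.2.2.  The model
approximates the kernel module; packet times and sources are constructed."""


class LimitMatch:
    """Approximation of `-m limit --limit RATE --limit-burst BURST`:
    a bucket of BURST tokens, refilled at RATE tokens per second."""

    def __init__(self, rate_per_sec=1.0, burst=3):
        self.rate = rate_per_sec
        self.capacity = burst
        self.tokens = float(burst)
        self.last = None

    def matches(self, now):
        """True (the rule matches) if a token is available at time `now`."""
        if self.last is not None:
            self.tokens = min(self.capacity,
                              self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(packets, rate_per_sec=1.0, burst=3):
    """Apply the thesis's rules to (time, source, is_syn) packets.

    iptables -A INPUT -p tcp --syn -j syn_flood      -> only SYNs enter the chain
    iptables -A syn_flood -m limit ... -j RETURN     -> within limit: back to INPUT
    iptables -A syn_flood -j DROP                    -> otherwise dropped
    Returns one verdict per packet: "PASS" (not a SYN), "RETURN" or "DROP".
    """
    limit = LimitMatch(rate_per_sec, burst)
    verdicts = []
    for t, _src, is_syn in packets:
        if not is_syn:
            verdicts.append("PASS")
        elif limit.matches(t):
            verdicts.append("RETURN")
        else:
            verdicts.append("DROP")
    return verdicts


# Constructed traffic: a burst of SYNs from one source, one legitimate SYN
# from another host during the burst, then two SYNs after a pause.
SAMPLE_PACKETS = [
    (0.0, "10.0.0.200", True),
    (0.1, "10.0.0.200", True),
    (0.2, "10.0.0.200", True),
    (0.25, "10.0.0.200", False),  # data packet, not a SYN: never enters the chain
    (0.3, "10.0.0.200", True),
    (0.4, "10.0.0.5", True),      # legitimate client caught by the global limit
    (2.0, "10.0.0.5", True),
    (2.1, "10.0.0.200", True),
]


def demo():
    """Pair each constructed packet's source with the chain's verdict."""
    return list(zip([p[1] for p in SAMPLE_PACKETS], syn_flood_chain(SAMPLE_PACKETS)))


if __name__ == "__main__":
    for src, verdict in demo():
        print(f"{src:<12} {verdict}")
```

Running it shows the first three SYNs accepted from the burst allowance, the next two dropped (including the legitimate client's), and acceptance resuming once the bucket has refilled after the pause; a per-source limit, such as iptables' hashlimit match, would spare the legitimate client, but that is outside the thesis's rule set.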

3.2.3 Zero-Day Attacks

+ Apply the patch.
+ Filter traffic on TCP port 445 with the firewall (iptables).
+ Disable the SMB port in the registry.

3.2.4 DoS - Ping of Death

- Use the rate-limiting features of the router/firewall to limit the number of packets entering the system.
- Use the filtering features of the router/firewall to discard unwanted packets, reducing network traffic and server load.

Example: alert icmp 192.168.1.0/24 any -> 172.16.1.0/24 any (msg:"Ping > 1000"; dsize:>1000; sid:2;)

In the example above, if a packet is larger than 1000 bytes the ping is not allowed.
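The rule above is written in Snort syntax, and section 2.4.2 describes the IP and TCP header fields an IDS reads to evaluate such rules. The Python code below is an added example, not code from the thesis or from Snort: it parses an IPv4 header plus the ICMP or TCP header behind it with struct, then evaluates the thesis's rule over constructed packets on protocol, source and destination networks, and dsize (modelled on Snort's treatment of ICMP echo, where the 8-byte echo header is not counted as payload). The packet builders, the zero checksums and the dictionary form of the rule are assumptions made for the example. Note that a Snort alert rule only raises an alert and logs the packet; it does not by itself refuse the ping, which is why the thesis pairs it with an iptables rule (7.3.2.6); refusing it inside Snort would require running inline with a drop action.

```python
"""Added example, not code from the thesis or from Snort: parse IPv4/ICMP/TCP
headers (section 2.4.2) and evaluate the thesis's dsize rule over
constructed packets.  Checksums are left zero in the constructed samples."""
import ipaddress
import struct

# The thesis's rule as a dictionary (assumed representation):
# alert icmp 192.168.1.0/24 any -> 172.16.1.0/24 any (msg:"Ping >1000"; dsize:>1000; sid:2;)
RULE = {
    "action": "alert",
    "proto": 1,                                         # IP protocol 1 = ICMP
    "src_net": ipaddress.ip_network("192.168.1.0/24"),
    "dst_net": ipaddress.ip_network("172.16.1.0/24"),
    "dsize_gt": 1000,
    "msg": "Ping > 1000",
    "sid": 2,
}


def parse_ipv4(packet):
    """Decode the fixed 20-byte IPv4 header (RFC 791 layout)."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len,
        "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": packet[ihl:total_len],
    }


def parse_tcp(segment):
    """Decode the fixed 20-byte TCP header; flags are the low bits of word 6."""
    (sport, dport, seq, ack, off_flags, window,
     _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack_num": ack,
        "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10),
        "window": window, "data": segment[data_off:],
    }


def parse_icmp(segment):
    """Decode an ICMP message.  For echo request/reply (types 8/0) the
    identifier and sequence complete an 8-byte header, so data starts at 8."""
    typ, code, _csum = struct.unpack("!BBH", segment[:4])
    hdr_len = 8 if typ in (0, 8) else 4
    return {"type": typ, "code": code, "data": segment[hdr_len:]}


def evaluate(rule, packet):
    """Return the alert line if the packet matches the rule, else None."""
    ip = parse_ipv4(packet)
    if ip["protocol"] != rule["proto"]:
        return None
    if ipaddress.ip_address(ip["src"]) not in rule["src_net"]:
        return None
    if ipaddress.ip_address(ip["dst"]) not in rule["dst_net"]:
        return None
    dsize = len(parse_icmp(ip["payload"])["data"])
    if dsize > rule["dsize_gt"]:
        return (f'[**] [1:{rule["sid"]}] {rule["msg"]} [**] '
                f'{ip["src"]} -> {ip["dst"]} dsize={dsize}')
    return None


def build_icmp_echo(src, dst, data):
    """Build a constructed IPv4 + ICMP echo request (checksums zero)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + icmp


def build_tcp_syn(sport, dport):
    """Build a constructed bare TCP SYN header (data offset 5, SYN flag set)."""
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)


if __name__ == "__main__":
    big = build_icmp_echo("192.168.1.20", "172.16.1.5", b"A" * 1400)
    small = build_icmp_echo("192.168.1.20", "172.16.1.5", b"A" * 56)
    print(evaluate(RULE, big))     # alert line
    print(evaluate(RULE, small))   # None: an ordinary ping carries well under 1000 bytes
```

A 1400-byte echo from the monitored subnet produces the alert, a normal 56-byte ping does not, and a large echo from an address outside 192.168.1.0/24 is ignored because the rule's source network does not match. The TCP parser is included because the same sensor that evaluates this ICMP rule reads the port numbers and SYN/ACK flags of TCP segments for rules such as the FTP, Telnet and SMB alerts in the appendix.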


PART 4: DEPLOYING THE INTRUSION DETECTION SYSTEM


4.1 Implementation steps

4.1.1 Overall network model

Figure 8: Overall network model.

4.1.2 Client machine

Install XP.
Install the Linux operating system (BackTrack 4.0).
Point the default gateway and DNS at the external IP (192.168.1.20) of the IDS machine.
Role: a machine outside the LAN. Carries out the attacks on the Web Server and the DC.

4.1.3 IDS machine

Install the Linux operating system, Snort, the iptables firewall, MySQL, Apache, Basic Analysis and Security Engine (BASE) and the Squid proxy, and join the domain vsic.com.


    Role: a network intrusion detection and prevention system that inspects the packets inside the internal network and the packets coming from outside.

    4.1.4 Web server machine

    Install Windows Server 2003, IIS and ASP.NET, and join the domain vsic.com.
    Directory holding the website source: C:\Inetpub\wwwroot
    Role: a Web Server providing the services the clients need.

    4.1.5 Windows Server 2008 machine

    + Install Windows Server 2008 SP1 and promote it to the domain controller for the domain vsic.com.
    + Role: used to run the demo of the zero-day attack method.

    4.2 Configuring the IDS

    4.2.1 Detailed network model

    Figure 9: Detailed network model.


    4.2.2 Steps for configuring alerting and blocking in a few IDS scenarios with Snort combined with iptables

    4.2.2.1 DoS attack through the SMB 2.0 vulnerability

    Step 1: Check the configuration and the connectivity between the machines.
    Step 2: Brief overview of the SMB vulnerability.
    Step 3: Capture packets with Wireshark.
    Step 4: Carry out the attack against the server.
    Step 5: View the result of the attack.
    Step 6: Enable Snort and iptables (rule file SMB.rules); see appendix sections 7.3.1.6 and 7.3.2.5.
    Step 7: Repeat the attack.
    Step 8: View the result of the attack.

    4.2.2.2 Unauthorized web access by IP address and domain name

    Step 1: Check the configuration and the connectivity between the machines.
    Step 2: The client browses the website vsic.com: works normally.
    Step 3: Enable Snort and iptables (rule file nganchanwebsite.rules); see appendix sections 7.3.1.2 and 7.3.2.3.
    Step 4: The client browses vsic.com again: cannot connect.
    Step 5: The client browses microsoft.com: works normally.
    Step 6: Enable the rule that blocks Microsoft.
    Step 7: The client browses microsoft.com: cannot connect.

    4.2.2.3 Web access during prohibited hours

    Step 1: Check the configuration and the connectivity between the machines.
    Step 2: The client browses vsic.com during the prohibited hours: works normally.
    Step 3: Enable Snort and iptables (rule file giocam.rules).
    Step 4: The client browses vsic.com again: cannot connect.


    4.2.2.4 Access over FTP

    Step 1: Check the configuration and the connectivity between the machines.
    Step 2: The client connects to the Webserver over FTP: access works normally.
    Step 3: Enable Snort and iptables (rule file ftp.rules); see appendix sections 7.3.1.3 and 7.3.2.4.
    Step 4: The client connects to the Webserver over FTP again: access is denied.

    4.2.2.5 Ping of Death attack

    Step 1: Check the configuration and the connectivity between the machines.
    Step 2: The client pings the Webserver with 32-byte packets.
    Step 3: Enable Snort and iptables (rule file ping.rules); see appendix sections 7.3.1.5 and 7.3.2.6.
    Step 4: The client pings the Webserver again with 2000-byte packets.
    Step 5: View the result.

    4.2.2.6 Chatting with machines at unknown IP addresses

    Step 1: The client machine chats with the Web server machine (Yahoo Messenger).
    Step 2: Enable Snort and iptables (rule file chat.rules); see appendix sections 7.3.1.7 and 7.3.2.7.
    Step 3: The client chats with the Web server again: blocked (see figure); logging in again no longer works.

    4.2.2.7 Detecting sniffing carried out by ARP spoofing

    Step 1: Check the configuration and the MAC addresses of the Web Server and the modem.
    Step 2: Enable Snort (the preprocessor); see appendix section 7.7.


    Step 3: On the attacker machine, spoof the MAC addresses of the web server and the modem.
    Step 4: Open BASE to view the result.
    Step 5: Check the MAC addresses of the Webserver and the modem.

    4.2.3 Installing Webmin to manage Snort

    Snort is managed through a web interface at the address:
    https://localhost.localdomain:10000

    4.2.4 Creating the Snort database in MySQL

    The database stores the system's alerts (logs). The acid_event table holds the alerts; the sensor table holds the address of the machine on which the IDS is installed.

    4.2.5 Installing BASE

    BASE is used to view the alerts in a web interface, at
    http://192.168.1.20/base


    PART 5: BUILDING A DEMO APPLICATION OF THE SENSOR AND ALERT COMPONENTS OF AN IDS


    5.1 Inotify

    Inotify is a Linux kernel subsystem developed by John McCutchan, Robert Love and Amy Griffis. Inotify monitors changes to data: growth or shrinkage, modification, deletion and creation of a directory or file, and even an unmount operation; from these it can notify an application written against its API. The source and destination of a move of a directory or file can also be followed. Using Inotify requires Linux with kernel 2.6.13 or newer.

    5.2 Programming against the Inotify API

    API stands for Application Programming Interface. An API provides most of the common functionality for programs running on Windows and Linux. Most of the Inotify API functions are declared in the header sys/inotify.h in the system include directory. By programming against the Inotify API we can capture the events that occur on the file system.


    5.3 Result

    Figure 11: Demo product

    Achieved:

    + Used the C language with the inotify functions to capture changes on the file system.
    + Studied the function calls and the event generator in inotify.

    Not achieved:

    + A graphical interface for Inotify to capture the events occurring on the file system.
    + The product runs only on the server side (IDS-Linux).
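    An added example of the sensor component described in Part 5, not the thesis's own C program: it drives the same inotify system calls from Python through ctypes, watches one directory and decodes the struct inotify_event records the kernel returns. It assumes Linux 2.6.13 or later and a libc that exports inotify_init1 and inotify_add_watch; the scenario it runs (a web page created, rewritten, renamed and deleted in a temporary directory) is constructed here.

```python
import ctypes
import ctypes.util
import os
import struct
import tempfile

# Event mask bits from <sys/inotify.h> (kernel ABI, stable since 2.6.13).
IN_MODIFY, IN_CLOSE_WRITE, IN_CREATE = 0x00000002, 0x00000008, 0x00000100
IN_DELETE, IN_MOVED_FROM, IN_MOVED_TO = 0x00000200, 0x00000040, 0x00000080
IN_ISDIR = 0x40000000
FLAG_NAMES = {IN_CREATE: "IN_CREATE", IN_MODIFY: "IN_MODIFY",
              IN_CLOSE_WRITE: "IN_CLOSE_WRITE", IN_MOVED_FROM: "IN_MOVED_FROM",
              IN_MOVED_TO: "IN_MOVED_TO", IN_DELETE: "IN_DELETE"}
WATCH_MASK = sum(FLAG_NAMES)  # the event types this sensor subscribes to
# struct inotify_event header: int wd; uint32_t mask, cookie, len; followed by name[len]
EVENT_HDR = struct.Struct("iIII")

_libc = ctypes.CDLL(ctypes.util.find_library("c") or None, use_errno=True)
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]


class FileSensor:
    """Watches one directory and decodes the events the kernel queues for it."""

    def __init__(self, directory, mask=WATCH_MASK):
        # Non-blocking descriptor so poll() returns at once when the queue is empty.
        self.fd = _libc.inotify_init1(os.O_NONBLOCK)
        if self.fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")
        self.wd = _libc.inotify_add_watch(self.fd, os.fsencode(directory), mask)
        if self.wd < 0:
            err = ctypes.get_errno()
            os.close(self.fd)
            raise OSError(err, "inotify_add_watch failed for %s" % directory)

    def poll(self):
        """Drain the queued events; returns [(name, [flag names], cookie), ...]."""
        try:
            buf = os.read(self.fd, 64 * 1024)
        except BlockingIOError:
            return []
        events, pos = [], 0
        while pos < len(buf):
            _wd, mask, cookie, name_len = EVENT_HDR.unpack_from(buf, pos)
            pos += EVENT_HDR.size
            # name is NUL-padded to name_len bytes and empty for events on the directory itself
            name = buf[pos:pos + name_len].split(b"\0", 1)[0].decode(errors="replace")
            pos += name_len
            flags = [n for bit, n in FLAG_NAMES.items() if mask & bit]
            if mask & IN_ISDIR:
                flags.append("IN_ISDIR")
            events.append((name, flags, cookie))
        return events

    def close(self):
        os.close(self.fd)


def demo_session():
    """Constructed scenario: create, write, rename and delete a web page in a
    temporary directory, then return the events the sensor recorded."""
    with tempfile.TemporaryDirectory() as webroot:
        sensor = FileSensor(webroot)
        page = os.path.join(webroot, "index.html")
        with open(page, "w") as f:          # IN_CREATE, then IN_MODIFY and IN_CLOSE_WRITE
            f.write("<html>changed</html>")
        os.rename(page, page + ".bak")      # IN_MOVED_FROM and IN_MOVED_TO share one cookie
        os.remove(page + ".bak")            # IN_DELETE
        events = sensor.poll()
        sensor.close()
    return events


if __name__ == "__main__":
    for name, flags, cookie in demo_session():
        print("%-16s %-14s cookie=%d" % (name, ",".join(flags), cookie))
```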


    PART 6: CONCLUSION


    Through the study and research carried out, we draw the following observations:

    Although intrusion detection systems (IDS) appeared only recently, they now play a role that is no less important. An IDS helps people discover and analyse new attack threats, from which countermeasures can be planned. To some extent it can even trace the culprit behind an attack. A large organization cannot do without an IDS.

    6.1 Achievements

    Understood the operating mechanism of an intrusion detection system (IDS).
    Installed and configured an intrusion detection system on a local network based on the open source Snort, iptables and Squid proxy.
    Applied the knowledge gained about DoS/DDoS to write rules for Snort and iptables.
    Used the alert analysis tools that go with Snort: MySQL, ACID, BASE.

    6.2 Shortcomings

    The subject of attacks is very broad, and attack methods become more sophisticated and complex every day.
    For Snort there are many companion products that work very well, such as Snort_inline and Fsnort (Firewall Snort), which have not been applied thoroughly.
    Snort's rule set is continually being developed and must be kept up to date.
    ModSecurity has not been combined with the setup to protect the Web server.


    6.3 Directions for extending the project

    - In wireless networks the physical layout offers some safety, but the wireless transmission between network nodes brings security weaknesses with it, so authentication between the users in the network is always required.

    - The way an IDS works in a WLAN differs considerably from a traditional LAN. In a wired environment we have full control over the kinds of traffic carried on the wires. In a WLAN the air is the transmission medium, and everyone within range of the 802.11 radio signal can reach the network. Monitoring is therefore needed both inside and outside the WLAN.

    - Another difference is that a wireless IDS is needed both for networks that have deployed a WLAN and for those that have not. The reason is that, although the possibility of an attack from a WLAN into the LAN is not yet clear, it is a real threat. The threat is thought to concern only those who use the WLAN, but in reality the whole organization's LAN should monitor the traffic flowing in the WLAN to be sure of removing the threat from the surrounding airspace. One thing that must always be looked for is rogue APs, whether we use a wireless network or a traditional LAN.


    PART 7: APPENDIX



    7.2 The Snort IDS software

    7.2.1 Introduction to Snort

    Snort is installed on the network to monitor the packets entering and leaving it. When Snort detects an attack it can react in several ways depending on the configuration the administrator has set up: for instance it can send an alert message to the administrator or drop the packet when it detects something abnormal in the packets. Snort uses rules stored in text files that the administrator can edit. Each rule represents one attack. Snort's main configuration file is snort.conf. When a packet arrives at the system it is matched against the rule set, and if there is a match Snort reacts.

    Snort consists of one or more sensors and a main database server. The sensors can be placed in front of or behind the firewall, to:

    - Monitor attacks against the firewall and the network.
    - Record successful passages through the firewall.


    7.2.2 Snort as a NIDS

    When used as a NIDS, Snort provides near real-time intrusion detection. We will look at the many ways Snort can be used as a NIDS and at all the available configuration options.

    7.3 Configuring the basic Snort and iptables rules

    7.3.1 Snort rules

    7.3.1.1 Ping alert

    alert icmp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"ICMP Pinger"; classtype:attempted-recon; sid:465;)

    Where:

    - alert: the action, raise an alert.
    - icmp: the protocol the alert applies to.
    - $EXTERNAL_NET: the address the attack comes from. The user can define it (var EXTERNAL_NET 192.168.1.0/24).
    - any: the port the packet passes through (any port).
    - $HOME_NET: the address the attack's packets are sent to. We define this address to suit the internal network we manage.
    - 7: the port through which the ping command sends its echo packets.
    - msg: the message written to the log or shown in the alert management interface.
    - classtype: used to classify the alert.
    - sid: the ID number of the rule; every rule has a different sid.

    7.3.1.2 Website access alert

    alert tcp $HOME_NET any -> 192.168.1.10 80 (msg:"Vsic access"; content:"vsic.com"; nocase; sid:5531;)

    7.3.1.3 FTP access alert

    alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP login"; flow:to_server,established; sid:491;)

    7.3.1.4 Telnet access alert

    alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login"; flow:to_server,established; sid:500;)


    7.3.1.5 Alert on oversized ICMP packets

    alert icmp 192.168.1.0/24 any -> 172.16.1.0/24 any (msg:"Ping > 1000"; dsize:>1000; sid:2;)

    7.3.1.6 Alert on the SMB 2.0 DoS

    alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS Windows SMB process ID high"; flow:to_server,established; content:"|00 26|"; offset:5; depth:96; classtype:attempted-dos; sid:15930;)

    7.3.1.7 Alert on chatting with machines at unknown IP addresses

    alert tcp any any -> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; nocase; classtype:policy-violation; sid:2457;)

    7.3.1.8 Blocking web pages with bad content

    alert tcp any any <> 192.168.1.0/24 80 (content:"bad.htm"; msg:"Not for children!"; react:block,msg,proxy 8000;)
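    How the rule headers and payload options used in 7.3.1 are evaluated, as an added Python example (not the thesis's code and not Snort's own engine): it resolves $HOME_NET/$EXTERNAL_NET with the list and ! syntax, matches addresses and ports, and applies dsize, content (text or |hex|), nocase, offset and depth to a packet; flow, classtype and react are parsed but ignored. The variable values are those of section 7.4 and the packets are constructed here, not captured traffic.

```python
import ipaddress
import re

# snort.conf variables (values from section 7.4); EXTERNAL_NET is the negation of HOME_NET.
VARS = {"HOME_NET": "172.16.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
HEX_CHUNK = re.compile(r"\|([0-9a-fA-F ]+)\|")  # |00 26| style binary content

def expand(token):  # resolve $VAR references the way Snort does when it loads snort.conf
    while token.startswith("$"):
        token = VARS[token[1:]]
    return token

def match_addr(spec, ip):
    """any, a host, a CIDR, an [a,b,...] list, or !spec (the variable syntax of section 7.5)."""
    spec = expand(spec)
    if spec.startswith("!"):
        return not match_addr(spec[1:], ip)
    if spec.startswith("["):
        return any(match_addr(s.strip(), ip) for s in spec[1:-1].split(","))
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def match_port(spec, port):
    spec = expand(spec)  # any, a number, or !number; ICMP has no ports, so ICMP rules use any
    return not match_port(spec[1:], port) if spec.startswith("!") else spec == "any" or int(spec) == port

def parse_options(body):
    """'msg:"x"; content:"y"; nocase; sid:5;' -> [("msg", '"x"'), ("content", '"y"'), ("nocase", ""), ...]"""
    return [(p.partition(":")[0].strip(), p.partition(":")[2].strip()) for p in map(str.strip, body.split(";")) if p]

def content_bytes(value):  # content:"vsic.com" -> b"vsic.com"; content:"|00 26|" -> b"\x00\x26"; both may mix
    value, out, pos = value.strip('"'), b"", 0
    for m in HEX_CHUNK.finditer(value):
        out += value[pos:m.start()].encode() + bytes.fromhex(m.group(1))
        pos = m.end()
    return out + value[pos:].encode()

def payload_matches(opts, payload):
    """Apply dsize and each content with its nocase/offset/depth modifiers, in rule order."""
    i = 0
    while i < len(opts):
        key, value = opts[i]
        i += 1
        if key == "dsize":
            op, n = re.fullmatch(r"([<>]?)(\d+)", value).groups()
            if not {">": len(payload) > int(n), "<": len(payload) < int(n), "": len(payload) == int(n)}[op]:
                return False
        elif key == "content":
            mods = {}
            while i < len(opts) and opts[i][0] in ("nocase", "offset", "depth"):
                mods[opts[i][0]] = opts[i][1]
                i += 1
            start = int(mods.get("offset", 0))  # offset: where the search starts
            end = start + int(mods["depth"]) if "depth" in mods else None  # depth: how many bytes are searched
            window, needle = payload[start:end], content_bytes(value)
            if "nocase" in mods:
                window, needle = window.lower(), needle.lower()
            if needle not in window:
                return False
    return True

def rule_matches(rule, pkt):
    """Return (action, sid, msg) if the packet dict triggers the rule, else None."""
    action, proto, src, sport, direction, dst, dport, body = HEADER.match(rule).groups()
    ends = [(src, sport, dst, dport)] + ([(dst, dport, src, sport)] if direction == "<>" else [])
    header_ok = pkt["proto"] == proto.lower() and any(
        match_addr(s, pkt["src"]) and match_port(sp, pkt["sport"]) and match_addr(d, pkt["dst"])
        and match_port(dp, pkt["dport"]) for s, sp, d, dp in ends)
    opts = parse_options(body)
    if not header_ok or not payload_matches(opts, pkt["payload"]):
        return None
    return (action.lower(), dict(opts).get("sid"), dict(opts).get("msg", "").strip('"'))

# Rules copied from section 7.3.1; the packets are constructed for this demo, not captured traffic.
RULES = [
    'alert icmp 192.168.1.0/24 any -> 172.16.1.0/24 any (msg:"Ping > 1000";dsize:>1000 ; sid:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS Windows SMB process ID high"; flow:to_server,established; content:"|00 26|"; offset:5; depth:96; classtype:attempted-dos; sid:15930;)',
    'alert tcp $HOME_NET any -> 192.168.1.10 80 (msg:"Vsic access"; content:"vsic.com"; nocase; sid:5531;)',
]
SMB_DOS = b"\x00\x00\x00\x48\xfeSMB\x00\x26" + b"\x00" * 80  # bytes 00 26 at index 8: inside offset 5 / depth 96
PACKETS = {
    "ping_big": {"proto": "icmp", "src": "192.168.1.10", "sport": 0, "dst": "172.16.1.40", "dport": 0, "payload": b"A" * 2000},
    "smb_dos": {"proto": "tcp", "src": "192.168.1.10", "sport": 51000, "dst": "172.16.1.40", "dport": 445, "payload": SMB_DOS},
    "web_vsic": {"proto": "tcp", "src": "172.16.1.5", "sport": 51001, "dst": "192.168.1.10", "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: VSIC.COM\r\n"},
}
```

    Changing a packet's source to an address inside HOME_NET, or moving the 00 26 bytes in front of the offset, makes the SMB rule stop firing, which is the difference between the rule and a plain substring search.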

    7.3.2 iptables rules

    7.3.2.1 Blocking ping

    -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j DROP

    Where:

    - RH-Firewall-1-INPUT: a user-defined chain.
    - ACCEPT: iptables accepts the packet and passes the data on to its destination.
    - DROP: iptables discards the packet.
    - -A RH-Firewall-1-INPUT: append the rule to the chain for packets entering the firewall.
    - -p: the protocol, here icmp.
    - -m icmp --icmp-type: the ICMP message type, such as echo-request.
    - any: the --icmp-type value, matching every ICMP type.


    - -j: jump to the given target.
    - DROP: the target, finally discarding the packet.
    - -s: the source address.
    - --dport: the destination port of the packet.
    - -m state --state NEW: check the connection state:
      ESTABLISHED: the connection is already established.
      NEW: a new connection is being started.

    7.3.2.2 Inbound NAT and outbound NAT

    - Inbound NAT:

    iptables -t nat -A PREROUTING -d 192.168.1.20 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.1.40:80

    - Outbound NAT:

    echo '1' > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -s 172.16.1.40 -d 192.168.1.10 -o eth0 -j MASQUERADE

    7.3.2.3 Blocking website access

    - By port, host and protocol, with iptables:

    -A RH-Firewall-1-INPUT -s 192.168.1.10 -p tcp -m tcp --dport 80 -j DROP

    - By host, with Squid proxy:

    acl hostdeny src 192.168.1.10/32
    http_access deny hostdeny

    - By web domain name, with Squid:

    acl webdeny dstdomain vsic.com
    or: acl webdeny dstdomain "/etc/squid/webdeny"
    http_access deny webdeny

    - By time of day, with Squid proxy:

    acl time_acl1 time MTWHF 8:00-10:00
    http_access deny webdeny time_acl1

    7.3.2.4 Blocking FTP access

    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j DROP

    7.3.2.5 Blocking the SMB 2.0 DoS

    -A RH-Firewall-1-INPUT -p tcp -m state --state ESTABLISHED -m string --hex-string "|00 26|" --algo bm -m tcp --dport 445 -j DROP

    7.3.2.6 Blocking oversized ICMP packets

    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -m length --length 1000: -j DROP

    7.3.2.7 Blocking chat with machines at unknown IP addresses

    -A RH-Firewall-1-INPUT -p tcp -m state --state ESTABLISHED -m string --string "YMSG" --algo bm -m tcp --dport 5101 -j DROP

    7.4 Detailed Snort configuration guide

    Configuration file /etc/snort/snort.conf:

    var HOME_NET 172.16.1.0/24
    var EXTERNAL_NET !$HOME_NET
    var RULE_PATH /etc/snort/rules
    output database: log, mysql, user=snort password=123456 dbname=snort host=localhost

    Step 1: Install Snort

    # ./configure --with-mysql --enable-dynamicplugin
    # make && make install

    Step 2: Configure Snort

    - Create Snort's working directories:

    mkdir /etc/snort
    mkdir /etc/snort/rules
    mkdir /var/log/snort

    - Copy the configuration files:

    cd etc/
    cp * /etc/snort

    - Create a group and a user for Snort:

    groupadd snort
    useradd -g snort snort -s /sbin/nologin

    - Set the ownership so that Snort can write its logs into the log directory:

    chown snort:snort /var/log/snort/

    Step 3: Configuration and intrusion detection

    3.1 The alert file in /var/log/snort

    Example analysis of a Snort alert. This is the alert name:

    [**] [1:1418:3] SNMP request tcp [**]

    This is the header and the information of the packet that caused the alert:

    03/24-15:07:35.827022 192.168.1.2:49641 -> 192.168.1.105:161 TCP TTL:44 TOS:0x0 ID:37753 IpLen:20 DgmLen:40 Seq: 0x4EB5A7C6 Ack: 0x0 Win: 0x400 TcpLen: 20
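    A parser for the "full" alert format shown in step 3.1, as an added Python example (not part of the thesis): it splits the alert file into records, reads the [gid:sid:rev] name line, the optional Classification/Priority line and the packet header line, and then summarizes the alerts the way BASE's views do. The first sample record is the alert quoted above; the second is constructed here for the ICMP rule of 7.3.1.5.

```python
import re
from collections import Counter

# Constructed sample of /var/log/snort/alert in Snort's "full" format. The first
# record is the alert quoted in step 3.1; the second is made up here for an ICMP
# alert from rule sid:2 (7.3.1.5) and shows the optional Classification line.
SAMPLE_ALERT_FILE = """\
[**] [1:1418:3] SNMP request tcp [**]
03/24-15:07:35.827022 192.168.1.2:49641 -> 192.168.1.105:161 TCP TTL:44 TOS:0x0 ID:37753 IpLen:20 DgmLen:40 Seq: 0x4EB5A7C6 Ack: 0x0 Win: 0x400 TcpLen: 20

[**] [1:2:0] Ping > 1000 [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/24-15:09:01.110420 192.168.1.10 -> 172.16.1.40 ICMP TTL:128 TOS:0x0 ID:1024 IpLen:20 DgmLen:2028
"""

NAME_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")  # [**] [gid:sid:rev] msg [**]
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
HDR_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))? (\w+) (.*)$")


def parse_alerts(text):
    """One dict per record; records are separated by a blank line."""
    alerts = []
    for record in text.strip().split("\n\n"):
        lines = record.strip().splitlines()
        m = NAME_RE.match(lines[0])
        if not m:
            continue  # not a record header (e.g. a truncated write); skip it
        alert = {"gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
                 "msg": m.group(4), "classification": None, "priority": None}
        for line in lines[1:]:
            c = CLASS_RE.match(line)
            h = HDR_RE.match(line)
            if c:
                alert["classification"], alert["priority"] = c.group(1), int(c.group(2))
            elif h:
                ts, src, sport, dst, dport, proto, rest = h.groups()
                alert.update(timestamp=ts, src=src, dst=dst, proto=proto,
                             sport=int(sport) if sport else None, dport=int(dport) if dport else None)
                # Remaining "Key:value" pairs: TTL, TOS, ID, IpLen, DgmLen and, for TCP, Seq/Ack/Win/TcpLen.
                # int(v, 0) accepts both decimal (TTL:44) and hex (Seq: 0x4EB5A7C6) values.
                alert["ip"] = {k: int(v, 0) for k, v in re.findall(r"(\w+):\s*(\S+)", rest)}
        alerts.append(alert)
    return alerts


def summarize(alerts):
    """Counts per signature and per source IP, the two views BASE is used for above."""
    by_signature = Counter((a["sid"], a["msg"]) for a in alerts)
    by_source = Counter(a["src"] for a in alerts)
    return by_signature, by_source


def oversized_icmp(alerts, dsize_limit=1000):
    """ICMP alerts whose payload exceeds dsize_limit: DgmLen minus the IP header
    (IpLen) and the 8-byte ICMP header gives the payload size that dsize tests."""
    return [a for a in alerts
            if a.get("proto") == "ICMP" and a["ip"]["DgmLen"] - a["ip"]["IpLen"] - 8 > dsize_limit]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT_FILE)
    print(summarize(parsed))
    print([a["sid"] for a in oversized_icmp(parsed)])
```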

    3.2 The snort.conf file

    The snort.conf file controls everything Snort sees: how it can counter attacks, which rules are used when something suspicious is seen, and how it can detect potentially dangerous signs even when it has no specific signature to compare against.

    Structure of an example snort.conf:

    - Network settings and variable definitions
    - Decoder and detection engine configuration
    - Preprocessor configuration
    - Output configuration
    - Included files

    7.5 Network settings and variable definitions

    To specify a single IP address, simply do the following:

    var HOME_NET 192.168.1.1

    Several addresses can be listed:

    var HOME_NET [192.168.1.1,192.168.14.1,10.0.0.2]

    There is also a way to specify a whole network:

    var HOME_NET 10.10.10.0/24

    Or both forms can be combined in one group:

    var HOME_NET [192.168.1.1,10.10.10.0/24,172.168.1.5/16,187.1.1.1/19]

    To specify everything except these addresses, add a !:

    var EXTERNAL_NET !$HOME_NET

    Ports are specified in the same way:

    var ORACLE_PORTS 1521

    Or every port other than 80:

    var SHELLCODE_PORTS !80

    Default variables in snort.conf:

    HOME_NET: the address of the network we are protecting
    EXTERNAL_NET: the external networks

    Variables naming the servers that run the services of the system:

    DNS_SERVERS: the address of the DNS server
    SMTP_SERVERS: the address of the mail server
    HTTP_SERVERS: the address of the web server
    SQL_SERVERS: the address of the database server
    TELNET_SERVERS: the address of the telnet server

    Default ports and other variables:

    HTTP_PORTS: port 80

    7.6 Configuration options in snort.conf

    Option                                                    Description
    config order: pass, alert, log, activation, or dynamic    Changes the order in which the rule types are applied
    config alertfile: alerts                                  Sets the alert output file
    config decode_arp                                         Enables ARP decoding (snort -a)
    config dump_chars_only                                    Enables character-only dumps (snort -C)
    config dump_payload                                       Dumps the application-layer data (snort -d)
    config decode_data_link                                   Decodes the layer-2 headers (snort -e)
    config bpf_file: filters.bpf                              Specifies a BPF filter file (snort -F)
    config set_gid: 30                                        Changes the GID to another GID (snort -g)
    config daemon                                             Runs Snort in daemon mode (snort -D)
    config interface:                                         Sets the interface (snort -i)
    config alert_with_interface_name                          Adds the interface name to alerts (snort -I)
    config logdir: /var/log/snort                             Sets the log directory (snort -l)
    config umask:                                             Sets the umask while running (snort -m)
    config pkt_count: N                                       Exits after N packets (snort -n)
    config nolog                                              Turns logging off (snort -N)
    config verbose                                            Uses verbose mode (snort -v)


    7.7 Preprocessor configuration

    Preprocessors serve several purposes. They normalize the traffic of the various services so that the data in the packets Snort is watching has the best possible chance of being compared against the signatures Snort is equipped with.

    Example:

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.1.1 00:19:cb:4b:52:9b

    - We tell Snort the MAC address of a machine in the LAN; when an attack spoofs that MAC address, Snort compares against this value and alerts the administrator.

    Flow

    The flow preprocessor has a module called flow-portscan. Flow follows all traffic and keeps track of the connections between the system and foreign ports; when a new flow appears, its information is hashed (making the tracking records smaller and faster for tracking IP addresses and ports) and stored in a preallocated memory table. Options for the flow preprocessor

    Frag

    When a packet travels from one network to another it often has to be fragmented into smaller packets, because the second network limits the packet size, naturally to something smaller than the first network allows. All the small packets are reassembled when they arrive. One of the attacker's methods is to use small packets to deceive the firewall or the IDS.

    Stream4

    Stream4 is designed to protect Snort from a newer kind of attack that attackers aim at NIDS sensors: flooding them with packets containing strings that resemble those in the rules in order to trigger alerts. There are quite a few tools for this, but Snort has a way to resist it. Stream4 has two main tasks: stateful inspection, and session awareness and reassembly.

    The HTTP Inspect preprocessor

    There are many ways information can be encoded into HTTP sessions, and many different kinds of content are carried in HTTP sessions (multimedia, .xml, .html, .asp, .php, .java and so on); as a result Snort has to keep the content of the HTTP conversations and reformat the data so that detection works as well as possible.

    Arpspoof

    Arpspoof is a preprocessor designed to detect illegitimate ARP spoofing activity on the local network. Attackers use man-in-the-middle tools such as ettercap or arpspoof to eavesdrop between machines in the internal network. To configure it the administrator has to know the MAC address of the network card, which is easy enough:

    Example:

    preprocessor arpspoof
    preprocessor arpspoof_detect_host: 192.168.1.1 00:19:cb:4b:52:9b

    File inclusion

    In snort.conf, the include statement tells Snort to read the files named after include, stored on the Snort sensor's file system, just like in programming.

    Example:

    include $RULE_PATH/bad-traffic.rules


    include $RULE_PATH/exploit.rules
    include $RULE_PATH/scan.rules

    The rules above can be downloaded from the internet; once downloaded we may want to group or edit them. The priority of the rules can be configured in the file classification.config, and reference.config holds the links to web sites with information on all the alerts; including them is very useful and quick.

    Example:

    # include classification & priority settings
    include classification.config
    # include reference systems
    include reference.config

    Installing the rule set for Snort:

    tar -xzvf snortrules-snapshot-2.8.tar.gz
    cd rules
    cp * /etc/snort/rules

    7.8 Starting Snort with the system

    Create a symbolic link from the snort binary to /usr/sbin/snort:

    ln -s /usr/local/bin/snort /usr/sbin/snort
    cp /snort/snort-2.8.4.1/rpm/snortd /etc/init.d/
    cp /snort/snort-2.8.4.1/rpm/snort.sysconfig /etc/sysconfig/snort

    Set the permissions on the snortd script:

    chmod 755 /etc/init.d/snortd
    chkconfig snortd on
    service snortd start


    7.9 Managing Snort with Webmin

    - Install Webmin:

    rpm -ivh webmin-1.400.noarch.rpm

    Log in to Webmin, choose Webmin Modules and import the Snort module into Webmin.

    7.10 Creating the Snort database in MySQL

    # service mysqld start

    First set a password for the MySQL root account:

    # mysqladmin -u root password 123456
    # mysql -p

    Create the snort account with its password:

    mysql> use mysql;
    mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';


    Create the database for snort:

    mysql> create database snort;
    mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO snort@localhost;
    mysql> flush privileges;
    mysql> exit

    Create the tables for the snort database from /snort/snort-2.8.4.1/schemas/create_mysql (in the directory where Snort was unpacked):

    mysql -u root -p snort < /snort/snort-2.8.4.1/schemas/create_mysql
    mysql -p
    show databases;
    use snort;
    show tables;

    Check the tables.

    7.11 Installing BASE and ADODB

    The web server and PHP are already installed; a few PEAR packages for PHP are still needed:

    cd snort/snort-2.8.4.1
    pear install Image_Graph-alpha Image_Canvas-alpha Image_Color

    Install ADODB:

    cp adodb480.tgz /var/www/html/
    cd /var/www/html/
    tar -xzvf adodb480.tgz

    Install BASE:

    # cp /snort/base-1.4.4.tar.gz /var/www/html/
    # tar -zxvf base-1.4.4.tar.gz
    # mv base-1.4.4/ base/


    # cd base
    # cp base_conf.php.dist base_conf.php
    # vi base_conf.php

    Restart Snort and Apache:

    # service snortd restart
    # service httpd restart


    THE END
