them

Upload: hoang-nguyen

Post on 15-Oct-2015


  • 5/26/2018 Them

    1/8

3.2.2.3. Using Snort as a Network IDS

Everything Snort IDS does is driven by rules, so we either write new rules or edit the ones supplied with it. We look at both cases here. First, the following command line runs Snort as a NIDS:

C:\Snort\bin\snort -dev -l \Snort\log -c snort.conf

This command introduces a new option, -c, whose value is snort.conf. Recall that snort.conf lives in C:\Snort\etc and holds Snort's control and configuration settings, such as the HOME_NET variable that defines the protected network and the RULE_PATH variable that points to the directory holding the rules Snort applies. (Give the full path, C:\Snort\etc\snort.conf, unless the command is run from that directory.) Here the -c option tells Snort to apply the rules declared in snort.conf to the packets it captures from the network. A Snort rule has two parts:

Rule header: holds the action, the protocol, the source and destination IP addresses together with their subnet masks, and the source and destination port numbers.

Rule options: declare the conditions a packet must meet for the rule to match, as well as the alert message, as in the following example:

alert tcp any any -> any 80 (content:"adult"; msg:"Adult Site Access";)

In this rule, alert tcp any any -> any 80 is the rule header and (content:"adult"; msg:"Adult Site Access";) is the rule options. Options are not mandatory in every Snort rule, but they carry the information we need about why the rule exists and what it should do. The effect of this rule is to raise an alert whenever TCP traffic from any IP address and any port is sent to any IP address on port 80 and the payload contains the string adult. Note that content matching is case-sensitive, so the capitalized form Adult would not match the rule as written; add the nocase modifier after the content option to match regardless of case. When the rule fires, meaning some user on the LAN has visited a site whose traffic contains that string, a record with the message Adult Site Access is written to the log file.

    3.2.2.3.1. Rule Header

Next we look more closely at the rule header; in the example above it is alert tcp any any -> any 80. Its first field, alert, is the rule action, which defines what Snort does when a packet matches the rule we wrote. There are five rule actions:


Rule action   Description
alert         Generate an alert and log the packet
log           Log the packet
pass          Ignore the packet
activate      Generate an alert and turn on the associated dynamic rule
dynamic       Stay idle until an activate rule turns it on, then log packets like a log rule

Actions are written in lowercase in real rules.

Once the action is defined, we specify the protocol, tcp in the example above. Snort supports the protocols tcp, udp, icmp and ip (ip matches any IP protocol).

Next we add the IP addresses to our rule. The keyword any means any IP address; otherwise Snort uses CIDR netmask notation, e.g. /8 for a class A network, /16 for class B and /24 for class C. To specify a single host, use /32. A list of networks can also be given in square brackets (no spaces inside the brackets), as in:

alert tcp any any -> [10.0.10.0/24,10.10.10.0/24] any (content:"Password"; msg:"Password Transfer Possible!";)

Note: the rule above was split over two lines on the page, but when you enter it you must type it on a single line. If you want to spread one rule over several lines, end each line with a backslash (\), although a single line is preferable whenever possible.

After the action, protocol and IP addresses we specify the port number of the service, such as 80 for Web access, or ports 21, 23 and so on.

The keyword any matches all ports, and a colon (:) specifies a range of ports:

To log any traffic from all IP addresses and all ports to port 23 on the 10.0.10.0/24 network, use:

log tcp any any -> 10.0.10.0/24 23

To log all traffic from any IP address to ports 1 through 1024 on hosts in 10.0.10.0/24:

log tcp any any -> 10.0.10.0/24 1:1024

To log all traffic from IP addresses with a source port of 1024 or lower to hosts in 10.0.10.0/24 with a destination port of 1024 or higher, use the following syntax (an open-ended range has its bound on one side of the colon only):

log tcp any :1024 -> 10.0.10.0/24 1024:


The negation operator ! can also be used, for example to log TCP traffic from every host except 172.16.40.50, on any port, to any port on 10.0.10.0/24:

log tcp !172.16.40.50/32 any -> 10.0.10.0/24 any

Or to log all traffic to hosts in 10.0.10.0/24 except traffic to port 23:

log tcp any any -> 10.0.10.0/24 !23

Every rule we have seen so far contains the direction operator ->, which says the traffic flows from the left side (source) to the right side (destination). To apply a rule to traffic in both directions, use <> instead of ->, as in this rule that logs both directions of a telnet session:

log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23
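To make the header grammar concrete, here is a small parser and matcher written in Python as an added example for this section (it is not code from the tutorial or from Snort). It implements the address forms described above (any, CIDR, a bracketed list, ! negation), the port forms (any, a single port, lo:hi, :hi, lo:, ! negation) and the -> and <> directions, and runs the headers from this section against a few constructed 5-tuples; the RULES list, the packets and the function names are the example's own assumptions.

```python
"""Snort rule-header parser and matcher.

Added example, not code from the tutorial or from Snort itself.  It covers
the five actions, the four protocols, any / CIDR / [list] / ! for addresses,
any / N / lo:hi / :hi / lo: / !N for ports, and -> versus <> direction.
The packets it is run against are constructed 5-tuples, not captures.
"""
import ipaddress
from dataclasses import dataclass

ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}


@dataclass
class Header:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str


def parse_header(rule: str) -> Header:
    """Take the text before '(' and split it into the seven header fields."""
    head = rule.split("(", 1)[0].strip()
    parts = head.split()
    if len(parts) != 7:
        raise ValueError(f"expected 7 header fields, got {len(parts)}: {head!r}")
    action, proto, src, sport, direction, dst, dport = parts
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction {direction!r}")
    return Header(action, proto, src, sport, direction, dst, dport)


def addr_matches(spec: str, ip: str) -> bool:
    """'any', a CIDR block (a host is /32), or a [a,b] list; '!' negates."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(s, ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """'any', N, lo:hi, :hi (port <= hi), lo: (port >= lo); '!' negates."""
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (not lo or int(lo) <= port) and (not hi or port <= int(hi))
    return port == int(spec)


def header_matches(h: Header, proto: str, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int) -> bool:
    """True if the 5-tuple satisfies the header; protocol 'ip' matches any protocol."""
    if h.proto != "ip" and h.proto != proto:
        return False
    forward = (addr_matches(h.src, src_ip) and port_matches(h.src_port, src_port)
               and addr_matches(h.dst, dst_ip) and port_matches(h.dst_port, dst_port))
    if forward or h.direction == "->":
        return forward
    # '<>' also covers the reply direction: test again with the endpoints swapped.
    return (addr_matches(h.src, dst_ip) and port_matches(h.src_port, dst_port)
            and addr_matches(h.dst, src_ip) and port_matches(h.dst_port, src_port))


# The headers from this section (the option body, if any, is ignored by the parser).
RULES = [
    "log tcp any any -> 10.0.10.0/24 23",
    "log tcp any :1024 -> 10.0.10.0/24 1024:",
    "log tcp !172.16.40.50/32 any -> 10.0.10.0/24 any",
    "log tcp any any -> 10.0.10.0/24 !23",
    "log tcp 10.0.10.0/24 any <> 172.16.30.0/24 23",
    'alert tcp any any -> [10.0.10.0/24,10.10.10.0/24] any (content:"Password";)',
]


def matching_rules(proto, src_ip, src_port, dst_ip, dst_port):
    """Indices into RULES whose header matches a constructed packet."""
    return [i for i, r in enumerate(RULES)
            if header_matches(parse_header(r), proto, src_ip, src_port, dst_ip, dst_port)]


if __name__ == "__main__":
    # Constructed traffic, not captures.
    print(matching_rules("tcp", "192.168.1.9", 40000, "10.0.10.5", 23))   # [0, 2, 5]
    print(matching_rules("tcp", "172.16.30.7", 23, "10.0.10.5", 40001))   # [1, 2, 3, 4, 5]
    print(matching_rules("tcp", "172.16.40.50", 5555, "10.0.10.9", 80))   # [3, 5]
    print(matching_rules("udp", "192.168.1.9", 40000, "10.0.10.9", 53))   # []
```

The second constructed packet is the telnet server's reply (source port 23, destination 10.0.10.5); it matches the <> rule only because the matcher retries with the endpoints swapped, which is exactly what -> does not do. The parser rejects a header with the wrong number of fields, which catches the common mistake of omitting a port field (for instance writing 10.0.10.0/24 without a following any).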

    3.2.2.3.2. Rule Option

A Snort rule can carry several options separated by semicolons (;), and these options make rules far more flexible and powerful. The following list shows the options most commonly used in Snort rules:

Rule option   Description
msg           Text to include in the alert and in the packet log
ttl           Compare the Time To Live value of the IP header
id            Compare the identification (fragment ID) field of the IP header
flags         Compare the TCP flags with the specified values
ack           Compare the TCP acknowledgement number with a specified value
content       Search the packet payload for the specified value

When the msg keyword is used, Snort's logging and alerting include the defined message in the log file or alert, for example:

msg:"text here";

When ttl is used, Snort compares the packet's Time To Live with the given value; this is typically used to detect traceroute, which sends packets with very small TTLs. The keyword takes a bare number, not a quoted string, for example:

ttl:time-value;


When the id keyword is used, Snort compares the identification field of the IP header (the one used for fragment reassembly) with the given value:

id:id-value;

The flags option has several forms depending on which flags are to be compared. The flag letters are:

F  FIN
S  SYN
R  RST
P  PSH
A  ACK
U  URG
2  Reserved bit 2
1  Reserved bit 1
0  No TCP flags set

Modifiers can be applied to the flags option. With no modifier the packet's flags must equal the listed flags exactly; + matches if all the listed flags are set, whatever else is set; * matches if any one of the listed flags is set; and ! matches if none of the listed flags is set. The reserved bits are used to detect scans and IP stack fingerprinting. Here is an example of the flags option in a rule that detects SYN/FIN scans:

Example using flags:

alert tcp any any -> 10.0.10.0/24 any (flags:SF; msg:"SYN FIN Scan Possible";)

The ack option matches a specific acknowledgement number in the packet's TCP header. Nmap, for example, sends ACK packets with an acknowledgement number of 0 to discover whether a host is up, which a rule combining flags:A; with ack:0; can pick out.

Of all the keywords, content is the most important. When content is used, Snort examines the packet payload and compares it with the declared value; if it matches, the rule's action is carried out. Note that content values are case-sensitive (upper and lower case are distinguished). To make the comparison efficient, Snort uses the Boyer-Moore pattern-matching algorithm, which keeps matching fast even on low-end machines. The basic syntax of the content keyword is:

content:"content value";
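The following Python evaluator is an added example rather than code from the tutorial or from Snort. It applies the options from this section (msg, ttl, id, flags, ack, content) to constructed packets so the matching semantics can be checked by hand: the flags modifiers, the reserved-bit S12 signature used later for OS fingerprinting, the exactness of content, and the contrast with the nocase modifier, which Snort provides but the text above does not cover. The packet dictionaries, the RULE_OPTIONS names and the helper names are the example's own assumptions.

```python
"""Rule-option evaluator for msg, ttl, id, flags, ack, content (and nocase).

Added example, not code from the tutorial or from Snort.  Packets are
constructed dicts holding only the fields these options inspect: IP ttl and
id, the TCP flags byte, the TCP acknowledgement number and the payload.
Semantics follow the Snort manual: all options of a rule must match; flags
with no modifier is an exact match, + means all listed flags set (others
allowed), * any listed flag set, ! none set, and a ',mask' suffix masks bits
out before comparing; content is case-sensitive unless followed by nocase.
"""
import re

# Flag letters as Snort names them, with the bit each occupies in the TCP flags byte.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

# keyword, optional ':value' (a quoted value may itself contain ';'), terminating ';'
OPT_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def parse_options(text):
    """'(content:"a;b"; nocase;)' -> [('content', 'a;b'), ('nocase', None)]"""
    body = text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    opts = []
    for m in OPT_RE.finditer(body):
        key, value = m.group(1).lower(), m.group(2)
        if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        opts.append((key, value))
    return opts


def flags_match(spec, tcp_flags):
    """Evaluate a flags value such as 'SF', '+A', '*SA', '!SF', '0' or 'S,12'."""
    spec, _, mask = spec.partition(",")
    mode = spec[0] if spec[0] in "+*!" else ""
    letters = spec[len(mode):]
    want = 0 if letters == "0" else sum(FLAG_BITS[c] for c in letters)
    have = tcp_flags & ~sum(FLAG_BITS[c] for c in mask)  # drop masked bits first
    if mode == "+":
        return have & want == want
    if mode == "*":
        return have & want != 0
    if mode == "!":
        return have & want == 0
    return have == want


def number_match(spec, actual):
    """ttl/id/ack take a bare number; ttl also accepts <N and >N."""
    if spec.startswith("<"):
        return actual < int(spec[1:])
    if spec.startswith(">"):
        return actual > int(spec[1:])
    return actual == int(spec)


def options_match(opts, pkt):
    """Return (matched, msg).  Every option must hold for the rule to fire."""
    msg, results, last_content = None, [], None
    for key, value in opts:
        if key == "msg":
            msg = value
        elif key == "content":
            last_content = value.encode()
            results.append(last_content in pkt["payload"])       # case-sensitive
        elif key == "nocase":
            # Modifies the preceding content: redo that test case-insensitively.
            results[-1] = last_content.lower() in pkt["payload"].lower()
        elif key == "flags":
            results.append(flags_match(value, pkt["flags"]))
        elif key in ("ttl", "id", "ack"):
            results.append(number_match(value, pkt[key]))
        else:
            raise ValueError(f"unsupported option {key!r}")
    return all(results), msg


# Constructed packets (not captures): IP ttl and id, TCP flags byte, ack number, payload.
PACKETS = {
    "synfin_scan": {"ttl": 64, "id": 1, "flags": 0x03, "ack": 0, "payload": b""},
    "null_scan":   {"ttl": 64, "id": 2, "flags": 0x00, "ack": 0, "payload": b""},
    "os_probe":    {"ttl": 64, "id": 3, "flags": 0xC2, "ack": 0, "payload": b""},
    "http_get":    {"ttl": 128, "id": 4, "flags": 0x18, "ack": 1001,
                    "payload": b"GET /Adult/index.html HTTP/1.1\r\n"},
    "ftp_login":   {"ttl": 1, "id": 5, "flags": 0x18, "ack": 77,
                    "payload": b"USER bob\r\nPASS password123\r\n"},
}

# Option bodies from this section, plus a nocase and a '*' variant for contrast.
RULE_OPTIONS = {
    "synfin":       '(flags:SF; msg:"SYN FIN Scan Possible";)',
    "null":         '(flags:0; msg:"NULL scan";)',
    "osfp":         '(flags:S12; msg:"O/S Fingerprint detected";)',
    "adult":        '(content:"adult"; msg:"Adult Site Access";)',
    "adult_nocase": '(content:"adult"; nocase; msg:"Adult Site Access";)',
    "password":     '(content:"password"; msg:"Possible Password Transmitted";)',
    "low_ttl":      '(ttl:1; msg:"Traceroute TTL";)',
    "syn_or_ack":   '(flags:*SA; msg:"SYN or ACK set";)',
}


def alerts_for(packet_name):
    """Names of RULE_OPTIONS entries whose options all match the packet."""
    pkt = PACKETS[packet_name]
    return sorted(name for name, text in RULE_OPTIONS.items()
                  if options_match(parse_options(text), pkt)[0])


if __name__ == "__main__":
    for name in PACKETS:
        print(name, alerts_for(name))
```

The http_get packet shows the case-sensitivity point from the text: its payload carries Adult with a capital A, so the plain content:"adult" rule stays silent and only the nocase variant fires. The os_probe packet has SYN plus both reserved bits set (0xC2), which flags:S12 matches exactly, while the ordinary SYN/FIN probe (0x03) matches only flags:SF.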

3.2.2.3.3. Building rules in Snort


From the preceding sections it is clear that a Snort rule consists of two parts: the header and the rule options. So to build a rule in Snort we construct these two parts step by step.

We now build a small rule set that alerts the analyst whenever the ping command is used, and also alerts when anyone transmits the word password. Proceed as follows:

Open the Notepad editor and enter:

log tcp any any -> any any (msg:"TCP Traffic Logged";)

alert icmp any any -> any any (msg:"ICMP Traffic Alerted";)

alert tcp any any -> any any (content:"password"; msg:"Possible Password Transmitted";)

Save the file as C:\Snort\rules\security365.rule, choosing "All Files" as the file type in Notepad so that a .txt extension is not appended.


To test the rules you just created, delete the files in C:\Snort\log, open two command windows and run the following in the first one:

C:\Snort\bin\snort -c \Snort\rules\security365.rule -l \Snort\log

Then run these commands in the other window:

C:\>ping www.dantri.vn

C:\>net send [ip_address] Here is my password

Press Ctrl-C in the window running Snort: you will see the packets that were captured, and looking in the log directory you will find the alerts. (net send depends on the Windows Messenger service, which later Windows versions no longer ship; on such systems send the string over any TCP connection, for example a telnet session, so that the tcp rule can see it.)

Besides writing our own rules we can apply the predefined rule sets. The following figure shows the contents of one such predefined rule file, scan.rules, in C:\Snort\rules, and how it sets up a rule to detect FIN/SYN scans.


A predefined rule set is used in the same way as the rules we write ourselves. If the system has more than one network card, we should tell Snort explicitly which interface to use (snort -W lists the interfaces and -i <number> selects one). Also, when writing rules for the ICMP protocol, the port fields are set to any, since ICMP has no ports.

3.2.2.3.4. Snort rule examples

Here are some basic Snort rules with their descriptions. They can serve as templates for writing your own rules.

Log all traffic to port 23, the telnet service:

log tcp any any -> 10.0.10.0/24 23

Log ICMP traffic to the 10.0.10.0 network:

log icmp any any -> 10.0.10.0/24 any

Allow all Web browsing without logging it (the source port must be any; restricting it to 80 as well would match only traffic from port 80 to port 80):

pass tcp any any -> any 80

Generate an alert with an accompanying message:

alert tcp any any -> any 23 (msg:"Telnet Connection Attempt";)


Detect SYN/FIN network scans:

alert tcp any any -> 10.0.10.0/24 any (msg:"SYN-FIN scan detected"; flags:SF;)

Detect TCP NULL scans (no flags set):

alert tcp any any -> 10.0.10.0/24 any (flags:0;)

Detect OS fingerprinting probes (SYN with both reserved bits set):

alert tcp any any -> 10.0.10.0/24 any (msg:"O/S Fingerprint detected"; flags:S12;)

Content filtering on outbound traffic (the network variable goes in the address field, the port field stays any):

alert tcp $HOME_NET any -> !$HOME_NET any (content:"Hello"; msg:"Hello Packet";)