13-1 Introduction to Snort - crypto.nknu.edu.tw/textbook/chap13.pdf

13: Snort   13-1 Introduction to Snort   13-2 How to install Snort   13-3 Using Snort


Snort

Snort (http://www.snort.org/) was written by Marty Roesch in 1998. It is an Intrusion Detection System (IDS) released under the GPL.

Snort has three modes of operation: Sniffer mode, Packet Logger mode, and Network Intrusion Detection System (NIDS) mode.

Snort()

IDSRulesetSnortSnortRules LanguageSnortSnortSnort

Snort runs on Linux, Windows, FreeBSD, NetBSD, OpenBSD, Sun Solaris, HP-UX, IBM AIX, SGI IRIX, Mac OS X and MkLinux.

Snort-Linux

Fedora Core 8 (FC8), Snort

Snort + BASE (Basic Analysis and Security Engine), ACID, MySQL, Apache, PHP, ADOdb, root, SELinux

Tarball

SnortApacheMySQLlibpcap

SnortFedora 8yum

yum -y install libpcap libpcap-devel pcre pcre-devel gcc

MySQL

MySQL (Fedora 8 ships MySQL 5.0.45):

yum -y install mysql-server mysql-devel
chkconfig mysqld on
/etc/init.d/mysqld start

Apache + PHP

Apache + PHP (Fedora 8 ships Apache 2.2.8 and PHP 5.2.4; BASE needs PHP with MySQL support):

yum -y install php httpd php-mysql php-pdo php-pear php-gd
chkconfig httpd on
/etc/init.d/httpd start

Snort

Snort 2.8.1 is installed from the tarball as root. First create the snort user, group and log directory:

groupadd snort
useradd -g snort snort
mkdir /var/log/snort
chown snort:snort /var/log/snort

Snort()

Snort is installed under /usr/local/snort-2.8.1:

cd /usr/local/src
wget http://www.snort.org/dl/current/snort-2.8.1.tar.gz
tar zxvf snort-2.8.1.tar.gz
cd snort-2.8.1
./configure --prefix=/usr/local/snort-2.8.1 --with-mysql
make
make install

Snort-

Snort30

30

Sourcefire VRT Certified Rules (snortrules-snapshot-CURRENT.tar.gz):

tar zxvf snortrules-snapshot-CURRENT.tar.gz
mv etc rules so_rules /usr/local/snort-2.8.1/

Snort()snort.conf

vi /etc/snort/snort.conf

# HOME_NET
var HOME_NET any
# MySQL (password= must hold the password given to the snort MySQL user)
output database: log, mysql, user=snort password= dbname=snort host=localhost
dynamicpreprocessor file /usr/local/snort-2.8.1/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
dynamicpreprocessor file /usr/local/snort-2.8.1/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/snort-2.8.1/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/snort-2.8.1/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/snort-2.8.1/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicengine /usr/local/snort-2.8.1/lib/snort_dynamicengine/libsf_engine.so

Snort()

Create a Snort init script:

cd /etc/init.d/
vi snort

Snort-snortsnort

#!/bin/bash
# chkconfig: 2345 99 99
# description: Snort Daemon
case "$1" in
  start)
    /usr/local/snort-2.8.1/bin/snort -c /usr/local/snort-2.8.1/etc/snort.conf -u snort -g snort -D
    ;;
  stop)
    # SIGKILL gives Snort no chance to flush pending log and database writes
    killall -9 snort
    ;;
  restart)
    killall -9 snort
    sleep 2
    /usr/local/snort-2.8.1/bin/snort -c /usr/local/snort-2.8.1/etc/snort.conf -u snort -g snort -D
    ;;
  *)
    echo "Usage: /etc/init.d/snort {start|stop|restart}"
    ;;
esac

Snort()snort

Make the script executable and register it with chkconfig:

chmod +x snort
chkconfig --add snort

Log in to MySQL as root (no password is set yet), set a root password, and create the snort database and user:

mysql -u root
mysql> use mysql;
mysql> set password for root@localhost=password("root");
mysql> create database snort;
mysql> grant ALL on snort.* to snort@localhost identified by "snort";
mysql> exit

snortsnort

mysql -u snort -p snort < /usr/local/src/snort-2.8.1/schemas/create_mysql

Snort-

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| snort              |
| test               |
+--------------------+
4 rows in set (0.00 sec)

Snort()snort

mysql> use snort;
Database changed

The schema creates 16 tables in the snort database:

mysql> show tables;
+------------------+
| Tables_in_snort  |
+------------------+
| data             |
| detail           |
| encoding         |
| event            |
| icmphdr          |
| iphdr            |
| opt              |
| reference        |
| reference_system |
| schema           |
| sensor           |
| sig_class        |
| sig_reference    |
| signature        |
| tcphdr           |
| udphdr           |
+------------------+
16 rows in set (0.00 sec)

BASEADOdb

pearphp

pear install --alldeps Image_Color Numbers_Roman
pear install --alldeps channel://pear.php.net/Image_Canvas-0.3.1
pear install --alldeps channel://pear.php.net/Image_Graph-0.7.2

BASEADOdb()

ADOdb:

cd /usr/local/src
wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb504a.tgz
tar zxvf adodb504a.tgz
rm adodb504a.tgz
mv adodb5 /var/www/

BASEADOdb()

BASE:

cd /usr/local/src
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.4.0.tar.gz
tar zxvf base-1.4.0.tar.gz
rm base-1.4.0.tar.gz
mv base-1.4.0 /var/www/html/base
cd /var/www/html/base/
mv base_conf.php.dist base_conf.php

BASEADOdb()

Edit /var/www/html/base/base_conf.php:

$BASE_Language = "chinese";
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb5";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "";

signatures/var/www/html/base/

BASEADOdb()

http://IP/base

RPM

Snort + BASE

TarballRPMFedora 8ApachePHPMySQLFedora 8SELinuxrpm -ivh

RPM()

Snort provides RPM packages for Fedora at http://www.snort.org/dl/binaries/linux/. For Fedora 8 (Fedora Core 8) install the snort and snort-mysql packages:

rpm -ivh http://www.snort.org/dl/binaries/linux/snort-2.8.1-1.FC7.i386.rpm
rpm -ivh http://www.snort.org/dl/binaries/linux/snort-mysql-2.8.1-1.FC7.i386.rpm

RPM()

yumsnortd/etc/rc.d/init.dRPMSnort/etc/snort/snort.conf13.2.1.1TarballBASEADOdbRPM13.2.1.1Tarball

Snort-Windows

Snort + BASEWindowsMicrosoftIISSQL ServerWindows XP

Windows

Snort_2_8_1_Installer.exe

SnortMySQL

SnortC:\Snort

Snort

Snort-

Extract snortrules-snapshot-CURRENT.tar.gz into C:\Snort, then edit C:\Snort\etc\snort.conf as follows.

Rule path, original:
var RULE_PATH ../rules
changed to:
var RULE_PATH C:\Snort\rules

Dynamic preprocessors, original (comment these lines out):
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
changed to:
dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor

Dynamic engine, original:
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
changed to:
dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

Database output, original (commented out):
# output database: log, mysql, user=root password=test dbname=db host=localhost
changed to (password= must hold the password given to the snort MySQL user):
output database: log, mysql, user=snort password= dbname=snort host=localhost

Classification file, original:
include classification.config
changed to:
include c:\Snort\etc\classification.config

WinPcap

Snort on Windows needs WinPcap; this chapter uses WinPcap 3.1:

http://www.winpcap.org/archive/3.1-WinPcap.exe

MySQL 5.0.51b

MySQL

UTF8

[Include Bin Directory in Windows PATH]

root

MySQL

MySQL

MySQL

Open an MS-DOS command prompt, log in to MySQL as root, and create the snort database and user:

mysql -u root -p
mysql> create database snort;
mysql> grant ALL on snort.* to snort@localhost identified by "snort";
mysql> exit

The user name and password must match the output database line in snort.conf (section 13.2.2). Then load the Snort schema as the snort user:

mysql -u snort -p snort < C:\Snort\schemas\create_mysql

Apache

Apache2.2.8ApacheWindows XP

PHP 5.2.5

PHPApache

Apache 2.2.8

MySQL

Extra

PHP

Copy PHP's MySQL client DLL, C:\Program Files\PHP\libmysql.dll, into C:\WINDOWS\system32.

Put an index.php in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs to check that Apache runs PHP.

PHP

Edit C:\Program Files\PHP\php.ini. Original:
max_execution_time = 30
changed to:
max_execution_time = 60

Original:
session.save_path="C:\DOCUME~1\chyang\LOCALS~1\Temp\php\session"
changed to:
session.save_path = "C:\Snort\sessiondata"

The directory C:\Snort\sessiondata must be created; BASE keeps its session data there.

Apache

Edit C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf. Original:
DirectoryIndex index.html
changed to:
DirectoryIndex index.html index.php index.htm

Apache()

Apache Service MonitorApache

BASEADOdb

WindowsXPTarballbase-1.4.0.tar.gzadodb504a.tgz

Extract adodb504a.tgz to C:\Program Files\Apache Software Foundation\Apache2.2\adodb5 and base-1.4.0.tar.gz to C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\base-1.4.0; rename base-1.4.0 to base, then rename BASE_conf.php.dist to BASE_conf.php.

Edit BASE_conf.php. Original:
$BASE_Language = "english";
changed to:
$BASE_Language = "chinese";

Original:
$DBlib_path = "";
changed to:
$DBlib_path = "C:\Program Files\Apache Software Foundation\Apache2.2\adodb5";

Original:
$alert_dbname = "snort_log";
changed to:
$alert_dbname = "snort";

Original:
$alert_password = "mypassword";
changed to:
$alert_password = "snort";

$BASE_urlpath = "/base"; is the URL path under which BASE is served.

cd "c:\Program Files\PHP"
go-pear.bat
pear install --alldeps Image_Color Numbers_Roman
pear install --alldeps channel://pear.php.net/Image_Canvas-0.3.1
pear install --alldeps channel://pear.php.net/Image_Graph-0.7.2

Press Enter at the go-pear prompts to accept the defaults.

LinuxWindowsBASEApacheMySQLSnort

LinuxSnortSnortLinuxWindowsMS-DOSSnort

Windows XPSnort

BASE

BASE

BASE

BASE

Snort-BASE

BASESnortSnortSnortBASESnortBASEBASE

Snort + BASEBASESnort

Snort-BASE()

BASE

Snort

Snort-BASE

BASE is based on ACID (Analysis Console for Intrusion Databases); it runs on PHP5 and displays the alerts Snort writes to the database.

BASEBASE

BASE

BASE

Snort

Snort

Network Intrusion Detection System (NIDS)

BASE

Sniffer mode prints TCP/IP packet headers to the console:

snort -v

-v shows the IP, TCP, UDP and ICMP headers; -d also prints the application-layer data; -e adds the data-link (Ethernet) headers. The switches can be given separately, snort -d -e -v, or combined as snort -dev. Ctrl+C stops Snort.

Snort -

Packet logger mode writes the packets to disk instead of the console; -l names the log directory:

snort -dev -l ./log

Snort stores each packet under ./log in a subdirectory named after an IP address of the packet.

Snort -()

With -h Snort is told which network is the home network, so that logs are filed relative to it:

snort -dev -l ./log -h 192.168.1.0/24

192.168.1.0/24 is the class C network 192.168.1.x; -h takes CIDR (Classless Inter-Domain Routing) notation.

By default Snort logs packets in ASCII. With -b it logs in tcpdump binary format, which tcpdump and Ethereal can read:

snort -l ./log -b

In binary mode the whole packet is stored, so -d, -e and -v are unnecessary. -r reads a binary log back into Snort:

snort -r snort.log.1121501111

A BPF filter can follow, for example to show only TCP:

snort -dv -r snort.log.1121501111 tcp

To convert a binary log to ASCII, redirect the output:

snort -r snort.log.1121501111 > snort.log.asc

Snort -()

Snorttcpdump

Snort-b

Snort -NIDS

NIDS mode is selected with -c, which names the rules configuration file, snort.conf.

Snort -NIDS()

snort.conf

snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf

In NIDS mode the -e and -v switches are usually unnecessary (-v in particular slows Snort down), so the usual form is:

snort -d -l ./log -h 192.168.1.0/24 -c snort.conf

NIDS

In NIDS mode Snort has six alert modes; four of them are selected with -A:

-A fast    one-line alerts (timestamp, message, source and destination addresses and ports)
-A full    full alert including the packet headers (the default)
-A unsock  sends alerts to a Unix socket for another program to read
-A none    disables alerting

NIDS()

The other two modes are syslog and SMB (WinPopup). -s sends alerts to syslog; on Linux they land in /var/log/secure, on other Unix-like systems in /var/log/messages.

-M sends WinPopup messages to Windows hosts through Samba's smbclient; this needs Snort built from the tarball with ./configure --enable-smbalerts.

Snort

To run Snort as a daemon on Linux:

/usr/local/bin/snort -c /etc/snort/snort.conf -u snort -g snort -D

-u sets the user and -g the group Snort runs as: it starts as root to open the interface, then drops to the unprivileged snort user and group created earlier, so a compromise of Snort does not yield root. -D runs Snort in the background as a daemon.

Snort.confPreprocessor

Preprocessors were introduced in Snort 1.5.

SnortSnortSnort

Preprocessors are enabled in snort.conf with lines of the form

preprocessor <name>: <options>

Examples:

preprocessor frag2
    IP defragmentation; by default it uses up to 4 MB of memory and times fragments out after 30 seconds.

preprocessor stream4: detect_scans
    TCP stream reassembly and stateful inspection; detect_scans also raises alerts for port-scan events.

preprocessor http_decode: 80 -unicode -cginull
    Normalises HTTP URIs on port 80; the -unicode and -cginull switches control alerting on IIS Unicode and CGI null-byte encodings.

preprocessor bo
    Detects Back Orifice traffic.

Snortsnort.conf

Snort(IDS)

SnortIDSIDS

SnortUnix-likeWindows

SnortSnortSnortSnortIDS

SnortIDSSnortGPL

()

SnortSnortSnortBASE

SnortSnort

Snort

