13-1 Snort簡介 - crypto.nknu.edu.twcrypto.nknu.edu.tw/textbook/chap13.pdf ·...
83
第13章:Snort 13-1 Snort簡介 13-2 Snort的安裝方法 13-3 Snort的使用
Transcript of 13-1 Snort簡介 - crypto.nknu.edu.twcrypto.nknu.edu.tw/textbook/chap13.pdf ·...
13:Snort
13-1 Snort13-2 Snort13-3 Snort
Snort
Snorthttp://www.snort.org/Marty Roesch1998Intrusion Detection System, IDSGPL
SnortSniffer modePacket Logger modeNetwork Intrusion Detection SystemNIDSmode
Snort()
IDSRulesetSnortSnortRules LanguageSnortSnortSnort
SnortLinuxWindowsFreeBSDNetBSDOpenBSDSun SolarisHP-UXIBM AIXSGI IRIXMacOS XMkLinux
Snort-Linux
Fedora Core 8FC8Snort
Snort+BASEBasic Analysis and Security EngineACIDMySQLApachePHPADOdbrootSELinux
Tarball
SnortApacheMySQLlibpcap
SnortFedora 8yum
yum y install libpcap libpcap-devel pcre pcre-devel gcc
MySQL
MySQLMySQLFedora 85.0.45MySQLyum y install mysql-server mysql-devel
chkconfig mysqld on/etc/init.d/mysqld start
Apache + PHP
Apache + PHP Fedora 8Apache2.2.8PHP5.2.4BASEPHPMySQLyum y install php httpd php-mysql php-pdo php-pear php-gdchkconfig httpd on/etc/init.d/httpd start
Snort
Snort2.8.1Snorttarballroot
groupadd snortuseradd -g snort snortmkdir /var/log/snortchown snort:snort /var/log/snort
Snort()
Snort/usr/local/ snort-2.8.1
cd /usr/local/srcwget http://www.snort.org/dl/current/snorthttp://www.snort.org/dl/current/snort--2.8.1.tar.gz2.8.1.tar.gztar zxvf snort-2.8.1.tar.gzcd snort-2.8.1./configure --prefix=/usr/local/snort-2.8.1 --with-mysqlmakemake install
http://www.snort.org/dl/current/snort-2.8.1.tar.gzhttp://www.snort.org/dl/current/snort-2.8.1.tar.gz
Snort-
Snort30
30
Sourcefire VRT Certified Rulessnortrules-snapshot-CURRENT.tar.gz
tar zxvf snortrules-snapshot-CURRENT.tar.gzmv etc rules so_rules /usr/local/snort-2.8.1/
Snort()snort.conf
vi /etc/snort/snort.conf
# HOME_NETvar HOME_NET any# MySQLoutput database: log, mysql, user=snort password= dbname=snort host=localhostdynamicpreprocessor file \ /usr/local/snort-2.8.1/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.sodynamicpreprocessor file \ /usr/local/snort-2.8.1/lib/snort_dynamicpreprocessor/libsf_dns_preproc.sodynamicpreprocessor file \ /usr/local/snort-2.8.1/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.sodynamicpreprocessor file \ /usr/local/snort-2.8.1/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.sodynamicpreprocessor file \ /usr/local/snort-2.8.1/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.sodynamicengine /usr/local/snort-2.8.1/lib/snort_dynamicengine/libsf_engine.so
Snort()
Snortcd /etc/init.d/
snortvi snort
Snort-snortsnort
#!/bin/bash# chkconfig: 2345 99 99# description: Snort Daemoncase "$1" in
start)/usr/local/snort-2.8.1/bin/snort -c /usr/local/snort-2.8.1/etc/snort.conf -u snort -g snort -D;;
stop)killall -9 snort
;;restart)
killall -9 snortsleep 2/usr/local/snort-2.8.1/bin/snort -c /usr/local/snort-2.8.1/etc/snort.conf -u snort -g snort -D
;;*)
echo "Usage: /etc/init.d/snort ";;
esac
Snort()snort
chmod +x snortSnort
chkconfig add snortsnortroot
mysql -u rootmysql>
mysql> use mysql;mysql> set password for root@localhost=password("root");mysql> create database snort;mysql> grant ALL on snort.* to snort@localhost identified by "snort";mysql> exit
snortsnort
mysql -u snort -p < /usr/local/src/snort-2.8.1/schemas/create_mysql snort
Snort-
mysql> show databases;+---------------------------| Database +---------------------------| information_schema| mysql| snort | test +----------------------------4 rows in set (0.00 sec)2 rows in set (0.05 sec)
Snort()snort
mysql> use snort;Database changed
snortsnortmysql> show tables;+------------------| Tables_in_snort+------------------| data | detail | encoding | event | icmphdr| iphdr| opt | reference | reference_system| schema | sensor | sig_class| sig_reference| signature | tcphdr| udphdr+------------------16 rows in set (0.00 sec)
BASEADOdb
pearphp
pear install --alldeps Image_ColorNumbers_Romanpear install --alldepschannel://pear.php.net/Image_Canvas-0.3.1pear install --alldepschannel://pear.php.net/Image_Graph-0.7.2
BASEADOdb()
ADOdbcd /usr/local/srcwgethttp://easynews.dl.sourceforge.net/sourceforge/adhttp://easynews.dl.sourceforge.net/sourceforge/adodb/adodb504a.tgzodb/adodb504a.tgztar zxvf adodb504a.tgzrm adodb504a.tgzmv adodb5 /var/www/
http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb504a.tgzhttp://easynews.dl.sourceforge.net/sourceforge/adodb/adodb504a.tgz
BASEADOdb()
BASEcd /usr/local/srcwgethttp://easynews.dl.sourceforge.net/sourceforge/secureideashttp://easynews.dl.sourceforge.net/sourceforge/secureideas/base/base--1.4.0.tar.gz1.4.0.tar.gztar zxvf base-1.4.0.tar.gzrm base-1.4.0.tar.gzmv base-1.4.0 /var/www/html/basecd /var/www/html/base/mv base_conf.php.dist base_conf.php
http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.4.0.tar.gzhttp://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.4.0.tar.gz
BASEADOdb()
BASE/var/www/html/base/base_conf.php$BASE_Language = "chinese";$BASE_urlpath = "/base";$DBlib_path = "/var/www/adodb5";$DBtype = "mysql";$alert_dbname = "snort";$alert_host = "localhost";$alert_port = "";$alert_user = "snort";$alert_password = "";
signatures/var/www/html/base/
BASEADOdb()
http://IP/base
RPM
Snort + BASE
TarballRPMFedora 8ApachePHPMySQLFedora 8SELinuxrpm -ivh
RPM()
SnortSnortFedoraRPMhttp://http://www.snort.org/dl/binaries/linuxwww.snort.org/dl/binaries/linux//RPMFedora 8Fedora Core 8RPMrpm rpm --ivhivh http://www.snort.org/dl/binaries/linux/snorthttp://www.snort.org/dl/binaries/linux/snort--
2.8.12.8.1--1.FC7.i386.rpm1.FC7.i386.rpmrpm rpm --ivhivh http://www.snort.org/dl/binaries/linux/snorthttp://www.snort.org/dl/binaries/linux/snort--
mysqlmysql--2.8.12.8.1--1.FC7.i386.rpm1.FC7.i386.rpm
http://www.snort.org/dl/binaries/linux/http://www.snort.org/dl/binaries/linux/snort-2.8.1-1.FC7.i386.rpmhttp://www.snort.org/dl/binaries/linux/snort-2.8.1-1.FC7.i386.rpmhttp://www.snort.org/dl/binaries/linux/snort-mysql-2.8.1-1.FC7.i386.rpmhttp://www.snort.org/dl/binaries/linux/snort-mysql-2.8.1-1.FC7.i386.rpm
RPM()
yumsnortd/etc/rc.d/init.dRPMSnort/etc/snort/snort.conf13.2.1.1TarballBASEADOdbRPM13.2.1.1Tarball
Snort-Windows
Snort + BASEWindowsMicrosoftIISSQL ServerWindows XP
Windows
Snort_2_8_1_Installer.exe
SnortMySQL
SnortC:\Snort
Snort
Snort-
snortrules-snapshot-CURRENT.tar.gz()C:\SnortC:\Snort\etc\snort.conf
Snort-var RULE_PATH ../rules var RULE_PATH C:\Snort\rules#dynamicpreprocessor file
/usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.sodynamicpreprocessor file
/usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.sodynamicpreprocessor file
/usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.sodynamicpreprocessor file
/usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.sodynamicpreprocessor file
/usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.sodynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.sodynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll# output database: log, mysql, user=root password=test dbname=db host=localhost #
output database: log, mysql, user=snort password=dbname=snort host=localhost
include classification.config include c:\Snort\etc\classification.config
WinPcap
SnortWinPcapWinPcap 3.1
http://www.winpcap.org/archive/3.1http://www.winpcap.org/archive/3.1--WinPcap.exeWinPcap.exe
http://www.winpcap.org/archive/3.1-WinPcap.exe
MySQL5.0.51b
MySQL
UTF8
[Include Bin Directory in Windows PATH]
root
MySQL
MySQL
MySQL
snortMS-DOSmysqlrootmysql -u root -pmysql>mysql> create database snort;mysql> grant ALL on snort.* to snort@localhost identified by snort;mysql> exitsnort13.2.2snort.confsnortsnortmysql -u snort -p < C:\Snort\schemas\create_mysql snort
Apache
Apache2.2.8ApacheWindows XP
PHP5.2.5
PHPApache
Apache 2.2.8
MySQL
Extra
PHP
PHPMySQLDLLC:\Program Files\PHP\libmysql.dllC:\WINDOWS\system32PHP
C:\Program Files\Apache Software Foundation\Apache2.2\htdocsindex.php Apachephp
PHP
PHPC:\Program Files\PHP\php.ini
max_execution_time = 30max_execution_time = 60
session.save_path="C:\DOCUME~1\chyang\LOCALS~1\Temp\php\session
session.save_path = "C:\Snort\sessiondata"C:\Snort\sessiondataBASE
Apache
C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf
DirectoryIndex index.html
DirectoryIndex index.html index.php index.htm
Apache()
Apache Service MonitorApache
BASEADOdb
WindowsXPTarballbase-1.4.0.tar.gzadodb504a.tgz
adodb504a.tgzC:\Program Files\Apache Software Foundation\Apache2.2\adodb5base-1.4.0.tar.gzC:\Program Files\Apache Software Foundation\Apache2.2\htdocs\base-1.4.0basebaseBASE_conf.php.distBASE_conf.php
BASEBASE_conf.php$BASE_Language = "english"; $BASE_Language = "chinese";
$DBlib_path = "";$DBlib_path = " C:\Program Files\Apache Software
Foundation\Apache2.2\adodb5";
$alert_dbname = "snort_log"; $alert_dbname = "snort";
$alert_password = "mypassword";$alert_password = "snort";
$BASE_urlpath = "/base";BASE
cd "c:\Program Files\PHP"go-pear.bat install --alldeps Image_Color Numbers_Roman
pear install --alldeps channel://pear.php.net/Image_Canvas-0.3.1pear install --alldeps channel://pear.php.net/Image_Graph-0.7.2Enter
LinuxWindowsBASEApacheMySQLSnort
LinuxSnortSnortLinuxWindowsMS-DOSSnort
Windows XPSnort
BASE
BASE
BASE
BASE
Snort-BASE
BASESnortSnortSnortBASESnortBASEBASE
Snort + BASEBASESnort
Snort-BASE()
BASE
Snort
Snort-BASE
BASEACID(Analysis Console for Intrusion Databases)ACIDPHP5BASESnort
BASEBASE
BASE
BASE
Snort
Snort
Network Intrusion Detection SystemNIDS
BASE
Snort -SnortTCP/IPsnort -v
-vIPTCPUDPICMP-d
-esnort -d -e -v"-"snort -devCtrl+C
Snort -
Snort-llogsnort -dev -l ./log
logSnortSnortIPlogIP
Snort -()
SnortIPIP-hSnort
snort -dev -l ./log -h 192.168.1.0/24
192.168.1CTCP/IPlog-hCIDRClassless Inter-Domain Routing
Snort -()ASCIItcpdumpEtherealtcpdump-bsnort -l ./log b-btcpdump-d-e-v-rsnort -r snort.log.1121501111TCPsnort -dv r tcptcpdumpASCIIsnort -r > snort.log.asc
Snort -()
Snorttcpdump
Snort-b
Snort -NIDS
SnortSnort-csnort.confsnort.conf
Snort -NIDS()
snort.conf
snort -dev -l ./log -h 192.168.1.0/24 -c snort.confSnortSnortSnortSnort-ev
snort -d -l ./log -h 192.168.1.0/24 -c snort.conf
NIDS
SnortNIDS64-A
-A fast /
-A full
-A unsockUnix Socket Socket
-A none
NIDS()
2syslogSambasmbclientWindowsWinPopup-ssyslog
Linux/var/log/ secureUnix-like/var/log/messages
-M(smbclientWindows)TarballSnort./configure--enable-smbalerts
Snort
SnortLinuxSnort
/usr/local/bin/snort -c /etc/snort/snort.conf -u snort -g snort -D
-uSnortUser-ggGroupSnortrootsnortSnortsnortsnortsnortsnort-DDaemonSnort
Snort.confPreprocessor
PreprocessorSnort 1.5
SnortSnortSnort
preprocessorsnort.conf
preprocessor :
preprocessor
preprocessor frag2IP4MB30
preprocessor stream4: detect_scans
preprocessor http_decode: 80 -unicode cginullCGI NullIIS Unicode
preprocessor boBack OrificeBack Orifice
Snortsnort.conf
Snort(IDS)
SnortIDSIDS
SnortUnix-likeWindows
SnortSnortSnortSnortIDS
SnortIDSSnortGPL
()
SnortSnortSnortBASE
SnortSnort
Snort
BASE (Basic Analysis and Security Engine), http://base.secureideas.net/Andrew Baker, Jay Beale, Brian Caswell, and Mike Poore, Snort 2.1 Intrusion Detection, 2nd Edition, SYNGRESS, 2004Andrew Baker, Jay Beale, and Brian Caswell, Snort Intrusion Detection and Prevention Toolkit, SYNGRESS, 2007Christina Neal, Snort Install on Win2000/XP with Acid, and MySQL, http://www.sans.org/rr/whitepapers/detection/362.phpCharlie Scott, Paul Wolfe, and Bert Hayes, Snort For Dummies, WILEY, 2004Snort Users Manual 2.8.1, http://www.snort.org/docs/snort_htmanuals/htmanual_281/
13:SnortSnortSnort()Snort-LinuxTarballMySQLApache + PHPSnortSnort()Snort-Snort()Snort()Snort-snortSnort()Snort-Snort()BASEADOdbBASEADOdb()BASEADOdb()BASEADOdb()BASEADOdb()RPMRPM()RPM()Snort-WindowsSnortMySQLSnortC:\SnortSnortSnort-Snort-WinPcapMySQL5.0.51bMySQLUTF8[Include Bin Directory in Windows PATH]rootMySQLMySQLMySQLApachePHP5.2.5MySQLExtraPHPPHPApacheApache()BASEADOdbBASEWindows XPSnortBASEBASEBASEBASE Snort-BASESnort-BASE()Snort-BASESnortSnort -Snort -Snort -()Snort -()Snort -()Snort -NIDSSnort -NIDS()NIDSNIDS()SnortSnort.confPreprocessorpreprocessor()
