Phat Hien Va Chong Xam Nhap Trai Phep Voi Snort

7/30/2019 Phat Hien Va Chong Xam Nhap Trai Phep Voi Snort

1/22

PHT HIN VCHNG XM

NHP TRI PHPS DNG SNORTNgi trnh by:

V Thng

Gim c Athena


2/22

ATHENA

Ni dung

Gii thiu Snort Sniffer mode

Packet Logger mode

Network Instrution Detection System (NIDS)

Inline mode

Ci t, cu hnh Snort Preprocessor

Output modules

Cu trc lut ca Snort Rule header

Rule option


3/22

ATHENA

Gii thiu

Snort l mt phn mm m ngun m c khnng pht hin, chng s xm nhp tri php.

Snort hot ng nh mt phn mm ng gia

s giao tip ca hai my tnh. Cc packet trckhi c gi n my tnh ch s c snortkim tra, thm nh.

Snort c th pht hin nhiu loi xm nhp

nh: buffer overflows, stealth port scans, CGIattacks, SMB probes, OS fingerprintingattempts


4/22

ATHENA

Gii thiu (tt)

Internet

Internet

Firewall

DMZ

network

IDS

Router

IDS

IDS

Extranet

Internet

Firewall

Router

IDS


5/22

ATHENA

Gii thiu (tt)


6/22

ATHENA

Gii thiu (tt)

Mode hot ng ca Snort Sniffer mode: hin th thng tin v cc packet ang

di chuyn trong mng trn mn hnh console.

Packet Logger mode: log li tnh trng cc packetvo a cng.

Network Instrution Detection System (NIDS):mode hot ng y v phc tp nht.

Inline mode: can thip vo packet t khi packet mic chuyn vo iptables, cho php hy b packett trong iptables.


7/22ATHENA

Sniffer Mode

Hin th thng tin header ca packet: snort -v

Hin th thng tin ng dng ang pht sinh

packet: snortv -d

Header ca tng datalink: snortvde

snortvd -e


8/22ATHENA

Packet Logger Mode

Lu thng tin xung file: snortdevl [filename]

Lu thng tin dng binary:

snortl [filename] -b

c ngc thng tin t file binary: snortdvr [filename]

snortdvr [filename] icmp


9/22ATHENA

Network Instrution Detection System

Mode hot ng phc tp nht, nhiu optionnht.

Bt buc phi ch ra file lut dng hot ng

(option -c) snortu snortg snortdDc /etc/snort

Mc nh ca mode ny l cnh bo full alert vlog li packet theo dng ASCII.


10/22ATHENA

Inline Mode

Bin dch h tr inline mode: ./configureenable-inline

C 3 loi lut c s dng mode inline:

drop: iptables s b qua packet v log li s kinny.

reject: iptables s b qua packet, log li s kin, vthng bo n my tnh rng packet ny s khng

n ni. sdrop: iptables s b qua packet, khng thng bo

n my ch v cng khng log li s kin.

snort_inlineQDc ../etc/drop.confl /var/log/snort


11/22ATHENA

Ci t

./configure

make

make install

hot ng mode NIDS cn c tp lut:snortrules.tar.gz.

tarxzvf snortrules.tar.gz -C /etc/snort

Sa file /etc/snort/snort.conf


12/22ATHENA

Cu hnh Snort

preprocessor: kim tra packet ngay sau khipacket c gii m. Preprocessor c thchin trc tt c cc lut tm kim, pht hinkhc.

preprocessor :

output module: linh hot trong vic nh dngthng bo n ngi s dng

output :


13/22ATHENA

Cu hnh Snort

Preprocessor: Stream4

sfPortscan

Performance Monitor

ASN.1 Detection

Output modules:

alert_syslog

alert_fast alert_full

log_tcpdump

csv


14/22ATHENA

Cu trc lut ca Snort

Rule header: rule action, protocol, a ch IPngun v a ch IP ch, port ngun v portch .

Rule option: thng ip cnh bo, phn thngtin xc nh packet no s b gi li.

alert tcp any any -> any any (content:|00 0186 a5|; msg: mountd access;)

Rule action

Protocol


15/22ATHENA

Rule action

Rule action:

alert: cnh bo v ghi li packet.

log: ghi li packet.

pass: b qua packet.

active: cnh bo v gi thc thi mt rule khc. dynamic: trng thi idle cho n khi c mt rule khc

c kch hot.

drop: cho php iptables b qua packet ny v log li packet bb qua.

reject: cho php iptables b qua packet ny, log li packet,ng thi gi thng bo t chi n my ngun.

sdrop: cho php iptables b qua packet ny nhng khng logli packet, cng khng thng bo n my ngun.


16/22ATHENA

Rule action (tt)

nh ngha rule type ring ph hp vi mcch:

ruletype redalert

{type alert

output alert_syslog: LOG_AUTH LOG_ALERT

output database: log, mysql, user=snort

dbname=snort host=localhost.}


17/22ATHENA

Rule option

meta-data: cung cp thng tin v rule nhngkhng gy ra bt c nh hng no n qutrnh pht hin packet.

payload: tm kim thng tin trong phn payloadca packet.

non-payload: tm kim thng tin trong phnnon-payload ca packet.

post-detection: xy ra sau khi mt rule ckch hot.


18/22ATHENA

Meta data

msg: ; reference: , ;

sid: ;

classtype: ;

priority:


19/22ATHENA

Payload

content: [!] ; nocase;

rawbytes;

depth: ;

offset: ;

distance: ;

uricontent: [!];

isdataat: ; byte_test: , [!] ,

, [,relative] [,endian] [,, string];

byte jump


20/22ATHENA

Non payload

ttl: time to live.

tos: type of service.

dsize: kim tra non-payload c ln hn mt

kch thc xc nh khng. flag: kim tra TCP flag bits (F: FIN, S: SYN, R:

RST, A: ACK).

flow: xc nh chiu ca kt ni. window: kim tra tcp window size.


21/22ATHENA

Post detection

logto: kim tra log li s kin vo file. logto: filename;

session: s dng ly s kin t mt TCP

session. session: [printable|all];

resp, react.


22/22ATHENA

Hi-p

Q&A

Phat Hien Va Chong Xam Nhap Trai Phep Voi Snort

Documents

Transcript of Phat Hien Va Chong Xam Nhap Trai Phep Voi Snort