Shared at SinhVienIT.Net Thanks For hocLinux.Net
TABLE OF CONTENTS
PREFACE
CHAPTER I: OVERVIEW OF IDS/IPS
1.1 Introduction to IDS/IPS
1.1.1 Definition
1.1.2 Differences between IDS and IPS
1.2 Classification of IDS/IPS and analysis of their advantages and disadvantages
1.2.1 Network-based IDS (NIDS)
1.2.2 Host-based IDS (HIDS)
1.3 How IDS/IPS systems work
1.3.1 The misuse detection model
1.3.2 The anomaly detection model
1.3.2.1 Static detection
1.3.2.2 Dynamic detection
1.3.3 Comparison of the two models
1.4 Some IDS/IPS products
CHAPTER II: STUDYING THE USE OF SNORT AS AN IDS/IPS
2.1 Introduction to Snort
2.2 Snort architecture
2.2.1 Packet decoder module
2.2.2 Preprocessor module
2.2.3 Detection module
2.2.4 Logging and alerting module
2.2.5 Output module
2.3 The Snort rule set
2.3.1 Introduction
2.3.2 Structure of a Snort rule
2.3.2.1 The header
2.3.2.2 The options
2.4 Snort's blocking mode: Snort Inline
2.4.1 Integrating blocking capability into Snort
2.4.2 Additions to the Snort rule structure to support inline mode
CHAPTER III: INSTALLING AND CONFIGURING SNORT; TESTING THE RESPONSE CAPABILITY OF THE IDS/IPS
3.1 Defining variables
3.2 Configuring the preprocessor modules
3.3 Configuring the output modules
REFERENCES


PREFACE
Information security in general, and network security in particular, is a concern not only in Vietnam but throughout the world. With the rapid growth of the Internet, securing information systems has become more urgent than ever.
Within network security, detecting and preventing intrusions into computer networks is an interesting topic that has attracted the attention of many researchers, who have followed many different lines of research. In keeping with that trend, in this specialised internship project we wanted to study network intrusion detection and prevention in order to grasp the advanced solutions and techniques and so be well prepared after graduation. Although we have tried our best, our knowledge and judgement are still limited, so this work inevitably has shortcomings; we look forward to the attention and comments of our teachers and of all of you.
To complete this project, we would like to express our deepest thanks to our supervisor, Mr Nguyn o Trng, who enthusiastically guided and advised us and gave us a great deal of useful knowledge throughout the project. Without his dedicated help we could not have completed it.
Once again, many thanks to him!

CHAPTER I: OVERVIEW OF IDS/IPS

1.1 Introduction to IDS/IPS
1.1.1 Definition

An intrusion detection system (IDS) is a system whose task is to monitor, detect and (possibly) block intrusions, as well as unauthorised use of the protected system's resources that could damage the confidentiality, integrity and availability of that system.
An IDS collects information from many sources inside the protected system and then analyses that information in various ways to detect unauthorised intrusions.
When an IDS is capable of blocking the intrusion attempts it detects, it can be called an intrusion prevention system, or IPS.
The following figure illustrates the positions at which an IDS is usually installed in a network:

Figure: Positions of IDS in a network

1.1.2 Differences between IDS and IPS

The difference between the two concepts is visible in their very names: detection versus prevention. IDS systems are designed primarily to detect and raise alerts about intrusion threats to the network they protect, whereas an IPS, in addition to detecting, can itself take action against those threats according to rules set up in advance by the administrator.
In practice, however, the distinction is not so clear-cut. Some IDS systems are designed with blocking as an optional feature, while some IPS systems do not carry the full functionality of a prevention system in the strict sense.
A natural question is which to choose, IDS or IPS? The answer depends on the size and nature of the particular network and on the security policy of its administrators. For small networks with a single security server, IPS is usually the preferred option because it combines detection, alerting and blocking in one place.
In larger networks, however, the blocking function is usually delegated to a dedicated product such as a firewall. The alerting system then only needs to monitor, detect and forward its alerts to a separate blocking system. This separation of responsibilities makes securing the network more flexible and more effective.
1.2 Classification of IDS/IPS
The most common way to classify IDS (and IPS) systems is by the nature of the data source they collect from. On this basis, IDS systems are divided into the following types:
Host-based IDS (HIDS): uses audit data from a single host to detect intrusions.
Network-based IDS (NIDS): uses data from the whole of the network traffic, together with audit data from one or a few hosts, to detect intrusions.
1.2.1 Network-based IDS (NIDS)
A NIDS usually consists of two logical components:
Sensor: placed on a network segment, it monitors suspicious traffic on that segment.
Management station: receives alert signals from the sensors and notifies an operator.

Figure I: NIDS model

A traditional NIDS with two sensors on different network segments, both communicating with one management station.
Advantages

Low cost: because a NIDS only has to be installed at key points to monitor the traffic of the whole network, the system does not need software loaded on and managed across every machine in the network.
Detects attacks that a HIDS misses: unlike a HIDS, a NIDS inspects the headers of all packets, so it does not overlook signs of attack that originate there. For example, many DoS attacks, and TearDrop (fragmentation) attacks, can only be detected by examining the headers of the packets travelling over the network.
Hard to erase evidence: the information stored in log files can be modified by an intruder to conceal the intrusion, in which case a HIDS has no reliable record of activity. A NIDS uses the live traffic on the network to detect intrusions, so the intruder cannot erase the traces of the attack. The captured information contains not only the method of attack but also information that helps to verify and prosecute the intruder.
Timely detection and response: a NIDS detects attacks as they happen, so alerting and response can be carried out faster. For example, an attacker carrying out a TCP-based DoS attack can be detected by the NIDS and stopped immediately by sending TCP reset packets to terminate the attack before it penetrates and disrupts the victim machine.
High independence: a failure of the NIDS has no significant effect on the work of the machines on the network. It runs on a dedicated system that is easy to set up: simply bring the device up, make a few configuration changes and plug it into the network at a position that lets it monitor the sensitive traffic.
Disadvantages

Limited by switches: many of the advantages of a NIDS do not hold in modern switched networks. A switch divides the network into many separate segments, so a NIDS has difficulty collecting information about the whole network. Because it only inspects the segment it is directly connected to, it cannot detect an attack taking place on other segments (unless the switch mirrors traffic to it, which is why sensors are normally attached to a SPAN/mirror port or a network tap). This leads organisations to buy a large number of sensors to cover the whole network, which is costly to install.
Limited performance: a NIDS struggles to process every packet on a large or high-traffic network, and may therefore fail to detect attacks carried out during "peak" periods. Some vendors address this by implementing the IDS entirely in hardware to increase its speed. But because speed must be maintained, some packets are dropped, which can leave gaps for an intrusion to slip through.
Increased network load: an intrusion detection system may need to send a large volume of data back to a central analysis system, meaning that every monitored packet generates a large analysis load. To counter this, flexible data-reduction processes are used to cut the amount of traffic forwarded. Vendors also commonly push decision-making down into the sensors and use the central station as a status display or communications hub rather than a place where the actual analysis is done. The drawback is that very little related information is available to the sensors: no sensor knows that another sensor has detected an attack. Such a system cannot detect coordinated or complex attacks.
A NIDS usually has difficulty handling attacks inside an encrypted session. This problem becomes more serious as more companies and organisations adopt virtual private networks (VPNs).
Some NIDS also have difficulty detecting network attacks carried in fragmented packets. These malformed packets can cause the NIDS to misbehave or crash.
1.2.2 Host-based IDS (HIDS)
A host-based IDS looks for signs of intrusion on a local host, usually by checking and analysing logged information. It looks for unusual activity such as logins, improper file access, and attempts at privilege escalation that are not permitted.
This kind of IDS architecture is usually rule-based in the way it analyses activity. For example, a high privilege level can only be obtained through the su (switch user) command, so repeated attempts to log in to the root account can be treated as an attack.
Advantages

Determines the outcome of an attack: because a HIDS uses log data that records the events that occurred, it can tell whether an attack succeeded or failed with greater accuracy than a NIDS. A HIDS can therefore supply follow-up information once an attack has been detected early by a NIDS.
Monitors specific system activity: a HIDS can monitor activities that a NIDS cannot, such as file access, permission changes, executed actions, and access to privileged services. It also monitors activities that should only be performed by the administrator. A host-based IDS can therefore be a very powerful tool for analysing attacks that may have occurred, since it usually provides more detailed and accurate information than a network-based IDS.
Detects intrusions that a NIDS misses: for example, an intruder using the keyboard to break into a server will not be detected by a NIDS.
Copes well with switched and encrypted environments: switching and encryption happen on the network, and since a HIDS is installed on the host it is not affected by either technique.
No additional hardware required: a HIDS is installed directly on the existing infrastructure (FTP server, web server), so it does not require extra hardware.
Disadvantages

Hard to manage: host-based systems must be installed on every device you want to protect. That is a large amount of configuration, management and update work.
Untrustworthy source information: another problem with host-based systems is that they rely on the server's default logs and monitoring capability. This information can itself be attacked and tampered with, leading to the system malfunctioning and failing to detect the intrusion.
Host-based systems are relatively expensive: many organisations do not have the budget to protect all of their network segments with host-based systems. Such organisations must be very careful about which systems they choose to protect, which can leave large gaps in intrusion-detection coverage. For example, an attacker on an unprotected neighbouring system may be able to sniff authentication information or other easily compromised material on the network.
Consumes system resources: because it is installed on the machines being protected, a HIDS must use those systems' resources to operate: CPU, RAM and disk.

1.3 How IDS/IPS systems work

There are two basic approaches to intrusion detection and prevention:
Misuse detection (Misuse Detection Model): the system detects intrusions by looking for activity that corresponds to known intrusion techniques (based on signatures) or to known vulnerabilities of the system.
Anomaly detection (Anomaly Detection Model): the system detects intrusions by looking for activity that differs from the normal behaviour of the users or of the system.
1.3.1 Misuse detection
Misuse detection means detecting intruders who try to break into a system using some known technique. It involves characterising the known ways of breaking into the system, each of which is described as a pattern. A misuse detection system only checks for explicit patterns. A pattern may be a fixed bit string (for example a virus, specified by the string it inserts), or a description of a set or sequence of suspicious actions.
Here we use the term intrusion scenario. A typical misuse detection system continuously compares the current activity of the system against a set of intrusion scenarios, trying to detect a scenario that is in progress. Such a system may examine the current activity of the protected system in real time, or it may examine audit records written by the operating system.
Misuse detection techniques differ in how they model the behaviour that indicates an intrusion. First-generation misuse detection systems used rules describing what security administrators look for in the system. The large number of accumulated rules became hard to understand and modify, because they were not grouped logically into intrusion scenarios.
To resolve this difficulty, second-generation systems introduced alternative scenario representations, including model-based rule organisations and state-transition representations. This is more effective for users of the system who need a clear representation and understanding of the scenarios. The system must be maintained and updated regularly to keep pace with newly discovered intrusion scenarios.
Because intrusion scenarios can be specified precisely, misuse detection systems can follow the trail of an intrusion. Within a sequence of actions, the detector can anticipate the next step of the intrusion. The detector analyses system information to check for that next step and, when necessary, intervenes to reduce the possible damage.
1.3.2 Anomaly detection
Anomaly detection is based on defining and characterising the acceptable behaviour of the system in order to distinguish it from unwanted or abnormal behaviour, and so discover changes and illegitimate behaviour.
The anomaly detector must therefore be able to distinguish between normal and abnormal phenomena.
The boundary between the acceptable and the anomalous form of a piece of code or stored data is clearly defined (a single differing bit is enough), whereas the boundary between legitimate and anomalous behaviour is much harder to determine.
Anomaly detection is divided into two kinds: static and dynamic.
1.3.2.1 Static detection
Static detection rests on the initial assumption that the monitored part of the system must always remain unchanged. Here we are only concerned with the software part of the system (assuming the hardware does not need to be checked). The static part of a system consists of two sub-parts: the system code and the data of that part of the system. Both can be represented as a binary bit string or a set of such strings. If this representation differs from the original form, then either an error has occurred or an intruder has modified it. The static detector is then notified to check data integrity.
Specifically, the static detector produces one or more fixed bit strings that define the expected state of the system. From these strings it obtains a representation of that state, possibly in compressed form. It then compares that representation of the expected state with the corresponding representation computed from the current state of the same fixed bit strings. Any difference indicates either a hardware error or an intrusion.
The representation of the static state could be the actual bit strings chosen to define the system state, but that is expensive both in storage and in comparison operations. Since the concern is to find that a difference exists in order to raise an intrusion alert, rather than to point out where the difference is, a compressed representation can be used to reduce the cost. This is a summary value computed from a base bit string. The computation must ensure that values computed from different base bit strings are different. Checksums, message digests and hash functions can be used for this. (Against a deliberate attacker only a cryptographic hash such as SHA-256 gives that guarantee; a plain checksum or CRC can be matched by a suitably modified file.)
Some intrusion detectors also incorporate metadata (data describing the data objects) or information about the structure of the objects being checked. For example, the metadata for a log file includes its size; a change in that size that normal operation does not explain, in particular a log file that has shrunk, can be a sign of intrusion.
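An added example (not part of the original report) of the static check just described, in Python: a baseline of SHA-256 digests and size metadata is taken over a constructed, in-memory set of objects, and a later state is compared against it. The object paths, their contents and the per-object policy are assumptions for illustration. The "log" policy treats growth as normal and flags truncation or rewriting of the existing records, which is the usable form of the metadata check mentioned above.

```python
import hashlib

# Constructed objects standing in for files on disk (path -> bytes); assumed contents.
SAMPLE_SYSTEM = {
    "/bin/login": b"\x7fELF login binary v1",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/var/log/auth.log": b"sshd[412]: Accepted publickey for alice\n",
}

# Per-object policy (an assumption of this example): "content" objects must never change;
# "log" objects may grow during normal operation but must not shrink or have their
# existing records rewritten.
POLICY = {
    "/bin/login": "content",
    "/etc/passwd": "content",
    "/var/log/auth.log": "log",
}


def digest(data):
    """Compressed representation of an object's bit string: a SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(objects):
    """Record the expected state: digest plus size metadata for every object."""
    return {path: {"sha256": digest(data), "size": len(data)} for path, data in objects.items()}


def check(baseline, current, policy):
    """Compare the current state with the baseline; return (path, finding) pairs, empty if clean."""
    findings = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
            continue
        data = current[path]
        if policy.get(path, "content") == "content":
            if digest(data) != expected["sha256"]:
                findings.append((path, "content changed"))
        elif len(data) < expected["size"]:
            findings.append((path, "truncated"))
        elif digest(data[: expected["size"]]) != expected["sha256"]:
            findings.append((path, "existing records rewritten"))
    for path in current:
        if path not in baseline:
            findings.append((path, "unexpected new object"))
    return findings


def demo():
    """Simulate an intruder who replaces /bin/login, adds a passwd entry and wipes the auth log."""
    baseline = build_baseline(SAMPLE_SYSTEM)
    tampered = dict(SAMPLE_SYSTEM)
    tampered["/bin/login"] = b"\x7fELF trojaned login"
    tampered["/etc/passwd"] += b"backdoor:x:0:0::/:/bin/sh\n"
    tampered["/var/log/auth.log"] = b""
    return check(baseline, tampered, POLICY)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

The baseline itself has to live somewhere the intruder cannot write (read-only media or a separate host), otherwise the attacker simply recomputes it after modifying the files.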
1.3.2.2 Dynamic detection
First we introduce the notion of system behaviour. The behaviour of a system is defined as a sequence of distinct events. For example, many intrusion detection systems use the audit records generated by the operating system to define the relevant events; in that case only behaviour that results in operating-system audit records is considered.
Events may occur in strict order or not, and information has to be accumulated. Thresholds are defined to mark the boundary between legitimate and abnormal resource usage.
If it is uncertain whether behaviour is anomalous, the system can rely on parameters set during initialisation that relate to that behaviour. The boundary here is not sharp, so false alarms can result.
The most common way of determining the boundary is to use statistical classification and standard deviations. Once a classification has been established, the boundary can be drawn in terms of some number of standard deviations. If the behaviour falls outside it, an intrusion alert is raised.
Specifically, dynamic detection systems usually build a profile (a baseline) characterising normal, acceptable behaviour. A profile consists of the set of measurements considered for the behaviour, each of which has several dimensions:
Related to choices: login time, login location, ...
Resources used, either over the whole process or per unit of time: session length, number of messages sent to the network per unit of time, ...
Sequences representing actions.
Once the baseline has been initialised, intrusion detection can begin. Dynamic detection is now like static detection: it monitors behaviour by comparing the current characterisation of behaviour with the initial characterisation of expected behaviour (the baseline) and looking for differences. When the intrusion detection system runs, it examines the events related to an entity, or the actions that are attributes of the entity, and from these builds a current profile.
Earlier generations of intrusion detection systems depended on audit records to capture the relevant events or actions. Later systems instead record a database specific to intrusion detection. Some systems operate in real time or near real time, observing events directly as they occur rather than waiting for the operating system to generate records describing them.
The main difficulty for dynamic detection systems is that they must build the baseline accurately and then recognise deviant behaviour against it.
The baseline can be built by running the system, or by observing the behaviour of normal users, over a long period.
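An added example (not from the report) of a dynamic detector in Python: it builds a per-metric profile (mean and standard deviation) from constructed training sessions for one user and flags any metric of a new session that lies more than a chosen number of standard deviations from the mean, which is the statistical boundary described above. The session records and the three metrics (login hour, session length, messages per minute) are assumptions for illustration.

```python
import statistics

# Constructed training observations for one user (assumed data): each session is
# (login_hour, session_minutes, msgs_per_min).
METRICS = ("login_hour", "session_minutes", "msgs_per_min")
BASELINE_SESSIONS = [
    (9, 45, 12), (9, 50, 10), (10, 40, 14), (10, 55, 11), (10, 48, 13),
    (9, 60, 12), (10, 42, 9), (9, 47, 15), (11, 38, 11), (10, 52, 12),
]


def build_profile(sessions, metrics=METRICS):
    """Baseline profile: (mean, standard deviation) for each metric over the training sessions."""
    profile = {}
    for i, name in enumerate(metrics):
        values = [s[i] for s in sessions]
        profile[name] = (statistics.mean(values), statistics.stdev(values))
    return profile


def z_scores(profile, session, metrics=METRICS):
    """How many standard deviations each metric of one session lies from its mean."""
    scores = {}
    for i, name in enumerate(metrics):
        mean, sd = profile[name]
        scores[name] = (session[i] - mean) / sd if sd else 0.0
    return scores


def detect(profile, session, threshold=3.0):
    """Names of the metrics outside the threshold boundary (empty list = behaviour looks normal)."""
    return sorted(name for name, z in z_scores(profile, session).items() if abs(z) > threshold)


def update_profile(sessions, new_session):
    """Fold a session judged normal back into the training set so the baseline follows legitimate drift."""
    return build_profile(sessions + [new_session])


if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    for session in [(10, 50, 12), (3, 600, 400), (10, 50, 18)]:
        print(session, "->", detect(profile, session) or "normal")
```

The threshold trades false positives against misses: with this small training set a login at noon already sits more than three standard deviations from the mean login hour, which is exactly the kind of false alarm the text warns about, and is why profiles are trained over a long period and updated as behaviour drifts.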

1.3.3 Comparison of the two models

Components. Misuse detection: a database of attack signatures; it searches for exact pattern matches. Anomaly detection: a database of normal activity; it searches for deviations of the actual activity from the normal activity.
Effectiveness. Misuse detection: effective at detecting known attack types and minor variants of known attack types; it cannot detect new attack types. Anomaly detection: effective at detecting new attack types that a misuse detection system would miss.
Configuration. Misuse detection: easier to configure, as it requires less data collection, analysis and updating. Anomaly detection: harder to configure and produces more data; it requires a comprehensive notion of the known or expected behaviour of the system.
Basis of the verdict. Misuse detection: conclusions are drawn from pattern matching. Anomaly detection: conclusions are drawn from the statistical correlation between the actual and the expected behaviour of the system (that is, from the deviation of the observed values from an allowed threshold).
Output. Misuse detection: can trigger an alert message as a sure sign, or supply supporting data for other signs. Anomaly detection: can support the automatic generation of system information, but it needs time, and the collected data must be clean.

Table: Comparison of the two detection models

To obtain the best intrusion detection system, the two methods are combined in a single system. Such a combined system can detect more kinds of attack, and detect them more effectively.
The combined system is shown in the following diagram:

Figure I: A system combining the two detection models

1.4 Some IDS/IPS products

This section introduces some popular commercial and free IDS and IPS products, the typical products in the field of intrusion detection and prevention.
Cisco IDS-4235
Cisco IDS (also known as NetRanger) is a NIDS capable of monitoring all network traffic and matching every packet to detect signs of intrusion.
Cisco IDS is a standalone solution: Cisco supplies the hardware and software together in a dedicated appliance.
The technical approach of Cisco IDS is a hybrid of decoding (decode) and matching (grep). Cisco IDS runs on a Unix system optimised for its configuration, with the interactive Cisco CLI (Cisco Command Line Interface) familiar to Cisco users.
ISS Proventia A201
Proventia A201 is a product of Internet Security Systems. Proventia is not just a piece of software or hardware; it is a family of devices deployed in a distributed fashion across the protected network. A Proventia system consists of the following devices:
Intrusion Protection Appliance: the centre of the whole Proventia system. It stores the network configuration, the matching data and the system's rules and policies. It is essentially a Linux build with optimised network drivers and a minimised set of services.
Proventia Network Agent: acts as the sensors. Agents are placed at sensitive points in the network to monitor all traffic and detect potential intrusions.
SiteProtector: the control centre of the Proventia system. This is where the network administrator controls the entire configuration and operation of the system.
With Proventia, the devices are deployed to suit the configuration of each particular network so as to achieve the best result.
NFR NID-310
NFR is a product of NFR Security Inc. Like Proventia, NFR NID is an appliance-based system. A distinctive point of the NFR NID architecture is its family of sensors, which can adapt to a wide range of networks, from 10 Mbps up to gigabit networks with very high throughput.
A highlight of NFR NID is its three-tier control model. Instead of the devices in the system being controlled directly by a separate Administration Interface (AI), NFR provides a centralised control mechanism with middleware that controls the devices directly.
SNORT
Snort is an open-source IDS developed by Martin Roesch. Snort was first built on Unix and later ported to other platforms. Snort is regarded as the most noteworthy open-source IDS, with very powerful features. Snort is covered in detail in Chapter II of this report.


CHAPTER II: STUDYING THE USE OF SNORT AS AN IDS/IPS

2.1 Introduction to Snort
Snort is a NIDS developed by Martin Roesch under the open-source model. Although Snort is free, it has many excellent features that not every commercial product can match. With its modular design, users can extend their Snort system themselves by installing or writing new modules. Snort's rule database contains 2930 rules (at the time this report was written) and is regularly updated by a community of users. Snort runs on many platforms, including Windows, Linux, OpenBSD, FreeBSD, NetBSD, Solaris, HP-UX, AIX, IRIX and MacOS.
Besides operating as an ordinary packet-capture application, Snort can be configured to run as a NIDS. Snort supports the following link-layer technologies: Ethernet, 802.11, Token Ring, FDDI, Cisco HDLC, SLIP, PPP and OpenBSD's PF.
2.2 Snort architecture
Snort consists of several components, each with its own function. The main parts are:
Packet decoder module (Packet Decoder)
Preprocessor module (Preprocessors)
Detection module (Detection Engine)
Logging and alerting module (Logging and Alerting System)
Output module (Output Module)
The architecture of Snort is shown in the following figure:

Figure IV: Snort system architecture

When Snort runs, it listens for and captures every packet that passes through it. Captured packets are passed to the packet decoder module. Next the packet goes to the preprocessor module and then to the detection module. There, depending on whether an intrusion is detected, the packet is either ignored and allowed to continue on its way, or passed to the logging and alerting module for processing. Once alerts have been determined, the output module emits them in the desired format. Below we look in more detail at the operation and function of each component.

2.2.1 Packet decoder module

Snort uses the pcap library to capture every packet on the network that passes through the system. The following figure shows how an Ethernet packet is decoded:

Figure V: Processing an Ethernet packet

Once decoded, a packet is passed on to the preprocessor module.


2.2.2 Preprocessor module
The preprocessor module is a very important module for any IDS: it prepares the data packets that are handed to the detection module for analysis. Its three main tasks are:
Reassembling packets: when a large amount of data is sent, it is not packed into a single packet but fragmented, the original packet being split into several packets before transmission. When Snort receives these packets it has to reassemble them to recover the original data before any further processing can be done. As we know, many packets are exchanged during a session. An individual packet is stateless, and intrusion detection that relies entirely on individual packets is not very effective. The stream preprocessor lets Snort understand the different sessions (in other words, it gives packets state), which in turn makes intrusion detection more effective.
Decoding and normalising protocols (decode/normalize): signature-based intrusion detection often fails when checking protocols whose data can be expressed in many different forms. For example, a web server can accept many forms of URL: URLs written with hex or Unicode encoding, URLs using \ or / as separators, or several such characters in a row. Suppose we have the signature scripts/iisadmin; an attacker can get past it by tweaking the request sent to the web server, for instance:
scripts/./iisadmin
scripts/examples/../iisadmin
scripts\iisadmin
scripts/.\iisadmin
or by encoding these strings in some other way. If Snort simply compared the data with the signature, such intrusions would be missed. Some of Snort's preprocessor modules are therefore responsible for decoding, correcting and reordering this input so that when it reaches the detection module nothing is missed. Snort currently supports decoding and normalisation for the following protocols: telnet, http, rpc and arp.
Detecting anomalous intrusions (non-rule/anomaly): preprocessor plugins of this kind are used against intrusions that cannot, or can only with difficulty, be detected with ordinary rules, or against abnormal signs in a protocol. Preprocessors of this kind can detect intrusions in any way we can think of, which extends Snort's capabilities. For example, a preprocessor plugin could record the network throughput at normal times and then, when abnormal throughput occurs, compute, detect and raise an alert (intrusion detection by a statistical model). The current version of Snort ships with two plugins for detecting anomalous intrusions: portscan and bo (Back Orifice). portscan raises an alert when an attacker scans the system's ports looking for vulnerabilities. bo raises an alert when the system is infected with the Back Orifice trojan and a remote attacker connects to it to execute commands remotely.
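An added example (not Snort's own code) in Python of the normalisation task described above for HTTP request paths: the path is percent-decoded until it stops changing, backslashes are turned into slashes, and the `.` and `..` segments are resolved before the signature `scripts/iisadmin` is checked. The evasion strings are the four listed above plus two constructed ones (a hex-encoded letter and an upper-case variant); the naive comparison misses all of them, the normalised comparison catches them.

```python
from urllib.parse import unquote

SIGNATURE = "scripts/iisadmin"   # the detection signature from the text


def normalize_path(path):
    """Canonicalise an HTTP request path before signature matching.

    Steps, in order: percent-decode until the string stops changing (defeats double
    encoding such as %252e), treat backslash as a separator, drop empty and '.' segments,
    resolve '..' against the preceding segment, and fold case (IIS paths are case-insensitive).
    The result is returned without a leading slash.
    """
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/".join(segments).lower()


def naive_match(path):
    """What a detector that compares the raw request against the signature would decide."""
    return SIGNATURE in path


def normalized_match(path):
    """What the detector sees after the preprocessor has normalised the path."""
    return SIGNATURE in normalize_path(path)


# The evasions listed in the text, plus two constructed ones (hex-encoded letter, upper case).
EVASIONS = [
    "scripts/./iisadmin",
    "scripts/examples/../iisadmin",
    "scripts\\iisadmin",
    "scripts/.\\iisadmin",
    "scripts/%69isadmin",
    "SCRIPTS//IISADMIN",
]

if __name__ == "__main__":
    for e in EVASIONS:
        print(f"{e!r:35} naive={naive_match(e)!s:5} normalized={normalized_match(e)}")
```

The order of the steps matters: resolving `..` before decoding would let `%2e%2e` survive, and folding case before decoding would leave `%2F` and `%2f` behaving differently. The normalisation must also mirror what the protected server actually does; a normaliser that is more permissive than the server produces false alerts, one that is stricter produces misses.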
2.2.3 Detection module
This is the most important module in Snort. It is responsible for detecting signs of intrusion. The detection module compares the predefined rules with the collected data to determine whether an intrusion has occurred. Only then can it carry out tasks such as logging, generating alerts and outputting information.
A very important issue in the detection module is packet processing time: an IDS usually receives a great many packets and itself has a great many rules to apply. Different packets can take different amounts of time to process, and when network throughput is too high packets may be missed or not responded to in time. The processing capacity of the detection module depends on factors such as the number of rules, the speed of the system running Snort, and the network load. Some experiments indicate that the current version of Snort, when optimised and run on a multi-processor system with a reasonably powerful configuration, can work well even on gigabit networks.
A detection module can also separate the parts of a packet and apply rules to each part. Those parts can be:
The IP header
The transport-layer header: TCP, UDP
The application-layer header: DNS header, HTTP header, FTP header, ...
The packet payload (rules can also be applied to the data carried by the packet)
Another issue in the detection module is what to do when a packet is matched by several rules. Because Snort rules are also assigned a priority, when a packet is matched by several different rules the alert that is emitted is the one for the rule with the highest priority.
2.2.4 Logging and alerting module
Depending on whether the detection module has identified an intrusion, the packet may be logged or an alert raised. Log files are text data files, which can be written in many different formats, for example tcpdump format.
2.2.5 Output module
This module can perform different operations depending on how you want the results to be stored. Depending on the system configuration it can:
Write a log file.
Write to syslog: syslog is a standard for storing log files that is widely used on Unix and Linux systems.
Write alerts to a database.
Create an XML log file: XML logs are very convenient for exchanging and sharing data.
Reconfigure a router or firewall.
Send alerts in packets using the SNMP protocol. These SNMP packets are sent to an SNMP server, which makes managing the alerts and the IDS itself more centralised and convenient.
Send SMB (Server Message Block) messages to Windows machines.
If none of the above output methods is satisfactory, you can write your own output modules for your purpose.
2.3 The Snort rule set
2.3.1 Introduction
Just like viruses, most attack and intrusion activity has its own signs. Information about these signs is used to build Snort's rules. Honeypots are commonly set up to learn what attackers do and what tools and techniques they use. Conversely, there are also databases of the security vulnerabilities that attackers want to exploit. These known attack forms are used as signatures for detecting intrusion attacks. The signatures may appear in the packet headers or in the packet payload. Snort's detection engine works on rules, and these rules are in turn based on the attack signatures. Rules can be applied to all the different parts of a data packet.
A rule can be used to generate an alert message, log a message, or ignore a packet.
2.3.2 Structure of a Snort rule
Consider a simple example:
alert tcp 192.168.2.0/24 23 -> any any (content:"confidential"; msg:"Detected confidential";)
The structure of a rule is as follows:

Figure VI: Structure of a Snort rule

Explanation:

Logically, every Snort rule consists of two parts: the header and the options.
The header contains information about the action the rule takes when it detects an intrusion in a packet, and it also contains the criteria for applying the rule to a packet.
The options contain an alert message and information about the parts of the packet used to generate the alert. The options also contain additional criteria for matching the rule against the packet. A rule can detect one or several probing or attack activities. Well-written rules can cover several intrusion signatures.
Below is the general structure of the header of a Snort rule:
Figure VII: Header of a Snort rule

Action: specifies what action is taken when the packet's characteristics are matched exactly by the rule. Usually the action is to generate an alert, log a message, or activate another rule.
Protocol: restricts the rule to packets of one particular protocol, for example IP, TCP or UDP.
Address: the source and destination addresses. An address may be a single host, several hosts or a network. Of the two address fields, one is the source and the other the destination; which is which is determined by the Direction field (->).
Port: specifies the source and destination ports of the packets the rule applies to.
Direction: indicates which address is the source and which the destination.
Example:
alert icmp any any -> any any (msg:"Ping with TTL=100"; ttl:100;)
The part before the opening parenthesis is the header of the rule and the rest is the options. The header in detail:
The rule action here is alert: an alert is generated if the packet matches the rule's conditions (the packet is always logged whenever an alert is generated).
The protocol of the rule is ICMP, meaning the rule applies only to ICMP packets. So if a packet is not ICMP, the rest of the rule is not checked.
The source address is any, meaning the rule applies to packets from every source; the port is also any, and for ICMP packets the port has no meaning anyway. Port numbers are only meaningful for TCP and UDP packets.
The options, in parentheses, specify that an alert containing the string "Ping with TTL=100" is generated when the condition TTL=100 is met. TTL (Time To Live) is a field in the IP header.

2.3.2.1 The header

As described above, the header of a rule consists of several parts. The following are the details of each part.
Rule action (Rule Action)

This is the first part of the rule and specifies the action to be taken when the rule's conditions are satisfied. An action is taken if and only if all the conditions match. Five actions are predefined, but you can create your own actions to suit your needs. In earlier versions of Snort, when several rules matched a packet only one rule was applied: once the first rule had been applied, the remaining rules were not applied to that packet. In later versions all the rules are applied to the packet.
Pass: this action tells Snort to ignore the packet. It plays an important role in speeding up Snort when we do not want to apply checks to certain packets. For example, if we set up a honeypot (on some machine) to lure hackers into attacking it, we must let every packet reach that machine. Or if we use a scanner to check the security of our own network, we have to ignore all packets coming from that scanning machine.
Log: this action is used to log the packet. Logging can go to a file or to a database, depending on your needs.
Alert: send an alert message when a sign of intrusion is detected. There are many ways to send the message, such as to a file or to a console. Naturally, after the alert message is sent, the packet is logged.
Activate: used to generate an alert and activate another rule to check further conditions on the packet.
Dynamic: indicates that this rule is invoked by other rules whose action is Activate.
User-defined actions: a new action is defined with the following structure:
ruletype action_name
{
action definition
}
ruletype is the keyword.
The action is defined precisely inside the braces; it might be a function written in C, for example.
For instance:
ruletype smb_db_alert
{
type alert
output alert_smb: workstation.list
output database: log, mysql, user=test password=test dbname=snort host=localhost
}
This is an action named smb_db_alert, used to send the alert message as an SMB pop-up window to the machines listed in the file workstation.list and to a MySQL database named snort.
Protocols

This is the second part of a rule and indicates which kind of packet the rule applies to. Currently Snort understands the following protocols:
IP
ICMP
TCP
UDP
For IP, Snort checks the link-layer header to determine the packet type. For any other protocol, Snort uses the IP header to determine the protocol. The protocol only plays a role in the criteria of the rule's header; the rule's options may contain conditions unrelated to the protocol.
Address

A Snort rule has two address parts. They are used to check the source and the destination of the packet. An address can be a single IP address or a network address. The word any applies the rule to all addresses.

The address is written followed by a slash and the number of bits in the subnet mask. For example, 192.168.2.0/24 denotes the class C network 192.168.2.0 with a 24-bit subnet mask. A 24-bit subnet mask is 255.255.255.0. Recall that:

A 24-bit subnet mask denotes a class C network.
A 16-bit subnet mask denotes a class B network.
An 8-bit subnet mask denotes a class A network.
A 32-bit subnet mask denotes a single IP address.

Of the two addresses in a Snort rule, one is the source address and the other is the destination address. Which is which depends on the direction part.

For example, the rule:

alert tcp any any -> 192.168.1.10/32 80 (msg: "TTL=100"; ttl: 100;)

generates an alert for every packet from any source with TTL = 100 that is going to the web server 192.168.1.10 on port 80.
Address negation (excluding addresses)

Snort lets us exclude addresses with the negation operator (the ! character). Placed in front of an address, it tells Snort not to check packets coming from or going to that address. For example, the following rule applies to all packets except those originating from the class C network 192.168.2.0:

alert icmp ![192.168.2.0/24] any -> any any (msg: "Ping with TTL=100"; ttl: 100;)

Address lists

We can specify a list of addresses in a Snort rule. For example, to apply a rule to all packets except those originating from the two class C networks 192.168.2.0 and 192.168.8.0, the rule is written as follows:

alert icmp ![192.168.2.0/24, 192.168.8.0/24] any -> any any (msg: "Ping with TTL=100"; ttl: 100;)

The brackets [] are only needed when they are preceded by !.
Port Number

The port number applies a rule to packets coming from, or going to, a specific port or port range. For example, we can use source port 23 to apply a rule to all packets coming from a Telnet server. The word any represents all ports. Note that port numbers are only meaningful for the TCP and UDP protocols; if the rule's protocol is IP or ICMP, the port number plays no role.

Example:

alert tcp 192.168.2.0/24 23 -> any any (content: "confidential"; msg: "Detected confidential";)

Port numbers are useful when we want to apply a rule only to a specific kind of traffic. For example, a rule against web attacks only needs port 80 to detect them.

Port ranges:

A rule can be applied to a range of ports instead of a single port. The first and last ports are separated by a colon (:).

Example:

alert udp any 1024:2048 -> any any (msg: "UDP ports";)

We can also bound the range from above or from below only, that is, give only the first or only the last port, for example 1024: or :2048.

Negation also applies to ports. The following example logs all packets except those originating from port 53:

log udp any !53 -> any any

Below are some commonly used ports, that is, the ports of the most common services:

20 FTP data
21 FTP
22 SSH
23 Telnet
24 SMTP
53 DNS Server
80 HTTP
110 POP3
161 SNMP
443 HTTPS
3360 MySQL

Direction

Indicates which address is the source and which is the destination; it can be ->, <- or <>. The <> form is used when we want to check both client and server.
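The header syntax described above (addresses with CIDR masks, ! negation, bracketed lists, single ports, port ranges and direction) as an added example in Python; this is not code from the page or from the Snort project. It assumes only the -> and <> directions and ignores the option part in parentheses.

```python
"""Parser and matcher for the Snort rule header described above.

Added example, not code from the page or the Snort project. Covers: action,
protocol, address (single IP, CIDR, any, ! negation, bracketed lists), port
(single, a:b, a:, :b, any, ! negation) and direction (-> or <>).
"""
import ipaddress
import re

_ADDR = r"(?:!?\[[^\]]*\]|\S+)"  # bracketed list (may contain spaces) or one word
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>" + _ADDR + r")\s+(?P<sport>\S+)"
    r"\s+(?P<dir>->|<>)\s+(?P<dst>" + _ADDR + r")\s+(?P<dport>\S+)\s*(?:\(.*\))?$")

def parse_addr(spec):
    """Return (negated, [ip_network, ...]); the list is None for 'any'."""
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        return False, None
    parts = spec.strip("[]").split(",")
    return negated, [ipaddress.ip_network(p.strip(), strict=False) for p in parts]

def parse_port(spec):
    """Return (negated, (low, high)); the range is None for 'any'."""
    negated, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "any":
        return False, None
    if ":" in spec:  # a:b, or the open-ended forms a: and :b
        lo, hi = spec.split(":", 1)
        return negated, (int(lo) if lo else 0, int(hi) if hi else 65535)
    return negated, (int(spec), int(spec))

def parse_header(rule):
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header: " + rule)
    return {"action": m["action"], "proto": m["proto"].lower(), "dir": m["dir"],
            "src": parse_addr(m["src"]), "sport": parse_port(m["sport"]),
            "dst": parse_addr(m["dst"]), "dport": parse_port(m["dport"])}

def _addr_ok(rule_addr, ip):
    negated, nets = rule_addr
    if nets is None:
        return True
    return any(ipaddress.ip_address(ip) in n for n in nets) != negated

def _port_ok(rule_port, port):
    negated, rng = rule_port
    if rng is None:
        return True
    return (rng[0] <= port <= rng[1]) != negated

def header_matches(hdr, proto, src_ip, src_port, dst_ip, dst_port):
    """True if the packet 5-tuple satisfies the header. A rule protocol of ip
    covers every packet; ports count only for TCP/UDP packets, as the text
    notes; a <> rule is also tried with source and destination swapped."""
    if hdr["proto"] not in ("ip", proto):
        return False
    use_ports = proto in ("tcp", "udp")
    def one_way(s_ip, s_pt, d_ip, d_pt):
        return (_addr_ok(hdr["src"], s_ip) and _addr_ok(hdr["dst"], d_ip) and (not use_ports
                or (_port_ok(hdr["sport"], s_pt) and _port_ok(hdr["dport"], d_pt))))
    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    return hdr["dir"] == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)
```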

2.3.2.2 Rule options

The Rule Option part comes right after the Rule Header and is enclosed in parentheses. If there are several options, they are separated by semicolons (;). When several options are used, all of them must be satisfied at the same time; that is, logically the options are joined by AND.

Each option is defined by a keyword. Some options also take parameters. In general an option has 2 parts, a keyword and a parameter, separated by a colon. For example:

msg: "Detected confidented";

msg is the keyword and Detected confidented is the parameter.

Below are the details of some options of Snort rules.
The ack keyword

The TCP header contains the 32-bit Acknowledgement Number field. This field gives the sequence number of the next TCP packet from the sender that the receiver is expecting. It is only meaningful when the ACK flag is set.

Tools such as Nmap use this property to ping a host. For example, Nmap can send a TCP packet to port 80 with the ACK flag set and a sequence number of 0. The receiving side sees the packet as invalid and replies with an RST packet. When Nmap receives the RST, it knows that the destination address is alive. This method still works against hosts that do not reply to ICMP ECHO REQUEST pings.

To check for this kind of TCP ping, we can use a rule such as:

alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg: "TCP ping detected";)
The classtype keyword

Rules can be classified and assigned a priority number in order to group them and tell them apart. To understand this keyword, we first need to understand the classification.config file (included in snort.conf with the include keyword). Each line of classification.config has the following syntax:

config classification: name, description, priority

where:

name: the name of the classification; this name is used with the classtype keyword in Snort rules.
description: a description of this class.
priority: the default priority number of this class. It can be adjusted with the priority keyword in the option part of a Snort rule.

Example:

config classification: DoS, Denial of Service Attack, 2

and in the rules:

alert udp any any -> 192.168.1.0/24 6838 (msg: "DoS"; content: "server"; classtype: DoS;)

alert udp any any -> 192.168.1.0/24 6838 (msg: "DoS"; content: "server"; classtype: DoS; priority: 1;)

In the second rule we override the default priority of the class defined above.
The content keyword

An important feature of Snort is its ability to look for a data pattern inside a packet. The pattern can be an ASCII string or a binary string written as hexadecimal characters. Just like viruses, attacks have identifying signatures, and the content keyword is used to look for those signatures inside packets. For example:

alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content: "GET"; msg: "GET match";)

The rule above looks for the pattern GET in the data portion of all TCP packets originating from the network 192.168.1.0/24 and going to addresses outside that network. The word GET is frequently used in HTTP attacks.

Another rule that does exactly the same job, but with the pattern given in hexadecimal, is:

alert tcp 192.168.1.0/24 any -> ![192.168.1.0/24] any (content: "|47 45 54|"; msg: "GET match";)

Note that the hexadecimal value 47 is the ASCII character G; similarly 45 is E and 54 is T. Both forms can be used in the same rule, but remember that hexadecimal must be placed between a pair of | characters.

However, when using the content keyword we should remember that:

Content matching requires a great deal of computation, so we must think carefully before using many rules with content matching.
Several content keywords can be used in the same rule to look for several signatures in the same packet.
Content matching is a very sensitive operation.

Three other keywords are often used together with content to add further search conditions:

offset: specifies the position at which the search (for the string given in the content keyword) begins, as an offset from the start of the packet's data portion. The following example looks for the string HTTP starting 4 bytes from the beginning of the packet data:

alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; msg: "HTTP matched";)

depth: specifies the position at which Snort stops searching. This keyword is usually used together with the offset keyword described above. For example:

alert tcp 192.168.1.0/24 any -> any any (content: "HTTP"; offset: 4; depth: 40; msg: "HTTP matched";)

This keyword reduces the time spent searching when the data portion of the packet is large.

content-list: used with a file. The file name (given as the parameter of this keyword) is a text file containing the list of strings to look for in the packet's data portion, one string per line. For example, a file named test with the following contents:

test
Snort
NIDS

and the rule:

alert tcp 192.168.1.0/24 any -> any any (content-list: "test"; msg: "This is my Test";)

We can also put the negation character ! in front of the file name to alert on packets in which none of the strings in the file is found.
The dsize keyword

Used to match on the length of the data portion. Many buffer overflow attacks work by sending very large packets. With this keyword we can compare the size of the packet's data portion against a number:

alert ip any any -> 192.168.1.0/24 any (dsize: > 6000; msg: "Goi tin co kich thuoc lon";)
The flags keyword

This keyword is used to detect which flag bits are set in the packet's TCP header. Each flag can be used as a parameter of the flags keyword. The following flags are used with the flags keyword:

Flag                      Parameter character in a Snort rule
FIN (Finish Flag)         F
SYN (Sync Flag)           S
RST (Reset Flag)          R
PSH (Push Flag)           P
ACK (Acknowledge Flag)    A
URG (Urgent Flag)         U
Reserved Bit 1            1
Reserved Bit 2            2
No Flag set               0

Table: Flags used with the flags keyword

We can use the characters +, * and ! to perform the logical operations AND, OR and NOT on the flag bits we want to check. For example, the following rule detects a scan using TCP SYN-FIN packets:

alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "SYNC-FIN packet detected";)
The fragbits keyword

The IP header of a packet contains 3 bits used to control fragmentation and reassembly of IP packets. These bits are:

Reserved Bit (RB): reserved for future use.
Don't Fragment Bit (DF): if this bit is set, the packet is not fragmented.
More Fragments Bit (MF): if set, other parts of the (fragmented) packet are still in transit and have not yet reached the destination. If it is not set, this is the last part of the packet (or the only packet). The reason is that the sender must split an IP packet into smaller pieces according to the Maximum Transfer Unit (MTU) of the path; the size of a packet may not exceed this maximum. The MF bit therefore lets the receiving side reassemble the pieces into a complete packet.

These bits are sometimes used by attackers to attack and probe our network. For example, the DF bit can be used to discover the largest and smallest MTU on the path from the source to the destination.

With fragbits, we can check whether these bits are set. For example, the following rule detects whether the DF bit is set in an ICMP packet:

alert icmp any any -> 192.168.1.0/24 any (fragbits: D; msg: "Dont Fragment bit set";)

In this rule, D stands for the DF bit, R for the reserved bit and M for the MF bit. We can also use the negation character ! in this rule to check that a bit is not set:

alert icmp any any -> 192.168.1.0/24 any (fragbits: !D; msg: "Dont Fragment bit not set";)
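A small evaluator for the content, offset, depth, dsize, flags and ack options described in this section, as an added example in Python; this is not code from the page or from the Snort project. The packet it inspects is a constructed dict rather than a capture, the flag modifiers are written as prefixes as in the Snort manual, and msg, classtype, ttl, fragbits and content-list are accepted but ignored.

```python
"""Evaluate a subset of Snort rule options against a packet.

Added example, not code from the page or the Snort project. Handles content
(ASCII and |hex| segments), offset, depth, dsize, flags (+, *, ! modifiers)
and ack. A packet is a constructed dict {"payload": bytes, "flags": int, "ack": int}.
"""

FLAG_BITS = dict(zip("FSRPAU12", (1 << i for i in range(8))))  # '0' sets no bit

def parse_options(text):
    """'(content: GET; offset: 4; msg: x;)' -> [(keyword, value), ...]; no ';' in values."""
    opts = []
    for item in text.strip().strip("()").split(";"):
        if ":" in item:
            key, val = item.split(":", 1)
            opts.append((key.strip(), val.strip()))
        elif item.strip():
            opts.append((item.strip(), ""))
    return opts

def content_bytes(value):
    """GET, "GET", |47 45 54| or a mix such as GE|54| -> raw bytes."""
    out = bytearray()
    for i, seg in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")  # odd = hex
    return bytes(out)

def flags_match(spec, tcp_flags):
    """Exact match by default; +X = X set plus any others, *X = any of X set,
    !X = none of X set. The ',12' ignore-list suffix is not handled."""
    mod = spec[0] if spec[0] in "+*!" else ""
    want = 0
    for ch in spec[len(mod):].split(",")[0]:
        want |= FLAG_BITS.get(ch, 0)
    checks = {"+": tcp_flags & want == want, "*": bool(tcp_flags & want),
              "!": not tcp_flags & want, "": tcp_flags == want}
    return checks[mod]

def dsize_match(spec, size):
    """'N', '>N' or '<N' (the A<>B range form is not handled here)."""
    spec = spec.replace(" ", "")
    op, num = (spec[0], int(spec[1:])) if spec[0] in "<>" else ("=", int(spec))
    return {">": size > num, "<": size < num, "=": size == num}[op]

def options_match(opts, pkt):
    """All options are ANDed. offset/depth apply to the preceding content."""
    payload, contents, current = pkt["payload"], [], None
    for key, val in opts:
        if key == "content":
            current = {"pat": content_bytes(val), "offset": 0, "depth": None}
            contents.append(current)
        elif key in ("offset", "depth") and current is not None:
            current[key] = int(val)
        elif key == "dsize" and not dsize_match(val, len(payload)):
            return False
        elif key == "flags" and not flags_match(val, pkt["flags"]):
            return False
        elif key == "ack" and pkt["ack"] != int(val):
            return False
    for c in contents:  # search window is [offset, offset + depth)
        end = None if c["depth"] is None else c["offset"] + c["depth"]
        if payload.find(c["pat"], c["offset"], end) < 0:
            return False
    return True
```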
2.4 Snort's blocking mode: Snort Inline

2.4.1 Integrating blocking capability into Snort

Snort-inline is a development branch of Snort initiated and led by William Metcalf. As of Snort version 2.3.0 RC1, inline mode was integrated into the official release published by snort.org. This turned Snort from a pure IDS into a system with the capabilities of an IPS, although this mode is still optional rather than the default.

The main idea of inline mode is to bring the blocking capability of iptables into Snort. This is done by modifying the detection module and the processing module so that Snort can interact with iptables. Specifically, packet capture in Snort is performed through Netfilter, and the libpcap library is replaced by ipqueue and the libipq library. The blocking action of snort-inline is carried out by the devel-mode of iptables.

2.4.2 Additions to the Snort rule structure to support inline mode

To support the blocking feature of Snort-inline, some changes and additions were made to the Snort rule set: three actions, DROP, SDROP and REJECT, were added, and the priority order of rules in Snort was changed.

DROP
The DROP action asks iptables to drop the packet and logs information in the same way as the LOG action.

SDROP
The SDROP action is similar to DROP; the difference is that Snort does not log information as the LOG action does.

REJECT
The REJECT action asks iptables to reject the packet, meaning that iptables drops it and sends a notification back to the source of the packet. The REJECT action does not log anything.

Priority order of rules
In the original versions, the priority order of actions in Snort is:
activation->dynamic->alert->pass->log
In inline mode, this priority order is changed to:
activation->dynamic->pass->drop->sdrop->reject->alert->log

CHAPTER III: INSTALLING AND CONFIGURING SNORT ON CENTOS, TESTING THE REACTION CAPABILITY OF SNORT IDS/IPS

3.1 OVERVIEW OF THE INSTALLATION PROCESS

3.1.1 Install the required packages

- Install the dependency packages in turn:
(mysql, mysql-bench, mysql-server, mysql-devel, yum-utils, php-mysql, httpd, gcc, pcre-devel, php-gd, gd, distcache-devel, mod_ssl, glib2-devel, gcc-c++, libpcap-devel, php, php-pear)
- Use the command (yum install package) to install these packages.
- Some packages needed by snort must be compiled from source:
(libnet, libdnet, daq, pcre, Snortinline, BASE, adodb)

# cd /tmp
# wget http://www.filewatcher.com/m/libnet-.0.2a.tar.gz.140191.0.0.html
# wget http://code.google.com/p/libdnet/downloads/detail?name=libdnet1.12.tgz&can=2&q=
# wget http://sourceforge.net/projects/adodb/files/adodb-php-4-and-5/adodb4991-for-php/adodb4991.tgz/download
# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz

Download snort_inline from http://snort-inline.sourceforge.net/download.html
Download base from http://sourceforge.net/projects/secureideas/files/
- After downloading the packages, compile each of them. In every case, ./configure && make && make install checks the configuration and compiles the package; && means that each command runs only if the preceding one succeeded.

+ Compile libnet
cd /tmp (change into the tmp directory)
tar xvzf libnet-1.0.2a.tar.gz (extract libnet)
cd Libnet-1.0.2a (change into the Libnet-1.0.2a directory just extracted)
./configure && make && make install

+ Compile libdnet
cd /tmp
tar xvzf libdnet-1.12.tgz (extract libdnet)
cd libdnet-1.12 (change into the libdnet-1.12 directory just extracted)
./configure && make && make install

+ Compile daq
cd /tmp
tar zxvf daq-0.3.tar.gz (extract daq)
cd daq-0.3 (change into the daq-0.3 directory just extracted)
./configure && make && make install

+ Compile pcre
cd /tmp
tar xvzf pcre-7.9.tar.gz
cd pcre-7.9
./configure && make && make install

+ Compile snort_inline
cd /tmp
tar -xvf snort_inline-2.4.5a.tar.gz
cd snort_inline
./configure --with-mysql && make && make install (configure and compile snort with MySQL support)
+ Set a password for the root account in mysql
# mysqladmin -u root password new_root_password

+ Create the database
# mysql -u root -p
> create database snort;

+ Grant full rights on the snort database to the snort account
> grant all on snort.* to snortuser@localhost identified by 'snortpassword';

+ Configure alerts to be written to the mysql database
# nano /etc/snort_inline/snort_inline.conf
Edit the line:
output database: log, mysql, user=snortuser password=snortpassword dbname=snort host=localhost

+ Once snort_inline has been configured, the installation of snort_inline is complete. To display and manage the alerts easily, we also install base and adodb.

+ Install base
# tar -xvzf base-1.4.5.tar.gz
# mv /tmp/base-1.4.5 /var/www/html/base

+ Install adodb
# tar -xvzf adodb490.tgz
# mv /tmp/adodb490 /var/www/html/adodb

+ Configure base
# mv /var/www/html/base/base_conf.php.dist /var/www/html/base/base_conf.php
Set the variables as follows:
$DBlib_path = "./adodb";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snortuser";
$alert_password = "snortpassword";
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snortuser";
$archive_password = "snortpassword";

+ Now install the following packages so that base can display graphs
# pear install --force Image_Color
# pear install --force Image_Canvas
# pear install --force Image_Graph

+ Install webmin for easier management
# yum install webmin
After webmin has been installed, start the services:
# service httpd start
# service mysql start
https://localhost.localdomain:10000
All of Snort's configuration information is stored in the file snort.conf. snort.conf consists of 4 parts:

Definition of the variables that describe the network configuration.
Configuration of the preprocessor modules.
Configuration of the output modules.
Configuration of the rule set in use.

Below is the detailed content and meaning of the information in snort.conf.

3.1 Defining variables

Snort lets us define variables that specify network parameters, in the format:

var : <name> <value>

These variables are used throughout the rest of the configuration file. For example, if we define var : MY_NET 192.168.1.0/24, then throughout the config file and the rule files the symbol MY_NET is replaced by the value 192.168.1.0/24.
3.2 Configuring the preprocessor modules

The configuration of a preprocessor module is defined as follows:

preprocessor <name>:<options>

The rules for name and options depend on each preprocessor plugin. For example, the configuration of the Portscan detection plugin written by Patrick Mullen is:

preprocessor portscan 192.168.0.1/24 5 7 /var/log/portscan.log

where:
192.168.0.1/24 is the network monitored for port scans.
5 is the number of ports accessed simultaneously during a scan.
7 is the monitoring period used to decide that a port scan is taking place.
/var/log/portscan.log is the file in which the detection log is written.
3.3 Configuring the output modules

The configuration of an output module is defined in the same way as that of a preprocessor module:

output <name>:<options>

For example, to configure Snort to send alerts to the syslog of a host on the network:

output alert_syslog: host=192.168.0.1:123, LOG_AUTH LOG_ALERT

Here host is the IP address and syslog port of the host that records the log, and LOG_AUTH and LOG_ALERT are the types of log that are recorded.

To have Snort write to a database, the configuration is:

database: <log | alert>, <database type>, <parameter list>

where:
log | alert: specifies what is recorded, log or alert.
database type: the type of database. Snort supports mysql, postgre sql and ms sql server.
parameter list: the list of parameters used to connect to the database; it depends on the database type. For example, the parameter list for mysql is: dbname=snort user=snort host=localhost password=xyz.

3.4 Configuring the rule set

This part specifies which rule files are used. The syntax is:

include RULE_PATH/RULE_FILE

For example, to make Snort use the DDoS detection rules:

include $RULE_PATH/ddos.rules

Here $RULE_PATH is the variable pointing to the directory that holds the rule files, defined in the variable definition part, and ddos.rules is the rule file.
3.5 TESTING THE REACTION CAPABILITY OF SNORT IDS/IPS

Open base at http://127.0.0.1/base

At this point there are no alerts yet, because snort has not been started. Suppose we create a rule with the following signature:

Then include it in the file /etc/snort_inline/snort_inline.conf and start snort:

# snort_inline -c /etc/snort_inline/snort_inline.conf -Q

Then ping it from another machine, where the pinging machine's address is 192.168.1.121 and the IDS machine's address is 192.168.1.111. We get the following result.

So snort works well as an IDS. Next we try the following rules for the case of detecting an nmap port scan.

Then include scan.rules in the file /etc/snort_inline/snort_inline.conf and restart snort_inline. From the attacking machine, start nmap and scan the ports; we get the following result. Thus snort behaves as an IPS.

Go to the snort machine and view the result.