IDS/IPS Report (Bao Cao IDS-IPS)
TABLE OF CONTENTS
FOREWORD
CHAPTER I: OVERVIEW OF IDS/IPS
1.1 Introduction to IDS/IPS
1.1.1 Definition
1.1.2 Differences between IDS and IPS
1.2 Classification of IDS/IPS and analysis of their advantages and disadvantages
1.2.1 Network-based IDS (NIDS)
FOREWORD
Information security in general, and network security in particular, is a matter of concern not only in Vietnam but throughout the world. With the rapid growth of the Internet, securing information systems has become more urgent than ever.
Within network security, detecting and preventing intrusion attacks against computer networks is an interesting topic that has attracted many researchers working in many different directions. Following that trend, in this specialized internship project we set out to study intrusion detection and prevention in order to learn the current solutions and techniques and to prepare ourselves for work after graduation. Although we have done our best, our knowledge and perspective are still limited, so this report inevitably has shortcomings; we welcome the attention and further comments of our teachers and of all our friends.
To complete this project we would like to express our deepest thanks to our supervisor, Mr. Nguyn o Trng, who enthusiastically guided and advised us and provided much useful knowledge throughout the project. It is thanks to his dedicated help that we were able to finish this work. Once again, thank you very much!
An Intrusion Detection System (IDS) is a system whose task is to monitor, detect and (possibly) block intrusions, as well as unauthorized use of the resources of the protected system that could compromise its confidentiality, integrity or availability.
An IDS collects information from many sources within the protected system and then analyzes that information in various ways to detect unauthorized intrusions.
When an IDS is also able to block the intrusion attempts it detects, it is called an Intrusion Prevention System (IPS).
The following figure illustrates the positions where an IDS is typically deployed in a network:
Comparison of the two detection approaches (the two columns of the original table, labelled here by the approach each column describes):

Signature-based detection:
- Includes a database of attack signatures.
- Searches the traffic for matches against those patterns.

Anomaly-based detection:
- Includes a database of normal behavior.
- Looks for deviations of the observed behavior from the normal behavior.
- Harder to configure and produces more data; it requires a comprehensive model of the known or expected behavior of the system.
- Produces its results from the statistical correlation between the actual and the expected behavior of the system (that is, from the deviation between the observed data and the permitted threshold).
- Can build the system profile automatically, but this takes time and the collected data must be clean.
alert tcp any any -> 192.168.1.10/32 80 (msg:"TTL=100"; ttl:100;)
The rule above raises an alert for every TCP packet from any source whose TTL equals 100 and that is destined for the web server 192.168.1.10 on port 80.
Blocking or excluding addresses
2.3.2.2 Options
The Rule Options section follows immediately after the Rule Header and is enclosed in parentheses. When there are several options they are separated by semicolons (';'). When several options are used they must all be satisfied at the same time; logically, the options are combined with AND.
Each option is identified by a keyword. Some options also take an argument. In general an option has two parts, a keyword and an argument, separated by a colon. For example:
msg:"Detected confidential";
Here msg is the keyword and "Detected confidential" is the argument.
The following sections describe some of the options available in Snort rules in more detail.
The ack keyword
alert udp any any -> 192.168.1.0/24 6838 (msg:"DoS"; content:"server"; classtype:DoS; priority:1;)
In this second rule the priority option overrides the default priority of the class named by classtype (the class must be defined in classification.config).
The content keyword
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; msg:"HTTP matched";)
depth: specifies how many bytes of the payload Snort searches before it stops (counted from the start of the payload, or from the offset position when offset is given). This keyword is usually combined with the offset keyword described above.
For example:
alert tcp 192.168.1.0/24 any -> any any (content:"HTTP"; offset:4; depth:40; msg:"HTTP matched";)
This rule only looks for "HTTP" in the 40 bytes starting 4 bytes into the payload. Bounding the search this way saves time when the payload of the packet is large.
content-list: used together with a file. The file name given as the argument of this keyword is a text file containing the list of strings to search for in the packet payload, one string per line. For example, the file test contains:
test
Snort
NIDS
and the rule is:
alert tcp 192.168.1.0/24 any -> any any (content-list:"test"; msg:"This is my Test";)
The negation character ! can be placed before the file name to alert on packets that contain none of the strings in the file.
Note that content-list belongs to the Snort 1.x rule language and is not part of the Snort 2.x rule language; with newer versions use several content options or one rule per string instead.
The dsize keyword
Characters accepted by the flags keyword and the TCP flag each one stands for:
F   FIN (Finish flag)
S   SYN (Synchronize flag)
R   RST (Reset flag)
P   PSH (Push flag)
A   ACK (Acknowledge flag)
U   URG (Urgent flag)
1   Reserved bit 1
2   Reserved bit 2
0   No flags set
The IP header of a packet contains 3 bits used to control fragmentation and reassembly of IP packets. The bits are:
Reserved Bit (RB): reserved for future use.
Don't Fragment Bit (DF): if this bit is set, the packet must not be fragmented.
More Fragments Bit (MF): if set, further parts (fragments) of the packet are still in transit and have not yet arrived. If it is not set, this is the last fragment (or the only packet). Fragmentation arises because the sender has to split an IP packet into smaller pieces depending on the Maximum Transmission Unit (MTU) of the path; a packet is not allowed to exceed that maximum size. The MF bit therefore lets the receiver reassemble the separate fragments into one complete packet. In a Snort rule these bits are tested with the fragbits keyword, using the characters R, D and M.
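As an added illustration for the flags table and the fragment bits above (written for this report, not taken from Snort), the following reimplements the comparison logic behind the flags and fragbits options. Snort accepts the modifiers shown in its manual: no modifier means the bits must match exactly, + means all listed bits must be set (others may be set too), * means any listed bit, ! means none of the listed bits, and for flags a ",<bits>" suffix names bits to ignore. The bit values are the TCP flags byte and the 3-bit IP flags field; the mapping of "1" and "2" to the two high-order TCP bits is the assumption made here, and the test packets are constructed values.

```python
"""Snort 'flags' / 'fragbits' matching semantics (added example, not Snort code).

TCP flag byte:   F=0x01 S=0x02 R=0x04 P=0x08 A=0x10 U=0x20, reserved
                 bits 1 and 2 are taken here to be the two high-order bits
                 (0x80 and 0x40, used today by ECN), '0' = no flags.
IP flags field:  the 3 header bits R D M as a 3-bit value (R=4, D=2, M=1).
Modifiers:       ''  exact match      '+' all listed bits set
                 '*' any listed bit   '!' none of the listed bits
                 ',<bits>' (flags only) bits to ignore before comparing."""

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                 "A": 0x10, "U": 0x20, "1": 0x80, "2": 0x40, "0": 0x00}
FRAG_BITS = {"R": 0x4, "D": 0x2, "M": 0x1}


def _bits(spec, table):
    """OR together the bit values named by the characters in spec."""
    value = 0
    for ch in spec:
        if ch not in table:
            raise ValueError("unknown bit character %r" % ch)
        value |= table[ch]
    return value


def bits_match(option, observed, table):
    """Evaluate an option value such as 'S', '+A', '*SF', '!A' or 'S,12'."""
    mode = ""
    if option and option[0] in "+*!":
        mode, option = option[0], option[1:]
    spec, _, ignore = option.partition(",")
    wanted = _bits(spec, table)
    observed = observed & (~_bits(ignore, table) & 0xFF)   # drop ignored bits
    if mode == "+":
        return (observed & wanted) == wanted
    if mode == "*":
        return (observed & wanted) != 0
    if mode == "!":
        return (observed & wanted) == 0
    return observed == wanted


def flags_match(option, tcp_flags):
    """Snort 'flags:<option>;' against the TCP flags byte of a packet."""
    return bits_match(option, tcp_flags, TCP_FLAG_BITS)


def fragbits_match(option, ip_flags):
    """Snort 'fragbits:<option>;' against the 3-bit IP flags field."""
    return bits_match(option, ip_flags, FRAG_BITS)


if __name__ == "__main__":
    # Constructed probes: a plain SYN, a SYN-ACK, and an ECN-setup SYN.
    syn, syn_ack, ecn_syn = 0x02, 0x12, 0x02 | 0x80 | 0x40
    print("flags:S    on SYN      ->", flags_match("S", syn))
    print("flags:S    on SYN-ACK  ->", flags_match("S", syn_ack))
    print("flags:S    on ECN SYN  ->", flags_match("S", ecn_syn))
    print("flags:S,12 on ECN SYN  ->", flags_match("S,12", ecn_syn))
    print("fragbits:M on first frag ->", fragbits_match("M", 0x1))
```

The ECN case is the practical reason the ",12" suffix exists: a rule written as flags:S silently misses SYNs from ECN-capable hosts, whereas flags:S,12 matches them while still excluding SYN-ACKs.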
SDROP
The SDROP action is the same as DROP except that Snort does not log the packet (a silent drop).
REJECT
The REJECT action has the packet refused: the packet is dropped and logged, and a response is sent back to the source, a TCP reset for TCP or an ICMP port unreachable message for UDP.
Order of precedence of the rule actions
In the original versions, the order of precedence of the actions in Snort is:
activation->dynamic->alert->pass->log
In inline mode the order of precedence is changed to:
activation->dynamic->pass->drop->sdrop->reject->alert->log
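Added example for the two orderings above (illustration code for this report, not Snort): Snort tries the action types in the configured order and the first type with a matching rule decides the packet's fate, so the same rule set gives different verdicts in the two modes. The three rules and the packets are constructed; a pass rule for a trusted scanner is the classic case, since with alert ahead of pass it still alerts, while in inline mode the pass rule wins before any drop rule is consulted. Action types that are absent from the order list are simply never consulted in this model.

```python
"""Rule-action precedence as described in the report (added example, not Snort).

A rule is (action, predicate).  verdict() walks the action types in the
given order and returns the first action type that has a matching rule."""

DEFAULT_ORDER = ["activation", "dynamic", "alert", "pass", "log"]
INLINE_ORDER = ["activation", "dynamic", "pass", "drop", "sdrop",
                "reject", "alert", "log"]


def verdict(rules, packet, order):
    """Return the winning action for packet, or None if no rule matches."""
    for action in order:
        for rule_action, pred in rules:
            if rule_action == action and pred(packet):
                return action
    return None


# Constructed rule set: alert on all web traffic, let the trusted internal
# scanner through, and drop empty probes to port 80 (scan-like packets).
RULES = [
    ("alert", lambda p: p["dport"] == 80),
    ("pass",  lambda p: p["src"] == "192.168.1.5"),
    ("drop",  lambda p: p["dport"] == 80 and p["payload"] == b""),
]

# Constructed packets.
TRUSTED_SCAN = {"src": "192.168.1.5", "dport": 80, "payload": b""}
HOSTILE_SCAN = {"src": "10.0.0.7", "dport": 80, "payload": b""}
NORMAL_GET = {"src": "192.168.1.20", "dport": 80, "payload": b"GET / HTTP/1.1"}

if __name__ == "__main__":
    for name, pkt in (("trusted scan", TRUSTED_SCAN),
                      ("hostile scan", HOSTILE_SCAN),
                      ("normal GET", NORMAL_GET)):
        print("%-13s default: %-6s inline: %s" % (
            name, verdict(RULES, pkt, DEFAULT_ORDER), verdict(RULES, pkt, INLINE_ORDER)))
```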
# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
download snort_inline from http://snort-inline.sourceforge.net/download.html
download BASE from http://sourceforge.net/projects/secureideas/files/
- after downloading the packages, build each of them
+ build the libnet package
cd /tmp (change into the /tmp directory)
tar xvzf libnet-1.0.2a.tar.gz (extract libnet)
cd Libnet-1.0.2a (change into the Libnet-1.0.2a directory just extracted)
./configure && make && make install (configure and build libnet; "&&" runs the following command only if the preceding one succeeded)
+ build the libdnet package
cd /tmp (change into the /tmp directory)
tar xvzf libdnet-1.12.tgz (extract libdnet)
cd libdnet-1.12 (change into the libdnet-1.12 directory just extracted)
./configure && make && make install (configure and build libdnet; "&&" runs the following command only if the preceding one succeeded)
+ build the daq package
cd /tmp (change into the /tmp directory)
tar zxvf daq-0.3.tar.gz (extract daq)
cd daq-0.3 (change into the daq-0.3 directory just extracted)
./configure && make && make install (configure and build daq; "&&" runs the following command only if the preceding one succeeded)
+ build pcre
cd /tmp
tar xvzf pcre-7.9.tar.gz
cd pcre-7.9
./configure && make && make install (configure and build pcre; "&&" runs the following command only if the preceding one succeeded)
+ build snort_inline
cd /tmp
$alert_port = "";
$alert_user = "snortuser";
$alert_password = "snortpassword";
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "snortuser";
$archive_password = "snortpassword";
(these are the database settings in BASE's base_conf.php; string values must be quoted)
+ now install the following PEAR packages so that BASE can draw its graphs
# pear install --force Image_Color
# pear install --force Image_Canvas
# pear install --force Image_Graph
+ install webmin for easier management
# yum install webmin
after webmin is installed, start the services
# service httpd start
# service mysqld start (on CentOS/RHEL the MySQL service is named mysqld)
then open the webmin interface at https://localhost.localdomain:10000
With that, the Snort IDS is working correctly; we now try the following rule for detecting an nmap port scan.
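Since the detection idea here is "one source touching many ports in a short time", the following added example (written for this report; it is not Snort's sfportscan preprocessor and not the rule referred to above) implements that threshold logic in Python over constructed connection events. It also shows the failure mode a practitioner should expect: a slow scan spaced wider than the detection window is not flagged unless the window is widened.

```python
"""Threshold-style port-scan detection (added example, not Snort code).

Events are (timestamp_seconds, src_ip, dst_ip, dst_port) SYN records.
A (src, dst) pair is flagged when it touches at least min_ports distinct
destination ports within any `window` seconds.  All events below are
constructed for the demonstration."""
from collections import defaultdict, deque


def detect_scans(events, min_ports=10, window=5.0):
    """Return {src_ip: set_of_ports_seen_when_flagged} for detected scanners."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, port) in window
    flagged = {}
    for ts, src, dst, port in sorted(events):
        q = recent[(src, dst)]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # expire events outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and src not in flagged:
            flagged[src] = ports
    return flagged


def synth_events():
    """Constructed traffic: a fast scan, a normal client and a slow scan."""
    events = []
    # nmap-style sweep: 15 ports in 1.5 seconds from 10.0.0.7
    events += [(0.1 * i, "10.0.0.7", "192.168.1.10", 21 + i) for i in range(15)]
    # ordinary web client: many connections but only ports 80 and 443
    events += [(0.5 * i, "192.168.1.20", "192.168.1.10", 80 if i % 2 else 443)
               for i in range(20)]
    # slow scan: 12 ports, one every 3 seconds (evades a 5-second window)
    events += [(3.0 * i, "10.0.0.9", "192.168.1.10", 1000 + i) for i in range(12)]
    return events


if __name__ == "__main__":
    for window in (5.0, 40.0):
        hits = detect_scans(synth_events(), window=window)
        print("window %4.0fs ->" % window,
              {src: sorted(ports) for src, ports in hits.items()})
```

Snort's own sfportscan preprocessor uses the same kind of counting with configurable sensitivity levels; whatever the tool, the window and threshold trade detection of slow scans against false positives from busy legitimate clients.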