
MINISTRY OF EDUCATION AND TRAINING
HUNG YEN UNIVERSITY OF TECHNOLOGY AND EDUCATION

L C HIP

DEPLOYING AN IDS - SNORT SYSTEM ON THE LINUX OPERATING SYSTEM

MAJOR: INFORMATION TECHNOLOGY
SPECIALIZATION: COMPUTER NETWORKS AND COMMUNICATIONS

UNDERGRADUATE GRADUATION THESIS

SUPERVISOR: V XUN THNG

HUNG YEN - 2016

DEPLOYING THE SNORT IDS ON THE LINUX OPERATING SYSTEM


TABLE OF CONTENTS
LIST OF FIGURES ........................................................ 5
LIST OF ABBREVIATIONS .................................................. 6
CHAPTER 1: OVERVIEW OF THE THESIS ...................................... 7
1.1 Reasons for choosing the topic ..................................... 7
1.2 Objectives of the thesis ........................................... 8
1.3 Limitations and scope of the thesis ................................ 9
1.4 Work performed ..................................................... 9
1.5 Approach ........................................................... 9
CHAPTER 2: THE SNORT IDS ON THE LINUX OPERATING SYSTEM ................ 10
2.1 The Snort IDS software ............................................ 15
2.1.1 Introduction to Snort ........................................... 15
2.1.2 Operating modes ................................................. 16
2.2 Components of Snort ............................................... 17
2.2.1 The packet sniffer .............................................. 18
2.2.2 The preprocessor ................................................ 18
2.2.3 The detection engine ............................................ 18
2.2.4 The logging and alerting system ................................. 20
2.2.5 Structure of a rule ............................................. 21
CHAPTER 3: DEPLOYING THE SNORT INTRUSION DETECTION SYSTEM ON CENTOS ... 23
3.1 Description of the experiment ..................................... 23
3.2 Experimental network infrastructure ............................... 25
3.3 Steps to install Snort on CentOS .................................. 25
3.3.1 Installing the CentOS operating system .......................... 25
3.3.2 Installing and configuring Snort ................................ 25
3.3.3 Configuring the MySQL server .................................... 28
3.3.4 Configuring Snort to write alerts to MySQL ...................... 28
3.3.5 Installing and configuring Basic Analysis and Security Engine ... 29
3.4 System interface after installation ............................... 30
3.4.1 Basic configuration information ................................. 30
3.4.2 Snort usage guide ............................................... 31
3.4.3 Experimental statistics of the Snort IDS ........................ 31
3.5 Attacks and experimental statistics ............................... 35
3.5.1 Attacks detected by the Snort IDS ............................... 35
3.5.2 Prevention ...................................................... 36
3.5.3 Experimental statistics ......................................... 37
CHAPTER 4: CONCLUSION ................................................. 39
4.1 Results achieved .................................................. 39
4.2 Limitations of the thesis ......................................... 39
4.3 Future development of the thesis .................................. 40
REFERENCES ............................................................ 41

LIST OF FIGURES
Figure 2-1: Architecture of an intrusion detection system (IDS) ....... 11
Figure 2-2: Network IDS model ......................................... 12
Figure 2-3: Host IDS model ............................................ 13
Figure 2-4: Packet processing flow .................................... 17
Figure 2-5: The detection engine ...................................... 19
Figure 2-6: Log file writing and alerting system ...................... 20
Figure 3-1: Snort running ............................................. 30
Figure 3-2: Main BASE interface ....................................... 32
Figure 3-3: Snort detecting an Nmap port scan and an SSH access ....... 32
Figure 3-4: Display of suspicious addresses ........................... 33
Figure 3-5: Viewing the contents of a packet .......................... 33
Figure 3-6: Statistics by day and hour ................................ 34
Figure 3-7: Statistics by day ......................................... 35
Figure 3-8: The Snort IDS detecting packets sent into the system ...... 36
Figure 3-9: Experimental model ........................................ 38

LIST OF ABBREVIATIONS

Abbreviation  Full form                            Meaning
DDoS          Distributed Denial of Service        Distributed denial-of-service attack
DNS           Domain Name System                   Domain name system
DoS           Denial of Service                    Denial-of-service attack
FTP           File Transfer Protocol               File transfer protocol
HIDS          Host Intrusion Detection System      Intrusion detection system installed on individual hosts
ICMP          Internet Control Message Protocol    Protocol for IP status and error messages
IDS           Intrusion Detection System           Intrusion detection system
IP            Internet Protocol                    Internet protocol
IPS           Intrusion Prevention System          Intrusion prevention system
MAC           Media Access Control                 Identifier assigned to a network device
NIDS          Network Intrusion Detection System   Intrusion detection using data from all network traffic
OSI           Open Systems Interconnection         OSI network model
SNMP          Simple Network Management Protocol   Protocol for monitoring and managing network devices
SMTP          Simple Mail Transfer Protocol        Protocol for transferring e-mail
TCP           Transmission Control Protocol        Transmission control protocol
UTM           Unified Threat Management            Unified management of threats

CHAPTER 1: OVERVIEW OF THE THESIS

1.1 Reasons for choosing the topic

Today, information technology is developing very rapidly worldwide and brings practical benefits in many areas: economics, society, politics, health care, the military, meetings within organizations, agencies and companies, and conferences across countries and continents (video conferencing).

The Internet plays an ever more important role in human activity, with an increasingly rich and diverse volume of information. It is not only a place to look up news about the events of daily life; it also acts as a bridge connecting people in every geographic region. Distance has almost lost its meaning: people half a world apart can exchange information and share data as if they were in the same office.

The Internet has also changed how businesses operate. Besides traditional business activities, companies now have an additional effective way of doing business: electronic commerce. In recent years e-commerce has become an important part of social growth and development, bringing great benefits to businesses while promoting the spread of information to other sectors and contributing to the efficiency of the economy of individual businesses and of society as a whole.

Alongside this development, network security has become an urgent need: to protect internal networks, to resist intrusion attacks, and to make information exchange and transactions over the network safe. Because of the value that information technology delivers, malicious actors also exploit the same technology, causing considerable difficulty for organizations, agencies and the people who apply information technology in their lives.

Every technology has strengths and weaknesses. Attackers exploit system vulnerabilities to gain unauthorized access and extract important information: confidential and sensitive data, national defense secrets, and so on. We therefore need measures and methods to detect unauthorized access. Among the intrusion detection technologies that many organizations, agencies and businesses have effectively deployed in their networks is the Snort IDS.

An Intrusion Detection System (IDS) is currently the most intelligent system for detecting and defending against intrusions. An IDS detects the signals, indicators and behaviour of an intruder before damage is done to the network, such as network services being taken down or data being lost. From there we can block the intrusion through various technical measures.

The goal of my thesis is to build a Snort IDS on the CentOS operating system, with the aim of detecting and defending against attacks and intrusions in the network. The thesis therefore focuses on how the Snort IDS operates and is run, and presents how to install and set up a complete IDS on CentOS. In addition, we propose a way to strengthen the operation of the system by using Barnyard to improve the system's logging and to keep the rules automatically and continuously updated.

Beyond using the ready-made rule set, the thesis studies how to create custom rules in order to monitor and inspect a specific traffic flow when Snort's built-in rules cannot meet the need.

Through this research, my thesis gives an overview of the Snort IDS so that it can be applied in real network models.
1.2 Objectives of the thesis
- Research and understand the concepts and operation of the Snort IDS
- Install and configure Snort experimentally on the CentOS 6.7 operating system
- Verify the results obtained after successful installation, and test rule sets that extend detection capabilities

1.3 Limitations and scope of the thesis
- Implemented on the CentOS operating system
- Due to time and financial constraints, a real network could not be built
- Additional modules attached to the IDS have not been completed
- Coordination between the Iptables firewall and the Snort IDS is not yet tight
- Alerts are not yet sent automatically to the administrator by e-mail or SMS
- Deployed on a LAN

1.4 Work performed
- Study of IDS - Snort
- Deployment of the IDS - Snort system on CentOS
- Theoretical report on the study
- CD containing a video of the installation and configuration of the program

1.5 Approach
- Study intrusion detection systems (IDS)
- Study the Snort IDS on the Linux operating system in detail
- Review network attack models
- Survey via the network

CHAPTER 2: THE SNORT IDS ON THE LINUX OPERATING SYSTEM

2.1 What is intrusion detection?

Intrusion detection is a set of technologies and methods used to detect suspicious activity on both hosts and networks. There are two basic types of intrusion detection system (IDS): signature-based IDS and anomaly-based IDS. Intruders have signatures, just like computer viruses, which can be detected with scanning software: one can try to find packets that contain the signatures of known intrusions, or protocol anomalies. Based on sets of signatures and rules, the detection system can find and record intrusion activity and raise alerts. Anomaly-based intrusion detection usually relies on abnormalities in the protocol headers of packets. In many cases this method can give better results than a signature-based IDS. Typically an IDS captures data from the network and applies its rules to that data, or detects anomalies in it.

Snort is primarily a rule-based IDS, but its input plug-ins help detect anomalies in protocol headers. Snort uses rules stored in text files, which can be read with any text editor. The rules are grouped by category, and the rules of each category are stored in separate files. These files are then collected in a main configuration file called snort.conf. Snort reads these rules each time it starts, builds its internal data structures, and applies the rules to captured data. Finding signatures and using them in rules is delicate work: the more rules are used, the more processing is needed to keep up with data captured in real time. Snort lets you redefine rules for intrusion detection and is very flexible in letting you add your own rules.

2.2 Some basic definitions

IDS
An Intrusion Detection System, or IDS, is software, hardware or a combination of both used to detect the actions of an intruder. Snort is an open-source IDS freely available on the network. An IDS has different capabilities depending on the complexity of its components. Many companies deploy an IDS that combines hardware and software. In other words, an IDS may use signature-based technology, anomaly-based technology, or both.

Figure 2-1: Architecture of an intrusion detection system (IDS)

Network IDS (NIDS)
A NIDS is an IDS that captures data as it travels over the network (cable or wireless) and matches it against a database of signatures. Depending on whether a packet matches an intrusion signature, an alert is generated or the packet is written to a file or database. Experts typically use Snort as a NIDS.

Figure 2-2: Network IDS model

Host IDS (HIDS)
HIDS systems are installed as agents on a host. They can look into application log files to detect intruder behaviour. Some are reactive, meaning they only tell us after something has happened. Others are proactive: they scan the network traffic reaching the host where the HIDS is installed and alert us immediately.

Figure 2-3: Host IDS model

Signatures
When we look into a packet we can extract a sample of the data; this sample is called a signature. A signature is used to detect one or more types of attack. For example, the string script/iisadmin in a packet going to a web server can tell us that it is an intrusion attempt.
Signatures can appear in different parts of a packet depending on the nature of the attack. For example, you can find signatures in the IP header, the transport-layer header (TCP, UDP) and/or the application-layer header or payload. An IDS usually relies on signatures to find intrusions. Some IDS products must receive new signatures from the vendor whenever a new type of attack appears. In other IDS, such as Snort, you can write your own signatures.
Alerts
Alerts are notifications to the user of an intrusion. When an IDS detects an intruder, it informs the security administrator through these alerts. An alert can be a pop-up window, a console message, an e-mail, and so on. Alerts can also be stored in log files or databases where they can be reviewed later.
Snort can generate alerts in many forms, controlled by output plug-ins. Snort can also send the same alert to multiple destinations; for example, it can write an alert to a database and send an SNMP trap at the same time. Some plug-ins can also change the firewall configuration to block the offending host at the firewall or router.

Logs
Log messages are usually stored in a file. By default, Snort stores these messages under the directory /var/log/snort. However, the location can be changed with a command-line option when Snort is started. Log messages can be stored in text or binary form. Binary files can be viewed later with Snort or with tcpdump. A newer tool called Barnyard can also parse binary log files. Binary logging is faster because it stores the data in raw form; it is useful when Snort has to run at high speed.

False alarms
A false alarm is an alert that indicates a signature when no intrusion has actually occurred. For example, misconfigured hosts inside the network may send broadcast messages that match some rule, producing a false alert. Some routers, such as Linksys models, generate many UPnP-related alerts. To avoid such errors, the default rules must be tuned and adjusted. In some cases certain rules must be disabled to avoid false alarms.

2.3 The Snort IDS software

Introduction to Snort
Snort is an open-source, signature-based intrusion detection software that monitors for and detects signs of network attacks. Snort has been developed by many organizations and companies and turned into commercial products, for example by Sourcefire and Astaro.
Snort is primarily a rule-based IDS, but input plug-ins also exist to detect anomalies in protocol headers. Snort uses rules stored in text files that the administrator can edit. The rules are grouped into types, and the rules of each type are stored in different files. Snort's main configuration file is snort.conf. Snort reads these rules at start-up and builds a data structure that supplies the rules used to inspect captured data. Finding signatures and using them in rules is a delicate matter: the more rules we use, the more processing power is needed to keep up with the data collected in practice. Snort comes with a predefined set of rules to detect intrusions. Snort's rules are open, allowing the network administrator to create new rules and add their own. We can also remove some of the predefined rules to avoid false alarms.

Main features of Snort:
- Supports many platforms: Linux, OpenBSD, FreeBSD, Solaris, Windows, etc.
- Can detect a large number of different probe and intrusion types, such as buffer overflows, CGI attacks, OS fingerprinting, ICMP, viruses, etc.
- Detects intrusions quickly, in real time.
- Provides the administrator with the information needed to handle incidents when an intrusion occurs.
- Lets the administrator easily define new intrusion signatures.
- Is open-source software with no investment cost.

Operating modes
Snort can be configured to run in three modes:
+ Sniffer mode: captures packets and only displays the TCP/IP packet headers on screen. The command syntax is:
snort -v: runs Snort and shows the IP/TCP/UDP/ICMP headers.
snort -vd: shows the headers and the packet payload.
snort -vde: the same as above but more detailed; also shows the data-link layer headers.
+ Packet logger mode: when you want to record the captured packets and a storage location for later review, packet logger mode serves the administrator well. This mode specifies the storage location; with the following syntax, Snort automatically saves the information in that directory:
snort -vde -l /usr/local/log/snort
Logs are stored in binary form, which increases Snort's capture capability. Most systems can capture and log at 100 Mbps without problems.
To log in binary mode, use the -b flag (-L names the binary log file):
snort -b -L /usr/local/log/snort/temp.log
After capturing, we can read the file just created with the -r flag; the display is the same as in sniffer mode:
snort -r /usr/local/log/snort/temp.log
+ NIDS mode: Snort detects intrusions primarily by a rule set that the administrator defines in the snort.conf file. Most intrusions have some signature; the information about these signatures is used to create Snort's rules. Signatures can exist in packet headers, and Snort's rules can check many parts of a packet to detect them. To start this mode, use:
snort -dve -l /usr/local/log -h 192.168.0.0/24 -c snort.conf
If the administrator runs Snort in this mode for a long time, -v and -e should be removed from the command: writing data to the screen slows the system down and can cause packets to be dropped while Snort is logging. Saving the data-link layer headers is also unnecessary and can be left out.
The command to run Snort in the basic form of NIDS mode:
snort -d -l /usr/local/log -h 192.168.0.0/24 -c snort.conf

2.4 Components of Snort

Snort was built to satisfy the following basic requirements: high performance, simplicity and high flexibility.
The main components of Snort are:
- Packet sniffer
- Preprocessor
- Detection engine
- Logging and alerting system
These components are based on the Libpcap library, which provides the ability to listen to and filter packets on the network.

Figure 2-4: Packet processing flow

Packet sniffer
The packet sniffer is a device (hardware or software) placed in the system to capture traffic entering and leaving the network. It lets an application or device listen to all data passing through the network.

Preprocessor
After all packets have been captured, they are passed to the preprocessor, which checks whether they are valid. The preprocessor compares the packets against its plug-ins (for example the RPC plug-in, HTTP plug-in, port-scanning plug-in, etc.). The packets are checked for behaviour matching what the plug-in describes; if they match, they are passed on to the detection engine.
The preprocessor is a very useful component of Snort. Because it is a plug-in that can be switched on or off at will, it helps greatly with tuning system resources and alert levels. For example, if the administrator receives too many port-scan notifications while working, they can turn that plug-in off while the other plug-ins keep working normally.

Detection engine
After packets pass through the preprocessor, they are sent to the detection engine. If a packet matches any rule, it is sent to the alert handler.
The detection engine and the rule sets make up a large part of the knowledge needed to understand Snort. Snort has its own syntax for use with rule sets, covering the network protocol, content, length, header fields and many other elements, including buffer-overflow signatures.
Snort uses rules to detect intrusions on the network. Consider the following rule:
alert tcp !192.168.0.0/24 any -> any any (flags:SF; msg:"SYN-FIN Scan";)
A rule has two parts: the header and the options.
Header: alert tcp !192.168.0.0/24 any -> any any
Options: (flags:SF; msg:"SYN-FIN Scan";)

Figure 2-5: The detection engine

Each intrusion signature is expressed as a rule. So how does Snort manage the set of rules? Snort uses a data structure called Chain Headers and Chain Options to manage them. This structure consists of a list of headers, and each header links to a list of options. It is organized around the headers because the header is the part that changes least among rules written for the same kind of detection, while the options are the part that is modified most.
For example, suppose we have 60 rules written for CGI-BIN probes; these rules share the same source IP, destination IP, source port and destination port, that is, the same header. Each packet is matched through the lists in turn until the first match is found, and the corresponding action is taken.

Logging and alerting system
Used to notify the administrator and to record intrusion activity against the system. Currently there are 3 logging formats and 5 alerting modes.
Logging formats, chosen when Snort is started:
- Decoded format: the first logging format; allows fast operation.
- tcpdump binary format: the same format as tcpdump, written to disk quickly; suited to systems that need high performance.
- IP directory tree format: arranges the logs in a directory tree by IP address, easy for people to read.

Figure 2-6: Log file writing and alerting system

Alerting modes:
- Write alerts to syslog
- Write alerts to a text file
- Send Winpopup messages using the smbclient program
- Full alert: records the alert message together with the packet contents
- Fast alert: records only the packet header; commonly used in systems that need high performance.

Structure of a rule
Snort's rule language is simple enough to understand and write, yet powerful enough to detect every kind of intrusion on the network. Snort takes one of three main actions when a packet matches a pattern in the rules:
- Pass: discard the packet that Snort captured
- Log: record the packet in the chosen logging format
- Alert: generate an alert in the chosen alert mode and log the whole packet in the chosen logging format
The most basic form of a rule includes the protocol, the direction of the packet and the ports of interest, with no options:
log tcp any any -> 192.168.0.0/24 80

This rule logs all packets entering the 192.168.0.0/24 network on port 80.

Another rule, containing options:
alert tcp any any -> 192.168.0.0/24 80 (content:"/cgi-bin/phf"; msg:"PHF probe!";)

This rule detects accesses to the PHF service on the web server; an alert is generated and the whole packet is recorded.
IP address ranges in rules are written as CIDR blocks with a netmask; ports can be specified individually or as a range, with the start and end ports separated by a colon:
alert tcp any any -> 192.168.0.0/24 6000:6010 (msg:"X traffic";)

Common Snort options:

1. content: Search the packet payload for a specified pattern.
2. flags: Test the TCP flags for specified settings.
3. ttl: Check the IP header's time-to-live (TTL) field.
4. itype: Match on the ICMP type field.
5. icode: Match on the ICMP code field.
6. minfrag: Set the threshold value for IP fragment size.
7. ack: Look for a specific TCP header acknowledgement number.
8. seq: Look for a specific TCP header sequence number.
9. logto: Log packets matching the rule to the specified filename.
10. dsize: Match on the size of the packet payload.
11. offset: Modifier for the content option; sets the offset into the packet payload at which to begin the content search.
12. depth: Modifier for the content option; sets the number of bytes from the start position to search through.
13. msg: Sets the message to be sent when a packet generates an event.
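The Chain Headers / Chain Options structure described in 2.2.3 and the header/option split described in this section, as an added example (my own model, not Snort's code or the thesis's): the rules quoted in this section plus one constructed CGI rule that shares the PHF rule's header are parsed, grouped by header, and constructed packets are walked through the chains until the first match. Only the options these rules use (flags, ack, content, msg) are modelled.

```python
"""Model of Snort's Chain Headers / Chain Options (added example, not Snort code).

Rules are parsed into a header and an option dict, rules sharing a header are
grouped under one header chain, and a packet is walked through the chains
until the first option chain matches, as the text describes.
"""
import ipaddress
import re
from collections import namedtuple

RULE_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$")

Header = namedtuple("Header", "action proto src sport direction dst dport")

def parse_rule(text):
    """Split 'action proto src sport -> dst dport (opt:val; ...)' into (Header, options)."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    header = Header(*m.groups()[:7])
    options = {}
    for item in (m.group(8) or "").split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return header, options

def build_chains(rules):
    """Chain Headers -> Chain Options: one entry per distinct header, in rule order."""
    chains = {}
    for header, options in map(parse_rule, rules):
        chains.setdefault(header, []).append(options)
    return chains

def chain_sizes(chains):
    """How many option chains hang off each header chain, in order."""
    return [len(option_chains) for option_chains in chains.values()]

def _addr_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")            # '!192.168.0.0/24' = not from this block
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def _port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:                           # '6000:6010' is an inclusive range
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def _header_matches(h, pkt):
    return (h.proto in ("ip", pkt["proto"])
            and _addr_matches(h.src, pkt["src"]) and _port_matches(h.sport, pkt["sport"])
            and _addr_matches(h.dst, pkt["dst"]) and _port_matches(h.dport, pkt["dport"]))

def _options_match(options, pkt):
    if "flags" in options and set(options["flags"]) != set(pkt.get("flags", "")):
        return False                          # flags:SF means exactly SYN+FIN set
    if "ack" in options and pkt.get("ack") != int(options["ack"]):
        return False
    if "content" in options and options["content"].encode() not in pkt.get("payload", b""):
        return False
    return True

def match(chains, pkt):
    """Walk the header chains; the first option chain that matches decides the action."""
    for header, option_chains in chains.items():
        if not _header_matches(header, pkt):
            continue
        for options in option_chains:
            if _options_match(options, pkt):
                return header.action, options.get("msg", "")
    return None

# Rules from this section plus one constructed CGI rule sharing the PHF rule's header.
RULES = [
    'alert tcp !192.168.0.0/24 any -> any any (flags:SF; msg:"SYN-FIN Scan";)',
    'alert tcp any any -> 192.168.0.0/24 80 (content:"/cgi-bin/phf"; msg:"PHF probe!";)',
    'alert tcp any any -> 192.168.0.0/24 80 (content:"/cgi-bin/test-cgi"; msg:"test-cgi probe";)',
    'log tcp any any -> 192.168.0.0/24 80',
    'alert tcp any any -> 192.168.0.0/24 6000:6010 (msg:"X traffic";)',
]
CHAINS = build_chains(RULES)

# Constructed packets: plain dicts carrying the fields the rules above inspect.
SYN_FIN = {"proto": "tcp", "src": "10.0.0.5", "sport": 4444,
           "dst": "192.168.0.10", "dport": 22, "flags": "SF"}
PHF = {"proto": "tcp", "src": "10.0.0.5", "sport": 4444, "dst": "192.168.0.10",
       "dport": 80, "flags": "PA", "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n"}
```

chain_sizes(CHAINS) returns [1, 2, 1, 1]: the two CGI rules collapse into one header chain with two option chains, which is exactly the saving the 60-rule CGI-BIN example in 2.2.3 describes.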

CHAPTER 3: DEPLOYING THE SNORT SYSTEM ON CENTOS

3.1 Description of the experiment
- Over 90% of connected networks use an IDS to detect computer security vulnerabilities.
- The Computer Security Institute reported that up to 80% of financial losses, exceeding 455 million dollars, were caused by intrusions and malicious code.
- Millions of jobs are affected by intrusions.
- If you use anti-virus software, you should consider adding an IDS to your security strategy. Most organizations that use anti-virus software do not use an IDS.
- Because technology keeps advancing, no security solution lasts forever. According to assessments by the world's leading IT organizations, the network security situation remains unstable and continues to be considered alarming for global network security: many serious vulnerabilities are discovered, forms of attack change, and high-tech criminals mount many attacks on the IT systems of businesses.
- For example, the Vista operating system could be attacked through a "blue screen of death" vulnerability, commonly called the deadly blue screen. A hacker could send the system a request containing attack code aimed directly at Vista and halt all activity.
- An intrusion detection system (IDS) is a security method capable of resisting new types of attack, as well as abuse and misuse originating inside the system, and it works well alongside traditional security methods. It has long been researched, developed and applied around the world and plays an important role in security policies.
Today, the need to exchange data over computer networks has become extremely important in every activity of society. Ensuring the security and safety of information on the network is increasingly the top concern of companies, organizations and service providers. Over time, attack techniques become more sophisticated, making network security systems lose their effectiveness. Traditional network security systems rely purely on firewalls, which control the flow of information into and out of the network rigidly, based on fixed protection rules. With this kind of defence, security systems are helpless against new attack techniques, especially attacks aimed at weaknesses of the system. We therefore need a system that monitors the information flow into and out of the network and protects networks from attacks from the Internet: one that monitors the resources and activity of the network, uses the information collected from these sources, and notifies those responsible when it determines that an intrusion is likely.
Furthermore, a firewall only works with packets as they enter and leave the network. Once an intruder has passed the firewall, they can roam freely across the network. That is why an intrusion detection system plays an important role. An intrusion detection system (IDS) is a software or hardware system that automatically monitors the events taking place in a computer system or network and analyses them to detect security problems for the system.

3.2 Experimental network infrastructure

The experimental infrastructure builds a firewall and IDS on a CentOS machine with two network cards: one with address 192.168.0.38 connected to the external Internet, and the other with address 192.168.211.130 connected to the internal network, which contains a web server and FTP server at 192.168.211.131 with gateway 192.168.211.130. For the simulation, we create SSH, ping, HTTP and FTP connections from outside or from inside to the firewall/IDS machine, and at the same time use the firewall and IDS to monitor the detection of intrusions into the system. The firewall can block malicious traffic so that the IDS can control all traffic, inside and outside. When malicious traffic enters the system, the IDS detects it and notifies the administrator so that the unauthorized intrusion can be blocked in time by the firewall. To keep this model simple, we only examine attacks from outside against the firewall/IDS system. When an attack on the system occurs, the IDS sends alerts to the administrator through the BASE analysis tool (Basic Analysis and Security Engine).
This experimental model is designed to be simple so that the reader can easily understand and visualize it.
3.3 Steps to install Snort on CentOS

Installing the CentOS operating system
- Operating system: Linux CentOS 6.7
- Kernel: 2.6.18-92.el5
- Account
+ User: root
+ Password: 123456

Installing and configuring Snort
Install the dependency packages (the machine must be connected to the Internet; Snort builds against libpcap, so the pcap packages are listed here):

# yum install -y gcc gcc-c++ kernel-devel patch make libxml2 pcre-devel php php-common php-gd php-cli php-mysql flex bison libpcap libpcap-devel mysql mysql-devel mysql-bench mysql-server

Install PEAR from the website:
# wget http://pear.php.net/go-pear
# php -q go-pear

So that BASE can run, execute the commands:

# pear install Image_Color-1.0.3
# pear install Image_Canvas-0.3.2
# pear install Log-1.12.0
# pear install Numbers_Roman-1.0.2
# pear install Numbers_Words-0.16.1
# pear install Image_Graph-0.7.2
# pear install Image_GraphViz-1.3.0RC3

Download Libnet from http://www.filewatcher.com/m/libnet-1.0.2a.tar.gz

# cd /usr/local/
# tar zxvf /Download/libnet-1.0.2a.tar.gz
# cd Libnet-1.0.2a/
# ./configure && make && make install

Download Snort and the Snort rules from http://www.snort.org

Register an account at snort.org and download the registered-user rule set to the machine.
# cd /usr/local/
# tar zxvf /Download/snort-2.8.4.1.tar.gz
# cd snort-2.8.4.1/
# ./configure --enable-sourcefire --enable-targetbased --with-mysql
# make && make install

Create the Snort account and storage areas

# mkdir /etc/snort
# mkdir /var/log/snort
# groupadd snort
# useradd -g snort snort
# chown snort:snort /var/log/snort
# cd /etc/snort/
# tar zxvf /Download/snortrules-snapshot-CURRENT.tar.gz
# cp etc/* /etc/snort/
# ln -s /usr/local/bin/snort /usr/sbin/snort
# cd /etc/snort/so_rules/precompiled/CentOS-5.0/i386/2.8.4.1
# cp * /usr/local/lib/snort_dynamicrules/
Configuring Snort
Edit the configuration file /etc/snort/snort.conf:
var HOME_NET 192.168.0.0/24
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules

Create some experimental Snort rules

# vi /etc/snort/rules/local.rules
# flags/ack are TCP-only options, so the TCP-ping rule uses the tcp protocol;
# sids below 1000000 are reserved for the official rule set, so local rules start at 1000001
alert tcp any any -> any 23 (msg:"Telnet Connection Attempt"; sid:1000001;)
alert tcp any any -> 192.168.0.0/24 any (flags:SF; msg:"SYN-FIN scan detected"; sid:1000002;)
alert tcp any any -> 192.168.0.0/24 any (flags:A; ack:0; msg:"TCP ping detected"; sid:1000003;)
alert tcp any any -> any 22 (msg:"ssh connection Attempt"; sid:1000004;)
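A check to run over local.rules before Snort loads it, added here as an example (my code, not part of the thesis). It flags the slips that hand-written rules like the ones above invite: a sid below 1000000 (the range reserved for the official rule set), a duplicate sid, a missing msg or sid, and flags/ack/seq used on a non-TCP rule. The sample rule file is constructed, with deliberate mistakes, and only the standard library is used.

```python
"""Lint a Snort local.rules file before loading it (added example, not Snort code)."""
import re

RESERVED_SID_MAX = 1_000_000                 # local rules must use sid >= 1000000
TCP_ONLY_OPTIONS = {"flags", "ack", "seq"}   # from the option list in 2.2.5

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*(?:\((.*)\))?\s*$")

def parse_options(raw):
    """'msg:"x"; sid:1;' -> {'msg': 'x', 'sid': '1'}; bare options map to ''."""
    opts = {}
    for item in (raw or "").split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    return opts

def lint_rules(text):
    """Return (line_number, message) findings; an empty list means the file is clean."""
    findings = []
    seen_sids = {}                            # sid -> first line that used it
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments are skipped
            continue
        m = HEADER_RE.match(line)
        if not m:
            findings.append((lineno, "unparseable rule header"))
            continue
        action, proto, raw_opts = m.groups()
        opts = parse_options(raw_opts)
        if action in ("alert", "log") and "msg" not in opts:
            findings.append((lineno, "missing msg option"))
        if "sid" not in opts:
            findings.append((lineno, "missing sid option"))
        elif not opts["sid"].isdigit():
            findings.append((lineno, f"sid is not a number: {opts['sid']}"))
        else:
            sid = int(opts["sid"])
            if sid < RESERVED_SID_MAX:
                findings.append((lineno, f"sid {sid} is in the range reserved for official rules"))
            if sid in seen_sids:
                findings.append((lineno, f"sid {sid} already used on line {seen_sids[sid]}"))
            else:
                seen_sids[sid] = lineno
        bad = TCP_ONLY_OPTIONS.intersection(opts)
        if bad and proto != "tcp":
            findings.append((lineno, f"{', '.join(sorted(bad))} only valid for tcp rules, protocol is {proto}"))
    return findings

# Constructed sample in the style of the local.rules above, with deliberate mistakes:
# a reserved sid, a flags/ack rule on icmp that reuses a sid, and a rule with no sid.
SAMPLE = """\
alert tcp any any -> any 23 (msg:"Telnet Connection Attempt"; sid:100001;)
alert tcp any any -> 192.168.0.0/24 any (flags:SF; msg:"SYN-FIN scan detected"; sid:1000002;)
alert icmp any any -> 192.168.0.0/24 any (flags:A; ack:0; msg:"TCP ping detected"; sid:1000002;)
alert tcp any any -> any 22 (msg:"ssh connection Attempt";)
"""

if __name__ == "__main__":
    for lineno, msg in lint_rules(SAMPLE):
        print(f"line {lineno}: {msg}")
```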

- Start Snort for the first time:

# /usr/local/bin/snort -Dq -u snort -g snort -c /etc/snort/snort.conf
Check whether Snort is running and writing logs:
# cd /var/log/snort
# ls -l
Total 12144
-rw---------- 1 root root 6205014 Dec 3 16:32 snort.alert
-rw---------- 1 root root 6205014 Dec 3 16:32 snort.log

Installing Barnyard
Barnyard is an application used to offload the work of writing log files and alerts from Snort, so that Snort can devote its resources to its own function.
# wget http://snort.org/dl/barnyard2-1.8.tar.gz
# cd /usr/local/
# tar zxvf /Download/barnyard2-1.8.tar.gz
# cd barnyard2-1.8/
# ./configure --with-mysql
# make && make install
# cd etc/
# cp barnyard.conf /etc/snort

Configuring the MySQL server

Create the database with MySQL:
# service mysqld start
# mysql
mysql> set password for root@localhost = password('123456');
mysql> create database snort;
mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
mysql> set password for snort@localhost = password('123456');
mysql> exit
# cd /usr/local/snort-2.8.4.1/schemas/
# mysql -p snort < create_mysql
Enter password:
# mysql -p
mysql> show databases;
mysql> use snort;
mysql> show tables;
mysql> exit

Configure Snort to write alerts into MySQL

# vi /etc/snort/snort.conf

- Find the line below, uncomment it and adjust the values to match:
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost

- Restart Snort and check whether Snort and Barnyard2 are writing logs into the database:
# mysql -usnort -p"123456" -D snort -e "select count(*) from event"
count(*)
280278

If the number is non-zero, Snort and Barnyard2 are in sync.


Install ADODB
Download ADODB from http://nchc.dl.sourceforge.net/sourceforge/adodb/
# cd /var/www/html/
# tar zxvf /Download/adodb4991.tgz

Install and configure Basic Analysis and Security Engine (BASE)


BASE is an application that provides a web interface for querying and analysing Snort alerts.
# cd /var/www/html
# tar zxvf /Download/base-1.4.5.tar.gz
# mv base-1.4.5 base
# chmod 777 base
# cd base
# cp base_conf.php.dist base_conf.php

Configure BASE:
# vi base_conf.php

Edit the following lines:
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb';
$alert_dbname = 'snort';
$alert_password = '123456';
$archive_exists = 1; # set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_user = 'snort';
$archive_password = '123456';
$external_whois_link = 'index.php';
$external_dns_link = 'index.php';
$external_all_link = 'index.php';

At this point Snort is basically working. This can be checked with the following command:
# snort -c /etc/snort/snort.conf -i eth0

Figure 3-1: Snort running

After Snort has verified all the information it needs in order to run, the following line appears:
Not Using PCAP_FRAMES
Snort is now running and recording everything it detects that looks suspicious.
To stop Snort, press Ctrl+C.
3.4 System interface after installation

Basic configuration information
The firewall and IDS host has 2 network interfaces, currently configured as follows:
+ eth0 is used for administration and to listen for intrusions from outside
+ eth1 connects to the internal network (http, ssh, ftp)
CentOS operating system information
- Administrator account: root/root
- eth0 interface
+ IP: 192.168.0.38/24
+ Netmask: 255.255.255.0
+ Network: 192.168.0.0/24
+ Broadcast: 192.168.0.255
+ Gateway: 192.168.0.254

- Installed software:
+ iptables
+ Snort 2.8.4.1
+ MySQL Server
+ PHP
+ Barnyard2
+ Basic Analysis and Security Engine 1.4.5
Using Snort
- Configuration file: /etc/snort/snort.conf
- Rules directory: /etc/snort/rules/
- Log files: /var/log/snort/

To start the Snort process, type:
# /etc/init.d/snort start
or
# /usr/local/bin/snort -Dq -u snort -g snort -i eth0 -c /etc/snort/snort.conf
To kill the Snort process, type:
# pkill snort
Experimental statistics from the Snort IDS
BASE is used to administer and inspect the experimental statistics. BASE provides graphical tools that let the user retrieve and analyse the alerts.

Figure 3-2: BASE main interface


Under Traffic Profile by Protocol, click TCP to see how frequently the alerts occur.

Figure 3-3: Snort detects Nmap port scanning and ssh access
In the Summary Statistics table, click the Destination link on the Unique addresses row to see the destination addresses that are under attack.

Figure 3-4: Displaying suspicious addresses

Viewing packet payloads
To view a packet's payload, click the ID column of the corresponding alert.
For example, click the link #6-(2-296605) to view the contents of that packet.

Figure 3-5: Viewing the contents of a packet

This feature is especially useful: it lets the IDS administrator review the entire packet that generated an alert, which makes rule tuning more accurate.
Graph Alert Detection Time
On the main page, click "Graph Alert Detection Time" to view a chart of alert frequency by hour, day or month.
This kind of chart is very useful: it makes unusual periods easy to identify, which helps direct the administrator's attention to the points that matter.
The chart below shows intrusion detections by day and hour.

Figure 3-6: Statistics by day and hour

Chart of intrusions into the system detected by Snort, by day

Figure 3-7: Statistics by day

3.5 Attacks and experimental statistics

Attack and detection by the Snort IDS
The attacker uses a flooding attack (PING FLOOD) against the firewall and IDS host, by sending a large number of ping packets to the firewall and IDS.
C:\>ping 192.168.0.38 -l 1000 -t
Pinging 192.168.0.38 with 1000 bytes of data:
Reply from 192.168.0.38: bytes=1000 time=1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64

When the IDS detects that someone is carrying out a ping flood, the administrator checks the IDS host, which has detected and recorded every event that occurred, and sees that an attacker is flooding the system. It is the administrator's responsibility to set up firewall rules that limit the attacker's ability to attack the system.

Figure 3-8: The Snort IDS detects the packets sent into the system

Prevention
The administrator sets up rules on the iptables firewall to counter flooding attacks, using the following rule set:
# iptables -N CHECK_FLOOD
# iptables -A CHECK_FLOOD -m limit --limit-burst 6 --limit 2/m -j RETURN
# iptables -A CHECK_FLOOD -j DROP
# iptables -A INPUT -s 0/0 -i eth0 -p icmp --icmp-type echo-request -j CHECK_FLOOD

In the rule set above, the first command, iptables -N CHECK_FLOOD, creates a new chain named CHECK_FLOOD. The -A option appends a new rule to the CHECK_FLOOD chain. In the CHECK_FLOOD chain we set limit-burst to 6 packets and limit to 2 packets/minute; a packet that matches the rule RETURNs to the calling chain, otherwise it is DROPped. Then we hook the CHECK_FLOOD chain into the INPUT chain, with the incoming interface eth0, protocol icmp and icmp type echo-request. This rule limits ping packets to eth0 to 2 packets/minute once 6 packets have been reached.

When the rule is applied in the iptables firewall, only the first 6 packets in the first minute are accepted, matching the RETURN rule. Once the preset level of 6 packets has been reached, iptables immediately limits pings to eth0 to 2 packets per minute, regardless of how many packets are pinged to eth0. If no ping packets arrive in the next minute, iptables lowers the limit by 2 packets, meaning the rate currently at 2 packets per minute rises to 4 packets per minute. If no packets arrive in a further minute, the limit decreases by another 2 packets and returns to the preset state of 6 packets. The process continues in this way.
Experimental results
Through the experimental test we see that iptables works very effectively, limiting the number of packets sent in, so that our system withstands a flooding attack. The options are very flexible; we can set rules according to how many packets we allow into the system.
Result of iptables limiting packets into the system
C:\>ping 192.168.0.38 -l 1000 -t
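To make the behaviour of the limit match concrete, the following Python model (an added example, not part of the thesis and not iptables code) simulates a credit-based token bucket with the parameters above: a burst of 6, refilled at 2 per minute, one token spent per echo-request that RETURNs. Arrival times are constructed; simulate_ping mimics a ping loop that sends the next request 1 s after a reply and 4 s after a timeout, which is why a flood settles to roughly one accepted packet per 30 s rather than to the raw send rate. The accept/drop counts it produces differ slightly from the 12/31 the thesis observed because the timing model is simplified.

```python
"""Model of the iptables 'limit' match used in the CHECK_FLOOD chain.

Added example (not from the thesis, not iptables source). The bucket
parameters are the ones the thesis configures: --limit 2/m --limit-burst 6.
Arrival times fed to the model are constructed for illustration.
"""
from fractions import Fraction


class LimitMatch:
    """Credit-based token bucket, modelling how the xt_limit match behaves.

    One packet costs 'cost' seconds of credit; credit accrues with wall-clock
    time and is capped at burst * cost, so at most 'burst' packets can pass
    back-to-back and after that one packet per 'cost' seconds.
    """

    def __init__(self, rate_per_min, burst):
        self.cost = Fraction(60, rate_per_min)   # seconds of credit per packet
        self.cap = self.cost * burst
        self.credit = self.cap                   # bucket starts full
        self.last = Fraction(0)

    def allow(self, t):
        """True if a packet arriving at time t (seconds) matches (-j RETURN),
        False if it falls through to -j DROP."""
        t = Fraction(t)
        self.credit = min(self.cap, self.credit + (t - self.last))
        self.last = t
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def run_flood(arrivals, rate_per_min=2, burst=6):
    """Open-loop flood: echo-requests at the given times regardless of replies.
    Returns (accepted, dropped)."""
    bucket = LimitMatch(rate_per_min, burst)
    decisions = [bucket.allow(t) for t in arrivals]
    return decisions.count(True), decisions.count(False)


def simulate_ping(count, reply_gap=1, timeout=4, rate_per_min=2, burst=6):
    """Closed-loop flood modelling 'ping -t': the next request goes out
    reply_gap seconds after an answered one and timeout seconds after an
    unanswered one. Returns a list of (send_time, accepted) tuples."""
    bucket = LimitMatch(rate_per_min, burst)
    t = Fraction(0)
    log = []
    for _ in range(count):
        ok = bucket.allow(t)
        log.append((int(t), ok))
        t += reply_gap if ok else timeout
    return log


def summarise(log):
    """Return (sent, received, lost, loss_percent) like ping's statistics line."""
    sent = len(log)
    received = sum(1 for _, ok in log if ok)
    lost = sent - received
    return sent, received, lost, round(100 * lost / sent)


if __name__ == "__main__":
    log = simulate_ping(43)
    for t, ok in log:
        print(f"t={t:4d}s  {'Reply' if ok else 'Request timed out.'}")
    print("Packets: Sent = %d, Received = %d, Lost = %d (%d%% loss)" % summarise(log))
```

Running it prints the decision log for 43 requests: the first 6 pass as a burst, then one request per roughly 30 s is accepted. The loss ratio is set by the limit and by the sender's retry cadence, not by how many packets the sender pushes, which is what the thesis's 72% figure reflects.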
Pinging 192.168.0.38 with 32 bytes of data:
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Request timed out.
Request timed out.
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Request timed out.
Request timed out.
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Ping statistics for 192.168.0.38:
Packets: Sent = 43, Received = 12, Lost = 31 (72% loss),

According to the system's record, 43 packets were sent, but the system accepted only 12 packets and dropped 31, a packet loss rate of 72%.

Figure 3-9: H-IDS experimental model

CHAPTER 4: CONCLUSION

Although intrusion detection systems (IDS) appeared only recently, they now play a no less important role. An IDS helps people discover and analyse a new attack threat, from which a defence plan is drawn up. To some extent, it can also help trace the perpetrator of an attack. A large organisation cannot do without an IDS.
4.1 Results achieved
- Understood how the Snort IDS works
- Gained a visual understanding by carrying out experiments with several kinds of attack
- Understood how the Snort intrusion detection system and its rule sets operate
- Installed and configured an open-source intrusion detection system
- Deployed an experimental Snort IDS
4.2 Limitations of the project
- Only an experimental deployment was carried out
- The system was deployed within a LAN
- The subject of the Snort IDS is very broad, and today's new attack methods change greatly; consequently its operation is not yet fully understood
- The supplementary rule set is still being optimised and extended, so it is not presented in this report
4.3 Future development of the project
- Deploy on an Internet-facing system
- Tune the Snort rules to operate more flexibly and consistently, in order to optimise and make the fullest use of the whole system to prevent intrusions or attacks as effectively as possible
- Have the IDS automatically notify the administrator by email and SMS, and automatically apply a suitable countermeasure to neutralise the attack
- Apply it in practice for companies, businesses and schools
