Lê Đức Hiệp
Undergraduate Graduation Thesis
Hưng Yên - 2016
Ministry of Education and Training
Hung Yen University of Technology and Education
Supervisor: Vũ Xuân Thắng
LIST OF FIGURES
Figure 2-1: Architecture model of an intrusion detection system (IDS) (p. 11)
Figure 2-2: Network IDS model (p. 12)
Figure 2-3: Host IDS model (p. 13)
Figure 2-4: Packet processing flow (p. 17)
Figure 2-5: The intrusion detector (p. 19)
Figure 2-6: Log file recording and alerting system (p. 20)
Figure 3-1: Snort in operation (p. 30)
Figure 3-2: Main interface of BASE (p. 32)
Figure 3-3: Snort detecting an Nmap port scan and SSH access (p. 32)
Figure 3-4: Display of suspicious addresses (p. 33)
Figure 3-5: Viewing the contents of a packet (p. 33)
Figure 3-6: Statistics by day and hour (p. 34)
Figure 3-7: Statistics by day (p. 35)
Figure 3-8: Snort IDS detecting packets sent into the system (p. 36)
Figure 3-9: Experimental model (p. 38)
LIST OF ABBREVIATIONS
DDoS: Distributed Denial of Service
DNS: Domain Name System
DoS: Denial of Service
FTP: File Transfer Protocol
HIDS: Host Intrusion Detection System
IP: Internet Protocol
IPS: Intrusion Prevention System
ICMP: Internet Control Message Protocol
IDS: Intrusion Detection System
MAC: Media Access Control
NIDS: Network Intrusion Detection System
OSI: Open Systems Interconnection
SNMP: Simple Network Management Protocol
SMTP: Simple Mail Transfer Protocol
TCP: Transmission Control Protocol
UTM: Unified Threat Management
Reasons for choosing the topic
Today, information technology is developing very rapidly around the world and brings practical benefits in many areas: economics, society, politics, health care, the military, meetings within organizations, agencies and companies, and conferences spanning countries and continents (video conferencing).
The Internet plays an ever more important role in human activity, with an ever richer and more diverse volume of information. It is not only a place to look up the news and events of daily life; the Internet also acts as a bridge connecting people across every geographic region. Geographic distance has almost lost its meaning: people half a world apart can exchange information and share data as if they were in the same office.
The Internet has also helped change the way enterprises do business. Alongside traditional business activities, enterprises now have an additional, effective way of doing business: electronic commerce. In recent years e-commerce has become an important part of the growth and development of society, bringing great benefits to enterprises while promoting the socialization of information for other industries, contributing to the efficiency of individual businesses in particular and of society as a whole.
Hand in hand with this development, network security has become an urgent need, in order to protect the internal network, resist intrusion attacks, and carry out information exchanges and transactions over the network safely. Because of the value and benefits that information technology brings, malicious actors also abuse this technology, causing no small difficulty for organizations, agencies and the individuals who apply information technology in their lives.
Every technology has advantages and disadvantages. Attackers exploit vulnerabilities in systems to gain unauthorized access and extract important information and confidential, sensitive data, which are often
Approach
- Study intrusion detection systems (IDS).
- Study the Snort IDS on the Linux operating system in detail.
- Review network attack models.
- Survey over the network.
detect suspicious activity on both hosts and the network. Intrusion detection systems (IDS) come in two basic types: signature-based IDS and anomaly-based IDS. Intruders have signatures, much like computer viruses, which can be detected with virus scanning software. One can try to find data packets that contain signatures of known intrusions, or protocol anomalies. Based on its sets of signatures and rules, the detection system can find and log intrusive actions and raise alerts. Anomaly-based intrusion detection usually depends on anomalies in the protocol headers of packets. In many cases this method can give better results than a signature-based IDS. Typically an IDS captures data from the network and applies its rules to this data or detects anomalies in it.
Snort is primarily a rule-based IDS, but its input plug-ins help detect anomalies in protocol headers. Snort uses rules stored in text files, which can be read with a text editor. Rules are grouped by category, and the rules of each category are stored in separate files. These files are then collected in a main configuration file called snort.conf. Snort reads these rules every time it runs and builds its internal data structures, then applies the rules to the captured data. Finding signatures and using them in rules is a task that demands care: the more rules are used, the more processing work is required to capture data in real time. Snort allows rules for intrusion detection to be redefined and is very flexible about adding your own rules.
Some basic definitions
IDS
An Intrusion Detection System (IDS) is a
Figure 2-1: Architecture model of an intrusion detection system (IDS)
signatures that allow monitoring and detecting signs of network attacks. Snort has been developed by many organizations and companies and turned into commercial products, such as those of Sourcefire and Astaro.
Snort is mainly a rule-based IDS, but input plug-ins also exist to detect anomalies in protocol headers. Snort uses rules stored in text files, which the administrator can edit. Rules are grouped into types, and the rules belonging to each type are stored in different files. Snort's main configuration file is snort.conf. Snort reads these rules at start-up and builds data structures that supply the rules for capturing data. Finding signatures and using them in rules is a matter that demands care, because the more rules we use, the more processing capacity is required to collect data in practice. Snort comes with a set of predefined rules for detecting intrusive actions. Snort's rules are open: they allow the network administrator to create new rules, and we can add our own rules. We can also delete some of the predefined rules to avoid false alarms.
Main features of Snort:
- Supports many platforms: Linux, OpenBSD, FreeBSD, Solaris, Windows, ...
- Can detect a large number of different kinds of probes and intrusions, such as buffer overflows, CGI attacks, OS fingerprinting, ICMP, viruses, ...
- Detects intrusions quickly, in real time.
- Provides administrators with the information needed to handle incidents when an intrusion occurs.
- Lets administrators define new intrusion signatures themselves with ease.
Operating modes
Snort can be configured to run in three modes:
+ Sniffer mode: captures packets and only displays the headers of TCP/IP packets on the screen. The command syntax is as follows:
snort -v: runs Snort and displays only the IP/TCP/UDP/ICMP headers.
snort -vd: displays the headers and also shows the packet payload.
snort -vde: like the above but more detailed; also shows the data-link layer headers.
+ Packet logger mode: when the captured packets should be recorded to a storage location convenient for later analysis, packet logger mode serves the network administrator well. This mode specifies the storage location; with the following syntax, Snort automatically saves the information into that directory:
snort -vde -l /usr/local/log/snort
Logs are saved in binary form, which increases Snort's packet capture capacity. Most systems can capture packets and write them to log files at 100 Mbps without any problem.
To record the log file in binary mode, use the -b flag:
snort -b -l /usr/local/log/snort/temp.log
After packets have been captured, we can read back the file just created with the -r flag; the display is the same as in sniffer mode.
snort -r /usr/local/log/snort/temp.log
+ NIDS mode: Snort detects intrusions mainly by means of a rule set that the network administrator defines in the file snort.cfg. Most intrusive behaviours have a few signatures. Information about these signatures is used to create Snort's rules. Signatures may exist in packet headers. Snort's rules can inspect many parts of a packet to detect these signatures. To open this mode, use the syntax:
snort -dve -l /usr/local/log -h 192.168.0.0/24 -c snort.cfg
This rule detects accesses to the PHF service on the web server; an alert is generated and the entire packet is logged.
IP address ranges in rules are written as CIDR block netmasks. Ports can be given individually or as a range, with the start and end ports separated by a colon (:):
alert tcp any any -> 192.168.0.0/24 6000:6010 (msg:"X traffic";)
Experiment description
- Over 90% of connected networks use an IDS to detect computer security vulnerabilities.
- The Computer Security Institute reports that up to 80% of financial losses, exceeding 455 million dollars, were caused by intrusions and malicious code.
- Millions of jobs are affected by intrusions.
- If you use anti-virus software, you should consider adding an IDS to your security strategy. Most organizations that use anti-virus software do not use an IDS.
- Today, because technology keeps developing, no security solution can last for long. According to assessments by the world's leading information technology organizations, the network security situation remains unstable and continues to be regarded as alarming for global network security, as many serious security vulnerabilities are discovered, attack forms change, and many attacks by high-tech criminals target the information technology systems of enterprises.
- Take the Windows Vista operating system as an example: it could be attacked through a "blue screen of death" vulnerability, commonly known as the blue screen of death. A hacker could send the system a request containing attack code aimed directly at Vista and bring all of its activity to a halt.
- An intrusion detection system (IDS) is a security method capable of countering new kinds of attacks and the abuse and misuse that originate inside the system, and it can work well together with traditional security methods. It has long been researched, developed and applied around the world and plays an important role in security policies.
Today, the need to exchange data over computer networks has become extremely important in every activity of society. Ensuring the security and safety of information on the network is increasingly the top concern of companies, organizations and service providers. Over time, attack techniques
# yum install -y gcc gcc-c++ kernel-devel patch make libxml2 pcre-devel php php-common php-gd php-cli php-mysql flex bison libpcap libpcap-devel mysql mysql-devel mysql-bench mysql-server
Configure Snort
Edit the configuration file at /etc/snort/snort.conf:
var HOME_NET 192.168.0.0/24
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
alert tcp any any -> 192.168.0.0/24 any (msg:"SYN-FIN=>scan detected"; sid:1000002;)
alert icmp any any -> 192.168.0.0/24 any
(flags:A; ack:0;
alert tcp any any -> any 22 (msg:"ssh connection=>Attempt"; sid:1000004;)
/usr/local/bin/snort -Dq -u snort -g snort -c /etc/snort/snort.conf
Check whether Snort is running and writing logs:
# cd /var/log/snort
# ls -l
total 12144
-rw------- 1 root root 6205014 Dec 3 16:32 snort.alert
-rw------- 1 root root 6205014 Dec 3 16:32 snort.log
Install Barnyard
Barnyard is an application used to offload the work of writing log files and alerts from Snort, so that Snort can devote its resources to its own function.
# wget http://snort.org/dl/barnyard2-1.8.tar.gz
# cd /usr/local/
output database: log, mysql, user=snort password=123456 dbname=snort host=localhost
- Restart Snort and check whether Snort and Barnyard2 are writing log records to the database:
# mysql -usnort -p"123456" -D snort -e "select count(*) from event"
count(*)
Configure BASE:
# vi base_conf.php
Edit the following lines:
$BASE_urlpath = '/base';
$DBlib_path = '/var/www/html/adodb';
$alert_dbname = 'snort';
$alert_password = '123456';
$archive_exists = 1; # set this to 1 if you have an archive DB
$archive_dbname = 'snort';
$archive_user = 'snort';
$archive_password = '123456';
$external_whois_link = 'index.php';
$external_dns_link = 'index.php';
$external_all_link = 'index.php';
+ IP address: 192.168.0.38/24
+ Netmask: 255.255.255.0
+ Network: 192.168.0.0/24
+ Broadcast: 192.168.0.255
192.168.0.254
- Installed software:
+ Iptables
+ Snort 2.8.4.1
+ MySQL Server
+ PHP
+ Barnyard2
+ Basic Analysis and Security Engine 1.4.5
Snort usage guide
- Configuration file: /etc/snort/snort.conf
- Rules directory: /etc/snort/rules/
- Log files: /var/log/snort/
Figure 3-3: Snort detecting an Nmap port scan and SSH access
In the Summary Statistics panel, click the Destination link in the Unique addresses row to view the destination addresses that were attacked.
the firewall and IDS system, by sending a large number of ping packets into the firewall and IDS system.
C:\>ping 192.168.0.38 -l 1000 -t
Pinging 192.168.0.38 with 1000 bytes of data:
Reply from 192.168.0.38: bytes=1000 time=1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
Reply from 192.168.0.38: bytes=1000 time<1ms TTL=64
When the IDS detects that someone is carrying out a ping flood, the administrator checks the system, on which the IDS has detected and recorded all the events that occurred, and sees that an attacker is flooding the system
CHAPTER 4:
CONCLUSION
Although intrusion detection systems (IDS) appeared only later than other defences, today they play a role that is no less important. An IDS helps people discover and analyze new attack threats, and from that, countermeasures are drawn up. To some extent, it can even trace the culprit behind an attack. A large organization cannot do without an IDS.
4.1 Results achieved
4.2 Limitations of the thesis