1 SNORT Tran Phuong Binh C13QM15
8/10/2019 1 SNORT Tran Phuong Binh C13QM15
DEPLOYING AN INTRUSION DETECTION SYSTEM WITH SNORT/SNORTSAM/SMS ALERT
Guide by: TRẦN PHƯƠNG BÌNH
Class: C13QM15 - HUTECH
Email: [email protected] : http://facebook.com/binbin.1993
Website: http://tpbnetworking.blogspot.com
I. Overview of Snort IDS
Snort is a type of IDS (Intrusion Detection System). An IDS is a system installed on the network whose job is to monitor the packets entering and leaving the network. When Snort detects an attack it can react in several ways, depending on the configuration the network administrator has set up; for example, it can send an alert message to the administrator or drop the packet when it detects something abnormal in the traffic.
Snort works from a set of pre-built rules that must be updated regularly. Each rule represents one attack. When a packet reaches the system it is matched against the rule set, and if there is a match Snort reacts.
Example of a rule:
alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)
The first part of the rule describes the action (the rule's action), here alert, the protocol (tcp), the source and destination IP addresses and the port information. This part is called the rule header.
The rest of the rule, known as the rule options, contains the alert message and the information Snort uses to check whether the rule matches the packet.
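The header/option split just described can be checked mechanically. The following is an added example, not code from the lab report or from Snort itself: a minimal parser and linter for Snort 2 rule syntax, run over the mountd rule above and over constructed variants that carry the kind of slips that appear in rule files (an unquoted msg, a last option without its ';', a CIDR such as 192.168.2.0/16 whose host bits are set). The rule names and the list of checks are this example's own choices.

```python
"""Added example (not from the lab report or Snort): parse a Snort 2 rule into
its header and options and flag common slips before Snort refuses the file."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def split_options(body):
    """Split 'k:v; k2:v2;' into (key, value) pairs.  A ';' inside double quotes
    does not end an option.  Returns the pairs and any unterminated tail."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                key, _, val = token.partition(":")
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
    return opts, "".join(cur).strip()


def parse_rule(text):
    """Return the header fields, the option list and any unterminated last option."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % text[:40])
    opts, tail = split_options(m.group("opts"))
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"], rule["unterminated"] = opts, tail
    return rule


def cidr_has_host_bits(addr):
    """True for e.g. 192.168.2.0/16, which Snort silently widens to 192.168.0.0/16."""
    addr = addr.lstrip("!")
    if addr == "any" or addr.startswith("$") or "/" not in addr:
        return False
    try:
        ipaddress.ip_network(addr, strict=True)
        return False
    except ValueError:
        return True


def lint(text):
    """Checks chosen for this example: quoted msg, a sid, ';' after the last option, clean CIDRs."""
    try:
        rule = parse_rule(text)
    except ValueError as err:
        return [str(err)]
    problems = []
    msg = dict(rule["options"]).get("msg")
    if msg is None:
        problems.append("no msg option")
    elif not (msg.startswith('"') and msg.endswith('"')):
        problems.append("msg is not quoted")
    if "sid" not in [k for k, _ in rule["options"]]:
        problems.append("no sid option")
    if rule["unterminated"]:
        problems.append("last option %r is not terminated with ';'" % rule["unterminated"])
    for field in ("src", "dst"):
        if cidr_has_host_bits(rule[field]):
            problems.append("%s %s has host bits set" % (field, rule[field]))
    return problems


# the page's own mountd example plus constructed variants
MOUNTD_RULE = ('alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 '
               '(content: "|00 01 86 a5|"; msg: "external mountd access";)')
GOOD_RULE = ('alert icmp any any -> $HOME_NET any (msg:"Phat hien tan cong Ping of Death"; '
             'dsize:>200; sid:1000004; fwsam:src, 30 minutes;)')
UNQUOTED_RULE = ('alert icmp any any -> $HOME_NET any (msg:Phat hien tan cong Ping of Death; '
                 'dsize:>200; sid:1000004; fwsam:src, 30 minutes)')
WIDE_NET_RULE = 'alert tcp 192.168.2.0/16 any -> any any (msg:"wide net"; sid:1000005;)'

if __name__ == "__main__":
    for rule in (MOUNTD_RULE, GOOD_RULE, UNQUOTED_RULE, WIDE_NET_RULE):
        print(rule[:50], "->", lint(rule) or "ok")
```

The linter is deliberately strict about the trailing ';' and the quoted msg because Snort rejects the whole rule file on either, and a sensor that refuses to load its rules is a sensor that detects nothing.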
II. System preparation
Prepare the system as follows; everything is simulated on VMware 10 virtual machines. (Note: the CentOS machine used as the firewall must be connected to the internet to install Snort and SnortSam.) The installation sources referenced below are all stored at: https://sourceforge.net/projects/snortsnortsam/
Device          Configuration                            Notes
01 PC Linux     OS: CentOS 6.5 32-bit, RAM: 800 MB       Used as firewall IDS/IPS
01 PC Windows   OS: Windows Server 2003, RAM: 800 MB     Used as Web Server
01 PC Linux     OS: Backtrack 5r3                        Used by the attacker
III. Solution demo model
1. Installing Snort
On the CentOS machine, open a terminal and run the following commands:
Step 1: Update the repository
# rpm -Uhv http://master.dl.sourceforge.net/project/snortsnortsam/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
Step 2: Install the packages Snort needs
# yum -y install libdnet libdnet-devel libpcap libpcap-devel daq gcc make flex bison pcre pcre-devel zlib zlib-devel
# yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd httpd wget
Step 3: Start the httpd and mysql services
# service httpd start
# chkconfig httpd on
# service mysqld start
# chkconfig mysqld on
Step 4: Install DAQ
# cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/daq-1.1.1.tar.gz
# tar -xzvf daq-1.1.1.tar.gz
# cd daq-1.1.1/
# ./configure
# make && make install
# ldconfig -v
(Note: the DAQ library is only required by Snort 2.9 and later. The Snort 2.8.4.1 build below links against libpcap directly, so this step does no harm but is not needed for it.)
Step 5: Create the snort user and the required directories
# groupadd snort
# useradd -g snort snort
# mkdir /usr/local/snort
# mkdir /etc/snort
# mkdir /var/log/snort
# mkdir /var/run/snort
# chown snort:snort /var/log/snort
# chown snort:snort /var/run/snort
# mkdir -p /usr/local/lib/snort_dynamicrules
# chown -R snort:snort /usr/local/lib/snort_dynamicrules
# chmod -R 700 /usr/local/lib/snort_dynamicrules
Step 6: Download and install Snort
# cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/snort-2.8.4.1.tar.gz
# tar -xzvf snort-2.8.4.1.tar.gz
# cd snort-2.8.4.1/
# ./configure --with-mysql --enable-dynamicplugin
# make && make install
# cp /tmp/snort-2.8.4.1/etc/snort.conf /etc/snort/
# cp /tmp/snort-2.8.4.1/etc/unicode.map /etc/snort/
# cp /tmp/snort-2.8.4.1/etc/classification.config /etc/snort/
# cp /tmp/snort-2.8.4.1/etc/threshold.conf /etc/snort
Step 7: Download the rules for Snort
# cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/snortrules-snapshot-2.8.tar.gz
# tar -zxvf snortrules-snapshot-2.8.tar.gz
# cd snortrules-snapshot-2.8
# cp -R rules /etc/snort/
# chown -R snort:snort /etc/snort/
Step 8: Edit the Snort configuration file
# vi /etc/snort/snort.conf
line 26: var HOME_NET 192.168.2.0/16
line 110: var RULE_PATH /etc/snort/rules
(Note: 192.168.2.0/16 has host bits set and is treated as 192.168.0.0/16; the lab network used elsewhere in this document is 192.168.2.0/24.)
Step 9: Configure the init script for Snort
Create a symbolic link from the snort binary to /usr/sbin/snort:
# ln -s /usr/local/bin/snort /usr/sbin/snort
Snort ships startup scripts in the rpm/ directory of the extracted source tree:
# cp /tmp/snort-2.8.4.1/rpm/snortd /etc/init.d/
# cp /tmp/snort-2.8.4.1/rpm/snort.sysconfig /etc/sysconfig/snort
# cp /tmp/snort-2.8.4.1/etc/reference.config /etc/snort/
Step 10: Start Snort at boot
# chmod +x /etc/init.d/snortd
# chkconfig snortd on
# service snortd start
Step 11: Run Snort in the foreground (debug mode) if you want to check for errors; adding -T makes it only validate the configuration and exit:
# snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
2. Installing BASE & barnyard2
Step 1: Install the dependencies
# pear channel-update pear.php.net
# pear install Numbers_Roman
# pear install channel://pear.php.net/Image_Canvas-0.3.5
# pear install channel://pear.php.net/Image_Graph-0.8.0
Step 2: Configure MySQL
# mysqladmin -u root password 123456
(123456 is a lab placeholder; use a strong password anywhere other than this isolated lab.)
# mysql -u root -p
mysql> create database snort;
Query OK, 1 row affected (0.00 sec)
mysql> grant select,insert,update,delete,create on snort.* to snort@localhost;
Query OK, 0 rows affected (0.06 sec)
mysql> set password for snort@localhost=PASSWORD('123456');
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Step 3: Configure the Snort file
# vi /etc/snort/snort.conf
line 709: output unified2: filename snort.u2, limit 128
Step 4: Install barnyard2
# cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/barnyard2-1.9.tar.gz
# tar -xzvf barnyard2-1.9.tar.gz
# cd barnyard2-1.9
# ./configure --with-mysql (if CentOS is 32-bit)
# ./configure --with-mysql-libraries=/usr/lib64/mysql/ (if CentOS is 64-bit)
# make && make install
# cp etc/barnyard2.conf /etc/snort/
# mysql -u snort -p123456 snort < schemas/create_mysql
# touch /etc/snort/barnyard2.waldo
# chmod 777 /etc/snort/barnyard2.waldo
# chown snort:snort /etc/snort/barnyard2.waldo
(777 is wider than needed: the file is owned by snort and only barnyard2 writes it, so chmod 600 is enough.)
Step 5: Edit the barnyard2 configuration file
# mkdir /var/log/barnyard2
# chown snort:snort /var/log/barnyard2/
# vi /etc/snort/barnyard2.conf
line 29: config reference_file: /etc/snort/reference.config
line 30: config classification_file: /etc/snort/classification.config
line 31: config gen_file: /etc/snort/etc/gen-msg.map
line 32: config sid_file: /etc/snort/etc/sid-msg.map
line 44: config logdir: /var/log/barnyard2
line 60: config hostname: localhost
line 61: config interface: eth0
line 65: config alert_with_interface_name
line 164: input unified2
line 318: output database: alert, mysql, user=snort password=123456 dbname=snort host=localhost
(gen-msg.map and sid-msg.map live in the etc/ directory of the rules snapshot and of the Snort source tree; step 7 above copied only rules/, so copy etc/ to /etc/snort/etc as well or these two paths will not exist.)
Step 6: Edit the init script so it also manages barnyard2
# vi /etc/init.d/snortd
(Replace the existing start() and stop() functions in the script with the versions below. They must stay above the case "$1" dispatch at the bottom of the script: functions appended after that point are defined too late to be called.)
BARNYARD2=/usr/local/bin/barnyard2
start()
{
    [ -x $SNORTD ] || exit 5
    echo -n $"Starting $prog: "
    # start Snort as a daemon (-D) with the options assembled from /etc/sysconfig/snort
    daemon --pidfile=$PID_FILE $SNORTD $LINK_LAYER $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l $LOGDIR $PASS_FIRST $BPFFILE $BPF && success || failure
    RETVAL=$?
    # then start barnyard2 as a daemon on the unified2 spool Snort writes,
    # resuming from the bookmark kept in the waldo file
    $BARNYARD2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /etc/snort/barnyard2.waldo -u snort -g snort -D
    [ $RETVAL -eq 0 ] && touch $lockfile
    echo
    return $RETVAL
}
stop()
{
    echo -n $"Stopping $prog: "
    killproc $SNORTD
    killproc $BARNYARD2
    if [ -e $PID_FILE ]; then
        chown -R $USER:$GROUP /var/run/snort_eth0.* && rm -f /var/run/snort_eth0.pi*
    fi
    RETVAL=$?
    if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
        trap TERM
        killall $prog 2>/dev/null
        trap TERM
    fi
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    echo
    return $RETVAL
}
Step 7: Restart Snort
# /etc/init.d/snortd restart
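What Snort and barnyard2 now exchange is the unified2 spool: Snort appends binary records to snort.u2, barnyard2 reads them from the offset saved in the waldo file and inserts them into MySQL for BASE. The following is an added example, not code from the lab report or from barnyard2: a small reader for that file with the same bookmark behaviour. The record layout follows the Snort manual's Unified2RecordHeader and Unified2IDSEvent_legacy (record type 7, big-endian integers); the sample records, and the 192.168.2.10 address used for the web server, are constructed for the example.

```python
"""Added example (not from the lab report or barnyard2): read Snort unified2
records from a saved offset, the way barnyard2 resumes from its waldo file.
Layout per the Snort manual: Unified2RecordHeader {type, length} followed by
Unified2IDSEvent_legacy (type 7, 52 bytes); everything is big-endian."""
import socket
import struct

U2_HEADER = struct.Struct("!II")              # record type, payload length
U2_IDS_EVENT = 7                              # UNIFIED2_IDS_EVENT (legacy, Snort 2.8)
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")  # 44 + 4 + 4 = 52 bytes
FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond",
          "signature_id", "generator_id", "signature_revision",
          "classification_id", "priority_id", "ip_source", "ip_destination",
          "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked")


def ip2int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def encode_event(**fields):
    """Build one type-7 record; used here only to construct sample input."""
    body = IDS_EVENT_LEGACY.pack(*[fields.get(f, 0) for f in FIELDS])
    return U2_HEADER.pack(U2_IDS_EVENT, len(body)) + body


def read_records(data, offset=0):
    """Yield (next_offset, type, payload) starting at `offset`.  Stops at a
    truncated record, which is what a reader sees while Snort is mid-write."""
    while offset + U2_HEADER.size <= len(data):
        rtype, length = U2_HEADER.unpack_from(data, offset)
        end = offset + U2_HEADER.size + length
        if end > len(data):
            break
        yield end, rtype, data[offset + U2_HEADER.size:end]
        offset = end


def decode_ids_event(payload):
    ev = dict(zip(FIELDS, IDS_EVENT_LEGACY.unpack(payload[:IDS_EVENT_LEGACY.size])))
    ev["ip_source"] = int2ip(ev["ip_source"])
    ev["ip_destination"] = int2ip(ev["ip_destination"])
    return ev


def process(data, waldo):
    """waldo: dict holding 'offset' (barnyard2 keeps the same bookmark in a file).
    Returns the IDS events after the bookmark and advances it past every
    complete record, including record types this reader skips (e.g. packets)."""
    events = []
    for next_off, rtype, payload in read_records(data, waldo.get("offset", 0)):
        if rtype == U2_IDS_EVENT:
            events.append(decode_ids_event(payload))
        waldo["offset"] = next_off
    return events


# constructed sample spool: the two alerts from the lab's test scenarios
SAMPLE_LOG = (
    encode_event(sensor_id=1, event_id=1, event_second=1570000000,
                 signature_id=1228, generator_id=1, signature_revision=7,
                 ip_source=ip2int("10.10.10.2"), ip_destination=ip2int("192.168.2.10"),
                 sport_itype=40000, dport_icode=80, protocol=6)
    + encode_event(sensor_id=1, event_id=2, event_second=1570000100,
                   signature_id=31047, generator_id=1, signature_revision=3,
                   ip_source=ip2int("10.10.10.10"), ip_destination=ip2int("192.168.2.10"),
                   sport_itype=8, dport_icode=0, protocol=1)
)

if __name__ == "__main__":
    bookmark = {}
    for ev in process(SAMPLE_LOG, bookmark):
        print("sid %d from %s -> %s" % (ev["signature_id"], ev["ip_source"], ev["ip_destination"]))
    print("waldo offset now", bookmark["offset"])
```

The bookmark is why the waldo file must be writable by the snort user: if barnyard2 cannot persist the offset, a restart replays the whole spool into MySQL and BASE shows duplicate alerts.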
Step 8: Install BASE
# cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/base-1.4.5.tar.gz
# tar -xzvf base-1.4.5.tar.gz
# cp -r base-1.4.5/ /var/www/base
# cd /var/www/base/
# cp base_conf.php.dist base_conf.php
Step 9: Edit the base_conf configuration file
# vi base_conf.php
line 50: $BASE_urlpath = '/base';
line 80: $DBlib_path = '/var/www/adodb';
line 102: $alert_dbname = 'snort';
line 103: $alert_host = 'localhost';
line 104: $alert_port = '3306';
line 105: $alert_user = 'snort';
line 106: $alert_password = '123456';
Step 10: Configure Apache
# vi /etc/httpd/conf.d/base.conf
Alias /base /var/www/base/
<Directory /var/www/base>
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Snort IDS"
    AuthType Basic
    AuthUserFile /etc/snort/base.passwd
    Require valid-user
</Directory>
(Basic authentication sends the password in cleartext, so outside the lab restrict "Allow from" to the admin network or serve BASE over HTTPS.)
Step 11: Create the password for access to the BASE web interface
# htpasswd -c /etc/snort/base.passwd snortadmin
Step 12: Create the barnyard2 log directory (already done in step 5; harmless to repeat)
# mkdir /var/log/barnyard2/
# chown -R snort:snort /var/log/barnyard2/
Step 13: Download adodb and assign access permissions
3. Installing SnortSam
Step 1: Install libtool
# yum -y install libtool
# cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/libtool-2.4.2.tar.gz
# tar -zxvf libtool-2.4.2.tar.gz
# cd libtool-2.4.2
# ./configure --prefix=/usr
# make && make install
Step 2: Download and build SnortSam
# cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/snortsam-src-2.70.tar.gz
# tar -zxvf snortsam-src-2.70.tar.gz
# cd snortsam
# chmod +x makesnortsam.sh
# sh ./makesnortsam.sh
# cp snortsam /usr/bin
Step 3: Patch the Snort source with the SnortSam output plugin and rebuild
# cd /tmp ; wget http://master.dl.sourceforge.net/project/snortsnortsam/snortsam-2.8.4.1.diff
# cd snort-2.8.4.1
# patch -p1 < /tmp/snortsam-2.8.4.1.diff
# chmod +x autojunk.sh
# sh ./autojunk.sh
# aclocal -I m4 --install
# cp ./m4/libprelude.m4 /usr/share/aclocal
# autoreconf -fvi -I ./m4
# aclocal
# autoheader
# automake --add-missing
# autoconf
# autoreconf --force --install
# ./configure --enable-zlib --enable-sourcefire
# ./configure --enable-sourcefire --enable-ipv6 --enable-dynamicplugin --with-mysql
# make && make install
(The second ./configure is the one that takes effect; it keeps the options of the original build, --with-mysql and --enable-dynamicplugin, so the patched binary still works with the barnyard2 and BASE setup above.)
Step 4: Configure SnortSam
# cp /tmp/snortsam/conf/snortsam.conf.sample /etc/snortsam.conf
# vi /etc/snortsam.conf
(Edit the following parameters, adding them at the end of the file)
accept 192.168.2.0/24
logfile /var/log/snortsam
loglevel 3
daemon
fwsam 192.168.2.254
iptables eth0
(accept lists the hosts allowed to send block requests. Since the sensor runs on the same machine, 192.168.2.254 alone is enough, and a per-host key can follow the address, as shown in snortsam.conf.sample; with the whole /24 accepted and no key, any host on the LAN could ask the agent to block an address.)
Step 5: Edit the snort.conf configuration file
# vi /etc/snort/snort.conf
(Add the following line)
output alert_fwsam: 192.168.2.254:898
Step 6: Edit the rules
- Rule to detect and block DoS by Ping of Death
# vi /etc/snort/rules/icmp.rules
alert icmp any any -> $HOME_NET any (msg:"Phat hien tan cong Ping of Death"; dsize:>200; sid:1000004; fwsam:src, 30 minutes;)
(The msg value must be quoted and every option, including the last one, ends with ';'. dsize:>200 also matches ordinary large pings, and fwsam blocks the source address of every match, so a spoofed source would be blocked as well; the scenario in section IV uses the stricter rule with dsize:>1000 and a detection_filter.)
- Rule to detect and block a SCAN with nmap
# vi /etc/snort/rules/scan.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:7; fwsam:src, 1 month;)
alert tcp any any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7; fwsam:src, 1 month;)
Step 7: Enable ip_forward
# echo 1 > /proc/sys/net/ipv4/ip_forward
(Mind the spaces: "echo 1>/proc/..." redirects echo's output and writes an empty line instead of 1.)
# vi /etc/sysctl.conf
line 7: net.ipv4.ip_forward = 1
Step 8: Disable SELinux
# vi /etc/selinux/config
line 7: SELINUX=disabled
(Disabling SELinux is a lab shortcut; it removes one layer of protection from the firewall host itself.)
Step 9: Restart the server
# init 6
Step 10: Start the snortsam service
# snortsam /etc/snortsam.conf
IV. Test scenarios
- Start barnyard2
# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.u2
- Start Snort
# snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
- Start SnortSam
# snortsam /etc/snortsam.conf
1. Attacker performs an nmap XMAS scan against the Web Server
On the BASE interface we see the SCAN nmap XMAS alert.
The rule used for detection:
alert tcp any any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7; fwsam:src, 2 months;)
With this rule the attacker's IP is blocked for 2 months. (Section III configured the same sid with 1 month; whatever value is in the loaded rule file is what SnortSam applies.)
2. Attacker performs a DoS Ping of Death attack
In the first scenario the attacker's IP 10.10.10.2 was blocked after a Snort rule detected it. For this scenario the attacker's IP address therefore has to change so the attack can continue; in this lab the attacker's IP becomes 10.10.10.10. This also shows the limit of address-based blocking: an attacker who can change or spoof the source address simply starts again from an unblocked address.
Use ifconfig on Backtrack to check the IP:
Step 1: The attacker uses the hping3 tool to send many large packets to the Web Server.
Step 2: Check iptables
We see iptables blocking (DROP) the attacker's IP 10.10.10.10.
Step 3: View the web interface: http://192.168.2.254/base/
We see the Ping of Death Detected alert on the web.
The rule used for detection:
alert icmp any any -> any any (msg:"Ping of Death Detected"; dsize:>1000; itype:8; icode:0; detection_filter:track by_src, count 30, seconds 1; sid:31047; classtype:denial-of-service; rev:3; fwsam:src, 30 minutes;)
(detection_filter makes the rule fire only once a single source has sent more than 30 matching echo requests within one second, so an isolated large ping does not trigger the block.)
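The following is an added example, not code from the lab report, Snort or SnortSam: a runtime model of this rule and of what the fwsam option configured in section III (steps 4 to 6) asks the SnortSam agent to do. detection_filter "track by_src, count 30, seconds 1" lets the rule fire only after one source has exceeded 30 matches in a one-second window; fwsam "src, 30 minutes" then sends a block request for that source, and the agent installs an iptables DROP and removes it when the time is up. The events are constructed (timestamp, source, ICMP type, dsize) tuples, the agent is a model that only records the equivalent iptables commands (chain and exact form are this example's assumption), and the duration parser accepts the unit spellings used in the lab's rules rather than reproducing SnortSam's own parser.

```python
"""Added example (not from the lab report, Snort or SnortSam): a model of
detection_filter thresholding plus fwsam blocking with expiry."""
from collections import deque

UNITS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400,
         "week": 7 * 86400, "month": 30 * 86400, "year": 365 * 86400}


def parse_duration(spec):
    """'30 minutes' -> 1800.  The unit is matched by prefix, so 'min',
    'minutes' and 'months' all work (assumed; SnortSam's parser is not reproduced)."""
    num, unit = spec.strip().split()
    for prefix, secs in UNITS.items():
        if unit.lower().startswith(prefix):
            return int(num) * secs
    raise ValueError("unknown duration unit in %r" % spec)


class DetectionFilter:
    """Per-source sliding window: true once more than `count` hits fall within `seconds`."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.hits = {}                      # src -> deque of hit timestamps

    def hit(self, src, ts):
        q = self.hits.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > self.seconds:
            q.popleft()                     # forget hits that left the window
        return len(q) > self.count          # fires on hit count+1 and every later hit in the window


class SnortSamModel:
    """Block table with expiry; records the iptables commands an agent would run (approximation)."""

    def __init__(self, iface="eth0"):
        self.iface = iface
        self.blocked = {}                   # src -> expiry timestamp
        self.commands = []

    def is_blocked(self, src, now):
        return self.blocked.get(src, 0) > now

    def block(self, src, duration_s, now):
        if self.is_blocked(src, now):
            return False                    # repeat requests for an already blocked host are ignored
        self.blocked[src] = now + duration_s
        self.commands.append("iptables -I FORWARD -i %s -s %s -j DROP" % (self.iface, src))
        return True

    def expire(self, now):
        for src in [s for s, t in self.blocked.items() if t <= now]:
            del self.blocked[src]
            self.commands.append("iptables -D FORWARD -i %s -s %s -j DROP" % (self.iface, src))


# parameters of the page's rule: dsize:>1000; itype:8; count 30 / seconds 1; fwsam src, 30 minutes
RULE = {"dsize_min": 1000, "itype": 8, "count": 30, "seconds": 1, "fwsam": "30 minutes"}


def run(events, rule=RULE):
    """Feed (ts, src, itype, dsize) events through the rule; return alerts, commands, dropped count."""
    df = DetectionFilter(rule["count"], rule["seconds"])
    agent = SnortSamModel()
    alerts, dropped = [], 0
    for ts, src, itype, dsize in sorted(events):
        agent.expire(ts)
        if agent.is_blocked(src, ts):
            dropped += 1                    # netfilter drops it, but Snort (libpcap) still sees it on the wire
        if itype != rule["itype"] or dsize <= rule["dsize_min"]:
            continue                        # rule body does not match
        if df.hit(src, ts):
            alerts.append((ts, src))
            agent.block(src, parse_duration(rule["fwsam"]), ts)
    return {"alerts": alerts, "commands": agent.commands, "dropped": dropped}


def demo():
    """Constructed traffic: 40 oversized pings in 0.8 s from 10.10.10.10 (the lab's attacker),
    a few normal pings from 10.10.10.2, then one attacker ping inside the block window and one after it."""
    events = [(i * 0.02, "10.10.10.10", 8, 1400) for i in range(40)]
    events += [(i * 0.2, "10.10.10.2", 8, 56) for i in range(5)]
    events += [(1000.0, "10.10.10.10", 8, 1400), (2000.0, "10.10.10.10", 8, 1400)]
    return run(events)


if __name__ == "__main__":
    result = demo()
    print("alerts: %d, packets dropped by the block: %d" % (len(result["alerts"]), result["dropped"]))
    for cmd in result["commands"]:
        print(cmd)
```

Two things the model makes visible: the rule keeps alerting on every packet past the threshold while the window lasts, so in practice it is paired with a threshold (threshold.conf) to keep BASE readable; and because Snort sniffs the interface, it goes on matching packets that netfilter already drops, which is why the agent has to ignore repeat block requests instead of stacking rules.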
Note: Snort has a great many intrusion detection rules; testing other rules follows the same steps as above.