1 SNORT Tran Phuong Binh C13QM15

8/10/2019 1 SNORT Tran Phuong Binh C13QM15

1/20

TRIN KHAI H THNGPHT HIN XM NHPSNORT/SNORTSAM/SMS

ALERT

Hng dn: TRN PHNG BNH

Lp: C13QM15 - HUTECH

Email :[email protected] : http://facebook.com/binbin.1993

Website :http://tpbnetworking.blogspot.com
mailto:[email protected]://tpbnetworking.blogspot.com/http://tpbnetworking.blogspot.com/mailto:[email protected]


2/20

http://tpbnetworking.blogspot.com Trn Phng Bnh- C13QM15

1

ITng quan v Snort IDS

Snort l mt dng IDS (Instruction Detection System). IDS l mt h thng c ci t trn mnglm nhim v gim st nhng packet vo ra h thng mng. Khi Snort pht hin mt cuc tn cngth n c th phn ng bng nhiu cch khc nhau ty thuc vo cu hnh m ngi qun tr mng

thit lp, chng hn nh n c th gi thng ip cnh bo n nh qun tr hay loi b gi tin khipht hin c s bt thng trong cc gi tin .

Snort hot ng da trn cc lut rule xy dng sn v phi c cp nht thng xuyn. Mi luti din cho mt cuc tn cng. Khi c mt packet n h thng n s c p vo tp lut, nu cs so trng snort s phn ng.

V d v 1 rule:

alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountdaccess";)

Phn u ca lut m t cch hnh ng (rule's action) l alert, giao thc (tcp) v a ch IP ngun,ch cng nh thng tin v port. Phn ny gi l rule header.

Phn cn li ca lut, c bit nh rule option,cha thng ip bo ng v thng tin s csnort s dng kim tra xem liu lut c ph hp (match) vi gi tin khng.

IIChun b h thng

Chun b h thng nh sau tt c u c gi lp trnmy o VMWare10.(Ch : My

CentOS dng lm FireWall phi kt ni ra internet ci t Snort v SnortSam).Th mc

source ci t lin quan u c lu tr ti :https://sourceforge.net/projects/snortsnortsam/

Tn Thit B Cu hnh Ghi Ch

01 PC LINUXOS: CENTOS 6.532 bit

RAM: 800MDng lm firewall IDS/IPS

01 PC Windows OS: Windows Server 2003

RAM: 800Dng lm Web Server

01 PC Linux OS: Backtrack 5r3 Dng cho Hacker
https://sourceforge.net/projects/snortsnortsam/https://sourceforge.net/projects/snortsnortsam/https://sourceforge.net/projects/snortsnortsam/https://sourceforge.net/projects/snortsnortsam/


3/20


2

IIIM hnh demo gii php

1.Ci t Snort

Trn my CentOS m terminal v thc hin cc lnh sau:

Bc 1:Thc hin Update Repository

#rpm -Uhvhttp://master.dl.sourceforge.net/project/snortsnortsam/rpmforge-release-0.5.2-

2.el6.rf.i686.rpm

Bc 2: Ci t cc gi cn thit cho snort

#yum -y install libdnet libdnet-devel libpcap libpcap-devel daq gcc make flex bison pcre pcre-

devel zlib zlib-devel

#yum install -y mysql-server mysql-devel php-mysql php-adodb php-pear php-gd httpd wget

Bc 3: Start dch v http, mysql

#service httpd start

#chkconfig httpd on

#service mysqld start

#chkconfig mysqld on
http://master.dl.sourceforge.net/project/snortsnortsam/rpmforge-release-0.5.2-2.el6.rf.i686.rpmhttp://master.dl.sourceforge.net/project/snortsnortsam/rpmforge-release-0.5.2-2.el6.rf.i686.rpmhttp://master.dl.sourceforge.net/project/snortsnortsam/rpmforge-release-0.5.2-2.el6.rf.i686.rpmhttp://master.dl.sourceforge.net/project/snortsnortsam/rpmforge-release-0.5.2-2.el6.rf.i686.rpmhttp://master.dl.sourceforge.net/project/snortsnortsam/rpmforge-release-0.5.2-2.el6.rf.i686.rpmhttp://master.dl.sourceforge.net/project/snortsnortsam/rpmforge-release-0.5.2-2.el6.rf.i686.rpm


4/20


3

Bc 4: Ci t DAQ

# cd /tmp ; wgethttp://master.dl.sourceforge.net/project/snortsnortsam/daq-1.1.1.tar.gz

# tar -xzvf daq-1.1.1.tar.gz

# cd daq-1.1.1/

# ./configure

# make&& make install

# ldconfig -v

Bc 5:To user snort v cc th mc cn thit

# groupadd snort

# useradd -g snort snort

# mkdir /usr/local/snort

# mkdir /etc/snort

# mkdir /var/log/snort

# mkdir /var/run/snort

# chown snort:snort /var/log/snort

# chown snort:snort /var/run/snort

#mkdir -p /usr/local/lib/snort_dynamicrules

#chown -R snort:snort /usr/local/lib/snort_dynamicrules

#chmod -R 700 /usr/local/lib/snort_dynamicrules

Bc 6:Download v Ci t Snort

# cd /tmp ; wgethttp://master.dl.sourceforge.net/project/snortsnortsam/snort-2.8.4.1.tar.gz

# tar -xzvf snort-2.8.4.1.tar.gz

# cd snort-2.8.4.1/

#./configure --with-mysql --enable-dynamicplugin


# cp /tmp/snort-2.8.4.1/etc/snort.conf /etc/snort/

# cp /tmp/snort-2.8.4.1/etc/unicode.map /etc/snort/

# cp /tmp/snort-2.8.4.1/etc/classification.config /etc/snort/

# cp /tmp/snort-2.8.4.1/etc/threshold.conf /etc/snort
http://master.dl.sourceforge.net/project/snortsnortsam/daq-1.1.1.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/daq-1.1.1.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/daq-1.1.1.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snort-2.8.4.1.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snort-2.8.4.1.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snort-2.8.4.1.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snort-2.8.4.1.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/daq-1.1.1.tar.gz


5/20


4

Bc 7: Download cc rules cho Snort

#cd /tmp ; wgethttp://master.dl.sourceforge.net/project/snortsnortsam/snortrules-snapshot-

2.8.tar.gz

# tar -zxvf snortrules-snapshot-2.8.tar.gz

# cd snortrules-snapshot-2.8

#cp -R rules /etc/snort/

# chown -R snort:snort /etc/snort/

Bc 8:Chnh sa file cu hnh Snort

# vi /etc/snort/snort.conf

26:var HOME_NET 192.168.2.0/16

110:var RULE_PATH /etc/snort/rules

Bc 9: Cu hnh init script cho Snort

To mt lin kt mm (symbolic link) ca file snort binary n /usr/sbin/snort

#ln -s /usr/local/bin/snort /usr/sbin/snort

Snort cung cp cc scrip khi ng trong th mc rpm/ ; (th mc gii nn snort)

#cp /tmp/snort-2.8.4.1/rpm/snortd /etc/init.d/

#cp /tmp/snort-2.8.4.1/rpm/snort.sysconfig /etc/sysconfig/snort

#cp /tmp/snort-2.8.4.1/etc/reference.config /etc/snort/

Bc 10: Start Snort khi khi ng

# chmod +x /etc/init.d/snortd

# chkconfig snortd on

#service snortd start

Bc 11: Khi ng snort ch debug nu bn mun kim tra li:

#snort -u snort -g snort -c /etc/snort/snort.conf -i eth0
http://master.dl.sourceforge.net/project/snortsnortsam/snortrules-snapshot-2.8.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snortrules-snapshot-2.8.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snortrules-snapshot-2.8.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snortrules-snapshot-2.8.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snortrules-snapshot-2.8.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snortrules-snapshot-2.8.tar.gz


6/20


5

2.Ci t BASE & barnyard2

Bc 1:Ci t cc gi ph thuc

# pear channel-update pear.php.net

# pear install Numbers_Roman

# pear install channel://pear.php.net/Image_Canvas-0.3.5

# pear install channel://pear.php.net/Image_Graph-0.8.0

Bc 2:Cu hnh MySQL

mysqladmin -u root password 123456

# mysql -u root -p

mysql> create database snort;

Query OK, 1 row affected (0.00 sec)

mysql> grant select,insert,update,delete,create on snort.* to snort@localhost;

Query OK, 0 rows affected (0.06 sec)

mysql> set password for snort@localhost=PASSWORD('123456');

Query OK, 0 rows affected (0.00 sec)

mysql>exit

Bc 3: Cu hnh file snort#vi /etc/snort/snort.conf

709:output unified2: filename snort.u2, limit 128

Bc 4: Ci t barnyard2

#cd /tmp ; wgethttp://master.dl.sourceforge.net/project/snortsnortsam/barnyard2-1.9.tar.gz

# tar -xzvf barnyard2-1.9.tar.gz

# cd barnyard2-1.9

# ./configure --with-mysql (nu Cetnos 32bit)

#./configure -with-mysql-libraries=/usr/lib64/mysql/(nu Cetnos64bit)


# cp etc/barnyard2.conf /etc/snort/

# mysql -u snort -p123456 snort < schemas/create_mysql

# touch /etc/snort/barnyard2.waldo

# chmod 777 /etc/snort/barnyard2.waldo

# chown snort:snort /etc/snort/barnyard2.waldoBc 5: Chnh sa file cu hnh barnyard2
http://master.dl.sourceforge.net/project/snortsnortsam/barnyard2-1.9.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/barnyard2-1.9.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/barnyard2-1.9.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/barnyard2-1.9.tar.gz


7/20


6

#mkdir /var/log/barnyard2

#chown snort:snort /var/log/barnyard2/

# vi /etc/snort/barnyard2.conf

29:config reference_file: /etc/snort/reference.config

30:config classification_file: /etc/snort/classification.config

31:config gen_file: /etc/snort/etc/gen-msg.map

32:config sid_file: /etc/snort/etc/sid-msg.map

44:config logdir: /var/log/barnyard2

60:config hostname: localhost

61:config interface: eth0

65:config alert_with_interface_name

164:input unified2

318:output database: alert, mysql, user=snort password=123456 dbname=snort

host=localhost

Bc 6:Chnh sa file init script cho barnyard2

# vi /etc/init.d/snortd

(Thm vo cui file ni dung sau)

BARNYARD2=/usr/local/bin/barnyard2

start()

{

[ -x $SNORTD ] || exit 5

echo -n $"Starting $prog: "

daemon --pidfile=$PID_FILE $SNORTD $LINK_LAYER $NO_PACKET_LOG

$DUMP_APP -D $PRINT_INTERFACE $INTERFACE -u $USER -g $GROUP $CONF -l

$LOGDIR $PASS_FIRST $BPFFILE $BPF && success || failure

RETVAL=$?

$BARNYARD2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w

/etc/snort/barnyard2.waldo -u snort -g snort -D


8/20


7

[ $RETVAL -eq 0 ] && touch $lockfile

echo

return $RETVAL

}

stop()

{

echo -n $"Stopping $prog: "

killproc $SNORTD

killproc $BARNYARD2

if [ -e $PID_FILE ]; then

chown -R $USER:$GROUP /var/run/snort_eth0.* && rm -f /var/run/snort_eth0.pi*

fi

RETVAL=$?

if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then

trap TERM

killall $prog 2>/dev/null

trap TERM

fi

[ $RETVAL -eq 0 ] && rm -f $lockfile

echo

return $RETVAL

}

Bc 7: Restart snort


9/20


8

# /etc/init.d/snortd restart

Bc 8: Install Base

# cd /tmp ; wgethttp://master.dl.sourceforge.net/project/snortsnortsam/base-1.4.5.tar.gz

# tar -xzvf base-1.4.5.tar.gz

# cp -r base-1.4.5/ /var/www/base

# cd /var/www/base/

# cp base_conf.php.dist base_conf.php

Bc 9: Chnh sa file cu hnh base_conf

# vi base_conf.php

50:$BASE_urlpath = '/base';

80:$DBlib_path = ''/var/www/adodb';

102:$alert_dbname = 'snort';

103:$alert_host = 'localhost';

104:$alert_port = '3306';

105:$alert_user = 'snort';

106:$alert_password = 123456'';

Bc 10:Cu hnh Apache

# vi /etc/httpd/conf.d/base.conf

Alias /base /var/www/base/

AllowOverride None

Order allow,deny

Allow from all

AuthName "Snort IDS"

AuthType Basic

AuthUserFile /etc/snort/base.passwd

Require valid-user

Bc 11: To password truy cp vo web Base

#htpasswd -c /etc/snort/base.passwd snortadmin

Bc 12:To file log barnyard2

#mkdir /var/log/barnyard2/

#chown -R snort:snort /var/log/barnyard2/

Bc 13: Download adodb v thc hin gn quyn truy cp
http://master.dl.sourceforge.net/project/snortsnortsam/base-1.4.5.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/base-1.4.5.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/base-1.4.5.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/base-1.4.5.tar.gz


10/20


11/20


10

3.Ci t SnortSam

Bc 1: Ci t Libtool

#yum -y install libtool

#cd /tmp ; wgethttp://master.dl.sourceforge.net/project/snortsnortsam/libtool-2.4.2.tar.gz

#tar -zxvf libtool-2.4.2.tar.gz

#cd libtool-2.4.2

#./configure -prefix=/usr

#make&& make install

Bc 2: Download SnortSam

#cd /tmp ; wgethttp://master.dl.sourceforge.net/project/snortsnortsam/snortsam-src-2.70.tar.gz

#tar -zxvf snortsam-src-2.70.tar.gz

# cd snortsam

#chmod +x makesnortsam.sh

# sh ./makesnortsam.sh

# cp snortsam /usr/bin

Bc 2: Update cu hnh cho Snort

#cd /tmp ; wgethttp://master.dl.sourceforge.net/project/snortsnortsam/snortsam-2.8.4.1.diff# cd snort-2.8.4.1

#patch -p1 < /tmp/snortsam-2.8.4.1.diff

#chmod +x autojunk.sh

#sh ./autojunk.sh

#aclocal -I m4 --install

#cp ./m4/libprelude.m4 /usr/share/aclocal

#autoreconf -fvi -I ./m4

#aclocal

#autoheader
http://master.dl.sourceforge.net/project/snortsnortsam/libtool-2.4.2.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/libtool-2.4.2.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/libtool-2.4.2.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snortsam-src-2.70.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snortsam-src-2.70.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snortsam-src-2.70.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/snortsam-2.8.4.1.diffhttp://master.dl.sourceforge.net/project/snortsnortsam/snortsam-2.8.4.1.diffhttp://master.dl.sourceforge.net/project/snortsnortsam/snortsam-2.8.4.1.diffhttp://master.dl.sourceforge.net/project/snortsnortsam/snortsam-2.8.4.1.diffhttp://master.dl.sourceforge.net/project/snortsnortsam/snortsam-src-2.70.tar.gzhttp://master.dl.sourceforge.net/project/snortsnortsam/libtool-2.4.2.tar.gz


12/20


11

#automake --add-missing

#autoconf

# autoreconf --force --install

#./configure --enable-zlib-enable-sourcefire

# ./configure --enable-sourcefire --enable-ipv6 --enable-dynamicplugin --with-mysql

#make&& make install

Bc 4:Cu hnh Snortsam

#cp /tmp/snortsam/conf/snortsam.conf.sample /etc/snortsam.conf

#vi /etc/snortsam.conf

(Chnh sa cc thng s sau, thm vo cui file)

accept 192.168.2.0/24

logfile /var/log/snortsam

loglevel 3

daemon

fwsam 192.168.2.254

iptables eth0

Bc 5:Chnh sa file cu hnh snort.conf

#vi /etc/snort/snort.conf

(Thm vo dng sau)

output alert_fwsam: 192.168.2.254:898

Bc 6:Chnh sa cc rule

-

Rule pht hin v chng DOS vi dng ping of death

#vi /etc/snort/rules/icmp.rules

alert icmp any any -> $HOME_NET any (msg:Phat hien tan cong Ping of Death; dsize:

>200;sid: 1000004;fwsam:src, 30 minutes;)

- Rule pht hin v chng SCAN bng nmap

#vi /etc/snort/rules/scan.rules

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless;

flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:7;fwsam:src,

1months;)

alert tcp any any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless;

flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7;

fwsam:src, 1 months;)

Bc 7: Bt tnh nng ip_forward


13/20


12

#echo 1>/proc/sys/net/ipv4/ip_forward

#vi /etc/sysctl.conf

7:net.ipv4.ip_forward = 1

Bc 8: Tt SELINUX

#vi /etc/selinux/config

7:SELINUX=disabled

Bc 9: Restart Server

#init 6

Bc 10: Start dch v snortsam

#snortsam /etc/snortsam.conf


14/20


13

IV- Kch bn test chng trnh

- Khi ng barnyard2

#barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.u2

- Khi ng Snort

#snort -u snort -g snort -c /etc/snort/snort.conf -i eth0

- Khi ng Snortsam

#snortsam /etc/snortsam


15/20


16/20


17/20


16

Ta thy trn giao din hin ln cnh bo SCAN nmap XMAS

Rule s dng pht hin:

alert tcp any any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless;

flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7; fwsam:src,

2 months;)

Vi rule ny th ip ca attacker s b kha trong thi gian l 2 thng.

2. Attaker thc hin tn cng DOS Ping of death


18/20


17

kch bn th nht ip 10.10.10.2 ca attcker b kha v b 1 rule ca snort pht hin. Do

vy kch bn ny a ch ip ca my attacker s phi thay i c th tip tc tn cng. Ip

ca attacker theo bi lab ny s i thnh 10.10.10.10.

Dng lnh ifconfig trn Backtrack xem ip:

Bc 1:Attacker s dng cng c hping3 gi nhiu gi tin vi kch thc ln n Web

Server.


19/20


18

Bc 2:Kim tra trn iptables

Ta thy iptables kha (DROP) ip 10.10.10.10 ca Attacker.

Bc 4: Xem trn giao dinweb:http://192.168.2.254/base/
http://192.168.2.254/base/http://192.168.2.254/base/http://192.168.2.254/base/http://192.168.2.254/base/


20/20


19

Ta thy c cnh bo Ping of Death Detected trn web.

Rule c dng pht hin:

alert icmp any any -> any any (msg:"Ping of Death Detected"; dsize:>1000; itype:8; icode:0;

detection_filter:track by_src, count 30, seconds 1; sid:31047; classtype:denial-of-service;

rev:3;fwsam:src, 30 minutes)

Ghi ch: Snort c rt nhiu rule pht hin xm nhp. vic test cc rule khc cng tng t

nh cc bc trn.

1 SNORT Tran Phuong Binh C13QM15

Documents

Transcript of 1 SNORT Tran Phuong Binh C13QM15