- Intrusion Prevention System (IPS): a system that combines the intrusion detection (ID) function with the ability to block unauthorized intrusions.
2. Functions
Basic applications of an IDS:
- Identify threats that may occur
- Record information and logs to support threat control
- Detect activity that probes the system
- Identify weaknesses in the security policy
- Prevent violations of the security policy
Main features of an IDS:
- Store information related to the objects being monitored
2. Main characteristics
Snort consists of several components, each with its own function. The main components are:
- Packet Decoder module
- Preprocessors module
- Detection Engine module
- Logging and Alerting System module
- Output module
Rule Option:
* Rule options follow the rule header and are enclosed in parentheses. One option or several options can be given inside the same pair of parentheses. If you use several options, they are combined with AND: the action in the rule header is taken only when every criterion in the options is true. You already used options such as msg and ttl in the earlier example. Every option is defined by a keyword, and rule options carry arguments. Usually an option has two parts, a keyword and an argument, and the argument is separated from the keyword by a colon (:). For example: msg: "Detected confidential"
Here msg is the keyword and Detected confidential is the argument for that keyword. The common keywords follow. Each operates on its own protocol, so its meaning differs from protocol to protocol.
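As an added example (not Snort's own parser), a minimal parser for the rule syntax just described: header, then "keyword:argument;" options in parentheses, with the AND semantics applied to a constructed packet record. Only msg, ttl (equality), content and nocase are interpreted; any other keyword fails closed.

```python
import re

HEADER_FIELDS = ["action", "proto", "src", "sport", "dir", "dst", "dport"]

# constructed sample rule using the msg keyword from the text
EXAMPLE_RULE = ('alert tcp any any -> 192.168.1.0/24 80 '
                '(msg:"Detected confidential"; content:"confidential"; nocase; ttl:64;)')

def parse_rule(rule: str) -> dict:
    """Split a rule into header fields and an ordered list of (keyword, argument)."""
    head, _, tail = rule.partition("(")
    if not tail.rstrip().endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    header = dict(zip(HEADER_FIELDS, head.split()))
    body = tail.rstrip()[:-1]
    options = []
    # split on ';' only when it is outside double quotes
    for item in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        item = item.strip()
        if not item:
            continue
        keyword, sep, arg = item.partition(":")
        # options like 'nocase' are bare keywords with no argument
        options.append((keyword.strip(), arg.strip().strip('"') if sep else None))
    return {"header": header, "options": options}

def rule_matches(rule: dict, packet: dict) -> bool:
    """AND semantics: every option must hold, otherwise the header action is not taken."""
    nocase = any(kw == "nocase" for kw, _ in rule["options"])
    for keyword, arg in rule["options"]:
        if keyword in ("msg", "nocase"):
            continue                      # informational / modifier, no packet test
        if keyword == "ttl":
            if packet.get("ttl") != int(arg):
                return False
        elif keyword == "content":
            payload, needle = packet.get("payload", ""), arg
            if nocase:
                payload, needle = payload.lower(), needle.lower()
            if needle not in payload:
                return False
        else:
            return False                  # unsupported keyword: fail closed
    return True

if __name__ == "__main__":
    rule = parse_rule(EXAMPLE_RULE)
    print(rule["header"], rule["options"])
    print(rule_matches(rule, {"ttl": 64, "payload": "GET /CONFIDENTIAL.txt"}))
```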
CHAPTER IV. HONEYPOTS IN IDS/IPS SYSTEMS
1. Introduction
- A honeypot is an information-resource system built to impersonate real assets in order to deceive illegitimate users and intruders, attract their attention, and keep them away from the real systems.
- "Information-resource system" means a honeypot can impersonate any kind of resource server, such as a mail server, a Domain Name Server or a web server. The honeypot interacts directly with the attacker and tries to extract information about the attacker, such as the form of attack, the tools used and how it is carried out, instead of being attacked itself.
2. Types of honeypot
There are two main types: low-interaction and high-interaction.
+ Low-interaction: emulates services, applications and operating systems. Low risk, easy to deploy and maintain, but limited in the services it offers.
+ High-interaction: real services, applications and operating systems. A high amount of information is collected, but the risk is high and operation and maintenance take time.
3. Operating mechanism
3.1. Data control mechanism
Data control is performed right at the gateway (Honeywall) and relies on two mechanisms:
- First, limiting the number of outbound connections.
- Second, filtering malicious packets (Packet Scrubbing).
A. LIMITING THE NUMBER OF OUTBOUND CONNECTIONS
This mechanism allows any inbound connection but limits and controls the number of outbound connections; once the limit is reached, every further outbound connection is blocked. The limit is set by the administrator. Raising the number of allowed outbound connections lets the attacker's activity proceed further, so we collect more information, but it also creates more danger. Allowing few or no outbound connections reduces the risk, but it raises the attacker's suspicion and may reveal that they are interacting with a Honeynet.
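The outbound-limit mechanism above, modelled as an added example (not Honeywall code) as a stateful decision function run over constructed connection records. The honeynet address range, the per-window limit and the window length are assumptions.

```python
import ipaddress
from collections import defaultdict

HONEYNET = ipaddress.ip_network("10.0.0.0/24")   # assumed honeypot address range

class OutboundLimiter:
    """Inbound connections are always allowed; new outbound connections from each
    honeypot are counted per time window and blocked once the limit is reached."""

    def __init__(self, limit: int, window_seconds: int):
        self.limit = limit                      # chosen by the administrator
        self.window = window_seconds
        self.counts = defaultdict(int)          # (honeypot, window index) -> connections

    def decide(self, ts: float, src: str, dst: str) -> str:
        src_in = ipaddress.ip_address(src) in HONEYNET
        dst_in = ipaddress.ip_address(dst) in HONEYNET
        if not (src_in and not dst_in):
            return "allow"                      # inbound or honeypot-to-honeypot traffic
        key = (src, int(ts // self.window))
        if self.counts[key] >= self.limit:
            return "block"                      # limit reached: later outbound is dropped
        self.counts[key] += 1
        return "allow"

def apply_policy(records, limit=3, window_seconds=3600):
    """Return the decision for each (timestamp, src, dst) record, in order."""
    limiter = OutboundLimiter(limit, window_seconds)
    return [limiter.decide(ts, src, dst) for ts, src, dst in records]

# constructed sample: an outside host connects in, then the compromised honeypot
# 10.0.0.5 opens five outbound connections within one hour and one more later
SAMPLE_RECORDS = [
    (0, "203.0.113.7", "10.0.0.5"),
    (60, "10.0.0.5", "198.51.100.9"),
    (120, "10.0.0.5", "198.51.100.9"),
    (180, "10.0.0.5", "198.51.100.20"),
    (240, "10.0.0.5", "198.51.100.21"),
    (300, "10.0.0.5", "198.51.100.22"),
    (7200, "10.0.0.5", "198.51.100.9"),
]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_RECORDS, apply_policy(SAMPLE_RECORDS)):
        print(rec, verdict)
```

A lower limit (including 0) blocks outbound traffic sooner, which is the trade-off the text describes between information gathered and risk of exposure.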
B. FILTERING MALICIOUS PACKETS (PACKET SCRUBBING)
This mechanism is responsible for detecting data flows that endanger the system. Malicious-packet filtering is usually performed by a network-level intrusion prevention system, NIPS (Network Intrusion Prevention System); here specifically it is the Snort IDS.
- Operates at the network level
- Operates at the system level
- Operates at the application level
4. A little about Honeynet
4.1 Introduction
- A Honeynet is a high-interaction form of honeypot. Unlike honeypots, a Honeynet is a real system, exactly like a normal working network. The Honeynet provides real systems, applications and services.
- The most important element when building a honeynet is the honeywall. The honeywall is the gateway between the honeypots and the outside network. It operates at layer 2 as a bridge. All traffic entering and leaving the honeypots must pass through the honeywall.
c. Data analysis: the main purpose of a honeynet is to collect information. Once information is collected, the user must be able to analyze it.
d. Data collection: gathering data from several honeynets into one central source. This applies only to organizations with multiple honeynets; most organizations have only one.
1. Model
2. Implementation steps and results
Install the required packages
# yum install -y mysql-bench mysql-server mysql-devel yum-utils php-mysql httpd gcc pcre-devel php-gd gd distcache-devel mod_ssl glib2-devel gcc-c++ php php-pear
# yum --disablerepo=\* --enablerepo=c5-media groupinstall "Development Tools"
# yum --disablerepo=\* --enablerepo=c5-media groupinstall "Development Libraries"
# yum --disablerepo=\* --enablerepo=c5-media groupinstall "MySQL Database"
Install the PEAR packages
# pear install Numbers_Roman-1.0.2 Numbers_Words-0.16.1 Image_Color-1.3 Image_Canvas-0.3.2 Image_GraphViz-1.3.0RC3 Image_Graph-0.7.2 Log-1.12.0
Stop the unnecessary services and start the httpd and mysql services
# service iptables stop
Install Snort
Go into the snort-2.8.4.1 directory
# cd snort/snort-2.8.4.1
# ./configure --with-mysql-libraries=/usr/lib64/mysql --enable-dynamicplugin
# mysql -p
Create a password for the snort account.
mysql> use mysql;
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
Create the database for snort.
mysql> CREATE DATABASE snort;
mysql> use snort;
mysql> show tables;
Install BASE and ADODB
- Copy base-1.4.4.gz and adodb.gz into /var/www/html
- Extract the two files
- Rename the base-1.4.4 directory to base
# cd /var/www/html
# mv base-1.4.4 base
- Copy base_conf.php.dist in the base directory and rename it to base_conf.php
# cd /var/www/html/base
# cp base_conf.php.dist base_conf.php
- Configure BASE by editing base_conf.php
Change the following settings in the file:
line 57: $BASE_urlpath = '/base';
line 79: $DBlib_path = '/var/www/html/adodb';
line 101: $alert_dbname = 'snort';
Using a web browser on CentOS, go to localhost/base and choose Setup page
Click Create BASE AG
Go back to localhost/base to view the traffic passing through (note that snort must be running in debug mode)