
TABLE OF CONTENTS

CHAPTER I: OVERVIEW OF NETWORK SECURITY

CHAPTER II: OVERVIEW OF IDS/IPS
I. BASIC INTRODUCTION TO IDS/IPS
1. Definitions
2. Functions
3. Differences between IDS and IPS
4. How an IDS/IPS works
CHAPTER III. SNORT IN IDS/IPS SYSTEMS
1. Introduction
2. Main characteristics
3. Snort architecture
3.1 Packet decoder module
3.2 Preprocessor module
3.3 Detection module
3.4 Logging and alerting module
3.5 Output module
4. Rulesets in Snort
4.1 Structure of a rule
CHAPTER IV. HONEYPOTS IN IDS/IPS SYSTEMS
1. Introduction
2. Types of honeypot
3. How it works
3.1 Data control
4. A little about honeynets
4.1 Introduction
4.2 Honeynet architecture (GenII)
CHAPTER V. DEMO: MONITORING A NETWORK WITH SNORT
1. Topology
2. Steps and results

CHAPTER I: OVERVIEW OF NETWORK SECURITY

Security is a major concern for every network in today's enterprise environment. Hackers and intruders have repeatedly succeeded in breaking into corporate networks and carrying off large amounts of valuable information. Many methods have been developed to secure network infrastructure and Internet communications, such as firewalls, encryption and VPNs (virtual private networks); intrusion detection systems are one of them.
Intrusion detection is a set of technologies and methods used to detect suspicious activity on both hosts and networks. Intrusion detection methods have emerged over recent years. With intrusion detection you can collect and use information about known attack types to find out whether someone is trying to attack your network or an individual machine. Information collected this way can be used to make the network more secure, and collecting it is entirely legal. Both commercial and open-source products are available for this purpose.
An intrusion detection system (IDS) is a security mechanism that detects attacks, including abuse and misuse originating from inside the system, and that, with anomaly-based detection, can also flag attack types not seen before; it complements traditional security measures such as firewalls rather than replacing them (blocking is the job of an IPS or firewall, not of a pure IDS). IDS has been researched, developed and applied for a long time around the world and plays an important role in security policies. Although intrusion detection methods are still comparatively new, IDS is today regarded as a top-tier security system.
Based on the above, I carried out this project hoping not only to help readers understand the basic concepts of IDS, but also to help them build an IDS suited to their own requirements that can be widely applied in practice.
CHAPTER II: OVERVIEW OF IDS/IPS
I. BASIC INTRODUCTION TO IDS/IPS
1. Definitions
- Intrusion Detection System (IDS): a system that monitors activity on a network and analyses it to find signs of attack or intrusion.

The following figure illustrates the places where an IDS is typically installed in a network: [figure not reproduced in this text]

- Intrusion Prevention System (IPS): a system that combines intrusion detection (ID) with the ability to block unauthorised intrusions.
2. Functions
Basic uses of an IDS:
- Identify threats that may occur
- Record information and logs to support threat control
- Identify reconnaissance (probing) activity against the system
- Identify weaknesses in the security policy
- Discourage security-policy violations by making them visible (an IDS reports them; only an IPS can block them)
Main features of an IDS:
- Store information about the objects under observation
- Alert on significant events involving the objects under observation
- Produce reports.
3. Differences between IDS and IPS

              IDS                                  IPS
Name          Intrusion Detection System           Intrusion Detection and Prevention System
Function      detects and reports intrusions       detects, reports and blocks intrusions

Which one to use depends on the size and nature of the network. In a small network with a single security server, an IPS is the most sensible choice. In larger networks the blocking function is usually delegated to a dedicated product (a firewall, ...) and the IDS only detects and reports. Keep in mind that an inline IPS acting on a false positive drops legitimate traffic, whereas an IDS false positive costs only an alert.
4. How an IDS/IPS works
There are two basic approaches to detecting and preventing intrusions:
Misuse detection model: the system detects intrusions by looking for actions that match known intrusion techniques or known vulnerable points of the system.
Anomaly detection model: the system detects intrusions by looking for actions that deviate from the normal behaviour of users or of the system.
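As an added example (not part of the original report), the following Python code runs both models over a constructed set of connection records: a misuse detector that matches three signatures against request payloads, and an anomaly detector that learns a per-source "distinct destination ports" baseline and flags sources whose fan-out exceeds mean plus three standard deviations. The records, the signatures and the threshold rule are all assumptions made for this example.

```python
"""Misuse (signature) detection versus anomaly detection over constructed records."""
import re
import statistics
from collections import defaultdict

# Constructed sample records: (src_ip, dst_port, payload). Not captured traffic.
BASELINE = [                                    # quiet period used to learn "normal"
    ("10.0.0.5", 80, "GET /index.html"),
    ("10.0.0.5", 443, "GET /login"),
    ("10.0.0.6", 80, "GET /about"),
    ("10.0.0.6", 25, "EHLO mail"),
    ("10.0.0.7", 80, "GET /index.html"),
    ("10.0.0.7", 53, "A? example.com"),
    ("10.0.0.8", 80, "GET /"),
]

LIVE = [                                        # period under inspection
    ("10.0.0.5", 80, "GET /index.html"),
    ("198.51.100.9", 80, "GET /../../etc/passwd"),            # matches known signatures
    ("198.51.100.9", 80, "GET /login?u=admin' OR '1'='1"),    # matches a known signature
] + [  # a port sweep: no payload signature, but an unusual number of ports per source
    ("203.0.113.4", p, "SYN") for p in (21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080)
]

# Misuse model: patterns derived from known attack techniques.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I),
    "passwd file access": re.compile(r"/etc/passwd"),
}


def misuse_detect(records):
    """Return (src_ip, signature_name) for every record matching a known signature."""
    hits = []
    for src, _port, payload in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.append((src, name))
    return hits


def distinct_ports_per_source(records):
    """Fan-out feature: how many different destination ports each source touched."""
    ports = defaultdict(set)
    for src, port, _payload in records:
        ports[src].add(port)
    return {src: len(p) for src, p in ports.items()}


def anomaly_threshold(baseline, k=3.0):
    """Learn 'normal' fan-out as mean + k standard deviations over the baseline period."""
    counts = list(distinct_ports_per_source(baseline).values())
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def anomaly_detect(records, threshold):
    """Anomaly model: sources whose fan-out exceeds the learned threshold."""
    fanout = distinct_ports_per_source(records)
    return sorted(src for src, n in fanout.items() if n > threshold)


if __name__ == "__main__":
    threshold = anomaly_threshold(BASELINE)
    print("misuse hits:", misuse_detect(LIVE))
    print(f"anomaly threshold {threshold:.2f}, anomalous sources:",
          anomaly_detect(LIVE, threshold))
```

Run on the constructed data, each model catches the intruder the other misses: the signature set has nothing for a port sweep, and the sweeping host's individual packets look ordinary, while the anomaly model ignores the traversal and SQL-injection requests because one request to port 80 is perfectly normal fan-out. This complementarity is the reason an IDS such as Snort combines signatures with protocol and anomaly checks.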

CHAPTER III. SNORT IN IDS/IPS SYSTEMS

1. Introduction

Snort is an open-source, signature-based IDS. By combining the benefits of signature, protocol and anomaly inspection, Snort has become the most widely deployed IDS/IPS technology in the world.
Snort is a modern security application with three main modes of operation: it can serve as a packet sniffer, a packet logger, or a network intrusion detection system (NIDS).
Snort mainly analyses and alerts on the TCP/IP protocol suite.

2. Main characteristics

Snort is primarily a rule-based IDS, but input plug-ins also exist to detect anomalies in protocol headers.
The data captured and analysed by Snort can be stored in a database for later analysis.
Snort uses rules stored in text files that the administrator can edit. Rules are grouped into categories, and the rules of each category are kept in a separate file.

3. Snort architecture

Snort consists of several components, each with its own function. The main components are:
- Packet decoder module (Packet Decoder)
- Preprocessor module (Preprocessors)
- Detection module (Detection Engine)
- Logging and alerting module (Logging and Alerting System)
- Output module (Output Modules)

3.1 Packet decoder module

The packet decoder takes packets from the different kinds of network interface and prepares them to be passed to the preprocessors or sent on to the detection engine.
3.2 Preprocessor module
Preprocessors are components or plug-ins used with Snort to arrange and modify packet data before the detection engine searches it for dangerous content; for example, they reassemble fragmented and out-of-order traffic so that a signature split across several packets can still be matched, which also defeats simple fragmentation-based evasion. Some preprocessors can also find anomalies in packet headers and generate alerts themselves.
Preprocessors are very important to an IDS because they prepare the packet data for matching against the rules in the detection engine.
3.3 Detection module
The detection engine is the most important component of Snort. It is responsible for detecting whether a packet contains intrusive activity.
The detection engine uses Snort rules for this purpose. The rules are read into internal data structures or chains, where they are matched against every packet. If a packet matches a rule, the corresponding action is taken; for example the packet may be dropped (only possible when Snort runs inline). Other actions are logging the packet or generating an alert.
* The performance of the detection engine depends on the following factors:
- the number of rules loaded;
- the power of the machine Snort is running on;
- the internal bus throughput of that machine;
- the traffic load on the network.
3.4 Logging and alerting module
Depending on what the detection engine finds in a packet, the packet may be used to log the activity or to raise an alert. Logs are kept in simple text files, tcpdump-style files or other formats. By default all log files are stored in the /var/log/snort directory. Command-line options can change the location of log files and alerts; these options, together with the details of logging and alerting, are discussed in a later section.
3.5 Output module
Output modules can do the following:
- simply write to /var/log/snort or to another directory;
- send SNMP traps;
- send messages to syslog;
- write to a database such as MySQL or Oracle;
- generate eXtensible Markup Language (XML) output;
- add configuration to routers and firewalls;
- send Server Message Block (SMB) messages to Microsoft Windows systems.
Other tools can also deliver the alerts in other formats, such as e-mail or a web interface.
4. Rulesets in Snort
Like viruses, most intrusion activity has some kind of signature. Information about these signatures is used to create Snort rules.
4.1 Structure of a rule
* Every rule has two logical parts: the rule header and the rule options.
Rule structure
* Rule header: contains the action the rule takes, together with the criteria (protocol, addresses, ports and direction) for matching the rule against a packet.
* Rule options: contain the alert message, information about which parts of the packet are inspected to generate the alert, and further matching criteria.
A rule can detect one or several kinds of intrusive behaviour. A well-written rule is one that covers many intrusion signatures.
The general structure of the rule header is:
action protocol source_address source_port direction destination_address destination_port
* Action: what the rule does when all criteria are met and a packet matches the rule exactly. Typical actions are raising an alert, logging the packet, or activating another rule.
* Protocol: restricts the rule to packets of one particular protocol (tcp, udp, icmp or ip).
* For TCP and UDP, the port fields specify the source and destination ports the rule applies to. For network-layer protocols such as IP and ICMP, port numbers have no meaning and are written as any.

Rule options:
* Rule options follow the rule header and are enclosed in parentheses. One or more options can be given, separated by semicolons. When several options are used they are combined with AND: the action in the rule header is taken only when every option criterion is true. msg and ttl are examples of such options. Every option is introduced by a keyword, and most options take an argument, so an option usually has two parts, a keyword and an argument, separated by a colon; for example msg:"Detected confidential". Here msg is the keyword and "Detected confidential" is its argument. Some keywords operate on a particular protocol and therefore have a protocol-specific meaning.
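As an added example, not code from this report or from the Snort project, the following Python parser splits a Snort 2.x rule into the header fields and options described above and applies the sanity checks a practitioner wants before loading a rule: the action must be one of Snort's lower-case keywords, ip/icmp rules must not carry ports, msg must be quoted, sid should be in the local range (1,000,000 and above) and rev must be present. It also serves the ping rule of the demo in chapter V, which is included here as a sample in the broken form it appears there and in corrected form. The sample rules are constructed for the example, and the checks are the example's own policy rather than Snort's parser.

```python
"""Parse Snort 2.x rules into header + options and sanity-check them (added example)."""
import re
from dataclasses import dataclass, field

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
LOCAL_SID_MIN = 1_000_000      # sids below this belong to the official rulesets

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*", re.S)


@dataclass
class Rule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)   # [(keyword, argument or None), ...]

    def option(self, keyword):
        """Argument of the first option with this keyword (None if absent or bare)."""
        return next((arg for key, arg in self.options if key == keyword), None)

    def has_option(self, keyword):
        return any(key == keyword for key, _ in self.options)


def split_options(body):
    """Split the text inside (...) on ';' outside double quotes, so content:"a;b" survives."""
    parts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_rule(text):
    """Parse one rule line into a Rule; raise ValueError if the header shape is wrong."""
    m = HEADER_RE.fullmatch(text)
    if not m:
        raise ValueError("expected: action proto src sport -> dst dport (options)")
    *header, body = m.groups()
    options = []
    for item in split_options(body):
        key, sep, arg = item.partition(":")          # bare keywords such as nocase have no ':'
        options.append((key.strip(), arg.strip() if sep else None))
    return Rule(*header, options=options)


def check_rule(rule):
    """Problems worth flagging before a rule is loaded (this example's own policy)."""
    problems = []
    if rule.action not in ACTIONS:
        problems.append(f"unknown action {rule.action!r} (actions are lower-case)")
    if rule.protocol not in PROTOCOLS:
        problems.append(f"unknown protocol {rule.protocol!r}")
    if rule.protocol in ("ip", "icmp") and (rule.src_port, rule.dst_port) != ("any", "any"):
        problems.append("ports are meaningless for ip/icmp rules; use 'any'")
    msg = rule.option("msg")
    if msg is None:
        problems.append("missing msg")
    elif not (len(msg) >= 2 and msg[0] == '"' and msg[-1] == '"'):
        problems.append("msg argument must be double-quoted")
    sid = rule.option("sid")
    if sid is None or not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append(f"sid {sid} is in the range reserved for official rules")
    if not rule.has_option("rev"):
        problems.append("missing rev (needed to track revisions of the rule)")
    return problems


if __name__ == "__main__":
    for line in (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; '
        'flow:to_server,established; content:"/etc/passwd"; nocase; sid:1000001; rev:2;)',
        'Alert icmp any any <> any any (msg:Co nguoi Ping may minh; sid:1000000001;)',
        'alert icmp any any <> any any (msg:"Co nguoi Ping may minh"; sid:1000000001; rev:1;)',
    ):
        print(check_rule(parse_rule(line)) or "ok")
```

The second sample is the demo's ping rule exactly as written in chapter V: the checker reports the capitalised action, the unquoted message and the missing rev, and the third sample shows the corrected rule passing cleanly.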
CHAPTER IV. HONEYPOTS IN IDS/IPS SYSTEMS
1. Introduction
- A honeypot is an information resource system built to impersonate a real system in order to deceive unauthorised users and intruders, attract their attention and keep them away from the real system.
- "Information resource system" means that a honeypot can impersonate any kind of server or resource, such as a mail server, a DNS server or a web server. The honeypot interacts directly with the attacker and tries to gather information about the attacker, such as the attack method, the tools used and how the attack is carried out, instead of being attacked itself.
2. Types of honeypot
There are two main kinds: low-interaction and high-interaction.
+ Low-interaction: emulate services, applications and operating systems. Low risk, easy to deploy and maintain, but limited in the services offered.
+ High-interaction: real services, applications and operating systems. They yield much more information, but carry high risk and take time to operate and maintain.

- BackOfficer Friendly (BOF): a honeypot that is very easy to run and configure and works on any version of Windows and Unix, but it only interacts with a few simple services such as FTP, Telnet and SMTP.
- Specter: also a low-interaction honeypot, but with better interaction than BOF; it emulates 14 ports, can raise alerts and can be managed remotely. Like BOF, however, Specter is limited in the number of services and is not flexible.
- Honeyd:
+ Honeyd listens on all TCP and UDP ports; its emulated services are designed to block and log attacks and to play the role of a victim system towards the attacker.
+ Honeyd can emulate many different operating systems at the same time.
+ Honeyd now has many versions and can emulate around 473 operating system personalities.
+ Honeyd is a low-interaction honeypot with many advantages, but it has the drawback that it cannot offer a real operating system for the attacker to interact with, and it has no built-in alerting mechanism for when the system is compromised or endangered.

3. How it works
3.1 Data control
Data control is performed at the gateway (the Honeywall) and relies on two mechanisms:
- limiting the number of outbound connections;
- scrubbing malicious packets (packet scrubbing).
A. LIMITING THE NUMBER OF OUTBOUND CONNECTIONS
This mechanism allows any inbound connection but limits and controls the number of outbound connections; once the limit is reached, all further outbound connections are blocked. The limit is set by the administrator. Raising the number of allowed outbound connections lets the hacker's activity unfold further, so we collect more information, but it also creates more danger. Allowing few or no outbound connections reduces the risk, but arouses the attacker's suspicion and may reveal that they are interacting with a honeynet.
B. SCRUBBING MALICIOUS PACKETS (PACKET SCRUBBING)
This mechanism is responsible for detecting data flows that endanger the system. Packet scrubbing is usually performed by a network intrusion prevention system (NIPS), which here is the Snort IDS.

The purpose of the NIPS is to detect and block known attacks defined in its rule set. It does this by inspecting every packet as it passes through the gateway and comparing the packet contents with the database of attack patterns (the rules) to find signs of an attack. The NIPS blocks an attack in one of two ways:
1. Dropping the packet: a packet containing malicious content is discarded and not allowed out (the attack is blocked). This is simple to implement but inflexible, and it easily arouses the hacker's suspicion.
2. Replacing or modifying the packet: instead of dropping the packet, the NIPS rewrites its contents so that it is harmless to the outside system (the attack is neutralised). The NIPS changes a few bytes inside the exploit code, disabling its function, and lets the packet continue outward. The hacker sees the attack launched as intended. This gives us better control over the attacker's behaviour, and because it is far more flexible it is much harder for the hacker to detect.
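The two data-control mechanisms above, as an added Python model that is not the Honeynet Project's Honeywall code: a Honeywall object passes every inbound packet, counts new outbound connections per honeypot and drops them once the administrator's limit is reached, and rewrites known exploit bytes in outbound payloads instead of dropping them. The constructed scenario (one inbound exploit, then a compromised honeypot opening twenty outbound connections), the limit of 15 and the signature /bin/sh rewritten to /ben/sh are assumptions made for the example. The replacement keeps the byte length so that packet sizes and TCP sequence bookkeeping are not disturbed.

```python
"""Honeywall data control, modelled in Python: a per-honeypot outbound connection
limit plus inline scrubbing of known exploit bytes (added example, not Honeywall code)."""
from collections import defaultdict


class Honeywall:
    def __init__(self, outbound_limit, scrub_rules):
        # Administrator-set cap on new outbound connections per honeypot per time window.
        self.outbound_limit = outbound_limit
        # (signature, replacement) pairs of equal length: the rewritten packet keeps its size.
        for sig, repl in scrub_rules:
            if len(sig) != len(repl):
                raise ValueError("scrub replacement must have the same length as the signature")
        self.scrub_rules = scrub_rules
        self.outbound_connections = defaultdict(int)
        self.events = []   # (kind, src, dst) audit trail of every intervention

    def new_window(self):
        """Reset the per-honeypot counters at the start of a new time window."""
        self.outbound_connections.clear()

    def handle(self, pkt):
        """Decide the fate of one packet: returns (verdict, payload_out)
        with verdict in {'pass', 'drop', 'scrub'}."""
        if pkt["dir"] == "in":
            # Inbound traffic is never restricted: the attacker is meant to get in.
            return "pass", pkt["payload"]
        src = pkt["src"]
        if pkt["syn"]:
            # Only new outbound connections count against the limit.
            self.outbound_connections[src] += 1
            if self.outbound_connections[src] > self.outbound_limit:
                self.events.append(("limit", src, pkt["dst"]))
                return "drop", None
        # Below the limit: let the packet out, but disarm known exploit bytes so the
        # attacker sees the attack leave while the target outside is unharmed.
        for sig, repl in self.scrub_rules:
            if sig in pkt["payload"]:
                self.events.append(("scrub", src, pkt["dst"]))
                return "scrub", pkt["payload"].replace(sig, repl)
        return "pass", pkt["payload"]


# Constructed scenario (not captured traffic): an inbound exploit hits honeypot
# 10.1.1.10, after which the compromised honeypot tries 20 outbound connections,
# one of them carrying the same shell-spawning bytes towards an outside host.
ATTACKER, HONEYPOT, LIMIT = "198.51.100.9", "10.1.1.10", 15
SCRUB_RULES = [(b"/bin/sh", b"/ben/sh")]   # same length; the exec path no longer exists


def scenario_packets():
    yield {"dir": "in", "src": ATTACKER, "dst": HONEYPOT, "syn": True,
           "payload": b"\x90" * 8 + b"/bin/sh"}
    for i in range(1, 21):
        payload = b"/bin/sh -c id" if i == 3 else b"GET / HTTP/1.0\r\n\r\n"
        yield {"dir": "out", "src": HONEYPOT, "dst": f"203.0.113.{i}", "syn": True,
               "payload": payload}


def run_scenario(limit=LIMIT):
    """Run the constructed scenario through a fresh honeywall; return (verdicts, events)."""
    hw = Honeywall(limit, SCRUB_RULES)
    verdicts = [hw.handle(p) for p in scenario_packets()]
    return verdicts, hw.events


if __name__ == "__main__":
    verdicts, events = run_scenario()
    print([v for v, _ in verdicts])
    print(events)
```

With the limit at 15, the first fifteen outbound connections leave the honeynet (one of them scrubbed) and the remaining five are dropped; raising the limit removes the drops but lets more of the attacker's activity reach the outside, which is exactly the trade-off section A describes.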

C. DATA CAPTURE

Capturing data from the firewall:
- source IP address of the packet (possibly the address of the hacker's machine);
- destination IP address of the packet (usually the address of a honeypot);
- protocol used (usually the protocol of one of the network services the honeypot exposes for the hacker to attack);
- source port of the packet;
- destination port of the packet (usually the port of a service the honeynet opens for the hacker to attack);
- time at which the attack took place.

D. CAPTURING DATA FROM THE NETWORK STREAM

Capturing data from the network stream means capturing every packet, with its full payload, that enters or leaves the honeynet.
Capturing data from activity on the honeypots covers:
- network-level activity;
- system-level activity;
- application-level activity;
- user-level activity.

E. DATA ANALYSIS
The Honeynet provides two tools for data analysis:
* Hflow: automatically correlates the captured data.
* Walleye: reporting and statistics through a user-friendly web interface.
Hflow correlates the data sent back by the data-capture modules, normalises it and stores it in a database (MySQL). Hflow automatically determines: the operating system that initiated the network connection; the IDS events related to the connection; the IDS events related to processes and users on the honeypot; and the list of files involved in the attack.
Walleye:
Walleye retrieves the data collected and normalised by Hflow from the database and presents it to the analyst through a web interface, so that the analyst can grasp both the overall picture of the system's activity and the details of what happened on the network.

4. A little about honeynets
4.1 Introduction
- A honeynet is a high-interaction honeypot. Unlike ordinary honeypots, a honeynet is a real system that looks exactly like a normal working network: it provides real systems, applications and services.
- The most important element when building a honeynet is the honeywall, the gateway between the honeypots and the outside network. It operates at layer 2 as a bridge, so it needs no IP address on the monitored segment and is hard for the attacker to notice. All traffic into and out of the honeypots must pass through the honeywall.

4.2 Honeynet architecture (GenII)

a. Data control:
- Once a malicious actor has penetrated the honeynet, their activity is controlled.
- Inbound flows are not restricted; outbound flows are restricted.
b. Data capture:
As data comes in, the honeynet observes and records all destructive activity and later analyses the attacker's motives.

c. Data analysis: the main purpose of a honeynet is to collect information. To have information, the user must be able to analyse it.
d. Data collection: gathering data from several honeynets into one central source. This only applies to organisations with several honeynets; most organisations have just one.

CHAPTER V. DEMO: MONITORING A NETWORK WITH SNORT

1. Topology

[topology figure not reproduced in this text]

2. Steps and results
Install the required packages:
# yum install -y mysql-bench mysql-server mysql-devel yum-utils php-mysql httpd gcc \
    pcre-devel php-gd gd distcache-devel mod_ssl glib2-devel gcc-c++ php php-pear
# yum --disablerepo=\* --enablerepo=c5-media groupinstall "Development Tools"
# yum --disablerepo=\* --enablerepo=c5-media groupinstall "Development Libraries"
# yum --disablerepo=\* --enablerepo=c5-media groupinstall "MySQL Database"
Install the PEAR packages (the graphing libraries used by BASE):
# pear install Numbers_Roman-1.0.2 Numbers_Words-0.16.1 Image_Color-1.3 \
    Image_Canvas-0.3.2 Image_GraphViz-1.3.0RC3 Image_Graph-0.7.2 Log-1.12.0
Stop the services that are not needed, then enable httpd and mysqld:
# service iptables stop
(This switches the host firewall off entirely. That is acceptable in an isolated lab; on a sensor reachable from other machines keep iptables running and open only the ports used here: 80/443 for BASE and 10000 for Webmin.)

Then enable httpd and mysqld at boot and start them:
# chkconfig httpd on
# chkconfig mysqld on
# service httpd start
# service mysqld start
Download the following packages from the network into /root/snort/:

adodb480.gz
base-1.4.4.tar.gz
daq-1.1.1.tar.gz
libdnet-1.12.tgz
libpcap-1.0.0.tar.gz
snort-1.1.wbm
snort-2.8.4.1.tar.gz
snortrules-snapshot-2.8.tar.gz
webmin-1.400-1.noarch.rpm
- Install daq-1.1.1.tar.gz, libdnet-1.12.tgz, libpcap-1.0.0.tar.gz and snort-2.8.4.1.tar.gz.
Extract the archives:
# cd /root/snort
# tar xzf daq-1.1.1.tar.gz && tar xzf libdnet-1.12.tgz && tar xzf libpcap-1.0.0.tar.gz && tar xzf snort-2.8.4.1.tar.gz
- Enter the libdnet-1.12 directory and build it:
# cd /root/snort/libdnet-1.12
# ./configure && make && make install

Do the same for libpcap-1.0.0 and daq-1.1.1. (DAQ was introduced with Snort 2.9; Snort 2.8.4.1 links libpcap directly and never uses it, so the DAQ step is harmless but unnecessary for this version.)

Install Snort:
Enter the snort-2.8.4.1 directory:
# cd /root/snort/snort-2.8.4.1
# ./configure --with-mysql-libraries=/usr/lib64/mysql --enable-dynamicplugin
# make && make install

- Create the working directories for snort, rules, so_rules and logs:
# mkdir -p /etc/snort/rules /etc/snort/so_rules /var/log/snort
- Copy all configuration files from /root/snort/snort-2.8.4.1/etc to /etc/snort:
# cp /root/snort/snort-2.8.4.1/etc/* /etc/snort/
- Extract snortrules-snapshot-2.8.tar.gz and copy the precompiled shared-object rules to /etc/snort/so_rules:
# cp /root/snort/snortrules-snapshot-2.8.tar.gz_FILES/so_rules/precompiled/CentOS5.0/x86-64/2.8.5.1/* /etc/snort/so_rules/
(Precompiled shared-object rules only load in the exact Snort version they were built for. The directory used here is 2.8.5.1 while the Snort built above is 2.8.4.1; use the directory matching the installed version, or leave so_rules empty.)
- Copy the text rules to /etc/snort/rules:
# cp /root/snort/snortrules-snapshot-2.8.tar.gz_FILES/rules/* /etc/snort/rules
- Edit /etc/snort/snort.conf (line numbers are approximate):
line 110: var RULE_PATH /etc/snort/rules
line 688: output database: alert, mysql, user=snort password=123456 dbname=snort host=localhost
(snort.conf now holds the database password in clear text, so do not leave it world-readable: chown root:snort /etc/snort/snort.conf and chmod 640 /etc/snort/snort.conf. The password 123456 is the lab value used throughout this demo and should be replaced.)
Set Snort to start with the system:
Create a symbolic link from the snort binary to /usr/sbin/snort:
# ln -s /usr/local/bin/snort /usr/sbin/snort
Snort ships init scripts in the rpm/ directory of the extracted source:
# cp /root/snort/snort-2.8.4.1/rpm/snortd /etc/init.d/
# cp /root/snort/snort-2.8.4.1/rpm/snort.sysconfig /etc/sysconfig/snort
Create the group and user for snort:
# groupadd snort
# useradd -g snort -s /sbin/nologin snort
Give snort ownership of the log directory so that it can write its logs there:
# chown snort:snort /var/log/snort/
- Make the snortd script executable and enable it:
# chmod 755 /etc/init.d/snortd
# chkconfig snortd on
# service snortd start
To run Snort in the foreground (debug mode) when you want to check it:
# /root/snort/snort-2.8.4.1/src/snort -u snort -g snort -d -c /etc/snort/snort.conf
- Managing Snort with Webmin:

Install Webmin:
# rpm -ivh /root/snort/webmin-1.400-1.noarch.rpm

Open localhost:10000 in a browser and log in to Webmin with the root account.

- Integrate Snort into Webmin: choose Webmin Configuration > Webmin Modules > From uploaded file, select snort-1.1.wbm and click Install Module.

Create the snort database in MySQL:

# chkconfig mysqld on
# service mysqld start
First set a password for the MySQL root account.

# mysqladmin -u root password 123456

# mysql -u root -p
Create the snort account with its password:
mysql> CREATE USER 'snort'@'localhost' IDENTIFIED BY '123456';
Create the database for snort:

mysql> CREATE DATABASE snort;

mysql> GRANT CREATE, INSERT, SELECT, DELETE, UPDATE ON snort.* TO 'snort'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> exit
Create the tables from /root/snort/snort-2.8.4.1/schemas/create_mysql in the snort database (the database name follows the options; the schema file is fed on standard input):
# mysql -u root -p snort < /root/snort/snort-2.8.4.1/schemas/create_mysql
# mysql -u root -p
mysql> SHOW DATABASES;
mysql> USE snort;
mysql> SHOW TABLES;
Install BASE and ADODB
- Copy base-1.4.4.tar.gz and adodb480.gz to /var/www/html and extract both archives there (giving /var/www/html/base-1.4.4 and /var/www/html/adodb).
- Rename the base-1.4.4 directory to base:
# cd /var/www/html
# mv base-1.4.4 base
- Copy base_conf.php.dist in the base directory to base_conf.php:
# cd /var/www/html/base
# cp base_conf.php.dist base_conf.php
- Configure BASE by editing base_conf.php and setting the following entries (line numbers are approximate):
line 57:  $BASE_urlpath = '/base';
line 79:  $DBlib_path = '/var/www/html/adodb';
line 101: $alert_dbname = 'snort';
line 104: $alert_user = 'snort';
line 105: $alert_password = '123456';
line 108: $archive_exists = 1; # set this to 1 if you have an archive DB
line 109: $archive_dbname = 'snort';
line 112: $archive_user = 'snort';
line 113: $archive_password = '123456';
- Set ownership so that Apache can serve BASE:
# chown -R apache:apache /var/www/html/base
- Create a rule
Create ping.rules in /etc/snort/rules with the following content ("Co nguoi Ping may minh" means "someone is pinging my machine"; note that the action keyword is lower-case, the message is quoted, and a rev is included so the rule can be revised later):
alert icmp any any <> any any (msg:"Co nguoi Ping may minh"; sid:1000000001; rev:1;)
Save it, then open snort.conf:
# vi /etc/snort/snort.conf
Scroll down to the "# site specific rules" section and add (line ~809):
include $RULE_PATH/ping.rules
Restart httpd and Snort:
# service snortd restart
# service httpd restart
Or run Snort in the foreground (debug mode):
# /root/snort/snort-2.8.4.1/src/snort -u snort -g snort -d -c /etc/snort/snort.conf
Test:
On the client machine run Nmap against the address of the Linux sensor to probe it.

In a browser on the CentOS machine open localhost/base, choose Setup page,

then Create BASE AG.

Go back to localhost/base to see the traffic passing through (Snort must be running, e.g. in foreground mode).

Choose "Most recent 15 unique alerts" to view the 15 most recent alerts.
