This shows you the differences between two versions of the page.
анализ_трафика [2010/11/23 07:27] val
анализ_трафика [2011/11/30 10:52] 127.0.0.1 external edit
Line 5: | Line 5: | ||
==== Cisco Switch ==== | ==== Cisco Switch ==== | ||
<code> | <code> | ||
- | monitor session 1 source interface f0/1 both | + | monitor session 1 source interface f0/0 both |
- | monitor session 1 destination interface f0/2 | + | monitor session 1 destination interface f0/15 |
</code> | </code> | ||
==== Unix ==== | ==== Unix ==== | ||
<code> | <code> | ||
- | server# ifconfig eth1|le1 up | + | server# ifconfig eth2|em2 up |
- | server# tcpdump -ni eth1|le1 -A -s 0 "port 80" | + | server# tcpdump -ni eth2|em2 -A -s 0 "port 80" |
</code> | </code> | ||
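Review bot: the revised Unix lines in this hunk still write the interface as "eth2|em2" (Linux name, then FreeBSD name) inside one command; pasted as-is into a shell, "ifconfig eth2|em2 up" is a pipeline, not an interface name. Suggest one <code> block per OS, or a comment saying the reader picks one of the two names. The rest of the change is internally consistent (SPAN destination moves from f0/2 to f0/15, sniffing interface from eth1/le1 to eth2/em2), so the remaining check is that f0/15 is the switch port the sniffer's new NIC is actually cabled to and that f0/0 is the intended uplink: "both" mirrors ingress and egress, and with "-A -s 0" every HTTP request and response body seen on that port is printed in clear, so the capture host and its terminal output need restricted access.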
Line 26: | Line 26: | ||
[[Сервис SNORT]] | [[Сервис SNORT]] | ||
- | ===== Использование пакета Snortsam для блокировки хостов ===== | ||
- | |||
- | ==== Установка пакета ==== | ||
- | |||
- | === FreeBSD === | ||
<code> | <code> | ||
- | [server:~] # pkg_add -r snortsam | + | [server:~] # /usr/local/etc/rc.d/snort stop |
+ | [server:~] # pkg_delete -x snort | ||
+ | [server:~] # rm -r /usr/local/etc/snort/ | ||
- | [server:~] # more /usr/local/share/doc/snortsam/README.conf | + | root@server:~# /etc/init.d/snort stop |
- | + | root@server:~# apt-get purge snort | |
- | [server:~] # cd /usr/local/etc/snortsam/ | + | |
</code> | </code> | ||
- | === Ubuntu === | + | ===== Использование пакета Snortsam для блокировки хостов ===== |
- | <code> | + | |
- | root@server:~# cd /usr/src | + | |
- | root@server:/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.69.tar.gz | + | [[Сервис SNORTSAM]] |
- | root@server:/usr/src# tar -xvf snortsam-src-2.69.tar.gz | + | |
- | root@server:/usr/src# cd snortsam/ | + | |
- | root@server:/usr/src/snortsam# sh makesnortsam.sh | ||
- | root@server:/usr/src/snortsam# cp snortsam /usr/sbin/ | ||
- | root@server:/usr/src/snortsam# mkdir /etc/snortsam | ||
- | root@server:/usr/src/snortsam# cd /etc/snortsam | ||
- | </code> | ||
- | |||
- | ==== Варианты блокировки хостов на cisco router ==== | ||
- | |||
- | В случае использования aaa new-model требуется пользователь c priv-lvl = 1 | ||
- | |||
- | === 1. Использование списков доступа и протокола telnet === | ||
- | |||
- | <code> | ||
- | server# cat snortsam.acl | ||
- | </code><code> | ||
- | conf terminal | ||
- | no ip access-list extended ACL_FIREWALL | ||
- | ip access-list extended ACL_FIREWALL | ||
- | snortsam-ciscoacl-begin | ||
- | snortsam-ciscoacl-end | ||
- | permit tcp any host 192.168.X.3 eq www | ||
- | permit icmp any any | ||
- | permit udp any any | ||
- | permit tcp any any established | ||
- | deny ip any any log | ||
- | end | ||
- | </code><code> | ||
- | server# cat snortsam.conf | ||
- | </code><code> | ||
- | daemon | ||
- | nothreads | ||
- | accept 127.0.0.1 | ||
- | defaultkey secret | ||
- | # ciscoacl 192.168.X.1 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl | ||
- | # ciscoacl 192.168.X.1 cisco cisco /etc/snortsam/snortsam.acl | ||
- | logfile /var/log/snortsam.log | ||
- | </code> | ||
- | |||
- | FreeBSD: | ||
- | <code> | ||
- | [server:~] # /usr/local/etc/rc.d/snortsam rcvar | ||
- | |||
- | [server:~] # /usr/local/etc/rc.d/snortsam start | ||
- | </code> | ||
- | |||
- | Ubuntu: | ||
- | <code> | ||
- | root@server:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf | ||
- | </code> | ||
- | |||
- | === 2. Использование списков доступа и протокола tftp === | ||
- | <code> | ||
- | server# cat /tftpboot/snortsam.acl | ||
- | </code><code> | ||
- | no ip access-list extended ACL_FIREWALL | ||
- | ip access-list extended ACL_FIREWALL | ||
- | snortsam-ciscoacl-begin | ||
- | snortsam-ciscoacl-end | ||
- | permit tcp any host 192.168.X.3 eq www | ||
- | permit icmp any any | ||
- | permit udp any any | ||
- | permit tcp any any established | ||
- | deny ip any any log | ||
- | end | ||
- | </code><code> | ||
- | server# cat snortsam.tftp | ||
- | copy tftp://192.168.X.1/ running-config | ||
- | |||
- | server# cat snortsam.conf | ||
- | ... | ||
- | # ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp | ||
- | # ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp | ||
- | ... | ||
- | server# cd /tftpboot/ | ||
- | </code> | ||
- | |||
- | FreeBSD: | ||
- | <code> | ||
- | [server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf | ||
- | </code> | ||
- | |||
- | Ubuntu: | ||
- | <code> | ||
- | root@server:/tftpboot# snortsam /etc/snortsam/snortsam.conf | ||
- | </code> | ||
- | |||
- | === 3. Использование null маршрутов === | ||
- | <code> | ||
- | server# cat snortsam.conf | ||
- | ... | ||
- | cisconullroute 192.168.X.1 student/tacacs cisco | ||
- | ... | ||
- | </code> | ||
- | |||
- | ==== Подключение Snort к Snortsam ==== | ||
- | |||
- | === FreeBSD === | ||
- | <code> | ||
- | [server:~] # cd /usr/ports/security/snort | ||
- | |||
- | [server:ports/security/snort] # make config | ||
- | |||
- | [server:ports/security/snort] # cat /var/db/ports/snort/options | ||
- | ... | ||
- | WITH_SNORTSAM=true | ||
- | ... | ||
- | |||
- | [server:ports/security/snort] # make install clean | ||
- | |||
- | [server:ports/security/snort] # cd /usr/local/etc/snort/ | ||
- | </code> | ||
- | |||
- | === Ubuntu === | ||
- | [[http://www.snortsam.net/files/snort-plugin/readme.txt]] | ||
- | <code> | ||
- | root@server:~# apt-get install libpcap-dev libpcre3-dev libtool automake autoconf | ||
- | |||
- | root@server:~# cd /usr/src | ||
- | root@server:/usr/src# wget http://www.snortsam.net/files/snort-plugin/snortsam-2.8.6.diff.gz | ||
- | root@server:/usr/src# gunzip snortsam-2.8.6.diff.gz | ||
- | |||
- | root@server:/usr/src# wget http://dl.snort.org/downloads/116 | ||
- | root@server:/usr/src# mv snort-2.8.6.1.tar.gz\?AWSA... snort-2.8.6.1.tar.gz | ||
- | |||
- | root@server:/usr/src# tar -xvf snort-2.8.6.tar.gz | ||
- | root@server:/usr/src# cd snort-2.8.6 | ||
- | |||
- | root@server:/usr/src/snort-2.8.6# patch -p1 < ../snortsam-2.8.6.diff | ||
- | root@server:/usr/src/snort-2.8.6# sh autojunk.sh | ||
- | root@server:/usr/src/snort-2.8.6# ./configure --prefix /usr/local/snort | ||
- | root@server:/usr/src/snort-2.8.6# make | ||
- | |||
- | root@server:/usr/src/snort-2.8.6# make install | ||
- | root@server:/usr/src/snort-2.8.6# cp -r etc/ /usr/local/snort/ | ||
- | |||
- | root@server:~# ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine | ||
- | root@server:~# ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor | ||
- | |||
- | root@server:~# cd /usr/local/snort/ | ||
- | |||
- | root@server:/usr/local/snort# wget http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz | ||
- | root@server:/usr/local/snort# tar -xvf snortrules-snapshot-2.8.tar.gz rules/ | ||
- | root@server:/usr/local/snort# cd /usr/local/snort/etc | ||
- | </code> | ||
- | |||
- | === Настройка FreeBSD/Ubuntu === | ||
- | <code> | ||
- | server# cat snort.conf | ||
- | </code><code> | ||
- | ... | ||
- | output alert_fwsam: 127.0.0.1:898/secret | ||
- | ... | ||
- | </code><code> | ||
- | server# cat sid-block.map | ||
- | </code><code> | ||
- | 1256: src, 2 min | ||
- | </code><code> | ||
- | !!! Раскомментировать правило !!! | ||
- | |||
- | server# grep 1256 web-iis.rules | ||
- | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;) | ||
- | |||
- | server# grep web-application-attack classification.config | ||
- | config classification: web-application-attack,Web Application Attack,1 | ||
- | </code> | ||
- | |||
- | === Запуск в Ubuntu === | ||
- | <code> | ||
- | root@server:~# /usr/local/snort/bin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 | ||
- | </code> | ||
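Review bot: the five added lines at the top of this hunk (rc.d stop, "pkg_delete -x snort", "rm -r /usr/local/etc/snort/", "/etc/init.d/snort stop", "apt-get purge snort") land in a single unlabeled <code> block directly under [[Сервис SNORT]], mixing FreeBSD and Ubuntu commands that the removed text kept under separate "=== FreeBSD ===" and "=== Ubuntu ===" headings; restore those labels, or add a one-line heading stating that this block removes the packaged Snort before the Snortsam material now moved to [[Сервис SNORTSAM]]. Two cautions deserve a sentence beside the commands: "pkg_delete -x" treats its argument as a regular expression, so "pkg_delete -x snort" also matches an installed snortsam package; and "rm -r /usr/local/etc/snort/" deletes the edited snort.conf and sid-block.map that the removed section configured, with no backup step shown. The relocated content also carried the shared key in clear ("defaultkey secret", "output alert_fwsam: 127.0.0.1:898/secret") and router credentials on the "ciscoacl" lines; if the destination page reproduces them, they should be marked as placeholders to change, and the config files given restrictive permissions.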