Differences

This shows you the differences between two versions of the page.

--- анализ_трафика [2010/11/19 14:35]
val
+++ анализ_трафика [2013/05/22 13:50]
127.0.0.1 внешнее изменение
@@ Line 5: / Line 5: @@
 ==== Cisco Switch ====
 <code>
-monitor session 1 source interface f0/1 both
+monitor session 1 source interface f0/0 both
-monitor session 1 destination interface f0/2
+monitor session 1 destination interface f0/15
 </code>
 ==== Unix ====
 <code>
-[server:~] # ifconfig eth1|le1 up
+server# ifconfig eth2|em2 up
-[server:~] # tcpdump -ni eth1|le1 -A -s 0 "port 80"
+server# tcpdump -ni eth2|em2 -A -s 0 "port 80"
 </code>
@@ Line 22: / Line 23: @@
 [[http://www.circlemud.org/~jelson/software/tcpflow/]]
-===== Анализ трафика для предотвращения атак - пакет Snort =====
+===== Анализ трафика для детектирования атак - пакет Snort =====
-==== FreeBSD ====
+[[Сервис SNORT]]
-Периодически надо устанавливать новую версию из портов для поддержки новых правил
+===== Анализ трафика для предотвращения атак - пакет Snortsam =====
-<code>
+[[Сервис SNORTSAM]]
-[server:~] # pkg_add -r snort
-[server:~] # cd /usr/local/etc/snort
-[server:~] # cat /usr/local/etc/snort/snort.conf
-...
-output alert_syslog: LOG_AUTH LOG_ALERT
-output alert_fast: alert
-...
-[server:local/etc/snort] # fetch http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
-[server:local/etc/snort] # tar -xvf snortrules-snapshot-2.8.tar.gz rules/
-!!! Раскомментировать правило
-[server:local/etc/snort] # cat rules/web-iis.rules
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)
-[server:~] # /usr/local/etc/rc.d/snort rcvar
-[server:~] # cat /etc/rc.conf
-...
-snort_enable=YES
-snort_interface=le1
-[server:~] # /usr/local/etc/rc.d/snort start
-Starting snort.
-</code>
-==== Ubuntu ====
-<code>
-root@server:~# apt-get install snort
-root@server:~# cat /etc/snort/snort.debian.conf
-...
-DEBIAN_SNORT_INTERFACE="eth1"
-DEBIAN_SNORT_HOME_NET="0.0.0.0/0"
-...
-[server:~] # cat /etc/snort/snort.conf
-...
-output alert_syslog: LOG_AUTH LOG_ALERT
-output alert_fast: alert
-...
-</code>
-==== Проверки ====
-=== UNIX ===
-<code>
-# tail -f /var/log/snort/alert
-</code>
-=== FreeBSD ===
-<code>
-# tail -f /var/log/messages
-</code>
-=== Ubuntu ===
-<code>
-# tail -f /var/log/auth.log
-</code>
-=== Windows MSIE ===
-<code>
-http://val.bmstu.ru/root.exe
-</code>
-==== Обновление правил snort - пакет oinkmaster ====
-=== FreeBSD ===
-<code>
-[server:~] # pkg_add -r oinkmaster
-[server:~] # rehash
-[server:~] # cd /usr/local/etc/
-</code>
-=== Ubuntu ===
-<code>
-root@server:~# apt-get install oinkmaster
-root@server:~# cd /etc/
-</code>
-=== FreeBSD/Ubuntu ===
-<code>
-server# cat oinkmaster.conf
-...
-url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
-...
-tmpdir = /var/tmp/
-...
-server# oinkmaster -o /CHANGE/DIR/snort/rules/
-</code>
-==== Построение отчета о работе snort - пакет snortsnarf (только FreeBSD) ====
-<code>
-[server:~] # pkg_add -r snortsnarf
-</code><code>
-[server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
-</code><code>
-#!/bin/sh
-D=`date -v-1d '+%Y.%m.%d'`
-/usr/local/etc/rc.d/snort stop
-/bin/mv /var/log/snort/alert /var/log/snort/alert.
-/usr/local/etc/rc.d/snort start
-for i in /var/log/snort/alert.*
-do
-  cat ${i} >> /var/log/snort/alert${D}
-  rm ${i}
-done
-/usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D}
-rm /var/log/snort/alert${D}
-/usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \;
-</code>
-==== Блокировка хостов - пакет Snortsam ====
-=== FreeBSD ===
-<code>
-[server:~] # pkg_add -r snortsam
-[server:~] # more /usr/local/share/doc/snortsam/README.conf
-[server:~] # cd /usr/local/etc/snortsam/
-</code>
-=== Ubuntu ===
-<code>
-root@server:~# cd /usr/src
-root@server:/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.69.tar.gz
-root@server:/usr/src# tar -xvf snortsam-src-2.69.tar.gz
-root@server:/usr/src# cd snortsam/
-root@server:/usr/src/snortsam# sh makesnortsam.sh
-root@server:/usr/src/snortsam# cp snortsam /usr/sbin/
-root@server:/usr/src/snortsam# mkdir /etc/snortsam
-root@server:/usr/src/snortsam# cd /etc/snortsam
-</code>
-=== Варианты взаимодействия snortsam и cisco ===
-В случае использования aaa new-model требуется пользователь c priv-lvl = 1
-== Использование списков доступа и протокола telnet ==
-(nat подменяет обратный адрес)
-<code>
-server# cat snortsam.acl
-</code><code>
-conf terminal
-no ip access-list extended ACL_FIREWALL
-ip access-list extended ACL_FIREWALL
- snortsam-ciscoacl-begin
- snortsam-ciscoacl-end
- permit tcp any host 192.168.X.3 eq www
- permit icmp any any
- permit udp any any
- permit tcp any any established
- deny   ip any any log
-end
-</code><code>
-server# cat snortsam.conf
-</code><code>
-daemon
-nothreads
-accept 127.0.0.1
-defaultkey secret
-# ciscoacl 192.168.X.2 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl
-# ciscoacl 192.168.X.2 cisco cisco /etc/snortsam/snortsam.acl
-logfile /var/log/snortsam.log
-</code>
-FreeBSD:
-<code>
-[server:~] # /usr/local/etc/rc.d/snortsam rcvar
-[server:~] # /usr/local/etc/rc.d/snortsam start
-</code>
-Ubuntu:
-<code>
-root@server:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf
-</code>
-== Использование списков доступа и протокола tftp ==
-<code>
-server# cat /tftpboot/snortsam.acl
-</code><code>
-no ip access-list extended ACL_FIREWALL
-ip access-list extended ACL_FIREWALL
- snortsam-ciscoacl-begin
- snortsam-ciscoacl-end
- permit tcp any host 192.168.X.3 eq www
- permit icmp any any
- permit udp any any
- permit tcp any any established
- deny   ip any any log
-end
-</code><code>
-server# cat snortsam.tftp
-copy tftp://192.168.X.1/ running-config
-server# cat snortsam.conf
-...
-# ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
-# ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp
-...
-server# cd /tftpboot/
-</code>
-FreeBSD:
-<code>
-[server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf
-</code>
-Ubuntu:
-<code>
-root@server:/tftpboot# snortsam /etc/snortsam/snortsam.conf
-</code>
-== Использование null маршрутов ==
-<code>
-server# cat snortsam.conf
-...
-cisconullroute 192.168.X.2 student/tacacs cisco
-...
-</code>
-==== Подключение Snort к Snortsam ====
-=== FreeBSD ===
-<code>
-[server:~] # cd /usr/ports/security/snort
-[server:ports/security/snort] # make config
-[server:ports/security/snort] # cat /var/db/ports/snort/options
-...
-WITH_SNORTSAM=true
-...
-[server:ports/security/snort] # make install clean
-[server:ports/security/snort] # cd /usr/local/etc/snort/
-</code>
-=== Ubuntu ===
-[[http://www.snortsam.net/files/snort-plugin/readme.txt]]
-<code>
-root@server:~# apt-get install libpcap-dev libpcre3-dev libtool automake autoconf
-root@server:~# cd /usr/src
-root@server:/usr/src# wget http://www.snortsam.net/files/snort-plugin/snortsam-2.8.6.diff.gz
-root@server:/usr/src# gunzip snortsam-2.8.6.diff.gz
-root@server:/usr/src# wget http://dl.snort.org/downloads/116
-root@server:/usr/src# mv snort-2.8.6.1.tar.gz\?AWSA...  snort-2.8.6.1.tar.gz
-root@server:/usr/src# tar -xvf snort-2.8.6.tar.gz
-root@server:/usr/src# cd snort-2.8.6
-root@server:/usr/src/snort-2.8.6# patch -p1 < ../snortsam-2.8.6.diff
-root@server:/usr/src/snort-2.8.6# sh autojunk.sh
-root@server:/usr/src/snort-2.8.6# ./configure --prefix /usr/local/snort
-root@server:/usr/src/snort-2.8.6# make
-root@server:/usr/src/snort-2.8.6# make install
-root@server:/usr/src/snort-2.8.6# cp -r etc/ /usr/local/snort/
-root@server:~# ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
-root@server:~# ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
-root@server:~# cd /usr/local/snort/
-root@server:/usr/local/snort# wget http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
-root@server:/usr/local/snort# tar -xvf snortrules-snapshot-2.8.tar.gz rules/
-root@server:/usr/local/snort# cd /usr/local/snort/etc
-</code>
-=== Настройка FreeBSD/Ubuntu ===
-<code>
-server# cat snort.conf
-</code><code>
-...
-output alert_fwsam: 127.0.0.1:898/secret
-...
-</code><code>
-server# cat sid-block.map
-</code><code>
-: src, 2 min
-</code><code>
-!!! Раскомментировать правило !!!
-server# grep 1256 web-iis.rules
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256;  rev:7;)
-server# grep web-application-attack classification.config
-config classification: web-application-attack,Web Application Attack,1
-</code>
-=== Запуск в Ubuntu ===
-<code>
-root@server:~# /usr/local/snort/bin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
-</code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools