анализ_трафика

анализ_трафика [2010/11/19 15:09]
val
анализ_трафика [2013/10/07 13:43] (current)
val [Cisco Switch]
Line 4: Line 4:
  
 ==== Cisco Switch ==== ==== Cisco Switch ====
-<​code>​ 
-monitor session 1 source interface f0/1 both 
-monitor session 1 destination interface f0/2 
-</​code>​ 
  
 +  * Настройка [[Оборудование уровня 2 Cisco Catalyst#​SPAN]] на switch
 ==== Unix ==== ==== Unix ====
 <​code>​ <​code>​
-server# ifconfig ​eth1|le1 up+server# ifconfig ​eth2|em2 up
  
-server# tcpdump -ni eth1|le1 -A -s 0 "port 80"+server# tcpdump -ni eth2|em2 -A -s 0 "port 80"
 </​code>​ </​code>​
  
Line 22: Line 19:
 [[http://​www.circlemud.org/​~jelson/​software/​tcpflow/​]] [[http://​www.circlemud.org/​~jelson/​software/​tcpflow/​]]
  
-===== Анализ трафика для ​предотвращения атак - пакет Snort =====+===== Анализ трафика для детектирования атак - пакет Snort =====
  
-==== FreeBSD ====+[[Сервис SNORT]]
  
-Периодически ​надо устанавливать новую версию из портов ​для поддержки новых правил+===== Анализ трафика для предотвращения атак - пакет Snortsam =====
  
-<​code>​ +[[Сервис SNORTSAM]]
-[server:~# pkg_add -r snort+
  
-[server:~] # cat /​usr/​local/​etc/​snort/​snort.conf 
-... 
-output alert_syslog:​ LOG_AUTH LOG_ALERT 
-output alert_fast: alert 
-... 
- 
-[server:~] # cd /​usr/​local/​etc/​snort 
- 
-[server:​local/​etc/​snort] # fetch http://​www.snort.org/​pub-bin/​oinkmaster.cgi/​xxxxxxxxxxxxxxxxx/​snortrules-snapshot-2.8.tar.gz 
- 
-[server:​local/​etc/​snort] # tar -xvf snortrules-snapshot-2.8.tar.gz rules/ 
- 
-!!! Раскомментировать правило 
-[server:​local/​etc/​snort] # cat rules/​web-iis.rules 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"​WEB-IIS CodeRed v2 root.exe access";​ flow:​to_server,​established;​ uricontent:"/​root.exe";​ nocase; metadata:​service http; reference:​url,​www.cert.org/​advisories/​CA-2001-19.html;​ classtype:​web-application-attack;​ sid:1256; rev:11;) 
- 
-[server:~] # /​usr/​local/​etc/​rc.d/​snort rcvar 
- 
-[server:~] # cat /​etc/​rc.conf 
-... 
-snort_enable=YES 
-snort_interface=le1 
- 
-[server:~] # /​usr/​local/​etc/​rc.d/​snort start 
-Starting snort. 
-</​code>​ 
- 
-==== Ubuntu ==== 
-<​code>​ 
-root@server:​~#​ apt-get install snort 
- 
-root@server:​~#​ cat /​etc/​snort/​snort.debian.conf 
-... 
-DEBIAN_SNORT_INTERFACE="​eth1"​ 
-DEBIAN_SNORT_HOME_NET="​0.0.0.0/​0"​ 
-... 
- 
-[server:~] # cat /​etc/​snort/​snort.conf 
-... 
-output alert_syslog:​ LOG_AUTH LOG_ALERT 
-output alert_fast: alert 
-... 
- 
-</​code>​ 
- 
-==== Проверки ==== 
- 
-=== UNIX === 
-<​code>​ 
-# tail -f /​var/​log/​snort/​alert 
-</​code>​ 
- 
-=== FreeBSD === 
-<​code>​ 
-# tail -f /​var/​log/​messages 
-</​code>​ 
- 
-=== Ubuntu === 
-<​code>​ 
-# tail -f /​var/​log/​auth.log 
-</​code>​ 
- 
-=== Windows MSIE === 
-<​code>​ 
-http://​192.168.X.3/​root.exe 
-</​code>​ 
- 
-==== Обновление правил snort - пакет oinkmaster ==== 
- 
-=== FreeBSD === 
-<​code>​ 
-[server:~] # pkg_add -r oinkmaster 
- 
-[server:~] # rehash 
- 
-[server:~] # cd /​usr/​local/​etc/​ 
-</​code>​ 
- 
-=== Ubuntu ===  
-<​code>​ 
-root@server:​~#​ apt-get install oinkmaster 
- 
-root@server:​~#​ cd /etc/ 
-</​code>​ 
- 
-=== FreeBSD/​Ubuntu === 
-<​code>​ 
-server# cat oinkmaster.conf 
-... 
-url = http://​www.snort.org/​pub-bin/​oinkmaster.cgi/​xxxxxxxxxxxxxxxxx/​snortrules-snapshot-2.8.tar.gz 
-... 
-tmpdir = /var/tmp/ 
-... 
- 
-server# oinkmaster -o /​CHANGE/​DIR/​snort/​rules/​ 
-</​code>​ 
- 
-==== Построение отчета о работе snort - пакет snortsnarf (только FreeBSD) ==== 
-<​code>​ 
-[server:~] # pkg_add -r snortsnarf 
-</​code><​code>​ 
-[server:~] # cat /​usr/​local/​etc/​scripts/​snortsnarf.sh 
-</​code><​code>​ 
-#!/bin/sh 
- 
-D=`date -v-1d '​+%Y.%m.%d'​` 
- 
-/​usr/​local/​etc/​rc.d/​snort stop 
-/bin/mv /​var/​log/​snort/​alert /​var/​log/​snort/​alert. 
-/​usr/​local/​etc/​rc.d/​snort start 
- 
-for i in /​var/​log/​snort/​alert.* 
-do 
-  cat ${i} >> /​var/​log/​snort/​alert${D} 
-  rm ${i} 
-done 
-/​usr/​local/​bin/​snortsnarf -d /​usr/​local/​www/​apache22/​data/​snortsnarf/​${D}/​ -minprio=1 /​var/​log/​snort/​alert${D} ​ 
- 
-rm /​var/​log/​snort/​alert${D} 
- 
-/​usr/​bin/​find /​usr/​local/​www/​apache22/​data/​snortsnarf/​ -mtime +60 -type d -exec rm -r {} \; 
-</​code>​ 
- 
-==== Блокировка хостов - пакет Snortsam ==== 
- 
-=== FreeBSD === 
-<​code>​ 
-[server:~] # pkg_add -r snortsam 
- 
-[server:~] # more /​usr/​local/​share/​doc/​snortsam/​README.conf 
- 
-[server:~] # cd /​usr/​local/​etc/​snortsam/​ 
-</​code>​ 
- 
-=== Ubuntu === 
-<​code>​ 
-root@server:​~#​ cd /usr/src 
- 
-root@server:/​usr/​src#​ wget http://​www.snortsam.net/​files/​snortsam/​snortsam-src-2.69.tar.gz 
-root@server:/​usr/​src#​ tar -xvf snortsam-src-2.69.tar.gz 
-root@server:/​usr/​src#​ cd snortsam/ 
- 
-root@server:/​usr/​src/​snortsam#​ sh makesnortsam.sh ​ 
-root@server:/​usr/​src/​snortsam#​ cp snortsam /usr/sbin/ 
- 
-root@server:/​usr/​src/​snortsam#​ mkdir /​etc/​snortsam 
-root@server:/​usr/​src/​snortsam#​ cd /​etc/​snortsam 
-</​code>​ 
- 
-=== Варианты взаимодействия snortsam и cisco === 
- 
-В случае использования aaa new-model требуется пользователь c priv-lvl = 1 
- 
-== Использование списков доступа и протокола telnet == 
- 
-(nat подменяет обратный адрес) 
- 
-<​code>​ 
-server# cat snortsam.acl 
-</​code><​code>​ 
-conf terminal 
-no ip access-list extended ACL_FIREWALL 
-ip access-list extended ACL_FIREWALL 
- ​snortsam-ciscoacl-begin 
- ​snortsam-ciscoacl-end 
- ​permit tcp any host 192.168.X.3 eq www 
- ​permit icmp any any 
- ​permit udp any any 
- ​permit tcp any any established 
- ​deny ​  ip any any log 
-end 
-</​code><​code>​ 
-server# cat snortsam.conf 
-</​code><​code>​ 
-daemon 
-nothreads 
-accept 127.0.0.1 
-defaultkey secret 
-# ciscoacl 192.168.X.2 student/​tacacs cisco /​usr/​local/​etc/​snortsam/​snortsam.acl 
-# ciscoacl 192.168.X.2 cisco cisco /​etc/​snortsam/​snortsam.acl 
-logfile /​var/​log/​snortsam.log 
-</​code>​ 
- 
-FreeBSD: 
-<​code>​ 
-[server:~] # /​usr/​local/​etc/​rc.d/​snortsam rcvar 
- 
-[server:~] # /​usr/​local/​etc/​rc.d/​snortsam start 
-</​code>​ 
- 
-Ubuntu: 
-<​code>​ 
-root@server:​~#​ /​usr/​sbin/​snortsam /​etc/​snortsam/​snortsam.conf 
-</​code>​ 
- 
-== Использование списков доступа и протокола tftp == 
-<​code>​ 
-server# cat /​tftpboot/​snortsam.acl 
-</​code><​code>​ 
-no ip access-list extended ACL_FIREWALL 
-ip access-list extended ACL_FIREWALL 
- ​snortsam-ciscoacl-begin 
- ​snortsam-ciscoacl-end 
- ​permit tcp any host 192.168.X.3 eq www 
- ​permit icmp any any 
- ​permit udp any any 
- ​permit tcp any any established 
- ​deny ​  ip any any log 
-end 
-</​code><​code>​ 
-server# cat snortsam.tftp ​ 
-copy tftp://​192.168.X.1/​ running-config 
- 
-server# cat snortsam.conf 
-... 
-# ciscoacl 192.168.X.2 student/​tacacs cisco snortsam.acl|/​usr/​local/​etc/​snortsam/​snortsam.tftp 
-# ciscoacl 192.168.X.2 student/​tacacs cisco snortsam.acl|/​etc/​snortsam/​snortsam.tftp 
-... 
-server# cd /tftpboot/ 
-</​code>​ 
- 
-FreeBSD: 
-<​code>​ 
-[server:/​tftpboot] # snortsam /​usr/​local/​etc/​snortsam/​snortsam.conf 
-</​code>​ 
- 
-Ubuntu: 
-<​code>​ 
-root@server:/​tftpboot#​ snortsam /​etc/​snortsam/​snortsam.conf 
-</​code>​ 
- 
-== Использование null маршрутов == 
-<​code>​ 
-server# cat snortsam.conf 
-... 
-cisconullroute 192.168.X.2 student/​tacacs cisco 
-... 
-</​code>​ 
- 
-==== Подключение Snort к Snortsam ==== 
- 
-=== FreeBSD === 
-<​code>​ 
-[server:~] # cd /​usr/​ports/​security/​snort 
- 
-[server:​ports/​security/​snort] # make config 
- 
-[server:​ports/​security/​snort] # cat /​var/​db/​ports/​snort/​options ​ 
-... 
-WITH_SNORTSAM=true 
-... 
- 
-[server:​ports/​security/​snort] # make install clean 
- 
-[server:​ports/​security/​snort] # cd /​usr/​local/​etc/​snort/​ 
-</​code>​ 
- 
-=== Ubuntu === 
-[[http://​www.snortsam.net/​files/​snort-plugin/​readme.txt]] 
-<​code>​ 
-root@server:​~#​ apt-get install libpcap-dev libpcre3-dev libtool automake autoconf 
- 
-root@server:​~#​ cd /usr/src 
-root@server:/​usr/​src#​ wget http://​www.snortsam.net/​files/​snort-plugin/​snortsam-2.8.6.diff.gz 
-root@server:/​usr/​src#​ gunzip snortsam-2.8.6.diff.gz 
- 
-root@server:/​usr/​src#​ wget http://​dl.snort.org/​downloads/​116 
-root@server:/​usr/​src#​ mv snort-2.8.6.1.tar.gz\?​AWSA... ​ snort-2.8.6.1.tar.gz 
- 
-root@server:/​usr/​src#​ tar -xvf snort-2.8.6.tar.gz 
-root@server:/​usr/​src#​ cd snort-2.8.6 
- 
-root@server:/​usr/​src/​snort-2.8.6#​ patch -p1 < ../​snortsam-2.8.6.diff ​ 
-root@server:/​usr/​src/​snort-2.8.6#​ sh autojunk.sh ​ 
-root@server:/​usr/​src/​snort-2.8.6#​ ./configure --prefix /​usr/​local/​snort 
-root@server:/​usr/​src/​snort-2.8.6#​ make 
- 
-root@server:/​usr/​src/​snort-2.8.6#​ make install 
-root@server:/​usr/​src/​snort-2.8.6#​ cp -r etc/ /​usr/​local/​snort/​ 
- 
-root@server:​~#​ ln -s /​usr/​local/​snort/​lib/​snort_dynamicengine /​usr/​local/​lib/​snort_dynamicengine 
-root@server:​~#​ ln -s /​usr/​local/​snort/​lib/​snort_dynamicpreprocessor /​usr/​local/​lib/​snort_dynamicpreprocessor 
- 
-root@server:​~#​ cd /​usr/​local/​snort/​ 
- 
-root@server:/​usr/​local/​snort#​ wget http://​www.snort.org/​pub-bin/​oinkmaster.cgi/​xxxxxxxxxxxxxx/​snortrules-snapshot-2.8.tar.gz 
-root@server:/​usr/​local/​snort#​ tar -xvf snortrules-snapshot-2.8.tar.gz rules/ 
-root@server:/​usr/​local/​snort#​ cd /​usr/​local/​snort/​etc 
-</​code>​ 
- 
-=== Настройка FreeBSD/​Ubuntu === 
-<​code>​ 
-server# cat snort.conf 
-</​code><​code>​ 
-... 
-output alert_fwsam:​ 127.0.0.1:​898/​secret 
-... 
-</​code><​code>​ 
-server# cat sid-block.map 
-</​code><​code>​ 
-1256: src, 2 min 
-</​code><​code>​ 
-!!! Раскомментировать правило !!! 
- 
-server# grep 1256 web-iis.rules 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"​WEB-IIS CodeRed v2 root.exe access";​ flow:​to_server,​established;​ uricontent:"/​root.exe";​ nocase; classtype:​web-application-attack;​ reference:​url,​www.cert.org/​advisories/​CA-2001-19.html;​ sid:​1256; ​ rev:7;) 
- 
-server# grep web-application-attack classification.config ​ 
-config classification:​ web-application-attack,​Web Application Attack,1 
-</​code>​ 
- 
-=== Запуск в Ubuntu === 
-<​code>​ 
-root@server:​~#​ /​usr/​local/​snort/​bin/​snort -m 027 -D -d -l /​var/​log/​snort -u snort -g snort -c /​usr/​local/​snort/​etc/​snort.conf -i eth1 
-</​code>​ 
  