




Анализ трафика

SPAN

Cisco Switch

! SPAN session 1: mirror both directions (rx and tx) of f0/1 ...
monitor session 1 source interface f0/1 both
! ... to f0/2, where the capture host (eth1/le1 in the Unix step below) is attached
monitor session 1 destination interface f0/2

Unix

# bring the capture interface up; "eth1|le1" lists the Linux and BSD names of the mirrored port,
# the "|" is notation for "one or the other" (typed literally it would be a shell pipe) — use one name
server# ifconfig eth1|le1 up

# -n no name resolution, -A print payloads as ASCII, -s 0 capture whole packets, filter "port 80".
# Full HTTP payloads carry cookies and credentials, so the capture output itself is sensitive data
server# tcpdump -ni eth1|le1 -A -s 0 "port 80"

tcpdump, trafshow

Выделение tcp сессий

Анализ трафика для предотвращения атак — пакет Snort

Использование пакета Snortsam для блокировки хостов

Установка пакета

FreeBSD

# install the prebuilt snortsam package from the FreeBSD package repository (-r = fetch remotely)
[server:~] # pkg_add -r snortsam

# presumably the reference for the snortsam.conf directives used below (accept, defaultkey, ciscoacl, ...)
[server:~] # more /usr/local/share/doc/snortsam/README.conf

# FreeBSD configuration directory; the Ubuntu build below uses /etc/snortsam instead
[server:~] # cd /usr/local/etc/snortsam/

Ubuntu

root@server:~# cd /usr/src

# source tarball fetched over plain http: compare it with the checksum/signature published upstream
# before building and installing it as root
root@server:/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.69.tar.gz
root@server:/usr/src# tar -xvf snortsam-src-2.69.tar.gz
root@server:/usr/src# cd snortsam/

# makesnortsam.sh is the upstream build script; the cp on the next line assumes it leaves a
# "snortsam" binary in the source tree
root@server:/usr/src/snortsam# sh makesnortsam.sh 
root@server:/usr/src/snortsam# cp snortsam /usr/sbin/

# configuration directory referenced by the Ubuntu variants of the ciscoacl lines below
root@server:/usr/src/snortsam# mkdir /etc/snortsam
root@server:/usr/src/snortsam# cd /etc/snortsam

Варианты блокировки хостов на cisco router

В случае использования aaa new-model требуется пользователь с priv-lvl = 1

1. Использование списков доступа и протокола telnet

# Variant 1: ACL pushed to the router over telnet. On each update the list is dropped and recreated,
# and snortsam places the blocking entries it generates between the snortsam-ciscoacl-begin/-end
# markers, so the static permits must stay below the markers. The closing "deny ip any any log" makes
# the listed permits the entire allowed baseline. 192.168.X.3 is the placeholder for the protected
# web server; the "ip access-group" binding of ACL_FIREWALL to an interface is not shown on this page.
server# cat snortsam.acl
conf terminal
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.3 eq www
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
server# cat snortsam.conf
# detach and run in the background; nothreads disables snortsam's threaded mode
daemon
nothreads
# only a Snort sensor on this host may submit block requests; add one accept line per remote sensor
accept 127.0.0.1
# shared key with the sensor's "output alert_fwsam: host:port/key" line (see snort.conf further down);
# both sides use the literal "secret" on this page — replace it with a strong value on both
defaultkey secret
# ciscoacl <router> <user>/<password> <enable-password> <acl-file> (field meaning per README.conf — verify).
# The two lines appear to be the FreeBSD and Ubuntu paths: uncomment the one matching this host.
# The router login and enable password sit here in cleartext and travel over telnet (variant 1), so
# keep this file readable by root only and give that account the minimum privilege level it needs
# ciscoacl 192.168.X.1 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl
# ciscoacl 192.168.X.1 cisco cisco /etc/snortsam/snortsam.acl
logfile /var/log/snortsam.log

FreeBSD:

# "rcvar" prints the rc.conf variable that must be set to YES for the service to start at boot
[server:~] # /usr/local/etc/rc.d/snortsam rcvar

# start the daemon now via the package's rc script
[server:~] # /usr/local/etc/rc.d/snortsam start

Ubuntu:

# the source build ships no init script: start the daemon directly with the config path
# (the "daemon" directive in snortsam.conf backgrounds it)
root@server:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf

2. Использование списков доступа и протокола tftp

# Variant 2: the ACL is fetched by the router via TFTP and merged into running-config, so unlike
# variant 1 there is no leading "conf terminal" — the file is not typed at the CLI
server# cat /tftpboot/snortsam.acl
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.3 eq www
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
# command snortsam issues on the router to pull the ACL from this server (192.168.X.1). TFTP has no
# authentication or integrity check: whatever can write to /tftpboot, or answer as 192.168.X.1 on the
# router's network, controls the router's ACL — restrict the tftp daemon to this file and to the
# router's address, and keep /tftpboot writable by root only
server# cat snortsam.tftp 
copy tftp://192.168.X.1/ running-config

server# cat snortsam.conf
...
# ciscoacl line for variant 2: <acl-file>|<tftp-script>. "snortsam.acl" is a relative path, which is
# presumably why the daemon is started from /tftpboot below — confirm. FreeBSD path first, Ubuntu second;
# the router credentials here have the same cleartext caveat as in variant 1
# ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
# ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp
...
# run snortsam from the tftp root so the relative ACL path resolves there
server# cd /tftpboot/

FreeBSD:

# started from /tftpboot (see the cd above) so that the relative "snortsam.acl" in the ciscoacl line resolves
[server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf

Ubuntu:

# same as the FreeBSD line, with the Ubuntu config path; the working directory is still /tftpboot
root@server:/tftpboot# snortsam /etc/snortsam/snortsam.conf

3. Использование null маршрутов

server# cat snortsam.conf
...
# Variant 3: instead of rewriting an ACL, snortsam installs a null route on 192.168.X.1 for each
# blocked address; same credential fields as ciscoacl (user/password, enable password), no ACL file.
# The credentials are again stored in cleartext — same file-permission caveat as above
cisconullroute 192.168.X.1 student/tacacs cisco
...

Подключение Snort к Snortsam

FreeBSD

[server:~] # cd /usr/ports/security/snort

# enable the SNORTSAM option in the port's configuration dialog
[server:ports/security/snort] # make config

# the saved options file must contain WITH_SNORTSAM=true before the build
[server:ports/security/snort] # cat /var/db/ports/snort/options 
...
WITH_SNORTSAM=true
...

# build and install snort with the snortsam output plugin, then clean the work directory
[server:ports/security/snort] # make install clean

# the port installs its configuration under /usr/local/etc/snort/
[server:ports/security/snort] # cd /usr/local/etc/snort/

Ubuntu

http://www.snortsam.net/files/snort-plugin/readme.txt

# build dependencies for snort plus the autotools needed to regenerate the build system after patching
root@server:~# apt-get install libpcap-dev libpcre3-dev libtool automake autoconf

root@server:~# cd /usr/src
# snortsam output plugin, shipped as a patch against snort 2.8.6 (plain http — verify the download
# against the checksum published upstream before applying it)
root@server:/usr/src# wget http://www.snortsam.net/files/snort-plugin/snortsam-2.8.6.diff.gz
root@server:/usr/src# gunzip snortsam-2.8.6.diff.gz

# the download id resolves to snort-2.8.6.1; "\?AWSA..." is the truncated query string that wget
# kept in the saved file name, hence the rename
root@server:/usr/src# wget http://dl.snort.org/downloads/116
root@server:/usr/src# mv snort-2.8.6.1.tar.gz\?AWSA...  snort-2.8.6.1.tar.gz

# NOTE(review): the archive was renamed to snort-2.8.6.1.tar.gz above, but the next two lines use
# 2.8.6 — confirm the actual archive and extracted directory names before following this literally
root@server:/usr/src# tar -xvf snort-2.8.6.tar.gz
root@server:/usr/src# cd snort-2.8.6

# apply the snortsam plugin patch, regenerate configure, build with a private prefix
root@server:/usr/src/snort-2.8.6# patch -p1 < ../snortsam-2.8.6.diff 
root@server:/usr/src/snort-2.8.6# sh autojunk.sh 
root@server:/usr/src/snort-2.8.6# ./configure --prefix /usr/local/snort
root@server:/usr/src/snort-2.8.6# make

root@server:/usr/src/snort-2.8.6# make install
# copy the sample configuration tree (snort.conf, classification.config, ...) next to the installed binary
root@server:/usr/src/snort-2.8.6# cp -r etc/ /usr/local/snort/

# presumably so the dynamicengine/dynamicpreprocessor paths in the sample snort.conf resolve despite
# the non-default prefix — confirm against the installed snort.conf
root@server:~# ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
root@server:~# ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor

root@server:~# cd /usr/local/snort/

# "xxxxxxxxxxxxxx" stands for the snort.org oinkcode tied to the account; it is a credential, so keep
# it out of shared notes and shell history. Extract only the rules/ subtree of the snapshot
root@server:/usr/local/snort# wget http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
root@server:/usr/local/snort# tar -xvf snortrules-snapshot-2.8.tar.gz rules/
root@server:/usr/local/snort# cd /usr/local/snort/etc

Настройка FreeBSD/Ubuntu

# sensor side: forward alerts to snortsam on this host, port 898, authenticated with the shared key.
# The key after "/" must equal "defaultkey" in snortsam.conf (both read "secret" on this page — change both)
server# cat snort.conf
...
output alert_fwsam: 127.0.0.1:898/secret
...
# which alerts trigger a block: sid 1256 -> block the alert's source address for 2 minutes.
# A block keyed on the source address of a single alert can hit spoofed or shared (NAT) addresses,
# so keep durations short, the list of sids small, and the "accept" list in snortsam.conf tight
server# cat sid-block.map
1256: src, 2 min
!!! Раскомментировать правило с sid:1256 в файле web-iis.rules !!!

# the sid referenced in sid-block.map must be an active rule: 1256 is the CodeRed "/root.exe" request
# signature in web-iis.rules (shown here; it has to be uncommented for the block to ever fire)
server# grep 1256 web-iis.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256;  rev:7;)

# the rule's classtype maps to priority 1 in classification.config
server# grep web-application-attack classification.config 
config classification: web-application-attack,Web Application Attack,1

Запуск в Ubuntu

# -m 027 umask for files snort creates, -D daemonize, -d log application-layer data, -l log directory,
# -u/-g drop to the unprivileged snort user/group after initialisation, -c config, -i eth1 = the
# capture interface fed by the SPAN session at the top of the page
root@server:~# /usr/local/snort/bin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1