Differences

This shows you the differences between two versions of the page.

--- анализ_трафика [2010/11/23 07:24]
val
+++ анализ_трафика [2013/10/07 13:43] (current)
val [Cisco Switch]
@@ Line 4: / Line 4: @@
 ==== Cisco Switch ====
-<code>
-monitor session 1 source interface f0/1 both
-monitor session 1 destination interface f0/2
-</code>
+  * Настройка [[Оборудование уровня 2 Cisco Catalyst#SPAN]] на switch
 ==== Unix ====
 <code>
-server# ifconfig eth1|le1 up
+server# ifconfig eth2|em2 up
-server# tcpdump -ni eth1|le1 -A -s 0 "port 80"
+server# tcpdump -ni eth2|em2 -A -s 0 "port 80"
 </code>
@@ Line 22: / Line 19: @@
 [[http://www.circlemud.org/~jelson/software/tcpflow/]]
-===== Анализ трафика для предотвращения атак - пакет Snort =====
+===== Анализ трафика для детектирования атак - пакет Snort =====
 [[Сервис SNORT]]
-===== Использование пакета Snortsam для блокировки хостов =====
+===== Анализ трафика для предотвращения атак - пакет Snortsam =====
-==== Установка пакета ====
+[[Сервис SNORTSAM]]
-=== FreeBSD ===
-<code>
-[server:~] # pkg_add -r snortsam
-[server:~] # more /usr/local/share/doc/snortsam/README.conf
-[server:~] # cd /usr/local/etc/snortsam/
-</code>
-=== Ubuntu ===
-<code>
-root@server:~# cd /usr/src
-root@server:/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.69.tar.gz
-root@server:/usr/src# tar -xvf snortsam-src-2.69.tar.gz
-root@server:/usr/src# cd snortsam/
-root@server:/usr/src/snortsam# sh makesnortsam.sh
-root@server:/usr/src/snortsam# cp snortsam /usr/sbin/
-root@server:/usr/src/snortsam# mkdir /etc/snortsam
-root@server:/usr/src/snortsam# cd /etc/snortsam
-</code>
-==== Варианты блокировки хостов на cisco router ====
-В случае использования aaa new-model требуется пользователь c priv-lvl = 1
-=== 1. Использование списков доступа и протокола telnet ===
-<code>
-server# cat snortsam.acl
-</code><code>
-conf terminal
-no ip access-list extended ACL_FIREWALL
-ip access-list extended ACL_FIREWALL
- snortsam-ciscoacl-begin
- snortsam-ciscoacl-end
- permit tcp any host 192.168.X.3 eq www
- permit icmp any any
- permit udp any any
- permit tcp any any established
- deny   ip any any log
-end
-</code><code>
-server# cat snortsam.conf
-</code><code>
-daemon
-nothreads
-accept 127.0.0.1
-defaultkey secret
-# ciscoacl 192.168.X.1 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl
-# ciscoacl 192.168.X.1 cisco cisco /etc/snortsam/snortsam.acl
-logfile /var/log/snortsam.log
-</code>
-FreeBSD:
-<code>
-[server:~] # /usr/local/etc/rc.d/snortsam rcvar
-[server:~] # /usr/local/etc/rc.d/snortsam start
-</code>
-Ubuntu:
-<code>
-root@server:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf
-</code>
-=== 2. Использование списков доступа и протокола tftp ===
-<code>
-server# cat /tftpboot/snortsam.acl
-</code><code>
-no ip access-list extended ACL_FIREWALL
-ip access-list extended ACL_FIREWALL
- snortsam-ciscoacl-begin
- snortsam-ciscoacl-end
- permit tcp any host 192.168.X.3 eq www
- permit icmp any any
- permit udp any any
- permit tcp any any established
- deny   ip any any log
-end
-</code><code>
-server# cat snortsam.tftp
-copy tftp://192.168.X.1/ running-config
-server# cat snortsam.conf
-...
-# ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
-# ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp
-...
-server# cd /tftpboot/
-</code>
-FreeBSD:
-<code>
-[server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf
-</code>
-Ubuntu:
-<code>
-root@server:/tftpboot# snortsam /etc/snortsam/snortsam.conf
-</code>
-=== 3. Использование null маршрутов ===
-<code>
-server# cat snortsam.conf
-...
-cisconullroute 192.168.X.1 student/tacacs cisco
-...
-</code>
-==== Подключение Snort к Snortsam ====
-=== FreeBSD ===
-<code>
-[server:~] # cd /usr/ports/security/snort
-[server:ports/security/snort] # make config
-[server:ports/security/snort] # cat /var/db/ports/snort/options
-...
-WITH_SNORTSAM=true
-...
-[server:ports/security/snort] # make install clean
-[server:ports/security/snort] # cd /usr/local/etc/snort/
-</code>
-=== Ubuntu ===
-[[http://www.snortsam.net/files/snort-plugin/readme.txt]]
-<code>
-root@server:~# apt-get install libpcap-dev libpcre3-dev libtool automake autoconf
-root@server:~# cd /usr/src
-root@server:/usr/src# wget http://www.snortsam.net/files/snort-plugin/snortsam-2.8.6.diff.gz
-root@server:/usr/src# gunzip snortsam-2.8.6.diff.gz
-root@server:/usr/src# wget http://dl.snort.org/downloads/116
-root@server:/usr/src# mv snort-2.8.6.1.tar.gz\?AWSA...  snort-2.8.6.1.tar.gz
-root@server:/usr/src# tar -xvf snort-2.8.6.tar.gz
-root@server:/usr/src# cd snort-2.8.6
-root@server:/usr/src/snort-2.8.6# patch -p1 < ../snortsam-2.8.6.diff
-root@server:/usr/src/snort-2.8.6# sh autojunk.sh
-root@server:/usr/src/snort-2.8.6# ./configure --prefix /usr/local/snort
-root@server:/usr/src/snort-2.8.6# make
-root@server:/usr/src/snort-2.8.6# make install
-root@server:/usr/src/snort-2.8.6# cp -r etc/ /usr/local/snort/
-root@server:~# ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
-root@server:~# ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor
-root@server:~# cd /usr/local/snort/
-root@server:/usr/local/snort# wget http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
-root@server:/usr/local/snort# tar -xvf snortrules-snapshot-2.8.tar.gz rules/
-root@server:/usr/local/snort# cd /usr/local/snort/etc
-</code>
-=== Настройка FreeBSD/Ubuntu ===
-<code>
-server# cat snort.conf
-</code><code>
-...
-output alert_fwsam: 127.0.0.1:898/secret
-...
-</code><code>
-server# cat sid-block.map
-</code><code>
-: src, 2 min
-</code><code>
-!!! Раскомментировать правило !!!
-server# grep 1256 web-iis.rules
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256;  rev:7;)
-server# grep web-application-attack classification.config
-config classification: web-application-attack,Web Application Attack,1
-</code>
-=== Запуск в Ubuntu ===
-<code>
-root@server:~# /usr/local/snort/bin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
-</code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools