анализ_трафика [2010/11/19 14:36] val |
анализ_трафика [2012/08/22 11:34] val |
Line 5: | Line 5: | ||
==== Cisco Switch ==== | ==== Cisco Switch ==== | ||
<code> | <code> | ||
- | monitor session 1 source interface f0/1 both | + | monitor session 1 source interface f0/0 both |
- | monitor session 1 destination interface f0/2 | + | monitor session 1 destination interface f0/15 |
</code> | </code> | ||
==== Unix ==== | ==== Unix ==== | ||
<code> | <code> | ||
- | server# ifconfig eth1|le1 up | + | server# ifconfig eth2|em2 up |
- | server# tcpdump -ni eth1|le1 -A -s 0 "port 80" | + | server# tcpdump -ni eth2|em2 -A -s 0 "port 80" |
</code> | </code> | ||
Line 22: | Line 22: | ||
[[http://www.circlemud.org/~jelson/software/tcpflow/]] | [[http://www.circlemud.org/~jelson/software/tcpflow/]] | ||
- | ===== Анализ трафика для предотвращения атак - пакет Snort ===== | + | ===== Анализ трафика для детектирования атак - пакет Snort ===== |
- | ==== FreeBSD ==== | + | [[Сервис SNORT]] |
- | Периодически надо устанавливать новую версию из портов для поддержки новых правил | + | ===== Анализ трафика для предотвращения атак - пакет Snortsam ===== |
- | <code> | + | [[Сервис SNORTSAM]] |
- | [server:~] # pkg_add -r snort | + | |
- | [server:~] # cd /usr/local/etc/snort | ||
- | |||
- | [server:~] # cat /usr/local/etc/snort/snort.conf | ||
- | ... | ||
- | output alert_syslog: LOG_AUTH LOG_ALERT | ||
- | output alert_fast: alert | ||
- | ... | ||
- | |||
- | [server:local/etc/snort] # fetch http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz | ||
- | |||
- | [server:local/etc/snort] # tar -xvf snortrules-snapshot-2.8.tar.gz rules/ | ||
- | |||
- | !!! Раскомментировать правило | ||
- | [server:local/etc/snort] # cat rules/web-iis.rules | ||
- | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;) | ||
- | |||
- | [server:~] # /usr/local/etc/rc.d/snort rcvar | ||
- | |||
- | [server:~] # cat /etc/rc.conf | ||
- | ... | ||
- | snort_enable=YES | ||
- | snort_interface=le1 | ||
- | |||
- | [server:~] # /usr/local/etc/rc.d/snort start | ||
- | Starting snort. | ||
- | </code> | ||
- | |||
- | ==== Ubuntu ==== | ||
- | <code> | ||
- | root@server:~# apt-get install snort | ||
- | |||
- | root@server:~# cat /etc/snort/snort.debian.conf | ||
- | ... | ||
- | DEBIAN_SNORT_INTERFACE="eth1" | ||
- | DEBIAN_SNORT_HOME_NET="0.0.0.0/0" | ||
- | ... | ||
- | |||
- | [server:~] # cat /etc/snort/snort.conf | ||
- | ... | ||
- | output alert_syslog: LOG_AUTH LOG_ALERT | ||
- | output alert_fast: alert | ||
- | ... | ||
- | |||
- | </code> | ||
- | |||
- | ==== Проверки ==== | ||
- | |||
- | === UNIX === | ||
- | <code> | ||
- | # tail -f /var/log/snort/alert | ||
- | </code> | ||
- | |||
- | === FreeBSD === | ||
- | <code> | ||
- | # tail -f /var/log/messages | ||
- | </code> | ||
- | |||
- | === Ubuntu === | ||
- | <code> | ||
- | # tail -f /var/log/auth.log | ||
- | </code> | ||
- | |||
- | === Windows MSIE === | ||
- | <code> | ||
- | http://192.168.X.3/root.exe | ||
- | </code> | ||
- | |||
- | ==== Обновление правил snort - пакет oinkmaster ==== | ||
- | |||
- | === FreeBSD === | ||
- | <code> | ||
- | [server:~] # pkg_add -r oinkmaster | ||
- | |||
- | [server:~] # rehash | ||
- | |||
- | [server:~] # cd /usr/local/etc/ | ||
- | </code> | ||
- | |||
- | === Ubuntu === | ||
- | <code> | ||
- | root@server:~# apt-get install oinkmaster | ||
- | |||
- | root@server:~# cd /etc/ | ||
- | </code> | ||
- | |||
- | === FreeBSD/Ubuntu === | ||
- | <code> | ||
- | server# cat oinkmaster.conf | ||
- | ... | ||
- | url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz | ||
- | ... | ||
- | tmpdir = /var/tmp/ | ||
- | ... | ||
- | |||
- | server# oinkmaster -o /CHANGE/DIR/snort/rules/ | ||
- | </code> | ||
- | |||
- | ==== Построение отчета о работе snort - пакет snortsnarf (только FreeBSD) ==== | ||
- | <code> | ||
- | [server:~] # pkg_add -r snortsnarf | ||
- | </code><code> | ||
- | [server:~] # cat /usr/local/etc/scripts/snortsnarf.sh | ||
- | </code><code> | ||
- | #!/bin/sh | ||
- | |||
- | D=`date -v-1d '+%Y.%m.%d'` | ||
- | |||
- | /usr/local/etc/rc.d/snort stop | ||
- | /bin/mv /var/log/snort/alert /var/log/snort/alert. | ||
- | /usr/local/etc/rc.d/snort start | ||
- | |||
- | for i in /var/log/snort/alert.* | ||
- | do | ||
- | cat ${i} >> /var/log/snort/alert${D} | ||
- | rm ${i} | ||
- | done | ||
- | /usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D} | ||
- | |||
- | rm /var/log/snort/alert${D} | ||
- | |||
- | /usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \; | ||
- | </code> | ||
- | |||
- | ==== Блокировка хостов - пакет Snortsam ==== | ||
- | |||
- | === FreeBSD === | ||
- | <code> | ||
- | [server:~] # pkg_add -r snortsam | ||
- | |||
- | [server:~] # more /usr/local/share/doc/snortsam/README.conf | ||
- | |||
- | [server:~] # cd /usr/local/etc/snortsam/ | ||
- | </code> | ||
- | |||
- | === Ubuntu === | ||
- | <code> | ||
- | root@server:~# cd /usr/src | ||
- | |||
- | root@server:/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.69.tar.gz | ||
- | root@server:/usr/src# tar -xvf snortsam-src-2.69.tar.gz | ||
- | root@server:/usr/src# cd snortsam/ | ||
- | |||
- | root@server:/usr/src/snortsam# sh makesnortsam.sh | ||
- | root@server:/usr/src/snortsam# cp snortsam /usr/sbin/ | ||
- | |||
- | root@server:/usr/src/snortsam# mkdir /etc/snortsam | ||
- | root@server:/usr/src/snortsam# cd /etc/snortsam | ||
- | </code> | ||
- | |||
- | === Варианты взаимодействия snortsam и cisco === | ||
- | |||
- | В случае использования aaa new-model требуется пользователь c priv-lvl = 1 | ||
- | |||
- | == Использование списков доступа и протокола telnet == | ||
- | |||
- | (nat подменяет обратный адрес) | ||
- | |||
- | <code> | ||
- | server# cat snortsam.acl | ||
- | </code><code> | ||
- | conf terminal | ||
- | no ip access-list extended ACL_FIREWALL | ||
- | ip access-list extended ACL_FIREWALL | ||
- | snortsam-ciscoacl-begin | ||
- | snortsam-ciscoacl-end | ||
- | permit tcp any host 192.168.X.3 eq www | ||
- | permit icmp any any | ||
- | permit udp any any | ||
- | permit tcp any any established | ||
- | deny ip any any log | ||
- | end | ||
- | </code><code> | ||
- | server# cat snortsam.conf | ||
- | </code><code> | ||
- | daemon | ||
- | nothreads | ||
- | accept 127.0.0.1 | ||
- | defaultkey secret | ||
- | # ciscoacl 192.168.X.2 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl | ||
- | # ciscoacl 192.168.X.2 cisco cisco /etc/snortsam/snortsam.acl | ||
- | logfile /var/log/snortsam.log | ||
- | </code> | ||
- | |||
- | FreeBSD: | ||
- | <code> | ||
- | [server:~] # /usr/local/etc/rc.d/snortsam rcvar | ||
- | |||
- | [server:~] # /usr/local/etc/rc.d/snortsam start | ||
- | </code> | ||
- | |||
- | Ubuntu: | ||
- | <code> | ||
- | root@server:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf | ||
- | </code> | ||
- | |||
- | == Использование списков доступа и протокола tftp == | ||
- | <code> | ||
- | server# cat /tftpboot/snortsam.acl | ||
- | </code><code> | ||
- | no ip access-list extended ACL_FIREWALL | ||
- | ip access-list extended ACL_FIREWALL | ||
- | snortsam-ciscoacl-begin | ||
- | snortsam-ciscoacl-end | ||
- | permit tcp any host 192.168.X.3 eq www | ||
- | permit icmp any any | ||
- | permit udp any any | ||
- | permit tcp any any established | ||
- | deny ip any any log | ||
- | end | ||
- | </code><code> | ||
- | server# cat snortsam.tftp | ||
- | copy tftp://192.168.X.1/ running-config | ||
- | |||
- | server# cat snortsam.conf | ||
- | ... | ||
- | # ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp | ||
- | # ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp | ||
- | ... | ||
- | server# cd /tftpboot/ | ||
- | </code> | ||
- | |||
- | FreeBSD: | ||
- | <code> | ||
- | [server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf | ||
- | </code> | ||
- | |||
- | Ubuntu: | ||
- | <code> | ||
- | root@server:/tftpboot# snortsam /etc/snortsam/snortsam.conf | ||
- | </code> | ||
- | |||
- | == Использование null маршрутов == | ||
- | <code> | ||
- | server# cat snortsam.conf | ||
- | ... | ||
- | cisconullroute 192.168.X.2 student/tacacs cisco | ||
- | ... | ||
- | </code> | ||
- | |||
- | ==== Подключение Snort к Snortsam ==== | ||
- | |||
- | === FreeBSD === | ||
- | <code> | ||
- | [server:~] # cd /usr/ports/security/snort | ||
- | |||
- | [server:ports/security/snort] # make config | ||
- | |||
- | [server:ports/security/snort] # cat /var/db/ports/snort/options | ||
- | ... | ||
- | WITH_SNORTSAM=true | ||
- | ... | ||
- | |||
- | [server:ports/security/snort] # make install clean | ||
- | |||
- | [server:ports/security/snort] # cd /usr/local/etc/snort/ | ||
- | </code> | ||
- | |||
- | === Ubuntu === | ||
- | [[http://www.snortsam.net/files/snort-plugin/readme.txt]] | ||
- | <code> | ||
- | root@server:~# apt-get install libpcap-dev libpcre3-dev libtool automake autoconf | ||
- | |||
- | root@server:~# cd /usr/src | ||
- | root@server:/usr/src# wget http://www.snortsam.net/files/snort-plugin/snortsam-2.8.6.diff.gz | ||
- | root@server:/usr/src# gunzip snortsam-2.8.6.diff.gz | ||
- | |||
- | root@server:/usr/src# wget http://dl.snort.org/downloads/116 | ||
- | root@server:/usr/src# mv snort-2.8.6.1.tar.gz\?AWSA... snort-2.8.6.1.tar.gz | ||
- | |||
- | root@server:/usr/src# tar -xvf snort-2.8.6.tar.gz | ||
- | root@server:/usr/src# cd snort-2.8.6 | ||
- | |||
- | root@server:/usr/src/snort-2.8.6# patch -p1 < ../snortsam-2.8.6.diff | ||
- | root@server:/usr/src/snort-2.8.6# sh autojunk.sh | ||
- | root@server:/usr/src/snort-2.8.6# ./configure --prefix /usr/local/snort | ||
- | root@server:/usr/src/snort-2.8.6# make | ||
- | |||
- | root@server:/usr/src/snort-2.8.6# make install | ||
- | root@server:/usr/src/snort-2.8.6# cp -r etc/ /usr/local/snort/ | ||
- | |||
- | root@server:~# ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine | ||
- | root@server:~# ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor | ||
- | |||
- | root@server:~# cd /usr/local/snort/ | ||
- | |||
- | root@server:/usr/local/snort# wget http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz | ||
- | root@server:/usr/local/snort# tar -xvf snortrules-snapshot-2.8.tar.gz rules/ | ||
- | root@server:/usr/local/snort# cd /usr/local/snort/etc | ||
- | </code> | ||
- | |||
- | === Настройка FreeBSD/Ubuntu === | ||
- | <code> | ||
- | server# cat snort.conf | ||
- | </code><code> | ||
- | ... | ||
- | output alert_fwsam: 127.0.0.1:898/secret | ||
- | ... | ||
- | </code><code> | ||
- | server# cat sid-block.map | ||
- | </code><code> | ||
- | 1256: src, 2 min | ||
- | </code><code> | ||
- | !!! Раскомментировать правило !!! | ||
- | |||
- | server# grep 1256 web-iis.rules | ||
- | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:7;) | ||
- | |||
- | server# grep web-application-attack classification.config | ||
- | config classification: web-application-attack,Web Application Attack,1 | ||
- | </code> | ||
- | |||
- | === Запуск в Ubuntu === | ||
- | <code> | ||
- | root@server:~# /usr/local/snort/bin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1 | ||
- | </code> | ||