

Анализ трафика

IP Accounting

Описание

Чтобы включить IP accounting, необходимо в режиме конфигурации интерфейса ввести команду: ip accounting output-packets

Чтобы вести точный учет трафика, программное обеспечение поддерживает две базы данных: active и checkpoint. После выполнения команды clear ip accounting (выполняется в EXEC режиме) данные из базы данных active переносятся в checkpoint, и база данных active очищается. Для чего это сделано? Если бы вы сразу снимали статистику с активной DB, то за само время снятия статистики эта DB постоянно пополняется, и часть информации просто теряется. Или даже может не соответствовать действительности (?). Когда же вы сбрасываете active DB в checkpoint DB, активная база обнуляется полностью, и вы снимаете статистику с checkpoint DB, которая является «статической». А active DB сразу после сброса в checkpoint DB начинает пополняться. Т.е. вам надо зафиксировать данные в определенный момент времени. Это и решается с помощью checkpoint DB.

Итак, чтобы отобразить активную базу данных аккаунтинга, используйте команду show ip accounting (это команда EXEC режима). Чтобы отобразить checkpoint базу данных, используйте команду show ip accounting checkpoint (это команда EXEC режима). Команда clear ip accounting (она также работает в EXEC режиме) очищает активную базу данных и создает checkpoint базу данных.

Cisco

interface FastEthernet1/0
 ip accounting output-packets

interface FastEthernet1/1
 ip accounting output-packets

Unix

# rsh router "clear ip acco"
# rsh router "show ip acco check"

Технология NetFlow

Cisco

ip flow-export version 5
ip flow-export destination gate 4444

interface FastEthernet1/0
 ip route-cache flow

interface FastEthernet1/1
 ip route-cache flow

Unix

gate# tcpdump -ni le0 "port 4444"

gate# tcpdump -ni eth0 "port 4444"

Простейший коллектор NetFlow - пакет ehnt (Extreme Happy Netflow Tool)

FreeBSD

[gate:~] # pkg_add -r ehnt

[gate:~] # /usr/local/etc/rc.d/ehntserv.sh.sample start

[gate:~] # rehash
[gate:~] # ehnt
Using report interval of 60 minute(s)
flow #1 received from router 172.16.1.X, IP protocol 1
  input ifIndex:     2
  source IP address: 194.87.0.50
  source port:       0
  source AS:         <unknown>(0)
  output ifIndex:    0
  dest IP address:   192.168.X.40
  dest port:         0
  dest AS:           <unknown>(0)
  bytes in flow:        1K
  packets in flow:   20
...

[gate:~] # /usr/local/etc/rc.d/ehntserv.sh.sample stop

Ubuntu (doesn't work)

root@gate:~# cd /usr/src
root@gate:/usr/src# wget http://downloads.sourceforge.net/project/ehnt/ehnt/0.4/ehnt-0.4.tgz?use_mirror=sunet
root@gate:/usr/src# tar -xvzf ehnt-0.4.tgz 
root@gate:/usr/src# cd ehnt
root@gate:/usr/src/ehnt# make
root@gate:/usr/src/ehnt# ./ehntserv
bind Unix error: No such file or directory

Пакет flow-tools

Установка, настройка, запуск

FreeBSD
[gate:~] # pkg_add -r flow-tools 

[gate:~] # grep flow /etc/rc.conf
flow_capture_enable=yes
flow_capture_port=4444

[gate:~] # /usr/local/etc/rc.d/flow_capture start
Ubuntu
root@gate:~# apt-get install flow-tools

root@gate:~# cat /etc/flow-tools/flow-capture.conf 
-w /var/db/flows 0/0/4444

root@gate:~# mkdir -p /var/db/flows
root@gate:~# /etc/init.d/flow-capture start

Вывод информации в читабельном виде

Чтобы быстрее преобразовать временный файл в постоянный, можно перезапустить сервис

[gate:~] # flow-cat /var/db/flows/ | flow-print

или более подробно, включая дату начала и окончания потоков
[gate:~] # flow-cat /var/db/flows/ | flow-print -f5

[gate:~] # flow-cat -t "5/2/2012 00:00:00" -T "5/2/2012 23:59:59" /var/db/flows/ | flow-print

(время указывается местное)

Учет трафика пакетом NetAMS

Сервис Billing

gate# cat netams.conf
...
unit host name router ip 172.16.1.X acct-policy ip www mail
unit host name gate ip 192.168.X.1 acct-policy ip www mail
unit user name student ip 192.168.X.40 parent CLIENTS email student@corpX.un acct-policy ip www mail
unit net name LAN ip 192.168.X.0/24 acct-policy ip www mail
...
service data-source 1
type netflow
source 192.168.X.2
listen 0 4444
...
path /PATH/TO/APACHE/DOCUMENTROOT/netams
...
url http://192.168.X.1/netams/
...

Технология SPAN

Cisco Switch

monitor session 1 source interface f0/1 both
monitor session 1 destination interface f0/2

Unix

[gate:~] # ifconfig eth1 up

[gate:~] # tcpdump -ni eth1 -A -s 0 "port 80"

tcpdump, trafshow

Выделение tcp сессий

Анализ трафика для предотвращения атак - пакет Snort

FreeBSD

Периодически надо устанавливать новую версию из портов для поддержки новых правил

[gate:~] # pkg_add -r snort

[gate:~] # cd /usr/local/etc/snort

[gate:~] # cat /usr/local/etc/snort/snort.conf
...
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: alert
...

[gate:local/etc/snort] # fetch http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz

[gate:local/etc/snort] # tar -xvf snortrules-snapshot-2.8.tar.gz rules/

!!! Раскомментировать правило
[gate:local/etc/snort] # cat rules/web-iis.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)

[gate:~] # /usr/local/etc/rc.d/snort rcvar

[gate:~] # cat /etc/rc.conf
...
snort_enable=YES
snort_interface=le1

[gate:~] # /usr/local/etc/rc.d/snort start
Starting snort.

Ubuntu

root@gate:~# apt-get install snort

root@gate:~# cat /etc/snort/snort.debian.conf
...
DEBIAN_SNORT_INTERFACE="eth1"
DEBIAN_SNORT_HOME_NET="0.0.0.0/0"
...

[gate:~] # cat /etc/snort/snort.conf
...
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: alert
...

Проверки

UNIX

# tail -f /var/log/snort/alert

FreeBSD

# tail -f /var/log/messages

Ubuntu

# tail -f /var/log/auth.log

Windows MSIE

http://val.bmstu.ru/root.exe

Обновление правил snort - пакет oinkmaster

FreeBSD

[gate:~] # pkg_add -r oinkmaster

[gate:~] # rehash

[gate:~] # cd /usr/local/etc/

Ubuntu

root@gate:~# apt-get install oinkmaster

root@gate:~# cd /etc/

FreeBSD/Ubuntu

gate# cat oinkmaster.conf
...
url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
...
tmpdir = /var/tmp/
...

gate# oinkmaster -o /CHANGE/DIR/snort/rules/

Построение отчета о работе snort - пакет snortsnarf (только FreeBSD)

[gate:~] # pkg_add -r snortsnarf
[gate:~] # cat /usr/local/etc/scripts/snortsnarf.sh
#!/bin/sh

D=`date -v-1d '+%Y.%m.%d'`

/usr/local/etc/rc.d/snort stop
/bin/mv /var/log/snort/alert /var/log/snort/alert.
/usr/local/etc/rc.d/snort start

for i in /var/log/snort/alert.*
do
  cat ${i} >> /var/log/snort/alert${D}
  rm ${i}
done
/usr/local/bin/snortsnarf -d /usr/local/www/apache22/data/snortsnarf/${D}/ -minprio=1 /var/log/snort/alert${D} 

rm /var/log/snort/alert${D}

/usr/bin/find /usr/local/www/apache22/data/snortsnarf/ -mtime +60 -type d -exec rm -r {} \;

Блокировка хостов - пакет Snortsam

FreeBSD

[gate:~] # pkg_add -r snortsam

[gate:~] # more /usr/local/share/doc/snortsam/README.conf

[gate:~] # cd /usr/local/etc/snortsam/

Ubuntu

root@gate:~# cd /usr/src

root@gate:/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.69.tar.gz
root@gate:/usr/src# tar -xvf snortsam-src-2.69.tar.gz
root@gate:/usr/src# cd snortsam/

root@gate:/usr/src/snortsam# sh makesnortsam.sh 
root@gate:/usr/src/snortsam# cp snortsam /usr/sbin/

root@gate:/usr/src/snortsam# mkdir /etc/snortsam
root@gate:/usr/src/snortsam# cd /etc/snortsam

Варианты взаимодействия snortsam и cisco

В случае использования aaa new-model требуется пользователь с priv-lvl = 1

Использование списков доступа и протокола telnet

(NAT подменяет обратный адрес)

gate# cat snortsam.acl
conf terminal
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.3 eq www
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
gate# cat snortsam.conf
daemon
nothreads
accept 127.0.0.1
defaultkey secret
# ciscoacl 192.168.X.2 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl
# ciscoacl 192.168.X.2 cisco cisco /etc/snortsam/snortsam.acl
logfile /var/log/snortsam.log

FreeBSD:

[gate:~] # /usr/local/etc/rc.d/snortsam rcvar

[gate:~] # /usr/local/etc/rc.d/snortsam start

Ubuntu:

root@gate:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf
Использование списков доступа и протокола tftp
gate# cat /tftpboot/snortsam.acl
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.3 eq www
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
gate# cat snortsam.tftp 
copy tftp://192.168.X.1/ running-config

gate# cat snortsam.conf
...
# ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
# ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp
...
gate# cd /tftpboot/

FreeBSD:

[gate:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf

Ubuntu:

root@gate:/tftpboot# snortsam /etc/snortsam/snortsam.conf
Использование null маршрутов
gate# cat snortsam.conf
...
cisconullroute 192.168.X.2 student/tacacs cisco
...

Подключение Snort к Snortsam

FreeBSD

[gate:~] # cd /usr/ports/security/snort

[gate:ports/security/snort] # make config

[gate:ports/security/snort] # cat /var/db/ports/snort/options 
...
WITH_SNORTSAM=true
...

[gate:ports/security/snort] # make install clean

[gate:ports/security/snort] # cd /usr/local/etc/snort/

Ubuntu

http://www.snortsam.net/files/snort-plugin/readme.txt

root@gate:~# apt-get install libpcap-dev libpcre3-dev libtool automake autoconf

root@gate:~# cd /usr/src
root@gate:/usr/src# wget http://www.snortsam.net/files/snort-plugin/snortsam-2.8.6.diff.gz
root@gate:/usr/src# gunzip snortsam-2.8.6.diff.gz

root@gate:/usr/src# wget http://dl.snort.org/downloads/116
root@gate:/usr/src# mv snort-2.8.6.1.tar.gz\?AWSA...  snort-2.8.6.1.tar.gz

root@gate:/usr/src# tar -xvf snort-2.8.6.tar.gz
root@gate:/usr/src# cd snort-2.8.6

root@gate:/usr/src/snort-2.8.6# patch -p1 < ../snortsam-2.8.6.diff 
root@gate:/usr/src/snort-2.8.6# sh autojunk.sh 
root@gate:/usr/src/snort-2.8.6# ./configure --prefix /usr/local/snort
root@gate:/usr/src/snort-2.8.6# make

root@gate:/usr/src/snort-2.8.6# make install
root@gate:/usr/src/snort-2.8.6# cp -r etc/ /usr/local/snort/

root@gate:~# ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
root@gate:~# ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor

root@gate:~# cd /usr/local/snort/

root@gate:/usr/local/snort# wget http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
root@gate:/usr/local/snort# tar -xvf snortrules-snapshot-2.8.tar.gz rules/
root@gate:/usr/local/snort# cd /usr/local/snort/etc

Настройка FreeBSD/Ubuntu

gate# cat snort.conf
...
output alert_fwsam: 127.0.0.1:898/secret
...
gate# cat sid-block.map
1256: src, 2 min
!!! Раскомментировать правило !!!

gate# grep 1256 web-iis.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256;  rev:7;)

gate# grep web-application-attack classification.config 
config classification: web-application-attack,Web Application Attack,1

Запуск в Ubuntu

root@gate:~# /usr/local/snort/bin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1