Snort installation and setup
Written: 2003/10/01 00:17
Views: 9465
Author: sin, http://chtla.com/ (초심으로, a Linux community)

Snort is a network intrusion detection system: a daemon that performs real-time traffic analysis and packet processing on IP networks. It does protocol analysis and content searching/matching, and it can detect a variety of attacks such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts. Snort also uses a flexible rule language to describe the traffic it analyses, supports a modular detection engine and real-time alerting, and can therefore perform a wide range of complex intrusion detection. (That flexibility is exactly what makes its configuration and use correspondingly complex.)

Shortcomings:
- TCP stream reassembly is not supported, so all signature analysis is done packet by packet. Tools such as whisker have mechanisms for evading this kind of per-packet analysis. Reassembling TCP streams lowers packet-analysis throughput, and reassembling and analysing streams while keeping that overhead small is hard work.
- IP fragments (fragmented packets) cannot be reassembled. Instead, the minfrag rule option sets a minimum fragment size. Since no network equipment in normal use fragments packets to 256 bytes or less, setting minfrag to this value, 256, is said to be enough to catch such attacks. It is still a shortcoming, though.
- Logging is weak. Snort does produce properly detailed logs, but the log system feels too weak for just anyone to look at those logs and grasp the situation.

Added on 22 April)
========================================
A Stream4 (TCP) integer overflow vulnerability in Snort was disclosed on 18 April. Installations of Snort 2.0.0 beta, Snort 1.9.x and Snort 1.8.x can be subjected to a denial-of-service (DoS) attack and to remote command execution. Please download and install the current latest version, 2.0. For more details, see the link below.
http://chtla.com/viewtopic.php?t=106
====================================================
Download: http://www.snort.org (get the latest version; at the time of writing, snort-1.8.7)
Reference site: http://www.certcc.or.kr/tools/Snort.html

[root@kan up]# rpm -qa|grep libpcap
libpcap-0.6.2-12
[root@kan up]# cd /home/kan/
[root@kan up]# tar xvfz snort-1.8.7.tar.gz
[root@kan snort-1.8.7]# ./configure
[root@kan snort-1.8.7]# make
[root@kan snort-1.8.7]# make install
============================================
snort 1.9.1

[root@dream snort-1.9.1]# rpm -qa|grep libcap
libcap-1.10-12
libcapplet0-1.4.0.1-9
libcap-devel-1.10-12
[root@dream snort-1.9.1]# ./configure
..
checking for pcap_datalink in -lpcap... no
ERROR! Libpcap library/headers not found, go get it from
http://www.tcpdump.org/ or use the --with-libpcap-* options, if you have it installed in unusual place

configure fails with this message.. (Note that the rpm query above matched libcap, the POSIX capabilities library, rather than libpcap, so it did not actually establish whether libpcap was installed.)
Downloaded libpcap-0.7.2.tar.gz from http://www.tcpdump.org/.. After unpacking the tar file, install it first with
# ./configure
# make
# make install
This time libpcap is installed as an rpm instead: download libpcap-0.6.2-16.i386.rpm from rpmfind.net and install it with rpm.

[root@dream rpm]# rpm -Uvh libpcap-0.6.2-16.i386.rpm
########################################### [100%]
   1:libpcap                ########################################### [100%]
[root@dream snort-1.9.1]# ./configure
[root@dream snort-1.9.1]# make
[root@dream snort-1.9.1]# make install
This creates /usr/local/bin/snort and /usr/local/man/man8/snort.8..

[root@dream kan]# mv snort-1.9.1 /usr/local
[root@dream kan]# cd /usr/local/snort-1.9.1
[root@dream snort-1.9.1]# mkdir /var/log/snort <== directory the logs will be written to
[root@dream snort-1.9.1]# vi etc/snort.conf

var HOME_NET 211.xx.xx.xxx/32 <=======================
===================================
your_ip: the IP address that snort should watch for attacks against
subnet: set a subnet mask to watch a whole network
Addresses are specified as your_ip/subnet, as follows. Host names cannot be used; a host or network is expressed as an IP address plus a subnet mask.
The subnet mask is given as a CIDR block: the mask written as a number, namely the count of bits in the network part of the address. For example, a class C network is /24, a class B network /16, a class A network /8, and a single host is /32.
Putting ! in front of an address specification means every network or host except that address. For example, !192.1.1.0/24 means every network except the class C network 192.1.1.0. The special value any designates the whole IP space.
Example) detect every attack against the host 10.1.1.1:
var HOME_NET 10.1.1.1/32
====================================
var EXTERNAL_NET !$HOME_NET <== every host on any network other than HOME_NET
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log <== uncomment it and fill in the path the log will be written to.. "4 3" means that 4 or more connections within 3 seconds are treated as a port scan..
var DNS_SERVERS [211.xx.xx.xxx,16.81.63.1,168.126.63.1] <== DNS servers
preprocessor portscan-ignorehosts: $DNS_SERVERS <== IPs excluded from port-scan detection

[root@dream log]# snort -D -d -l /var/log/snort -c /usr/local/snort-1.9.1/etc/snort.conf <== run snort..
-D : run snort in daemon mode
-d : dump the application layer
-l : write log data to the given directory
-c : use the given file as the rules file
Once it is running, /var/log/snort contains the newly created alert and portscan.log files.

[root@dream etc]# vi /etc/rc.d/rc.local <== so that it starts at boot..
# snort 1.9.1
snort -D -d -l /var/log/snort -c /usr/local/snort-1.9.1/etc/snort.conf

Options
=========================================
USAGE: snort [-options] <filter options>
Options:
-A sets the alert mode to one of fast, full or none. Specifying unsock logs over a UNIX socket (said to be experimental still).
-a prints ARP packets.
-b stores packets in a tcpdump file. Being a binary format, it is faster to write.
-c <rules> : uses the file <rules> as the rules file.
-C : prints only the characters of the packet's user data (payload), not a hex dump.
-D : runs snort in daemon mode. It goes straight to the background and keeps running after the terminal is closed.
-F <bpf> reads the BPF filter expression from the file <bpf>. A BPF filter expression is the kind of expression tcpdump uses to dump only the packets you want.
-g <gname> sets snort's gid to the group <gname>.
-h <hn> sets the home network variable HOME_NET to the value <hn>.
-i <if> : monitors the network interface <if>, e.g. eth0 or eth1.
-I : adds the network interface name to alert output.
-l <ld> : writes log data to the directory <ld>.
-n <cnt> : monitors only <cnt> packets and then exits.
-N : turns logging off; only alerts are stored.
-o : changes the rule-set test order to Pass, Alert, Log.
-O : obfuscates IP addresses in the output.
-p : sniffs without promiscuous mode, i.e. monitors only packets addressed to the sniffing host's MAC address and broadcast packets.
-P <snap> : sets the snaplen, the maximum packet size that is captured; the default is 1514. A packet larger than the snaplen is captured only up to the snaplen.
-q : prints no messages at all.
-r <tf> runs the IDS engine over the packets in the tcpdump file <tf>.
-s sends alert log messages to the system via syslog.
-S <n=v> overrides a variable defined with var in the rules file: sets variable n of the rules file to the value v.
-t <dir> chroots to the directory <dir> after initialization.
-u <uname> switches snort's uid to the user <uname> after initialization.
-v prints many messages (verbose).
-V shows version information.
-X dumps the raw packet data of the link layer.
-e prints the layer-2 header information.
-d dumps the application layer.
-? shows the help.
The filter options given in the <filter options> position use BPF, just like tcpdump.
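As an added example (not code from the post or from Snort itself), the script below works through the address semantics explained above (CIDR, ! negation, any, $VAR substitution and [a,b,...] lists) and the portscan preprocessor's "4 3" threshold with portscan-ignorehosts exclusion, run over constructed connection attempts; 192.0.2.10 stands in for the masked 211.xx.xx.xxx, and all event data is made up.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed snort.conf fragment mirroring the post's settings; 192.0.2.10 stands
# in for the masked 211.xx.xx.xxx, the DNS entries are the ones quoted in the post.
SNORT_CONF = """
var HOME_NET 192.0.2.10/32
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.0.2.10,16.81.63.1,168.126.63.1]
"""

def parse_vars(conf):
    """Collect 'var NAME VALUE' lines; a later definition overrides an earlier one."""
    return {p[1]: p[2] for p in (line.split() for line in conf.splitlines())
            if len(p) == 3 and p[0] == "var"}

def ip_matches(spec, ip, vars_):
    """Snort 1.x address syntax: any, $VAR, ! negation, [a,b,...] lists, IP or CIDR."""
    if spec == "any":
        return True
    if spec[0] == "!":
        return not ip_matches(spec[1:], ip, vars_)
    if spec[0] == "$":
        return ip_matches(vars_[spec[1:]], ip, vars_)
    if spec[0] == "[":
        return any(ip_matches(s, ip, vars_) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def detect_portscans(events, vars_, ports=4, seconds=3):
    """Flag a source hitting >= `ports` distinct host:port pairs on $HOME_NET within
    `seconds` (the post's '4 3'); sources in $DNS_SERVERS are ignored. -> {src: time}"""
    seen, alerts = defaultdict(deque), {}
    for t, src, dst, dport in sorted(events):
        if src in alerts or not ip_matches("$HOME_NET", dst, vars_) \
                or ip_matches("$DNS_SERVERS", src, vars_):
            continue
        window = seen[src]
        window.append((t, (dst, dport)))
        while t - window[0][0] > seconds:       # drop attempts older than the window
            window.popleft()
        if len({key for _, key in window}) >= ports:
            alerts[src] = t
    return alerts

def conns(src, pairs):  # constructed (t, src, dst, dport) records against the HOME_NET host
    return [(t, src, "192.0.2.10", p) for t, p in pairs]

EVENTS = (conns("198.51.100.9", [(0.0, 21), (0.5, 22), (1.2, 23), (2.9, 25)])      # 4 ports in 2.9 s
          + conns("168.126.63.1", [(0.1, 53), (0.2, 80), (0.3, 22), (0.4, 25)])    # DNS server: ignored
          + conns("203.0.113.5", [(10.0, 80), (14.0, 443), (18.0, 22), (22.0, 25)]))  # 4 ports over 12 s
```

Running detect_portscans(EVENTS, parse_vars(SNORT_CONF)) flags only 198.51.100.9, at 2.9 s: the DNS server is skipped by the ignore list, and the slow source never reaches four ports inside one 3-second window.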
Coffeenix, a system engineer's resting place / URL: http://coffeenix.net/board_view.php?bd_code=85