Snort installation and setup
Date: 2003/10/01 00:17
Author: sin (http://chtla.com/, "Back to basics.." Linux community)
Views: 9479
Snort is a network intrusion detection system (NIDS): a daemon that performs real-time traffic analysis and packet logging on IP networks.
It can do protocol analysis and content searching/matching, and detect a variety of attacks and probes such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts.
Snort also uses a flexible rules language to describe the traffic it should collect or pass, supports a modular (plug-in) detection engine and real-time alerting, so it can detect a wide range of intrusions, simple and complex.
(The price of that flexibility is that configuration and day-to-day use get correspondingly more complex.)
Weaknesses (this list describes early Snort 1.x; since 1.8 the stream4 and frag2 preprocessors provide TCP stream reassembly and IP defragmentation, and the Stream4 vulnerability in the April 22 addendum below is in exactly that code, so read the points below as what you lose when those preprocessors are not enabled):
No TCP stream reassembly. Every signature is matched against a single packet, so a tool such as whisker can evade detection simply by splitting the attack string across two TCP segments.
Reassembling TCP streams costs throughput: the hard part is doing reassembly and analysis while keeping the performance loss small.
No reassembly of fragmented IP packets either. Instead the minfrag preprocessor directive sets the minimum acceptable fragment size; since no common network equipment fragments packets to under 256 bytes, setting minfrag to 256 is said to catch the attacks that rely on tiny fragments, but that is still a limitation rather than a fix.
Logging is weak. The logs are detailed enough, but the logging system makes it hard for anyone to read them and get a picture of what is going on without further tooling.
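To make the first two points concrete, here is an added example (not code from the original post, and not Snort's own stream4 implementation) that models per-packet signature matching against matching on a reassembled TCP stream. The signature string, the segments and the overlap policy are constructed for illustration.

```python
"""Added example, not from the original post: per-packet signature matching
versus matching on the reassembled TCP stream.  The signature and the
segments are constructed for illustration, not real rules or traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment model: starting sequence number plus payload."""
    seq: int
    payload: bytes


def match_per_packet(segments, pattern: bytes) -> bool:
    """Snort without a stream preprocessor: each packet is inspected alone,
    so a pattern split across two segments is never seen in one place."""
    return any(pattern in seg.payload for seg in segments)


def reassemble(segments) -> bytes:
    """Rebuild the byte stream in sequence-number order.

    Overlapping retransmissions keep the first copy seen (one of several
    overlap policies a real reassembler has to pick, and itself a source
    of evasion when the IDS and the end host disagree).  Holes are not
    handled: the constructed inputs below are contiguous."""
    stream = bytearray()
    next_seq = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if next_seq is None:
            next_seq = seg.seq
        end = seg.seq + len(seg.payload)
        if end <= next_seq:
            continue                       # pure retransmission, nothing new
        skip = max(0, next_seq - seg.seq)  # drop the part we already have
        stream += seg.payload[skip:]
        next_seq = end
    return bytes(stream)


def match_reassembled(segments, pattern: bytes) -> bool:
    """With stream reassembly the signature is applied to the rebuilt
    stream, so splitting the request across segments no longer helps."""
    return pattern in reassemble(segments)


# Constructed inputs.  The "attack" is an old CGI probe path used purely as
# a recognisable string; the evasive version splits it across two segments
# and delivers them out of order, which is what whisker-style tools do.
SIGNATURE = b"/cgi-bin/phf"
PLAIN_SEGMENTS = [
    Segment(seq=1000, payload=b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"),
]
EVASIVE_SEGMENTS = [
    Segment(seq=1008, payload=b"-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"),
    Segment(seq=1000, payload=b"GET /cgi"),
]

if __name__ == "__main__":
    print("per-packet,  plain request :", match_per_packet(PLAIN_SEGMENTS, SIGNATURE))
    print("per-packet,  split request :", match_per_packet(EVASIVE_SEGMENTS, SIGNATURE))
    print("reassembled, split request :", match_reassembled(EVASIVE_SEGMENTS, SIGNATURE))
```

The per-packet matcher sees the plain request but misses the split one; only the reassembled stream exposes the full path. Note that the reassembler's overlap policy (first copy wins here) is a decision the end host also makes, and any mismatch between the two is the next evasion vector.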
Added April 22) ========================================
A Stream4 (TCP reassembly preprocessor) integer overflow vulnerability in Snort was disclosed on April 18.
It affects Snort 2.0.0 beta, Snort 1.9.x and Snort 1.8.x: an attacker can cause a denial of service (DoS)
or execute commands remotely, and since the sensor normally runs as root that means full compromise of the IDS host.
So download and install the current release, 2.0, rather than the older versions used below.
For details see the link below.
http://chtla.com/viewtopic.php?t=106
====================================================
Download:
http://www.snort.org
Download the latest version (at the time this section was written the latest was snort-1.8.7; see the April 22 note above).
Reference site:
http://www.certcc.or.kr/tools/Snort.html
[root@kan up]# rpm -qa|grep libpcap
libpcap-0.6.2-12
[root@kan up]# cd /home/kan/
[root@kan up]# tar xvfz snort-1.8.7.tar.gz
[root@kan snort-1.8.7]# ./configure
[root@kan snort-1.8.7]# make
[root@kan snort-1.8.7]# make install
============================================
snort 1.9.1
[root@dream snort-1.9.1]# rpm -qa|grep libcap
libcap-1.10-12
libcapplet0-1.4.0.1-9
libcap-devel-1.10-12
[root@dream snort-1.9.1]# ./configure
..
checking for pcap_datalink in -lpcap... no
ERROR! Libpcap library/headers not found, go get it from
http://www.tcpdump.org/
or use the --with-libpcap-* options, if you have it installed
in unusual place
configure fails with this message. (Note that the `rpm -qa|grep libcap` query above matched libcap, the POSIX capabilities library, not libpcap; the query that would have shown the missing package is `rpm -qa|grep libpcap`.)
Download libpcap-0.7.2.tar.gz from
http://www.tcpdump.org/
unpack it, and install it first with:
# ./configure
# make
# make install
(A source build lands in /usr/local/lib and /usr/local/include; if an RPM copy is also present under /usr/lib, point configure at the one you mean with --with-libpcap-includes and --with-libpcap-libraries rather than leaving two versions in place.)
This time libpcap-0.6.2-16.i386.rpm was downloaded from rpmfind.net instead and installed as an RPM:
[root@dream rpm]# rpm -Uvh libpcap-0.6.2-16.i386.rpm
########################################### [100%]
1:libpcap ########################################### [100%]
[root@dream snort-1.9.1]# ./configure
[root@dream snort-1.9.1]# make
[root@dream snort-1.9.1]# make install
/usr/local/bin/snort
/usr/local/man/man8/snort.8
are created (the binary and its man page).
[root@dream kan]# mv snort-1.9.1 /usr/local
[root@dream kan]# cd /usr/local/snort-1.9.1
[root@dream snort-1.9.1]# mkdir /var/log/snort <== directory the logs are written to
[root@dream snort-1.9.1]# vi etc/snort.conf
var HOME_NET 211.xx.xx.xxx/32 <=======================
===================================
your_ip: the IP address that snort should watch for attacks against
subnet: a subnet mask, so that a whole network is watched
Addresses are written as your_ip/subnet, as follows.
Host names cannot be used; hosts and networks are written as an IP address plus a subnet mask.
The subnet mask is given as a CIDR block, i.e. the mask expressed as the number of leading network bits. A class C network is /24, a class B network /16, a class A network /8, and a single host /32.
Putting ! in front of an address spec negates it: it then means every network or host except that one.
For example, !192.1.1.0/24 means everything except the 192.1.1.0/24 class C network.
The special value any stands for the whole IP address space.
Example: detect all attacks against the host 10.1.1.1.
var HOME_NET 10.1.1.1/32
====================================
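The addressing rules above, as an added example (illustrative code, not Snort's own parser): a small evaluator for Snort address specs that handles CIDR blocks, any, ! negation, [a,b,c] lists and $VAR references. The VARIABLES table, the classify helper and the address values are assumptions of this example; negation of individual members inside a list is not modelled.

```python
"""Added example, not from the original post and not Snort's own parser:
an evaluator for the address syntax described above (CIDR blocks, any,
! negation, [a,b,c] lists, $VAR references).  The variable values are
constructed for the demo."""
import ipaddress


def resolve_vars(spec: str, variables: dict) -> str:
    """Substitute $NAME references; several passes so a variable may refer
    to another one (EXTERNAL_NET = !$HOME_NET)."""
    for _ in range(len(variables) + 1):
        if "$" not in spec:
            break
        for name in sorted(variables, key=len, reverse=True):  # longest name first
            spec = spec.replace("$" + name, variables[name])
    return spec


def matches(spec: str, ip: str, variables=None) -> bool:
    """True if `ip` is covered by the Snort address spec `spec`."""
    spec = resolve_vars(spec.strip(), variables or {})
    if spec.startswith("!"):                         # negation of the whole spec
        return not matches(spec[1:], ip, variables)
    if spec == "any":
        return True
    if spec.startswith("[") and spec.endswith("]"):  # list: any member matches
        return any(matches(part, ip, variables) for part in spec[1:-1].split(","))
    # bare address or a.b.c.d/nn; a bare address is treated as a /32
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_applies(src_spec: str, dst_spec: str, src_ip: str, dst_ip: str,
                 variables=None) -> bool:
    """The address half of rule matching: both endpoints must match
    (e.g. 'alert tcp $EXTERNAL_NET any -> $HOME_NET 80')."""
    return matches(src_spec, src_ip, variables) and matches(dst_spec, dst_ip, variables)


# Constructed values standing in for the snort.conf lines in the post.
VARIABLES = {
    "HOME_NET": "10.1.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
    "DNS_SERVERS": "[10.1.1.53,168.126.63.1]",
}


def classify(ip: str) -> str:
    """Hypothetical helper: label an address the way the rules would see it."""
    if matches("$DNS_SERVERS", ip, VARIABLES):
        return "dns-server"
    if matches("$HOME_NET", ip, VARIABLES):
        return "home"
    return "external"   # everything else is !$HOME_NET


if __name__ == "__main__":
    for addr in ("10.1.1.20", "10.1.1.53", "203.0.113.5"):
        print(addr, "->", classify(addr))
    print("inbound rule fires:",
          rule_applies("$EXTERNAL_NET", "$HOME_NET", "203.0.113.5", "10.1.1.20", VARIABLES))
```

One practical consequence the evaluator makes visible: with HOME_NET set to a single /32 as in the post, traffic between that host and its neighbours on the same LAN is "external" from Snort's point of view, so rules written for $EXTERNAL_NET -> $HOME_NET will fire on internal hosts too.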
var EXTERNAL_NET !$HOME_NET <== every host on any network other than HOME_NET
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
<== uncomment this line and give the path the portscan log should be written to..
The arguments are the network to watch, a port count, a time window in seconds and the log file: 4 3 means that if one source touches 4 or more ports on HOME_NET within 3 seconds it is treated as a port scan.
var DNS_SERVERS [211.xx.xx.xxx,16.81.63.1,168.126.63.1] <== DNS servers
preprocessor portscan-ignorehosts: $DNS_SERVERS <== addresses never counted as port scanners (DNS servers talk to many clients on many ports and would otherwise trip the detector; keep this list short, since anything on it is a blind spot)
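What the "4 3" threshold and portscan-ignorehosts actually compute, as an added example that is not part of the original post and not Snort's portscan preprocessor: a sliding-window detector over constructed connection records. The threshold and window constants, the HOME_NET range, the IGNORE_HOSTS set and the records are assumptions of the example; the real preprocessor additionally classifies stealth scan flag combinations, but the counting is the same idea.

```python
"""Added example, not from the original post and not Snort's portscan
preprocessor: the counting behind 'preprocessor portscan: $HOME_NET 4 3'
and 'portscan-ignorehosts', run over constructed connection records.
Thresholds, HOME_NET and IGNORE_HOSTS are assumptions of the example."""
from collections import defaultdict, deque
import ipaddress

PORTS = 4           # distinct destination ports ...
SECONDS = 3.0       # ... within this many seconds -> report a port scan
HOME_NET = ipaddress.ip_network("10.1.1.0/24")
IGNORE_HOSTS = {"10.1.1.53", "168.126.63.1"}   # stand-in for $DNS_SERVERS

# Constructed records: (timestamp, src_ip, dst_ip, dst_port)
RECORDS = [
    (0.0,  "203.0.113.9",  "10.1.1.5", 21),
    (0.5,  "203.0.113.9",  "10.1.1.5", 22),
    (1.0,  "203.0.113.9",  "10.1.1.5", 23),
    (1.2,  "10.1.1.53",    "10.1.1.5", 53),     # ignored host, never counted
    (2.0,  "203.0.113.9",  "10.1.1.5", 25),     # 4th port within 3 s -> scan
    (9.0,  "198.51.100.7", "10.1.1.8", 80),
    (9.5,  "198.51.100.7", "10.1.1.8", 80),     # same port again does not add
    (20.0, "198.51.100.7", "10.1.1.8", 443),
    (30.0, "198.51.100.7", "10.1.1.8", 8080),   # slow scan: 3 ports in 21 s, no alert
    (40.0, "10.1.1.53",    "10.1.1.9", 1),      # a real scan from an ignored
    (40.1, "10.1.1.53",    "10.1.1.9", 2),      # host is invisible to the
    (40.2, "10.1.1.53",    "10.1.1.9", 3),      # detector: ignorehosts is a
    (40.3, "10.1.1.53",    "10.1.1.9", 4),      # blind spot
    (50.0, "203.0.113.9",  "192.0.2.1", 1),     # not HOME_NET, not watched
    (50.1, "203.0.113.9",  "192.0.2.1", 2),
    (50.2, "203.0.113.9",  "192.0.2.1", 3),
    (50.3, "203.0.113.9",  "192.0.2.1", 4),
]


def detect_portscans(records, ports=PORTS, seconds=SECONDS,
                     home_net=HOME_NET, ignore_hosts=IGNORE_HOSTS):
    """Return (src_ip, first_ts, last_ts, sorted_ports) for every burst in
    which one source touches >= `ports` distinct ports on `home_net`
    within `seconds`.  The window is cleared after a report so one burst
    yields one alert."""
    windows = defaultdict(deque)    # src -> (timestamp, port) events, oldest first
    alerts = []
    for ts, src, dst, dport in sorted(records):
        if src in ignore_hosts or ipaddress.ip_address(dst) not in home_net:
            continue
        window = windows[src]
        window.append((ts, dport))
        while ts - window[0][0] > seconds:
            window.popleft()        # expire events outside the time window
        distinct = {port for _, port in window}
        if len(distinct) >= ports:
            alerts.append((src, window[0][0], ts, sorted(distinct)))
            window.clear()
    return alerts


if __name__ == "__main__":
    for src, first, last, hit in detect_portscans(RECORDS):
        print(f"portscan from {src}: ports {hit} between t={first} and t={last}")
    print("without ignorehosts:",
          [a[0] for a in detect_portscans(RECORDS, ignore_hosts=set())])
```

The slow scanner (one port every ten seconds or so) never crosses the 4-in-3 threshold, which is the classic way to stay under this kind of detector; lowering the port count or widening the window catches it at the cost of false positives from busy legitimate clients.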
[root@dream log]# snort -D -d -l /var/log/snort -c /usr/local/snort-1.9.1/etc/snort.conf
<== start snort..
-D : run snort as a daemon
-d : dump the application-layer payload
-l : write log data to the given directory
-c : use the given file as the rules/configuration file
Started this way snort keeps running as root. For a production sensor add -u <user> and -g <group> (and -t <dir> to chroot) so the process drops privileges once it has opened the interface, and -i <interface> if the box has more than one NIC; all of these are described in the option list below.
After starting, look in /var/log/snort: an alert file and portscan.log have been created.
[root@dream etc]# vi /etc/rc.d/rc.local <== to start snort at boot..
# snort 1.9.1
snort -D -d -l /var/log/snort -c /usr/local/snort-1.9.1/etc/snort.conf
Options =========================================
USAGE: snort [-options] <filter options>
Options:
-A <mode> set the alert mode to one of fast, full or none.
unsock sends alerts to a UNIX socket instead (described as experimental at the time).
-a print ARP packets.
-b log packets in tcpdump (binary) format; much faster than the text logs.
-c <rules> use the file <rules> as the rules file.
-C print only the character data of the packet payload, without the hex dump.
-D run snort in daemon mode: it detaches into the background at once and keeps running after the terminal is closed.
-F <bpf> read the BPF filter expression from the file <bpf>.
A BPF filter expression is the same kind of expression tcpdump uses to select which packets to dump.
-g <gname> run with the group id of the group <gname>.
-h <hn> set the home-network variable HOME_NET to <hn>.
-i <if> monitor the network interface <if>, e.g. eth0 or eth1.
-I add the interface name to alert output.
-l <ld> write log data to the directory <ld>.
-n <cnt> process only <cnt> packets, then exit.
-N turn off packet logging; only alerts are recorded.
-o change the rule test order to Pass, Alert, Log (the default is Alert, Pass, Log, so that a pass rule cannot silently suppress an alert).
-O obfuscate IP addresses in the output (useful when sharing logs).
-p do not put the interface into promiscuous mode.
Only packets addressed to the sniffing host's own MAC address, plus broadcasts, are then seen.
-P <snap> set the packet snaplen; the default is 1514.
The snaplen is the maximum number of bytes captured per packet; a larger packet is truncated to the snaplen.
-q quiet: print no banner or status messages.
-r <tf> run the IDS engine over the packets in the tcpdump file <tf>.
-s send alert messages to syslog.
-S <n=v> override a variable from the rules file: set variable n to the value v.
-t <dir> chroot to <dir> after initialisation.
-u <uname> change snort's uid to the user <uname> after initialisation.
-v verbose: print packet information to the console.
-V show version information.
-X dump raw packet data starting at the link layer.
-e print the layer 2 (link) header.
-d dump the application layer.
-? show help.
The <filter options> that follow are BPF filter expressions, exactly as for tcpdump.