1. The most representative intrusion detection system among open-source software
2. A network sniffer built on the libpcap packet-capture library; it is easy to configure and can monitor, log and alert on network traffic that matches intrusion-detection rules
3. Detects a wide range of attacks and scans: overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, etc.
4. Detection rules are updated continuously by the community, and you can write your own, so keeping up with the latest attacks is easy.
Download libpcap (from tcpdump.org)
http://www.tcpdump.org/release/libpcap-0.9.5.tar.gz <- source file
http://www.tcpdump.org/release/libpcap-0.9.5.tar.gz.sig <- signature
http://www.tcpdump.org/tcpdump-workers.asc <- public key
Integrity check: import the public key, then proceed as follows
[root@serv ~]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/89E917F3 2003-02-26
uid tcpdump.org (SIGNING KEY) <tcpdump-workers@tcpdump.org>
sub 2048g/4460BC20 2003-02-26
[root@serv ~]# gpg --edit-key 89E917F3
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/89E917F3 created: 2003-02-26 expires: never usage: CSA
trust: unknown validity: unknown
sub 2048g/4460BC20 created: 2003-02-26 expires: never usage: E
[ unknown] (1). tcpdump.org (SIGNING KEY) <tcpdump-workers@tcpdump.org>
Command> trust
pub 1024D/89E917F3 created: 2003-02-26 expires: never usage: CSA
trust: unknown validity: unknown
sub 2048g/4460BC20 created: 2003-02-26 expires: never usage: E
[ unknown] (1). tcpdump.org (SIGNING KEY) <tcpdump-workers@tcpdump.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 1024D/89E917F3 created: 2003-02-26 expires: never usage: CSA
trust: ultimate validity: unknown
sub 2048g/4460BC20 created: 2003-02-26 expires: never usage: E
[ unknown] (1). tcpdump.org (SIGNING KEY) <tcpdump-workers@tcpdump.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> quit
[root@serv ~]# gpg --verify libpcap-0.9.5.tar.gz.sig libpcap-0.9.5.tar.gz
gpg: Signature made Wed 20 Sep 2006 05:12:01 AM KST using DSA key ID 89E917F3
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "tcpdump.org (SIGNING KEY) <tcpdump-workers@tcpdump.org>"
[root@serv ~]#
Extract the source file, move into its directory, then compile and install from source
[root@serv libpcap-0.9.5]# ./configure && make && make install
Snort download (http://www.snort.org)

http://www.snort.org/dl/current/snort-2.6.1.3.tar.gz
http://www.snort.org/dl/current/snort-2.6.1.3.tar.gz.md5
http://www.snort.org/dl/current/snort-2.6.1.3.tar.gz.sig
http://www.snort.org/dl/pubkeys/public_key_2601

Integrity check
[root@serv ~]# gpg --import public_key_2601
gpg: key FC0308A6: public key "Snort Release Team (Snort Release Team signing key) <releases@snort.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
[root@serv ~]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/89E917F3 2003-02-26
uid tcpdump.org (SIGNING KEY) <tcpdump-workers@tcpdump.org>
sub 2048g/4460BC20 2003-02-26
pub 1024D/FC0308A6 2006-08-22 [expires: 2007-08-22]
uid Snort Release Team (Snort Release Team signing key) <releases@snort.org>
sub 1024g/0D5ABE4E 2006-08-22 [expires: 2007-08-22]
[root@serv ~]#
[root@serv ~]# gpg --edit-key FC0308A6
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/FC0308A6 created: 2006-08-22 expires: 2007-08-22 usage: CSA
trust: unknown validity: unknown
sub 1024g/0D5ABE4E created: 2006-08-22 expires: 2007-08-22 usage: E
[ unknown] (1). Snort Release Team (Snort Release Team signing key) <releases@snort.org>
Command> trust
pub 1024D/FC0308A6 created: 2006-08-22 expires: 2007-08-22 usage: CSA
trust: unknown validity: unknown
sub 1024g/0D5ABE4E created: 2006-08-22 expires: 2007-08-22 usage: E
[ unknown] (1). Snort Release Team (Snort Release Team signing key) <releases@snort.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 1024D/FC0308A6 created: 2006-08-22 expires: 2007-08-22 usage: CSA
trust: ultimate validity: unknown
sub 1024g/0D5ABE4E created: 2006-08-22 expires: 2007-08-22 usage: E
[ unknown] (1). Snort Release Team (Snort Release Team signing key) <releases@snort.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> quit
[root@serv ~]# gpg --verify snort-2.6.1.3.tar.gz.sig snort-2.6.1.3.tar.gz
gpg: Signature made Sat 17 Feb 2007 10:59:56 PM KST using DSA key ID FC0308A6
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2007-08-22
gpg: Good signature from "Snort Release Team (Snort Release Team signing key) <releases@snort.org>"
[root@serv ~]#
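Both verification runs above (libpcap and Snort) end with a human-readable "Good signature" line; the preceding `trust` step only sets the local ownertrust so gpg stops warning that the key is uncertified, it does not prove the key belongs to the project. The script below is an added example, not part of these notes: it accepts a tarball only when gpg's machine-readable status output reports GOODSIG and a VALIDSIG whose fingerprint equals one pinned in the script. The fingerprint value is a constructed placeholder; the real one has to be taken from a second source (project site, mailing list) and pasted in.

```sh
#!/bin/sh
# Added example (not part of the original notes): accept a downloaded tarball
# only when gpg reports a good signature made by the key we pinned.
# The "Good signature from ..." text is meant for people; --status-fd emits
# fixed-format '[GNUPG:] ...' lines that a script can check reliably.

# Fingerprint of the release key verified out of band. CONSTRUCTED placeholder,
# not the real tcpdump.org or Snort key fingerprint; replace before use.
EXPECTED_FPR="0000000000000000000000000000000089E917F3"

# check_status: read '[GNUPG:] ...' status lines on stdin.
# Returns 0 only with GOODSIG and a VALIDSIG whose fingerprint equals
# EXPECTED_FPR; any BADSIG/ERRSIG line fails immediately.
check_status() {
    good=0
    valid=0
    while read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*)
                return 1 ;;
            "[GNUPG:] GOODSIG "*)
                good=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # fields: [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ...
                set -- $line
                if [ "$3" = "$EXPECTED_FPR" ]; then valid=1; fi ;;
        esac
    done
    if [ "$good" -eq 1 ] && [ "$valid" -eq 1 ]; then
        return 0
    fi
    return 1
}

# verify_tarball TARBALL SIGFILE: run gpg non-interactively and feed its
# status output to check_status. Exit status 0 = safe to unpack.
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status
}

# Usage (the key must already be imported, as done in the notes above):
#   verify_tarball libpcap-0.9.5.tar.gz libpcap-0.9.5.tar.gz.sig && tar xzf libpcap-0.9.5.tar.gz
```

A signature that verifies against some other imported key (for example a key that was imported from a mirror by mistake) still produces GOODSIG, so the VALIDSIG fingerprint comparison is the part that actually ties the download to the expected signer.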
Sniffer mode
-v : OSI layers 3-4
-vd : OSI layers 3-7
-vde : OSI layers 2-7
Logging mode
-K : logging format (pcap = binary, ascii = plain text files, none)
IDS mode (requires rules)
-c : configuration file
-D : run as a daemon
[root@serv snort-2.6.1.3]# snort -vde -K ascii
Running in packet logging mode
ERROR:
[!] ERROR: Can not get write access to logging directory "/var/log/snort". <- error because the directory does not exist; create it by hand
(directory doesn't exist or permissions are set incorrectly
or it is not a directory at all)
Fatal Error, Quitting..
[root@serv snort-2.6.1.3]# cd /var/log/snort
-bash: cd: /var/log/snort: No such file or directory
[root@serv snort-2.6.1.3]# cd /var/log/
[root@serv log]# mkdir snort
[root@serv log]# ls
acpid boot.log.2 lastlog messages.2 snort xferlog.1
anaconda.log btmp mail ppp spooler xferlog.2
anaconda.syslog cron maillog prelink.log spooler.1 xinetd.log
anaconda.xlog cron.1 maillog.1 rpmpkgs spooler.2 yum.log
audit cron.2 maillog.2 rpmpkgs.1 vbox
boot.log cups messages rpmpkgs.2 wtmp
boot.log.1 dmesg messages.1 secure xferlog
[root@serv log]#
[root@serv /]# cd /root/snort-2.6.1.3/etc
[root@serv etc]# ls
classification.config Makefile reference.config snort.conf <- configuration file
generators Makefile.am sid threshold.conf
gen-msg.map Makefile.in sid-msg.map unicode.map
[root@serv etc]# mkdir /etc/snort
[root@serv etc]# cp * /etc/snort
[root@serv etc]# cd /etc/snort/
[root@serv snort]# vi snort.conf


[root@serv snort]# snort -c /etc/snort/snort.conf
Running in IDS mode
--== Initializing Snort ==--
Initializing Output Plugins!
Var 'any_ADDRESS' defined, value len = 15 chars, value = 0.0.0.0/0.0.0.0
Var 'lo_ADDRESS' defined, value len = 19 chars, value = 127.0.0.0/255.0.0.0
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /etc/snort/snort.conf
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
Var 'HOME_NET' defined, value len = 15 chars, value = 192.168.58.0/24
Var 'EXTERNAL_NET' defined, value len = 3 chars, value = any
Var 'DNS_SERVERS' defined, value len = 15 chars, value = 192.168.58.0/24
Var 'SMTP_SERVERS' defined, value len = 15 chars, value = 192.168.58.0/24
Var 'HTTP_SERVERS' defined, value len = 15 chars, value = 192.168.58.0/24
Var 'SQL_SERVERS' defined, value len = 15 chars, value = 192.168.58.0/24
Var 'TELNET_SERVERS' defined, value len = 15 chars, value = 192.168.58.0/24
Var 'SNMP_SERVERS' defined, value len = 15 chars, value = 192.168.58.0/24
Var 'HTTP_PORTS' defined, value len = 2 chars, value = 80
Var 'SHELLCODE_PORTS' defined, value len = 3 chars, value = !80
Var 'ORACLE_PORTS' defined, value len = 4 chars, value = 1521
Var 'AIM_SERVERS' defined, value len = 185 chars
[64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9
.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
Var 'RULE_PATH' defined, value len = 16 chars, value = /etc/snort/rules
,-----------[Flow Config]----------------------
| Stats Interval: 0
| Hash Method: 2
| Memcap: 10485760
| Rows : 4099
| Overhead Bytes: 16400(%0.16)
`----------------------------------------------
Frag3 global config:
Max frags: 65536
Fragment memory cap: 4194304 bytes
Frag3 engine config:
Target-based policy: FIRST
Fragment timeout: 60 seconds
Fragment min_ttl: 1
Fragment ttl_limit: 5
Fragment Problems: 1
Bound Addresses: 0.0.0.0/0.0.0.0
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
Session count max: 8192 sessions
Session cleanup count: 5
State alerts: INACTIVE
Evasion alerts: INACTIVE
Scan alerts: INACTIVE
Log Flushed Streams: INACTIVE
MinTTL: 1
TTL Limit: 5
Async Link: 0
State Protection: 0
Self preservation threshold: 50
Self preservation period: 90
Suspend threshold: 200
Suspend period: 30
Enforce TCP State: INACTIVE
Midstream Drop Alerts: INACTIVE
Allow Blocking of TCP Sessions in Inline: ACTIVE
Server Data Inspection Limit: -1
WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using old static flushpoints (0)
Stream4_reassemble config:
Server reassembly: INACTIVE
Client reassembly: ACTIVE
Reassembler alerts: ACTIVE
Zero out flushed packets: INACTIVE
Flush stream on alert: INACTIVE
flush_data_diff_size: 500
Reassembler Packet Preferance : Favor Old
Packet Sequence Overlap Limit: -1
Flush behavior: Small (<255 bytes)
Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
HttpInspect Config:
GLOBAL CONFIG
Max Pipeline Requests: 0
Inspection Type: STATELESS
Detect Proxy Usage: NO
IIS Unicode Map Filename: /etc/snort/unicode.map
IIS Unicode Map Codepage: 1252
DEFAULT SERVER CONFIG:
Server profile: All
Ports: 80 8080 8180
Flow Depth: 300
Max Chunk Length: 500000
Inspect Pipeline Requests: YES
URI Discovery Strict Mode: NO
Allow Proxy Usage: NO
Disable Alerting: NO
Oversize Dir Length: 500
Only inspect URI: NO
Ascii: YES alert: NO
Double Decoding: YES alert: YES
%U Encoding: YES alert: YES
Bare Byte: YES alert: YES
Base36: OFF
UTF 8: OFF
IIS Unicode: YES alert: YES
Multiple Slash: YES alert: NO
IIS Backslash: YES alert: NO
Directory Traversal: YES alert: NO
Web Root Traversal: YES alert: YES
Apache WhiteSpace: YES alert: NO
IIS Delimiter: YES alert: NO
IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Non-RFC Compliant Characters: NONE
Whitespace Characters: 0x09 0x0b 0x0c 0x0d
rpc_decode arguments:
Ports to decode RPC on: 111 32771
alert_fragments: INACTIVE
alert_large_fragments: ACTIVE
alert_incomplete: ACTIVE
alert_multiple_requests: ACTIVE
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Sensitivity Level: Low
Memcap (in bytes): 10000000
Number of Nodes: 36900
ERROR: Unable to open rules file: /etc/snort/rules/local.rules or /etc/snort//etc/snort/rules/local.rules
Fatal Error, Quitting..
[root@serv snort]#
The error occurs because the /etc/snort/rules directory does not exist; create the directory and add rules to it.


On serv, move to the /etc/snort directory
[root@serv snort]# wget ftp://59.5.100.82/snortrules.tar
--14:26:46-- ftp://59.5.100.82/snortrules.tar
=> `snortrules.tar'
Connecting to 59.5.100.82:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> PASV ... done. ==> RETR snortrules.tar ... done.
[ <=> ] 17,848,320 2.60M/s
14:26:52 (2.86 MB/s) - `snortrules.tar' saved [17,848,320]
[root@serv snort]# tar xf snortrules.tar
[root@serv snort]# ls
classification.config Makefile rules snortrules.tar
doc Makefile.am sid threshold.conf
generators Makefile.in sid-msg.map unicode.map
gen-msg.map reference.config snort.conf
[root@serv snort]# cd rules
[root@serv rules]# ls
attack-responses.rules misc.rules snmp.rules
backdoor.rules multimedia.rules snort.conf
bad-traffic.rules mysql.rules spyware-put.rules
chat.rules netbios.rules sql.rules
classification.config nntp.rules telnet.rules
ddos.rules oracle.rules tftp.rules
deleted.rules other-ids.rules threshold.conf
dns.rules p2p.rules unicode.map
dos.rules policy.rules virus.rules
experimental.rules pop2.rules VRT-License.txt
exploit.rules pop3.rules web-attacks.rules
finger.rules porn.rules web-cgi.rules
ftp.rules reference.config web-client.rules
generators rpc.rules web-coldfusion.rules
icmp-info.rules rservices.rules web-frontpage.rules
icmp.rules scan.rules web-iis.rules
imap.rules shellcode.rules web-misc.rules
info.rules sid-msg.map web-php.rules
local.rules smtp.rules x11.rules
[root@serv rules]#
Contains rule definitions for many kinds of attacks
Run snort and check that the process is running
[root@serv rules]# snort -c /etc/snort/snort.conf -D
[root@serv rules]# ps -ef | grep snort
root 1925 1 88 14:28 ? 00:00:09 snort -c /etc/snort/snort.conf -D
root 1928 1858 0 14:29 pts/0 00:00:00 grep snort
[root@serv rules]#
Check whether logs were generated
[root@serv rules]# ls -l /var/log/snort
total 12
drwx------ 2 root root 4096 Mar 30 16:32 192.168.58.1
drwx------ 2 root root 4096 Mar 30 16:33 192.168.58.10
-rw------- 1 root root 0 Apr 2 14:28 alert <- attack-pattern (alert) log
-rw------- 1 root root 270 Mar 30 16:33 ARP
-rw------- 1 root root 0 Mar 30 16:33 PACKET_NONIP
-rw------- 1 root root 0 Apr 2 14:28 snort.log.1175491730 <- packet log
[root@serv rules]#
Both log files are 0 bytes
Attempt an attack on serv from another machine (port scan with nmap)
Install nmap on work
[root@work ~]# rpm -Uvh http://download.insecure.org/nmap/dist/nmap-4.20-1.i386.rpm
Retrieving http://download.insecure.org/nmap/dist/nmap-4.20-1.i386.rpm
Preparing... ########################################### [100%]
1:nmap ########################################### [100%]
[root@work ~]# nmap -v -sS -O 192.168.58.10
[root@serv ~]# ls -l /var/log/snort/
total 80
drwx------ 2 root root 4096 Mar 30 16:32 192.168.58.1
drwx------ 2 root root 4096 Mar 30 16:33 192.168.58.10
-rw------- 1 root root 49934 Apr 2 14:34 alert
-rw------- 1 root root 270 Mar 30 16:33 ARP
-rw------- 1 root root 0 Mar 30 16:33 PACKET_NONIP
-rw------- 1 root root 9612 Apr 2 14:34 snort.log.1175491730
[root@serv ~]#
You can see that the log files have grown.
[root@serv ~]# less /var/log/snort/alert
Check the intrusion detection records (traces of the nmap scan can be found)
http://www.securityfocus.com/bid/4089
Gives the full list of operating systems vulnerable to the SNMP protocol issue.
Almost every Windows version is vulnerable.
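Reading the alert file with less works for a handful of records, but one nmap run already produced 49934 bytes of it above. The script below is an added example, not part of the original notes: it groups a Snort 2.x full-format alert file by source address and signature so a scan shows up as one source with many hits. The sample records it writes are constructed in that layout (sids, sequence numbers and timestamps are illustrative), using the serv/work addresses from these notes.

```sh
#!/bin/sh
# Added example (not from the original notes): summarize a Snort 2.x
# full-format alert file (like /var/log/snort/alert above) by source
# address and signature, most frequent first.

# summarize_alerts FILE: print "count<TAB>source<TAB>signature" lines.
summarize_alerts() {
    awk '
        # Record header: [**] [gid:sid:rev] signature message [**]
        /^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] / {
            msg = $0
            sub(/^\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\] /, "", msg)
            sub(/ \[\*\*\][ \t]*$/, "", msg)
            next
        }
        # Address line: MM/DD-HH:MM:SS.uuuuuu src[:port] -> dst[:port]
        /^[0-9][0-9]\/[0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ && msg != "" {
            src = $2
            sub(/:[0-9]+$/, "", src)        # strip the source port if present
            count[src "\t" msg]++
            msg = ""
        }
        END {
            for (k in count) printf "%d\t%s\n", count[k], k
        }
    ' "$1" | sort -rn
}

# write_sample_alerts FILE: CONSTRUCTED records in the full-alert layout
# (not captured data; sids and packet fields are illustrative).
write_sample_alerts() {
    cat > "$1" <<'EOF'
[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/02-14:34:05.103311 192.168.58.20:41627 -> 192.168.58.10:161
TCP TTL:48 TOS:0x0 ID:4210 IpLen:20 DgmLen:44
******S* Seq: 0x2F1E0D3C  Ack: 0x0  Win: 0x800  TcpLen: 24
[Xref => http://www.securityfocus.com/bid/4089]

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/02-14:34:05.104902 192.168.58.20:41628 -> 192.168.58.10:161
TCP TTL:48 TOS:0x0 ID:4211 IpLen:20 DgmLen:44
******S* Seq: 0x2F1E0D3D  Ack: 0x0  Win: 0x800  TcpLen: 24
[Xref => http://www.securityfocus.com/bid/4089]

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
04/02-14:34:06.220017 192.168.58.20 -> 192.168.58.10
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:161

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/02-14:34:07.000120 192.168.58.20:41640 -> 192.168.58.10:161
TCP TTL:48 TOS:0x0 ID:4230 IpLen:20 DgmLen:44
******S* Seq: 0x2F1E0D50  Ack: 0x0  Win: 0x800  TcpLen: 24
[Xref => http://www.securityfocus.com/bid/4089]

[**] [1:1418:11] SNMP request tcp [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/02-14:40:11.550001 192.168.58.1:1038 -> 192.168.58.10:161
TCP TTL:128 TOS:0x0 ID:9001 IpLen:20 DgmLen:48
******S* Seq: 0x11223344  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
[Xref => http://www.securityfocus.com/bid/4089]
EOF
}

# Stand-alone demo on the constructed sample; on a sensor run
#   summarize_alerts /var/log/snort/alert | head
SAMPLE="${TMPDIR:-/tmp}/snort-alert-sample.$$"
write_sample_alerts "$SAMPLE"
summarize_alerts "$SAMPLE"
rm -f "$SAMPLE"
```

The portscan record from the sfportscan preprocessor has no ports on its address line, which is why the port strip is conditional; the same awk handles both record shapes.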
[root@serv ~]# less /var/log/snort/snort.log.1175491730
"/var/log/snort/snort.log.1175491730" may be a binary file. See it anyway?
It is a binary file, so the contents cannot be read directly. Running snort with the -r option prints it in human-readable plain-text form
[root@serv ~]# snort -r /var/log/snort/snort.log.1175491730 | less
Install a DB server on work
On serv, recompile and install snort (so that it uses the DB)
1 : yum -y install mysql-devel perl-DBD-MySQL
2 : ./configure --with-mysql && make && make install
Caution!! When recompiling, first remove the previously compiled and installed mysql cleanly with the make clean command, and clear the leftovers loaded in memory with the reset command, before installing.
On work: service mysqld start
mysql -u root
useradd aaa
passwd aaa
* SQL statements
DDL (data definition language)... create, alter, drop
DML (data manipulation language)... select, insert, update, delete
DCL (data control language)... grant, revoke, deny
mysqladmin -u root password '12345'
mysql -u root -p
mysql> create database snort;
Query OK, 1 row affected (0.01 sec)
mysql> drop database test;
Query OK, 0 rows affected (0.05 sec)
mysql> use snort
Database changed
mysql> show tables;
Empty set (0.01 sec)
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+---------------------------+
| Tables_in_mysql |
+---------------------------+
| columns_priv |
| db |
| func |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |
| user |
+---------------------------+
15 rows in set (0.02 sec)
mysql> select * from db;
+------+---------+------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+-----------------------+------------------+
| Host | Db | User | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Create_tmp_table_priv | Lock_tables_priv |
+------+---------+------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+-----------------------+------------------+
| % | test | | Y | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y |
| % | test\_% | | Y | Y | Y | Y | Y | Y | N | Y | Y | Y | Y | Y |
+------+---------+------+-------------+-------------+-------------+-------------+-------------+-----------+------------+-----------------+------------+------------+-----------------------+------------------+
2 rows in set (0.00 sec)
mysql>
A table has the two-dimensional structure shown above
To store snort logs:
1. Create the DB -> create database snort;
2. Create the tables
mysql> show databases;
+----------+
| Database |
+----------+
| mysql |
| snort |
| test |
+----------+
3 rows in set (0.01 sec)
mysql> use snort;
Database changed
mysql> show tables;
Empty set (0.00 sec)
mysql>
Move to serv
Check that mysql-server was installed without problems
[root@serv snort-2.6.1.3]# echo $?
0
You have new mail in /var/spool/mail/root
[root@serv snort-2.6.1.3]# cd schemas/
[root@serv schemas]# ls
create_db2 create_mysql create_postgresql Makefile.am
create_mssql create_oracle.sql Makefile Makefile.in
[root@serv schemas]# vi create_mysql
Send it to the root account on work with scp
[root@serv schemas]# scp create_mysql root@192.168.58.20:
root@192.168.58.20's password:
create_mysql 100% 8239 8.1KB/s 00:00
[root@serv schemas]#
Move to work and exit mysql. Check that the create_mysql file was received.
[root@work ~]# ls
anaconda-ks.cfg index.html install.log
create_mysql index.html.1 install.log.syslog
[root@work ~]#
[root@work ~]# mysql -u root -p < create_mysql
Enter password:
ERROR 1046 (3D000) at line 23: No database selected
[root@work ~]#
The error occurs because no DB name was given.
[root@work ~]# mysql -u root -p snort < create_mysql
Enter password:
[root@work ~]#
Connect to the snort database on the mysql server
[root@work ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 25 to server version: 4.1.20
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use snort
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql>
Only the tables exist; they hold no rows yet.
Rows are written only when snort detects an attack.
Move to serv. Run snort.
Since snort has been recompiled and installed to store logs in the database, the configuration must be changed.
[root@serv schemas]# vi /etc/snort/snort.conf
Around line 830, edit as follows
825 # database: log to a variety of databases
826 # ---------------------------------------
827 # See the README.database file for more information about configuring
828 # and using this plugin.
829 #
830 output database: log, mysql, user=snort password=12345 dbname=snort host=192.168.58.20
831 output database: alert, mysql, user=snort password=12345 dbname=snort host=192.168.58.20
832 # output database: log, mysql, user=root password=test dbname=db host=localhost
833 # output database: alert, postgresql, user=snort dbname=snort
834 # output database: log, odbc, user=snort dbname=snort
835 # output database: log, mssql, dbname=snort user=snort password=test
836 # output database: log, oracle, dbname=snort user=snort password=test
[root@work ~]# snort -c /etc/snort/snort.conf
The error occurs because only the root account exists in work's DB.
An account must be created on work.
Register an account on the snort site for tomorrow's class.
On work, start the mysql daemon and connect
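The two output database lines edited above embed the MySQL password of the snort account in snort.conf in clear text, and the ls -l /etc/snort listing later in these notes shows that file as mode 644 (readable by every local user). The check below is an added example, not part of the original notes: it reports active output database lines that carry a password and fails when the file holding them is group- or world-readable. The sample config it writes is a constructed fragment modelled on the lines above.

```sh
#!/bin/sh
# Added example (not from the original notes): find clear-text DB credentials
# in a snort.conf and complain when the file's permissions expose them.

# audit_snort_conf FILE
#   Prints active (uncommented) 'output database:' lines containing a
#   password= token, with the password redacted, and warns about loose
#   permissions. Returns 1 only when such a line exists AND the file is
#   readable by group or others; otherwise 0.
audit_snort_conf() {
    conf="$1"
    cred_re='^[[:space:]]*output[[:space:]]+database:.*password='
    has_cred=0
    if grep -E "$cred_re" "$conf" >/dev/null 2>&1; then
        has_cred=1
        grep -nE "$cred_re" "$conf" | sed 's/password=[^ ]*/password=<redacted>/'
    fi
    # POSIX find: -perm -040 = group read bit set, -perm -004 = other read bit set
    loose=$(find "$conf" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)
    if [ "$has_cred" -eq 1 ] && [ -n "$loose" ]; then
        echo "WARNING: $conf holds DB credentials but is readable by group/others (chmod 600 it)"
        return 1
    fi
    return 0
}

# write_sample_conf FILE: CONSTRUCTED fragment modelled on the lines edited above.
write_sample_conf() {
    cat > "$1" <<'EOF'
# database: log to a variety of databases
output database: log, mysql, user=snort password=12345 dbname=snort host=192.168.58.20
output database: alert, mysql, user=snort password=12345 dbname=snort host=192.168.58.20
# output database: log, mysql, user=root password=test dbname=db host=localhost
EOF
}

# Stand-alone demo: the same file fails at mode 644 and passes at mode 600.
SAMPLE="${TMPDIR:-/tmp}/snort-conf-sample.$$"
write_sample_conf "$SAMPLE"
chmod 644 "$SAMPLE"
audit_snort_conf "$SAMPLE" || echo "audit fails for mode 644, as intended"
chmod 600 "$SAMPLE"
audit_snort_conf "$SAMPLE" && echo "audit passes for mode 600"
rm -f "$SAMPLE"
```

Snort 2.6 runs as root here and only needs to read the file, so chmod 600 /etc/snort/snort.conf costs nothing; the same applies to base_conf.php on work, which holds the same password for the web front end.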
[root@work ~]# service mysqld status
mysqld is stopped
[root@work ~]# service mysqld start
Starting MySQL: [ OK ]
[root@work ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 4.1.20
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from user;
+------------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections |
+------------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
| localhost | root | 2e782c85379a326e | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 |
| work.linuzle.com | root | | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 |
| work.linuzle.com | | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 |
| localhost | | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 |
+------------------+------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
4 rows in set (0.02 sec)
mysql> grant CREATE,SELECT,INSERT,UPDATE,DELETE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.02 sec)
mysql> set password for snort@localhost=PASSWORD('12345');
Query OK, 0 rows affected (0.01 sec)
mysql> grant CREATE,SELECT,INSERT,UPDATE,DELETE on snort.* to snort@192.168.58.10;
Query OK, 0 rows affected (0.01 sec)
mysql> set password for snort@192.168.58.10=PASSWORD('12345');
Query OK, 0 rows affected (0.00 sec)
mysql> select * from user;
+------------------+-------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections |
+------------------+-------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
| localhost | root | 2e782c85379a326e | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 |
| work.linuzle.com | root | | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 |
| work.linuzle.com | | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 |
| localhost | | | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 |
| localhost | snort | 446a12100c856ce9 | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 |
| 192.168.58.10 | snort | 446a12100c856ce9 | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 |
+------------------+-------+------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+
6 rows in set (0.01 sec)
mysql>
Move to serv
[root@serv ~]# snort -c /etc/snort/snort.conf
The command that errored earlier now runs without errors.
Run in the background
[root@serv ~]# snort -c /etc/snort/snort.conf -D
[root@serv ~]# tty
/dev/tty2
Move to work
Try an nmap scan of serv with a spoofed source IP (using the -S option)
[root@serv ~]# nmap -v -sS -O -S 59.5.100.50(spoofed IP) -e eth0 192.168.58.10
Now check the snort database on work.
mysql>use snort;
mysql> show tables;
mysql>select * from data;
mysql>select * from sensor;
mysql>select * from tcphdr;
ps -ef | grep snort
kill -9 4332
Install the packages below to integrate with a web server and an analysis program
Move to work and install the following packages
httpd
php-gd
php-mysql
ADODB <- DB library
BASE
(httpd, php-gd and php-mysql via rpm; ADODB and BASE from source)
yum -y install httpd php-gd php-mysql
Download the ADODB source (http://adodb.sourceforge.net/)
Click download at the top left of the main page
Click "Download from SourceForge"
Download http://downloads.sourceforge.net/adodb/adodb494.tgz
Download the BASE source (http://base.secureideas.net/)
Click download at the top left of the main page
Download http://downloads.sourceforge.net/secureideas/base-1.3.5.tar.gz
[root@work ~]# mv adodb494.tgz /var/www/
[root@work ~]# mv base-1.3.5.tar.gz /var/www/html
[root@work ~]# cd /var/www
[root@work www]# tar xvfz adodb494.tgz
[root@work ~]# cd /var/www/html
[root@work html]# tar xvfz base-1.3.5.tar.gz
[root@work html]# mv base-1.3.5 base
[root@work html]# cd base
[root@work base-1.3.5]# ls
admin base_graph_main.php base_stat_alerts.php help
base_ag_common.php base_hdr1.php base_stat_class.php images
base_ag_main.php base_hdr2.php base_stat_common.php includes
base_common.php base_logout.php base_stat_ipaddr.php index.php
base_conf.php.dist base_main.php base_stat_iplink.php languages
base_db_common.php base_maintenance.php base_stat_ports.php scripts
base_db_setup.php base_payload.php base_stat_sensor.php setup
base_denied.php base_qry_alert.php base_stat_time.php sql
base_footer.php base_qry_common.php base_stat_uaddr.php styles
base_graph_common.php base_qry_form.php base_user.php
base_graph_display.php base_qry_main.php contrib
base_graph_form.php base_qry_sqlcalls.php docs
[root@work base-1.3.5]# cp base_conf.php.dist base_conf.php
[root@work base-1.3.5]# vi base_conf.php
Edit line 48 as follows
$BASE_urlpath = '/base';
Edit line 70
$DBlib_path = '/var/www/adodb';
Leave line 80 as-is since we use mysql. It needs editing if another DB program is used
Edit lines 92-96
$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'snort';
$alert_password = '12345';
Start Apache
Connect from the XP machine with a web browser
http://192.168.58.20/base
Update the snort rules installed on serv
http://oinkmaster.sourceforge.net
Click download on the left
Download http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-2.0.tar.gz
Extract it and move into the directory
[root@serv oinkmaster-2.0]# ls
ChangeLog LICENSE README template-examples.conf
contrib oinkmaster.1 README.gui UPGRADING
FAQ oinkmaster.conf README.templates
INSTALL oinkmaster.pl README.win32
[root@serv oinkmaster-2.0]# cp oinkmaster.conf /etc/snort/
[root@serv oinkmaster-2.0]# cp oinkmaster.pl /usr/local/bin
[root@serv oinkmaster-2.0]# cd contrib
[root@serv contrib]# ls
addmsg.pl create-sidmap.pl oinkgui.pl
addsid.pl makesidex.pl README.contrib
[root@serv contrib]# ./makesidex.pl /etc/snort/rules > /etc/snort/bbb.conf
[root@serv contrib]# vi /root/oinkmaster-2.0/oinkmaster.conf
Uncomment line 52 and edit it
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz
http:// oinkcode
Keep the clock accurate
[root@serv oinkmaster-2.0]# rdate -s time.bora.net
[root@serv oinkmaster-2.0]# ls -l /etc/snort
total 18588
-rw-r--r-- 1 root root 96022 Apr 3 15:29 bbb.conf
-rw-r--r-- 1 root root 3455 Mar 30 16:23 classification.config
drwxr-xr-x 3 1210 1210 4096 Apr 25 2006 doc
-rw-r--r-- 1 root root 1906 Mar 30 16:23 generators
-rw-r--r-- 1 root root 11693 Mar 30 16:23 gen-msg.map
-rw-r--r-- 1 root root 9419 Mar 30 16:23 Makefile
-rw-r--r-- 1 root root 181 Mar 30 16:23 Makefile.am
-rw-r--r-- 1 root root 9283 Mar 30 16:23 Makefile.in
-rw-r--r-- 1 root root 20543 Apr 3 15:27 oinkmaster.conf
-rw-r--r-- 1 root root 548 Mar 30 16:23 reference.config
drwxr-xr-x 2 1210 1210 4096 Apr 25 2006 rules
-rw-r--r-- 1 root root 5 Mar 30 16:23 sid
-rw-r--r-- 1 root root 855741 Mar 30 16:23 sid-msg.map
-rw-r--r-- 1 root root 40580 Apr 2 15:26 snort.conf
-rw-r--r-- 1 root root 17848320 Apr 2 14:26 snortrules.tar
-rw-r--r-- 1 root root 2319 Mar 30 16:23 threshold.conf
-rw-r--r-- 1 root root 53841 Mar 30 16:23 unicode.map
[root@serv oinkmaster-2.0]# ls -l /etc/snort/rules
[root@serv rules]# ls -l /etc/snort/rules
total 3804
-rw-r--r-- 1 1210 1210 5569 Apr 25 2006 attack-responses.rules
-rw-r--r-- 1 1210 1210 78727 Apr 25 2006 backdoor.rules
-rw-r--r-- 1 1210 1210 3734 Apr 25 2006 bad-traffic.rules
-rw-r--r-- 1 1210 1210 8779 Apr 25 2006 chat.rules
-rw-r--r-- 1 1210 1210 3521 Apr 25 2006 classification.config
-rw-r--r-- 1 1210 1210 7454 Apr 25 2006 ddos.rules
-rw-r--r-- 1 1210 1210 263499 Apr 25 2006 deleted.rules
-rw-r--r-- 1 1210 1210 6808 Apr 25 2006 dns.rules
-rw-r--r-- 1 1210 1210 6497 Apr 25 2006 dos.rules
-rw-r--r-- 1 1210 1210 1327 Apr 25 2006 experimental.rules
-rw-r--r-- 1 1210 1210 46325 Apr 25 2006 exploit.rules
-rw-r--r-- 1 1210 1210 4227 Apr 25 2006 finger.rules
-rw-r--r-- 1 1210 1210 24037 Apr 25 2006 ftp.rules
-rw-r--r-- 1 1210 1210 1906 Apr 25 2006 generators
-rw-r--r-- 1 1210 1210 16474 Apr 25 2006 icmp-info.rules
-rw-r--r-- 1 1210 1210 5405 Apr 25 2006 icmp.rules
-rw-r--r-- 1 1210 1210 20544 Apr 25 2006 imap.rules
-rw-r--r-- 1 1210 1210 2762 Apr 25 2006 info.rules
-rw-r--r-- 1 1210 1210 199 Apr 25 2006 local.rules
-rw-r--r-- 1 1210 1210 21417 Apr 25 2006 misc.rules
-rw-r--r-- 1 1210 1210 3722 Apr 25 2006 multimedia.rules
-rw-r--r-- 1 1210 1210 6267 Apr 25 2006 mysql.rules
-rw-r--r-- 1 1210 1210 1521873 Apr 25 2006 netbios.rules
-rw-r--r-- 1 1210 1210 4959 Apr 25 2006 nntp.rules
-rw-r--r-- 1 1210 1210 173640 Apr 25 2006 oracle.rules
-rw-r--r-- 1 1210 1210 2239 Apr 25 2006 other-ids.rules
-rw-r--r-- 1 1210 1210 8085 Apr 25 2006 p2p.rules
-rw-r--r-- 1 1210 1210 8716 Apr 25 2006 policy.rules
-rw-r--r-- 1 1210 1210 2080 Apr 25 2006 pop2.rules
-rw-r--r-- 1 1210 1210 11728 Apr 25 2006 pop3.rules
-rw-r--r-- 1 1210 1210 5910 Apr 25 2006 porn.rules
-rw-r--r-- 1 1210 1210 608 Apr 25 2006 reference.config
-rw-r--r-- 1 1210 1210 53125 Apr 25 2006 rpc.rules
-rw-r--r-- 1 1210 1210 3776 Apr 25 2006 rservices.rules
-rw-r--r-- 1 1210 1210 4944 Apr 25 2006 scan.rules
-rw-r--r-- 1 1210 1210 5572 Apr 25 2006 shellcode.rules
-rw-r--r-- 1 1210 1210 653201 Apr 25 2006 sid-msg.map
-rw-r--r-- 1 1210 1210 29816 Apr 25 2006 smtp.rules
-rw-r--r-- 1 1210 1210 5771 Apr 25 2006 snmp.rules
-rw-r--r-- 1 1210 1210 34137 Apr 25 2006 snort.conf
-rw-r--r-- 1 1210 1210 137117 Apr 25 2006 spyware-put.rules
-rw-r--r-- 1 1210 1210 20533 Apr 25 2006 sql.rules
-rw-r--r-- 1 1210 1210 6442 Apr 25 2006 telnet.rules
-rw-r--r-- 1 1210 1210 4005 Apr 25 2006 tftp.rules
-rw-r--r-- 1 1210 1210 2319 Apr 25 2006 threshold.conf
-rw-r--r-- 1 1210 1210 53841 Apr 25 2006 unicode.map
-rw-r--r-- 1 1210 1210 4870 Apr 25 2006 virus.rules
-rw-r--r-- 1 1210 1210 16724 Apr 25 2006 VRT-License.txt
-rw-r--r-- 1 1210 1210 1470 Apr 25 2006 web-attacks.rules
-rw-r--r-- 1 1210 1210 105756 Apr 25 2006 web-cgi.rules
-rw-r--r-- 1 1210 1210 93018 Apr 25 2006 web-client.rules
-rw-r--r-- 1 1210 1210 10867 Apr 25 2006 web-coldfusion.rules
-rw-r--r-- 1 1210 1210 10481 Apr 25 2006 web-frontpage.rules
-rw-r--r-- 1 1210 1210 41503 Apr 25 2006 web-iis.rules
-rw-r--r-- 1 1210 1210 105432 Apr 25 2006 web-misc.rules
-rw-r--r-- 1 1210 1210 37701 Apr 25 2006 web-php.rules
-rw-r--r-- 1 1210 1210 1429 Apr 25 2006 x11.rules
[root@serv rules]#
These rules are somewhat old (last year's rules).
Change the ownership of the /etc/snort directory to root
[root@serv snort]# chown -R root.root /etc/snort
Try an update
[root@serv snort]# oinkmaster.pl --help
Unknown option: h
Oinkmaster v2.0, Copyright (C) 2001-2006 Andreas Östling <andreaso@it.su.se>
Usage: oinkmaster.pl -o <outdir> [options]
<outdir> is where to put the new files.
This should be the directory where you store your Snort rules.
Options:
-b <dir> Backup your old rules into <dir> before overwriting them
-c Careful mode (dry run) - check for changes but do not update anything
-C <file> Use this configuration file instead of the default
May be specified multiple times to load multiple files
-e Enable all rules that are disabled by default
-h Show this usage information
-i Interactive mode - you will be asked to approve the changes (if any)
-m Minimize diff when printing result by removing common parts in rules
-q Quiet mode - no output unless changes were found
-Q Super-quiet mode - like -q but even more quiet
-r Check for rules files that exist in the output directory
but not in the downloaded rules archive
-s Leave out details in rules results, just print SID, msg and filename
-S <file> Look for new variables in this file in the downloaded archive instead
of the default (snort.conf). Used in conjunction with -U.
May be specified multiple times to search multiple files.
-T Config test - just check configuration file(s) for errors/warnings
-u <url> Download from this URL instead of URL(s) in the configuration file
(http|https|ftp|file|scp:// ... .tar.gz|.gz, or dir://<dir>)
May be specified multiple times to grab multiple rules archives
-U <file> Merge new variables from downloaded snort.conf(s) into <file>
-v Verbose mode (debug)
-V Show version and exit
[root@serv snort]# oinkmaster.pl -o /etc/snort/rules/ -C /etc/snort/oinkmaster.conf -C /etc/snort/bbb.conf
Configure the automatic rule update job to run every Tuesday at 4:57 PM.
[root@serv bin]# vi /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
56 16 * * 2 root /usr/local/bin/oinkmaster.pl -o /etc/snort/rules -C /etc/snort/oinkmaster.conf -C /etc/snort/bbb.conf
[root@serv bin]# service crond restart
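Because the cron job above replaces rule files unattended, it is worth reviewing what each run actually changed. The Python script below is an added example, not part of the original page or of oinkmaster itself; it assumes oinkmaster was run with `-b <dir>` so the previous rules are kept for comparison, and the rule lines in it are constructed samples.

```python
# Added example (not from the original page): review what an unattended
# oinkmaster cron update changed by diffing the backup it keeps with
# "-b <dir>" against the live rules directory, SID by SID.
import re

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')

def parse_rules(text):
    """Map sid -> (enabled, rule_body). A leading '#' marks a rule that is
    shipped but disabled; such rules are kept so toggles can be reported."""
    rules = {}
    for line in text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if not m:
            continue                      # blank line or comment without a SID
        enabled = not stripped.startswith('#')
        rules[int(m.group(1))] = (enabled, stripped.lstrip('# ').strip())
    return rules

def diff_rules(old_text, new_text):
    """Classify every SID as added, removed, modified, enabled or disabled."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    report = {k: [] for k in ('added', 'removed', 'modified', 'enabled', 'disabled')}
    for sid in sorted(set(old) | set(new)):
        if sid not in old:
            report['added'].append(sid)
        elif sid not in new:
            report['removed'].append(sid)
        else:
            (o_en, o_body), (n_en, n_body) = old[sid], new[sid]
            if o_body != n_body:
                report['modified'].append(sid)   # content or rev changed
            if o_en != n_en:
                report['enabled' if n_en else 'disabled'].append(sid)
    return report

# Constructed sample rule sets standing in for the backup and the updated file.
OLD_RULES = """\
alert tcp any any -> any 21 (msg:"FTP test"; content:"USER"; sid:1000001; rev:1;)
# alert tcp any any -> any 80 (msg:"WEB test"; content:"/cgi-bin/"; sid:1000002; rev:1;)
alert icmp any any -> any any (msg:"ICMP test"; sid:1000003; rev:1;)
"""
NEW_RULES = """\
alert tcp any any -> any 21 (msg:"FTP test"; content:"USER"; sid:1000001; rev:2;)
alert tcp any any -> any 80 (msg:"WEB test"; content:"/cgi-bin/"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS test"; sid:1000004; rev:1;)
"""
```

In real use, feed `diff_rules` the contents of the same-named file from the backup directory and from /etc/snort/rules, one file at a time.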