

Анализ трафика

SPAN

Cisco Switch

monitor session 1 source interface f0/1 both
monitor session 1 destination interface f0/2

Unix

server# ifconfig eth1|le1 up

server# tcpdump -ni eth1|le1 -A -s 0 "port 80"

(eth1 — Linux, le1 — FreeBSD: выбрать нужное. Интерфейс, подключенный к SPAN-порту, поднимается без IP-адреса — сенсор только слушает и сам не должен быть виден в анализируемом сегменте. -s 0 — захватывать пакеты целиком, -A — печатать содержимое как текст)

tcpdump, trafshow

Выделение tcp сессий

Анализ трафика для предотвращения атак - пакет Snort

FreeBSD

Периодически надо устанавливать новую версию из портов для поддержки новых правил

[server:~] # pkg_add -r snort

[server:~] # cd /usr/local/etc/snort

[server:~] # cat /usr/local/etc/snort/snort.conf
...
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: alert
...

[server:local/etc/snort] # fetch http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz

(xxxxxxxxxxxxxxxxx — персональный oinkcode с snort.org; это секрет, его не стоит оставлять в истории shell и в общедоступных конфигах. Архив правил лучше забирать по https: по http его можно подменить по дороге, а правила определяют, что сенсор увидит, а что пропустит)

[server:local/etc/snort] # tar -xvf snortrules-snapshot-2.8.tar.gz rules/

!!! Раскомментировать правило: в снапшоте строка с sid:1256 в rules/web-iis.rules может быть закомментирована — убрать ведущий «#», иначе тестовый запрос ниже алерта не даст
[server:local/etc/snort] # cat rules/web-iis.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; metadata:service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:11;)

[server:~] # /usr/local/etc/rc.d/snort rcvar

[server:~] # cat /etc/rc.conf
...
snort_enable=YES
snort_interface=le1

[server:~] # /usr/local/etc/rc.d/snort start
Starting snort.

Ubuntu

root@server:~# apt-get install snort

root@server:~# cat /etc/snort/snort.debian.conf
...
DEBIAN_SNORT_INTERFACE="eth1"
DEBIAN_SNORT_HOME_NET="0.0.0.0/0"
...

(HOME_NET=0.0.0.0/0 — вариант «для стенда». Если в snort.conf EXTERNAL_NET задан как !$HOME_NET, при таком HOME_NET он оказывается пустым и правила вида $EXTERNAL_NET -> $HTTP_SERVERS срабатывать не будут; в рабочей установке указать реальные защищаемые сети, например 192.168.X.0/24)

[server:~] # cat /etc/snort/snort.conf
...
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: alert
...

Проверки

UNIX

# tail -f /var/log/snort/alert

FreeBSD

# tail -f /var/log/messages

Ubuntu

# tail -f /var/log/auth.log

Windows MSIE

http://192.168.X.3/root.exe

(Запрос с рабочей станции должен породить алерт sid:1256 «WEB-IIS CodeRed v2 root.exe access». После подключения Snortsam (sid-block.map: 1256: src, 2 min) тот же запрос на две минуты заблокирует адрес самой рабочей станции — проверять не с того хоста, с которого управляют сервером и маршрутизатором)

Обновление правил snort - пакет oinkmaster

FreeBSD

[server:~] # pkg_add -r oinkmaster

[server:~] # rehash

[server:~] # cd /usr/local/etc/

Ubuntu

root@server:~# apt-get install oinkmaster

root@server:~# cd /etc/

FreeBSD/Ubuntu

server# cat oinkmaster.conf
...
url = http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
...
tmpdir = /var/tmp/
...

(oinkcode в url — секрет: oinkmaster.conf не должен читаться остальными пользователями. Архив правил лучше забирать по https. tmpdir = /var/tmp/ — общий каталог, куда распаковывается архив перед установкой; безопаснее указать каталог, доступный только root)

server# oinkmaster -o /CHANGE/DIR/snort/rules/

(/CHANGE/DIR/snort/rules/ заменить на реальный каталог правил: /usr/local/etc/snort/rules/ для FreeBSD, /etc/snort/rules/ для Ubuntu. Сначала имеет смысл прогнать с ключом -c (careful mode — только показать, что изменится). После обновления правил snort надо перезапустить, иначе продолжает работать старый набор)

Построение отчета о работе snort - пакет snortsnarf (только FreeBSD)

[server:~] # pkg_add -r snortsnarf
[server:~] # cat /usr/local/etc/scripts/snortsnarf.sh
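#!/bin/sh
# Daily snortsnarf report.
#
# Rotates the Snort alert file, builds an HTML report for the previous day
# under the web root, and expires reports older than 60 days.  Meant to be
# run from cron once a day shortly after midnight.  FreeBSD only: `date -v`
# is a BSD extension.
set -u

alert_dir=/var/log/snort
report_root=/usr/local/www/apache22/data/snortsnarf

# Yesterday's date: the alerts being rotated were written during the
# previous day, so the report directory is named after it.
D=$(date -v-1d '+%Y.%m.%d')

# Rotate the alert file.  Snort keeps it open, so it has to be stopped,
# the file moved aside and Snort started again.  This is a short window
# during which nothing is being inspected.
/usr/local/etc/rc.d/snort stop
/bin/mv -- "${alert_dir}/alert" "${alert_dir}/alert."
/usr/local/etc/rc.d/snort start

# Merge every rotated fragment into one per-day file.  The -e test guards
# against the glob matching nothing (e.g. the mv above failed), which would
# otherwise feed the literal pattern to cat and rm.
for frag in "${alert_dir}"/alert.*; do
  [ -e "${frag}" ] || continue
  cat -- "${frag}" >> "${alert_dir}/alert${D}"
  rm -- "${frag}"
done

# -minprio=1: include alerts down to the lowest priority in the report.
/usr/local/bin/snortsnarf -d "${report_root}/${D}/" -minprio=1 "${alert_dir}/alert${D}"

# The raw alert text is discarded; only the HTML report survives.
# NOTE(review): if raw alerts are wanted for later investigation, archive
# (gzip) the file instead of removing it.
rm -- "${alert_dir}/alert${D}"

# Expire report directories older than 60 days.  -mindepth/-maxdepth restrict
# the match to the dated subdirectories, so the report root itself is never
# removed and find does not try to descend into a directory it just deleted.
/usr/bin/find "${report_root}" -mindepth 1 -maxdepth 1 -type d -mtime +60 -exec rm -r -- {} \;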

Блокировка хостов - пакет Snortsam

FreeBSD

[server:~] # pkg_add -r snortsam

[server:~] # more /usr/local/share/doc/snortsam/README.conf

[server:~] # cd /usr/local/etc/snortsam/

Ubuntu

root@server:~# cd /usr/src

root@server:/usr/src# wget http://www.snortsam.net/files/snortsam/snortsam-src-2.69.tar.gz
root@server:/usr/src# tar -xvf snortsam-src-2.69.tar.gz

(архив берется по http без проверки — перед сборкой сверить контрольную сумму с опубликованной на snortsam.net: собранный бинарник ставится в /usr/sbin и получает доступ к учетным данным маршрутизатора)
root@server:/usr/src# cd snortsam/

root@server:/usr/src/snortsam# sh makesnortsam.sh 
root@server:/usr/src/snortsam# cp snortsam /usr/sbin/

root@server:/usr/src/snortsam# mkdir /etc/snortsam
root@server:/usr/src/snortsam# cd /etc/snortsam

Варианты взаимодействия snortsam и cisco

В случае использования aaa new-model требуется пользователь c priv-lvl = 1: snortsam входит под ним, затем переходит в enable (судя по формату строки ciscoacl ниже — host user/pass enable-пароль acl-файл — enable-пароль передается третьим параметром)

Использование списков доступа и протокола telnet

(telnet передает логин, пароль и enable-пароль маршрутизатора открытым текстом — сессия должна идти только по выделенному management-сегменту, недоступному из анализируемой сети)

(nat подменяет обратный адрес: если между атакующим и сенсором стоит NAT, в ACL попадет адрес NAT, и блокировка по src закроет доступ всем, кто за ним)

server# cat snortsam.acl
conf terminal
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.3 eq www
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
server# cat snortsam.conf
daemon
nothreads
accept 127.0.0.1
defaultkey secret
# ciscoacl 192.168.X.2 student/tacacs cisco /usr/local/etc/snortsam/snortsam.acl
# ciscoacl 192.168.X.2 cisco cisco /etc/snortsam/snortsam.acl
logfile /var/log/snortsam.log

(defaultkey secret — общий ключ между snort (output alert_fwsam) и snortsam; «secret» из примера заменить на свой. accept 127.0.0.1 — принимать запросы только с локального хоста; оставить так, если snort на той же машине. Файл содержит пароли маршрутизатора — владелец root, права 600)

FreeBSD:

[server:~] # /usr/local/etc/rc.d/snortsam rcvar

[server:~] # /usr/local/etc/rc.d/snortsam start

Ubuntu:

root@server:~# /usr/sbin/snortsam /etc/snortsam/snortsam.conf
Использование списков доступа и протокола tftp
server# cat /tftpboot/snortsam.acl
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.3 eq www
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
server# cat snortsam.tftp 
copy tftp://192.168.X.1/ running-config

(TFTP не имеет аутентификации: маршрутизатор применит к running-config любой файл, который ему отдадут под этим именем. TFTP-сервер должен принимать запросы только с маршрутизатора, а /tftpboot — быть недоступным на запись никому, кроме snortsam; иначе это прямой путь к подмене конфигурации маршрутизатора)

server# cat snortsam.conf
...
# ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
# ciscoacl 192.168.X.2 student/tacacs cisco snortsam.acl|/etc/snortsam/snortsam.tftp
...
server# cd /tftpboot/

FreeBSD:

[server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf

Ubuntu:

root@server:/tftpboot# snortsam /etc/snortsam/snortsam.conf
Использование null маршрутов
server# cat snortsam.conf
...
cisconullroute 192.168.X.2 student/tacacs cisco
...

Подключение Snort к Snortsam

FreeBSD

[server:~] # cd /usr/ports/security/snort

[server:ports/security/snort] # make config

[server:ports/security/snort] # cat /var/db/ports/snort/options 
...
WITH_SNORTSAM=true
...

[server:ports/security/snort] # make install clean

[server:ports/security/snort] # cd /usr/local/etc/snort/

Ubuntu

http://www.snortsam.net/files/snort-plugin/readme.txt

root@server:~# apt-get install libpcap-dev libpcre3-dev libtool automake autoconf

root@server:~# cd /usr/src
root@server:/usr/src# wget http://www.snortsam.net/files/snort-plugin/snortsam-2.8.6.diff.gz
root@server:/usr/src# gunzip snortsam-2.8.6.diff.gz

root@server:/usr/src# wget http://dl.snort.org/downloads/116
root@server:/usr/src# mv snort-2.8.6.1.tar.gz\?AWSA...  snort-2.8.6.1.tar.gz

root@server:/usr/src# tar -xvf snort-2.8.6.tar.gz
root@server:/usr/src# cd snort-2.8.6

(Обратить внимание на версии: diff от snortsam рассчитан на 2.8.6, а по ссылке скачивается 2.8.6.1. Имя архива в tar и каталог в cd должны совпадать с тем, что реально скачано; патч на другую версию может лечь не полностью — проверить вывод patch на reject. Исходники забираются по http без проверки — сверить контрольную сумму с опубликованной на snort.org)

root@server:/usr/src/snort-2.8.6# patch -p1 < ../snortsam-2.8.6.diff 
root@server:/usr/src/snort-2.8.6# sh autojunk.sh 
root@server:/usr/src/snort-2.8.6# ./configure --prefix /usr/local/snort
root@server:/usr/src/snort-2.8.6# make

root@server:/usr/src/snort-2.8.6# make install
root@server:/usr/src/snort-2.8.6# cp -r etc/ /usr/local/snort/

root@server:~# ln -s /usr/local/snort/lib/snort_dynamicengine /usr/local/lib/snort_dynamicengine
root@server:~# ln -s /usr/local/snort/lib/snort_dynamicpreprocessor /usr/local/lib/snort_dynamicpreprocessor

root@server:~# cd /usr/local/snort/

root@server:/usr/local/snort# wget http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxxxxxxxxxxx/snortrules-snapshot-2.8.tar.gz
root@server:/usr/local/snort# tar -xvf snortrules-snapshot-2.8.tar.gz rules/
root@server:/usr/local/snort# cd /usr/local/snort/etc

Настройка FreeBSD/Ubuntu

server# cat snort.conf
...
output alert_fwsam: 127.0.0.1:898/secret
...
server# cat sid-block.map
1256: src, 2 min

(1256 — sid правила, src — блокировать адрес источника, 2 min — на две минуты. На время отладки держать интервалы короткими: ложное срабатывание блокирует легитимный хост, а при NAT — всех, кто за ним)

!!! Раскомментировать правило !!! (убрать ведущий «#» у строки с sid:1256 в web-iis.rules, если она закомментирована)

server# grep 1256 web-iis.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256;  rev:7;)

server# grep web-application-attack classification.config 
config classification: web-application-attack,Web Application Attack,1

Запуск в Ubuntu

root@server:~# /usr/local/snort/bin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1

(-u snort -g snort — после открытия интерфейса snort сбрасывает привилегии root, -m 027 — umask для создаваемых логов; каталог /var/log/snort должен принадлежать пользователю snort, иначе запись алертов не удастся)