Network Intrusion Detection Using Snort

Translation / 이국현 (errai@hitel.net)

    This document helps the reader build a basic intrusion detection system. It covers configuring a host to run the Snort network intrusion detection system, testing it, and the kinds of intrusion events you can expect to see.

    Snort is a software-based, real-time intrusion detection system developed by Martin Roesch; it alerts the administrator to possible intrusion attempts. Snort warns you, with a record of what was tried, about the methods that crackers armed with ready-to-use exploits use in their attempts to alter or destroy your web pages.

    Until now, intrusion detection tools were commercial and had to be paid for, were not real-time, or were hard to install. Snort is non-commercial and provides a solution for monitoring a small TCP/IP network. It is also easy to use, and packs a lot of functionality into a small footprint.

* What is a Network Intrusion Detection System?

    A Network Intrusion Detection System (NIDS) detects unauthorized connections to a network, or data appearing on it that has no business being there. This differs from a firewall: a firewall applies specific rules to allow or deny particular services or hosts. If network traffic matches a permitted pattern, the service or connection is allowed through, without regard to what the packets contain. An NIDS, on the other hand, captures and closely inspects all traffic, whether or not it was permitted, and generates alerts based on everything it sees at the IP or application level.

    Snort is a lightweight NIDS: it does not interfere with other programs, is easy to configure and run, and takes only a few minutes to install. Snort currently detects more than 1100 potential vulnerabilities. An intrusion detection tool works alongside other security measures; remember that it cannot replace other good security software.

    Snort includes the following features:

    - Pattern-matching based detection of, and alerting on, indicators including buffer overflows,
       stealth port scans, CGI attacks, SMB probes, NetBIOS queries, NMAP and other port scanners,
       well-known backdoors, system vulnerabilities, DDoS clients and much more.

    - Alerts the administrator via syslog, an SMB "WinPopUp" message, or a file.

    - New rules can be written quickly when a vulnerability becomes known.

    - Saves packets from the offending IP address in a human-readable form.

    - Uses "passive traps" to record traffic that should not be seen on the network,
       such as NFS or Napster connections.

    - Can be used on a workstation to monitor a home DSL connection, or on a dedicated
       server to monitor a corporate web site.

    Snort uses the libpcap library, the same library tcpdump uses for packet sniffing. Snort puts the interface into promiscuous mode and decodes every packet that passes on the network; based on each packet and the rules defined in the configuration file, it generates alerts.

* Why use intrusion detection?

    An intrusion detection tool is indispensable on any network. The Internet is constantly evolving, and new vulnerabilities and exploits are discovered regularly. An intrusion detection tool provides an increased level of protection by detecting intruders, and helps you work out how to respond to an attacker's actions.

* Before installing Snort

    There are a few things to decide before you install Snort.

    - Have you obtained approval from your network group to run an intrusion detection tool?

    - Is the system on which you plan to install Snort well secured? Check carefully that it has
       not already been modified by an intruder. For remote access, using OpenSSH
       (http://www.openssh.com) is essential. Reading the Solaris Security FAQ
       (http://www.sunworld.com/sunworldonline/common/f_security-faq.html) and the
       Linux Security HOWTO (http://www.linuxsecurity.com/docs/) will help.

    - Where will you put it? If you simply want to catch port scans or attack attempts directed at
       your home computer, the decision is easy. Deciding where to place it within a group of
       networks is harder.

    - Are the date and time correct? The date and time on the host running Snort must be right.
       Installing the xntpd time server (www.eecis.udel.edu/~ntp/) makes time-related records
       reliable. Even if it is already installed, it may need configuring. Find a suitable time
       server and add an entry like the following to root's crontab.

      00 * * * * root /usr/sbin/ntpdate -u

* Placement of the intrusion detection system

    The device sits between the untrusted external network and the firewall, on the outside of the organization's firewall. This lets Snort detect not only intruders that get through the firewall but also the attempts the firewall blocks.

    Switches, routers and firewalls are placed accordingly. The decision depends on what you actually want to monitor. If you place it on the local side, inside the firewall, it will monitor traffic the firewall has already permitted; it will not, of course, capture the potential masquerading port scans, probes and other kinds of attack that the firewall has already blocked.

* Single Interface

    A single-interface box is the easiest setup. The one interface that listens to network traffic is also the interface from which the system is administered.

    This is the typical setup for a home network user, or for an administrator monitoring an internal network.

* Dual Interface

    In a dual-interface setup, one interface listens to network traffic in promiscuous mode and the other is used for remote administration. This type of setup is used in environments where the same interface cannot also be used to listen to network traffic.

    In this setup the external interface must be well protected, and the internal interface should offer no network services other than ssh.

    <Images Courtesy Network Flight Recorder>

* Installing Snort

    If you download the Snort program as source code, the INSTALL file included in the distribution describes installation and configuration. Compiling, configuring and installing it should be straightforward.
    Red Hat users can use the pre-compiled RPM (http://www.linuxsecurity.com/programs/snort-1.6.2.2-1.i386.rpm). The libpcap-0.4 package must also be installed; the source code and further information are available at ftp://ftp.ee.lbl.gov/libpcap.tar.Z.

* Installing the Snort ruleset

    After installing Snort, download the latest rule file. There are currently two rulesets. The ruleset developed by Jim Forster can be downloaded from http://www.snort.org/snort-files.htm#Rules.

    The other ruleset is developed by Max Vision's ArachNIDS. It can be downloaded from http://dev.whitehats.com/ids/vision.conf and is updated hourly.

    The Max Vision ruleset is especially good because it follows the Common Vulnerabilities and Exposures (CVE) database, which gives specific vulnerabilities consistent names. The following is an excerpt from the CVE Frequently Asked Questions.

    "CVE is a list of information about security vulnerabilities and exposures. It provides consistent names for known problems. The goal of CVE is to make it easier for security tools to share data, by building a database of each vulnerability that the tools can use as a common index."

    If you installed Snort from the RPM, you can download Max Vision's latest ruleset with /usr/sbin/snort-update, a script written by Dave Dittrich. You can also add the following to cron.

    00 00 * * * root /usr/sbin/snort-update -q

    The script is also available from http://www.linuxsecurity.com/programs/snort-update.

    The script needs the wget package installed in order to work. To download the ruleset by hand, fetch http://dev.whitehats.com/ids/vision.conf. On success the script mails the administrator.

    The snort-update script downloads vision.conf.new, which is meant to replace vision.conf, and mails a notice to the local root user (the name differs in earlier versions). Don't forget to rename vision.conf.new to vision.conf.

    You may also want to use the snort.org ruleset in addition to the Max Vision ruleset. It can be downloaded from http://www.snort.org/snort-files.htm#Rules. Information on combining the two rulesets is included below.

    The backdoor-lib, misc-lib, overflow-lib and similar files are included with the source code; they contain a lot of data but are not generally used.

    (Translator's note: I tried to run snort-update, but could not connect to dev.whitehats.com.
                  Also, when Snort is installed from the RPM, a user named snort has to be created
                  before it will run; on Red Hat systems the adduser command does this.
                  And I used a file called vision.rules rather than vision.conf.)

* Declaring the operating variables

    Before starting Snort, a few variables must be declared. The Snort RPM includes a file called rules.base, derived from Max Vision's vision.conf. This small file contains a few variables that define your internal and external networks, and which hosts' port scans should be ignored and which should be detected.
    It can be downloaded from http://www.linuxsecurity.com/programs/rules.base.

    A port scan is defined as TCP connection attempts to more than P ports within T seconds,
    or UDP packets sent to more than P ports within T seconds.
    Martin's "Writing Snort Rules" (http://www.chark.net/~roesch/snort_rules.html) gives a full explanation of port scans.

    You need to supply information about your internal and external networks, and the DNS servers that port-scan detection should ignore.

    The rules.base file looks like this.

    #
    # Taken and modified from "vision.conf", part of Max Vision's
    # ArachNIDs work. See /usr/doc/snort-1.6/README.snort-stuff for more
    # information on how to use this file.

    var INTERNAL 192.168.1.0/24
    var EXTERNAL 63.87.101.0/24
    var DNSSERVERS 63.87.101.90/32 63.87.101.92/32

    preprocessor http_decode: 80 443 8080
    preprocessor minfrag: 128
    preprocessor portscan-ignorehosts: $DNSSERVERS
    preprocessor portscan: $EXTERNAL 3 5 /var/log/snort/portscan.log
    # |
    # Log file (path/name) ----------------------------------+

    # Ruleset, available (updated hourly) from:
    #
    # http://dev.whitehats.com/ids/vision.conf

    # Include the latest copy of Max Vision's ruleset
    include /etc/snort/vision.conf

    #
    # Uncomment the next line if you wish to include the latest
    # copy of the snort.org ruleset. Be sure to download the latest
    # one from http://www.snort.org/snort-files.htm#Rules
    #
    # include /etc/snort/06082k.rules

    #
    # If you wish to monitor multiple INTERNAL networks, you can include
    # another variable that defines the additional network, then include
    # the snort ruleset again. Uncomment the two following lines.
    #
    # var INTERNAL 192.168.2.0/24
    # include /etc/snort/vision.conf

    # include other rules here if you wish.

    If you are using a dialup machine, specify your dialup interface with a /32 subnet mask so that it denotes just that host.

    Additionally, you may want to configure syslogd to keep a dedicated log file for security events, including Snort's. Edit /etc/syslog.conf so that Snort alerts are logged as well.

      /etc/syslog.conf file:

      authpriv.* /var/log/secure.log

      [root@krypton ~]# /usr/bin/killall -HUP syslogd

* Using preprocessors

    Preprocessors are listed so that the data flow is examined before the detection engine applies the ruleset to the packets. They can modify the contents of a packet, and can signal the detection engine not to process a particular packet.

    The http_decode preprocessor: applies to the ports on which web servers are running. (Translator's note: this is the only part of it I could make sense of; the "URI" also looks like a typo.)

    The portscan preprocessor: specifies the host or network directly. A single host is written as an IP address with a 32-bit subnet mask, i.e. /32; a Class C network, for example, is written with /24.

    The portscan-ignorehosts preprocessor, as the name suggests, lists the hosts to ignore, separated by spaces.

    preprocessor portscan-ignorehosts: 63.87.101.90/32 63.87.101.92/32

    If you don't need it, this line can be left out.
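    As an added example (my code, not part of the article or of Snort itself), the Python script below reads a constructed rules.base excerpt in the format shown above, expands its $VARIABLE references, and then applies the port-scan definition from the previous section to a small constructed traffic log: a source is flagged when it reaches more than P distinct ports inside the monitored network within any T-second window, and sources matched by portscan-ignorehosts are never flagged. It assumes, following the article's definition and the sample config, that the "3 5" on the portscan line are the port count and the detection period in seconds, and that the network named there is the one being scanned; all addresses and events are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed rules.base excerpt (assumed addresses, in the style of the file above).
RULES_BASE = """\
var INTERNAL 192.168.1.0/24
var EXTERNAL 63.87.101.0/24
var DNSSERVERS 63.87.101.90/32 63.87.101.92/32
preprocessor portscan-ignorehosts: $DNSSERVERS
preprocessor portscan: $EXTERNAL 3 5 /var/log/snort/portscan.log
"""

# Constructed traffic: (seconds, src, dst, dst_port, proto), one tuple per
# TCP connection attempt or UDP datagram seen on the wire.
EVENTS = [
    # scanner: four ports on one host within 1.5 s -> more than 3 ports in 5 s
    (0.0, "10.0.0.5", "63.87.101.10", 21, "TCP"),
    (0.5, "10.0.0.5", "63.87.101.10", 22, "TCP"),
    (1.0, "10.0.0.5", "63.87.101.10", 23, "TCP"),
    (1.5, "10.0.0.5", "63.87.101.10", 53, "UDP"),
    # slow prober: four ports 10 s apart, never more than 3 inside a 5 s window
    (0.0, "10.0.0.6", "63.87.101.10", 21, "TCP"),
    (10.0, "10.0.0.6", "63.87.101.10", 22, "TCP"),
    (20.0, "10.0.0.6", "63.87.101.10", 23, "TCP"),
    (30.0, "10.0.0.6", "63.87.101.10", 25, "TCP"),
    # DNS server answering many client ports: excluded by portscan-ignorehosts
    (0.0, "63.87.101.90", "63.87.101.10", 1025, "UDP"),
    (0.1, "63.87.101.90", "63.87.101.10", 1026, "UDP"),
    (0.2, "63.87.101.90", "63.87.101.10", 1027, "UDP"),
    (0.3, "63.87.101.90", "63.87.101.10", 1028, "UDP"),
    # same pattern against a network the portscan line does not cover
    (0.0, "10.0.0.8", "192.168.1.5", 21, "TCP"),
    (0.1, "10.0.0.8", "192.168.1.5", 22, "TCP"),
    (0.2, "10.0.0.8", "192.168.1.5", 23, "TCP"),
    (0.3, "10.0.0.8", "192.168.1.5", 25, "TCP"),
]


def parse_rules_base(text):
    """Collect 'var' definitions and the two portscan preprocessor lines,
    expanding $NAME references the way Snort does for its include files."""
    variables = {}
    config = {"ignorehosts": [], "portscan": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        m = re.match(r"preprocessor\s+([\w-]+):\s*(.*)", line)
        if not m:
            continue
        name, args = m.groups()
        args = re.sub(r"\$(\w+)", lambda v: variables[v.group(1)], args)
        if name == "portscan-ignorehosts":
            # strict=False tolerates host bits set in a /24-style spec
            config["ignorehosts"] = [ipaddress.ip_network(a, strict=False)
                                     for a in args.split()]
        elif name == "portscan":
            net, ports, secs, logfile = args.split()
            config["portscan"] = {"network": ipaddress.ip_network(net, strict=False),
                                  "ports": int(ports), "seconds": float(secs),
                                  "logfile": logfile}
    return config


def detect_portscans(config, events):
    """Flag a source that reaches more than P distinct (host, port) targets in
    the monitored network within any T-second window; ignored hosts never trigger."""
    ps = config["portscan"]
    per_src = defaultdict(list)
    for t, src, dst, port, proto in events:
        if ipaddress.ip_address(dst) not in ps["network"]:
            continue
        if any(ipaddress.ip_address(src) in net for net in config["ignorehosts"]):
            continue
        per_src[src].append((t, dst, port, proto))
    alerts = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - t0 <= ps["seconds"]]
            if len({(h[1], h[2]) for h in window}) > ps["ports"]:
                alerts[src] = {"connections": len(window),
                               "hosts": len({h[1] for h in window}),
                               "tcp": sum(1 for h in window if h[3] == "TCP"),
                               "udp": sum(1 for h in window if h[3] == "UDP")}
                break
    return alerts


def format_alert(src, a):
    """Render an alert in the shape of Snort's own spp_portscan status line."""
    return (f"spp_portscan: portscan status from {src}: {a['connections']} connections "
            f"across {a['hosts']} hosts: TCP({a['tcp']}), UDP({a['udp']})")


if __name__ == "__main__":
    cfg = parse_rules_base(RULES_BASE)
    for src, alert in detect_portscans(cfg, EVENTS).items():
        print(format_alert(src, alert))
```

    Running it prints a single status line for 10.0.0.5. The slow prober, the DNS server on the ignore list and the host probing the network outside $EXTERNAL all stay silent, which is exactly what the /32 and /24 notation and the ignore list buy you: the thresholds only make sense once the monitored network and the noisy servers are declared correctly.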

    The minfrag preprocessor checks for fragmented packets (http://www.faqs.org/rfc/rfc1858.txt).

* Testing Snort!

    Now let's run a basic test of the file you configured.

    [root@krypton ~]# snort -d -l /var/log/snort -c /etc/snort/rules.base
    Initializing Network Interface...
    User level filter, protocol ALL, raw packet socket
    Decoding Ethernet on interface eth0
    Initializing Preprocessors!
    -------------------------------------------------
    Keyword | Preprocessor @
    -------------------------------------------------
    http_decode : 0x8053070
    minfrag : 0x8053290
    portscan : 0x8053ce0
    portscan-ignorehosts: 0x8054340
    -------------------------------------------------

    Initializing Plug-ins!
    -------------------------------------------------
    Keyword | Plugin Registered @
    -------------------------------------------------
    content : 0x8052050
    offset : 0x8052080
    depth : 0x80520f0
    nocase : 0x8052160
    flags : 0x8052710
    itype : 0x80528f0
    icode : 0x8052a00
    ttl : 0x8052b10
    id : 0x8052bf0
    ack : 0x8052cd0
    seq : 0x8052dc0
    dsize : 0x8052ec0
    ipopts : 0x8054420
    rpc : 0x8054670
    icmp_id : 0x8054830
    icmp_seq : 0x8054930
    session : 0x8055300
    -------------------------------------------------

    Initializating Output Plugins!
    -------------------------------------------------
    Keyword | Output @
    -------------------------------------------------
    alert_syslog : 0x8054a20
    log_tcpdump : 0x8054ff0
    -------------------------------------------------

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    255 Snort rules read...
    255 Option Chains linked into 140 Chain Headers
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    Performing Rule List Integrity Tests...
    ---------------------------------------
    Alert TCP Chains : OK
    Alert UDP Chains : OK
    Alert ICMP Chains : OK
    Log TCP Chains : Empty list...
    Log UDP Chains : Empty list...
    Log ICMP Chains : Empty list...
    Pass TCP Chains : Empty list...
    Pass UDP Chains : Empty list...
    Pass ICMP Chains : Empty list...
    ---------------------------------------


    -*> Snort! <*-
    Version 1.6
    By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)


    To stop Snort, press Ctrl-C. That is the basic way of running Snort; to run it by hand as a daemon, do the following.

    [root@krypton ~]# /usr/sbin/snort -s -d -D -i eth0 -l /var/log/snort \
    -c /etc/snort/rules.base
    [root@krypton ~]#

    The -D switch runs Snort in the background, as a daemon.
    If you are not using eth0, change it accordingly. If you installed from the RPM, edit the INTERFACE variable in /etc/rc.d/init.d/snortd. RPM users can then start Snort as follows.
    (Translator's note: when installed from the RPM, all the scripts are placed under rc.d, so Snort starts automatically on reboot.)

    [root@krypton ~]# /etc/rc.d/init.d/snortd
    Starting snort: [ OK ]
    [root@krypton ~]# ps awx | grep snort
    9131 ? S 0:04 /usr/sbin/snort -s -d -D -i eth0 -l
    /var/log/snort -c /etc/snort/rules.base
    9149 pts/1 S 0:00 grep snort
    [root@krypton ~]#

* Watching for intrusion attempts

    Once you are satisfied that Snort is working correctly, play the attacker and attack your network yourself, and only "a network that you own!". My attacking host (krypton) is 192.168.100.189 and the victim host is 192.168.200.189. I used nmap, which must be run as root.

    [root@krypton ~]# nmap -p 25,53 -sX -P0 -D 1.2.3.4,5.6.7.8 192.168.200.189

    Starting nmap V. 2.54BETA1 by fyodor@insecure.org (www.insecure.org/nmap/)
    Interesting ports on smtp.mydomain.com (192.168.200.189):
    Port State Service
    25/tcp open smtp
    53/tcp open domain

    Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds

    Put the IP address of a host on your own network in place of 192.168.200.189.
    The /var/log/auth.log file should then look something like this.

    (Translator's note: with the default syslog configuration on Linux, you will see the
                 following in /var/log/secure instead.)

    [root@krypton ~]# /usr/bin/snort2html /var/log/auth.log
    Jun 18 15:57:52 krypton snort[9131]: spp_portscan: PORTSCAN DETECTED from 1.2.3.4
    Jun 18 15:57:52 krypton snort[9131]: spp_portscan: PORTSCAN DETECTED from 5.6.7.8
    Jun 18 15:57:58 krypton snort[9131]: spp_portscan: portscan status from 192.168.1.100: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH
    Jun 18 15:57:58 krypton snort[9131]: spp_portscan: portscan status from 1.2.3.4: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH
    Jun 18 15:57:58 krypton snort[9131]: spp_portscan: portscan status from 5.6.7.8: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH

    The /var/log/snort directory holds detailed information about the intrusion attempts from each host.
    For example:

    [root@krypton ~]# cd /var/log/snort
    [root@krypton snort]# find 192.168.200.189
    192.168.100.189
    192.168.100.189/ICMP_ECHO
    192.168.100.189/ICMP_PORT_UNRCH
    192.168.100.189/TCP:57554-32771
    192.168.100.189/TCP:57555-32771
    [root@krypton ~]#

    Let's look at what the TCP:57554-32771 file shows.

    [root@krypton 192.168.100.189]# cat TCP:57554-32771
    ** MISC-Attempted Sun RPC high port access **
    06/18-00:48:31.928357 192.168.100.189:57554 -> 192.168.200.189:32771
    TCP TTL:42 TOS:0x0 ID:5410
    ***F*P*U Seq: 0x0 Ack: 0x0 Win: 0x400
    00 00 00 00 00 00

    The syslog entry will look something like this.

    Jun 18 00:48:31 krypton snort[8757]: MISC-Attempted Sun RPC high port access: 192.168.100.189:57554 -> 192.168.200.189:32771
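    As an added example (my code, not part of the article or of Snort), here is a small Python parser for the two kinds of syslog record shown above: the spp_portscan "PORTSCAN DETECTED" and "portscan status" lines, and the rule alert with its src:port -> dst:port pair. It groups the records by source address and also picks out sources that report an identical scan status in the same second, which is how the decoy addresses from the nmap -D run above show up in the log. The sample lines are constructed from the article's output, each on one line as syslog writes it, with one non-Snort sshd line added to show that it is skipped.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the syslog records shown above.
SAMPLE_LOG = """\
Jun 18 15:57:52 krypton snort[9131]: spp_portscan: PORTSCAN DETECTED from 1.2.3.4
Jun 18 15:57:52 krypton snort[9131]: spp_portscan: PORTSCAN DETECTED from 5.6.7.8
Jun 18 15:57:58 krypton snort[9131]: spp_portscan: portscan status from 192.168.1.100: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH
Jun 18 15:57:58 krypton snort[9131]: spp_portscan: portscan status from 1.2.3.4: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH
Jun 18 15:57:58 krypton snort[9131]: spp_portscan: portscan status from 5.6.7.8: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH
Jun 18 00:48:31 krypton snort[8757]: MISC-Attempted Sun RPC high port access: 192.168.100.189:57554 -> 192.168.200.189:32771
Jun 18 15:58:01 krypton sshd[9200]: Accepted publickey for admin from 10.0.0.2 port 40000 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"snort\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DETECTED_RE = re.compile(r"^spp_portscan: PORTSCAN DETECTED from (?P<src>[\d.]+)")
STATUS_RE = re.compile(r"^spp_portscan: portscan status from (?P<src>[\d.]+): "
                       r"(?P<conns>\d+) connections across (?P<hosts>\d+) hosts: "
                       r"TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)(?P<flags>.*)$")
ALERT_RE = re.compile(r"^(?P<sig>[^:]+): (?P<src>[\d.]+):(?P<sport>\d+) -> "
                      r"(?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line):
    """Return a dict for a Snort syslog record, or None for any other line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    msg = m.group("msg")
    d = DETECTED_RE.match(msg)
    if d:
        rec.update(kind="detected", src=d.group("src"))
        return rec
    s = STATUS_RE.match(msg)
    if s:
        rec.update(kind="status", src=s.group("src"), conns=int(s.group("conns")),
                   hosts=int(s.group("hosts")), tcp=int(s.group("tcp")),
                   udp=int(s.group("udp")), stealth="STEALTH" in s.group("flags"))
        return rec
    a = ALERT_RE.match(msg)
    if a:
        rec.update(kind="alert", sig=a.group("sig"), src=a.group("src"),
                   sport=int(a.group("sport")), dst=a.group("dst"),
                   dport=int(a.group("dport")))
        return rec
    rec.update(kind="other", msg=msg)   # a Snort line in a shape we don't parse
    return rec


def summarize(text):
    """Group the parsed Snort records by source address."""
    by_src = defaultdict(lambda: {"detected": False, "status": [], "alerts": []})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] == "other":
            continue
        entry = by_src[rec["src"]]
        if rec["kind"] == "detected":
            entry["detected"] = True
        elif rec["kind"] == "status":
            entry["status"].append(rec)
        else:
            entry["alerts"].append(rec)
    return dict(by_src)


def simultaneous_scans(text):
    """Sources whose portscan status lines are identical in the same second.
    Several such sources at once is what decoy scanning looks like in the log;
    only one of them is the real scanner, so treat the others with suspicion."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "status":
            key = (rec["ts"], rec["conns"], rec["hosts"], rec["tcp"], rec["udp"])
            groups[key].append(rec["src"])
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
    print(simultaneous_scans(SAMPLE_LOG))
```

    The point of the last function is the one the nmap -D run makes: the log shows three scanners, but two of them are decoys, so an address appearing in a PORTSCAN DETECTED line is not by itself proof of who scanned you.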

    In addition, snort2html (http://www.linuxsecurity.com/programs/snort2html), a Perl program written by Dan Swan, lets you view the information in HTML; it is worth a look.

    Resources

    - tracks an intruder(http://www.enteract.com/~lspitz/forensics.html)

    - snort internals(http://scorpions.net/~fygrave/misc/snortdoc/)

    - snort download page(http://www.snort.org/snort-files.htm)

    - snort.org(http://www.snort.org/)

    The original of this article is at http://www.linuxsecurity.com/using-snort.html.