Practical work 5. Network intrusion detection systems


Installing and configuring Snort


Date: 16.04.2023

3. Installing and configuring Snort
To begin, download Snort from www.snort.org. At the moment there is a direct link to the latest version: http://www.snort.org/dl/binaries/linux/snort-1.9.1-1snort.i386.rpm. There are also various builds of Snort, for example with MySQL, PostgreSQL or SNMP support; all of them can be downloaded from the same site. I chose this version as the easiest one to install.
Installation is very simple:
rpm -i snort-1.9.1-1snort.i386.rpm
After that all the necessary files are copied into the system.
Now the program has to be configured for your own needs, which we will do now. Go to the directory /etc/snort, where you will find the signature databases (more precisely, the rules by which Snort detects malicious traffic) and several configuration files; the one we need is snort.conf. Here we set variables such as HOME_NET, EXTERNAL_NET and others. This is not hard to figure out, since every option, although in English, comes with very clear comments. At the very end of the configuration file are the signature (rule file) includes; the ones you do not need can be commented out to improve performance.
Here is an example of my configuration:

# Step 1: Set the network-related variables

# Change the IP range to your local network addresses
# Several ranges can be specified, separated by commas
var HOME_NET 192.168.168.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var ORACLE_PORTS 1521
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
# Path to the signatures
var RULE_PATH /etc/snort
# Include the required files containing the classification of detected attacks
# and the references for them
include classification.config
include reference.config
###################################################
# Step 2: Configure the attack detection mechanism (preprocessors)
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor portscan: $HOME_NET 4 3 portscan.log
# I had to add this option because some special programs used on my
# network often produced false positives
preprocessor portscan-ignorehosts: 192.168.168.0/24
preprocessor arpspoof
preprocessor conversation: allow_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
####################################################################
# Step 3: Specify which signatures we need
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/web-cgi.rules
# I left the next one in for statistics: my server is regularly probed for IIS flaws,
# or rather not my server but a range of addresses that I happen to belong to :)
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
Now everything is ready to start Snort. Add it to inittab and it will start together with the system.
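As an added example (not part of the lab text or of Snort itself), a small Python checker for the snort.conf fragment above: it resolves the var definitions, expands $VAR references including the !$HOME_NET negation, and reports any $VAR used by an include or preprocessor line that was never defined, so a typo such as $RULES_PATH is caught before Snort is started. SAMPLE_CONF is a constructed, shortened copy of the configuration with one deliberate mistake.

```python
import re

# Constructed sample (not from the page): a shortened copy of the configuration
# above with one deliberate mistake, $RULES_PATH instead of $RULE_PATH.
SAMPLE_CONF = """\
# Step 1: network variables
var HOME_NET 192.168.168.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var HTTP_PORTS 80
var RULE_PATH /etc/snort
include classification.config
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: 192.168.168.0/24
include $RULE_PATH/bad-traffic.rules
include $RULES_PATH/scan.rules
"""

VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def parse_conf(text):
    """Return (resolved variables, preprocessor lines, include paths, errors)."""
    variables, preprocessors, includes, errors = {}, [], [], []

    def expand(value, lineno):
        # Replace every $NAME with its definition; record names never defined.
        def sub(match):
            name = match.group(1)
            if name not in variables:
                errors.append(f"line {lineno}: ${name} is not defined")
                return match.group(0)
            return variables[name]
        return VAR_REF.sub(sub, value)

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "var":
            name, _, value = rest.strip().partition(" ")
            variables[name] = expand(value.strip(), lineno)
        elif keyword == "include":
            includes.append(expand(rest.strip(), lineno))
        elif keyword == "preprocessor":
            preprocessors.append(expand(rest.strip(), lineno))
    if variables.get("HOME_NET", "any") == "any":
        errors.append("HOME_NET is 'any': EXTERNAL_NET (!$HOME_NET) matches nothing")
    return variables, preprocessors, includes, errors
```

Run it over your real snort.conf before adding Snort to inittab; an empty error list means every variable used by the includes and preprocessors is defined.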
