5-Amaliy ish. Tarmoq hujumlarni aniqlash tizimlari
Snortni o'rnatish va sozlash
Download 1.77 Mb. Pdf ko'rish
|
5-6AMALIY ISH
|
3. Snortni o'rnatish va sozlash
Boshlash uchun www.snort.org saytidan Snort-ni yuklab oling. Bu yerda hozirda so‘nggi versiyaga to‘g‘ridan-to‘g‘ri havola http://www.snort.org/dl/binaries/linux/snort-1.9.1-1snort.i386 .rpm. Snort-ning turli xil modifikatsiyalari ham mavjud, masalan, MySQL, postgresql, snmp-ni qo'llab-quvvatlash bilan siz bularning barchasini bitta saytdan yuklab olishingiz mumkin va men o'rnatish uchun eng oson dastur sifatida bizning versiyamizni tanladim. O'rnatish juda oddiy: rpm –i snort-1.9.1-1snort.i386.rpm Shundan so'ng, barcha kerakli fayllar tizimga ko'chiriladi. Endi dasturni o'zingiz uchun sozlashingiz kerak, biz buni hozir qilamiz ... Keling, katalogga o'tamiz /etc/snort, bu yerda siz imzo ma'lumotlar bazalarini topishingiz mumkin (aniqrog'i, ularni Snort zararli trafikni aniqlaydigan qoidalar deb atash mumkin) va bir nechta konfiguratsiya fayllari, bizga snort.conf kerak. Bu erda biz HOME_NET, EXTERNAL_NET va boshqalar kabi o'zgaruvchan o'zgaruvchilarni o'rnatamiz ... Buni aniqlash qiyin bo'lmaydi, chunki har bir variant ingliz tilida bo'lsa-da, juda tushunarli sharhlar bilan birga keladi. Konfiguratsiya faylining eng oxirida plagin imzolari mavjud, unumdorlikni oshirish uchun keraksizlarini sharhlash mumkin. Mana mening konfiguratsiyamga misol: # 1-qadam: Tarmoq bilan bog'liq o'zgaruvchilarni sozlash # IP-ni mahalliy tarmoq manzillariga o'zgartiring # Bir nechta diapazonlarni vergul bilan ajratish orqali belgilashingiz mumkin var HOME_NET 192.168.168.0/24 var EXTERNAL_NET !$HOME_NET var DNS_SERVERS $HOME_NET var SMTP_SERVERS $HOME_NET var HTTP_SERVERS $HOME_NET var SQL_SERVERS $HOME_NET var TELNET_SERVERS $HOME_NET var ORACLE_PORTS 1521 var HTTP_PORTS 80 var SHELLCODE_PORTS !80 # Imzolar uchun yo'l var RULE_PATH /etc/snort #Aniqlangan hujum tasnifi va havolalarni o'z ichiga olgan kerakli fayllarni qo'shing # yuk mashinalari classification.config.ni qo'shing reference.config ni o'z ichiga oladi ################################################### # 2-qadam: Hujumni aniqlash mexanizmini o'rnating Old protsessor frag2 preprotsessor oqimi 4: aniqlash_skanerlar, o'chirish_evasion_alerts preprotsessor oqimi4_reassemble preprotsessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace protsessor rpc_decode: 111 32771 preprocessor portscan: $HOME_NET 4 3 portscan.log # Men ushbu parametrni qo'shishga majbur bo'ldim, chunki menda qo'llaniladigan ba'zi maxsus dasturlar Ko'pincha noto'g'ri ijobiy natijalarga olib keladigan # tarmoqlar preprocessor portscan-ignorehosts: 192.168.168.0/24 protsessor arpspoof protsessor suhbati: allow_ip_protocols all, timeout 60, max_conversations 32000 preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, kutish vaqti 60 #################################################################### # 3-qadam: Bizga qaysi imzolar kerakligini belgilang $RULE_PATH/bad-traffic.rules kiriting $RULE_PATH/exploit.rulesni o'z ichiga oladi $RULE_PATH/scan.rulesni o'z ichiga oladi $RULE_PATH/finger.rulesni o'z ichiga oladi $RULE_PATH/ftp.rulesni o'z ichiga oladi $RULE_PATH/dos.rulesni o'z ichiga oladi $RULE_PATH/ddos.rulesni o'z ichiga oladi $RULE_PATH/dns.rulesni o'z ichiga oladi $RULE_PATH/web-cgi.rulesni o'z ichiga oladi # Men statistika uchun keyingi variantni qoldirdim - mening serverim muntazam ravishda IIS xatolari uchun tekshiriladi, # Aniqrog'i, mening serverim emas, balki men ham kiradigan bir qator manzillar :) $RULE_PATH/web-iis.rulesni o'z ichiga oladi $RULE_PATH/web-client.rulesni o'z ichiga oladi $RULE_PATH/web-php.rulesni o'z ichiga oladi $RULE_PATH/sql.rulesni o'z ichiga oladi $RULE_PATH/icmp.rulesni o'z ichiga oladi $RULE_PATH/netbios.rulesni o'z ichiga oladi $RULE_PATH/misc.rulesni o'z ichiga oladi $RULE_PATH/attack-responses.rulesni o'z ichiga oladi $RULE_PATH/mysql.rulesni o'z ichiga oladi $RULE_PATH/pop3.rules kiriting $RULE_PATH/pop2.rulesni o'z ichiga oladi $RULE_PATH/other-ids.rulesni o'z ichiga oladi $RULE_PATH/web-attacks.rulesni o'z ichiga oladi $RULE_PATH/backdoor.rulesni o'z ichiga oladi $RULE_PATH/shellcode.rulesni o'z ichiga oladi Endi hamma narsa Snortni ishga tushirishga tayyor. Uni inittab-ga yozing va u tizimdan boshlanadi. Download 1.77 Mb. Do'stlaringiz bilan baham: 
|