Practical exercise: attack detection with Snort


Page 6/15
Date: 18.06.2023

3. Installing and configuring Snort

To begin, download Snort from www.snort.org. At the moment the direct link to the latest version is http://www.snort.org/dl/binaries/linux/snort-1.9.1-1snort.i386.rpm. There are also various Snort builds, for example with MySQL, PostgreSQL or SNMP support; all of them can be downloaded from the same site, and I chose our version as the easiest one to install.

Installation is very simple:

rpm -i snort-1.9.1-1snort.i386.rpm

After that, all the required files are copied into the system.

Now the program has to be configured for your environment, which is what we will do next. Go to the /etc/snort directory, where you will find the signature databases (more precisely, they should be called rules: this is what Snort uses to detect malicious traffic) and several configuration files; the one we need is snort.conf. Here we set variables such as HOME_NET, EXTERNAL_NET and so on. This is not hard to work out, because every option comes with very clear comments, albeit in English. At the very end of the configuration file are the signature includes; unnecessary ones can be commented out to improve performance.

Here is an example of my configuration:

# Step 1: Set the network-related variables
# Change the IP to your local network addresses
# You can specify several ranges by separating them with commas
var HOME_NET 192.168.168.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var ORACLE_PORTS 1521
var HTTP_PORTS 80
var SHELLCODE_PORTS !80

# Path to the signatures
var RULE_PATH /etc/snort

# Include the required files containing the classification of detected attacks and references
include classification.config
include reference.config

###################################################

# Step 2: Configure the attack detection engine

preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor portscan: $HOME_NET 4 3 portscan.log
# I had to add this option because some special programs used on my
# network often caused false positives
preprocessor portscan-ignorehosts: 192.168.168.0/24
preprocessor arpspoof
preprocessor conversation: allow_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# Specify which signatures we need
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/web-cgi.rules

# I left the next option in for statistics: my server is regularly scanned for IIS bugs,
# or rather not my server but a number of addresses that I also log in to :)
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/mysql.rules

include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules

Now everything is ready to launch Snort. Add it to inittab and it will start together with the system.
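Before starting Snort it is worth checking that the snort.conf variables and includes actually resolve, since a typo in $RULE_PATH or an undefined variable silently leaves rule files unloaded. The following checker is an added example, not part of the exercise or of Snort itself; it parses the var, include and preprocessor directives of a Snort 1.x style config (the sample text is constructed, modelled on the configuration above) and reports undefined variables and missing rule files.

```python
import os
import re

# Constructed sample snort.conf fragment, modelled on the configuration above.
SAMPLE_CONF = """\
# Step 1: network variables
var HOME_NET 192.168.168.0/24
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
var RULE_PATH /etc/snort
preprocessor portscan: $HOME_NET 4 3 portscan.log
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/web-iis.rules
include $UNDEFINED_PATH/foo.rules
"""

VAR_RE = re.compile(r"\$(\w+)")


def parse_snort_conf(text):
    """Return (variables, includes, preprocessors, problems) for a snort.conf text.
    Variables are expanded in definition order, so later lines may use earlier vars."""
    variables, includes, preprocessors, problems = {}, [], [], []

    def expand(value, lineno):
        def sub(match):
            name = match.group(1)
            if name not in variables:
                problems.append(f"line {lineno}: undefined variable ${name}")
                return match.group(0)          # leave unresolved reference visible
            return variables[name]
        return VAR_RE.sub(sub, value)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # strip comments and blank lines
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            variables[parts[1]] = expand(parts[2], lineno)
        elif parts[0] == "include" and len(parts) >= 2:
            includes.append(expand(" ".join(parts[1:]), lineno))
        elif parts[0] == "preprocessor" and len(parts) >= 2:
            preprocessors.append(expand(" ".join(parts[1:]), lineno))
        else:
            problems.append(f"line {lineno}: unrecognised directive {parts[0]!r}")
    return variables, includes, preprocessors, problems


def missing_rule_files(includes):
    """Included rule files that do not exist on disk (Snort would fail or skip them)."""
    return [path for path in includes if not os.path.isfile(path)]
```

Run it against your real /etc/snort/snort.conf by passing the file contents to parse_snort_conf and feeding the returned includes to missing_rule_files.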

