Improving basic skills in installing intrusion detection and prevention systems, using the Snort program as an example


Studying the program and its modes


Date: 31.01.2024
2. Studying the program and its modes
In this section we discuss Snort concepts and commands in detail. We begin this task with a simple command that lists all of the program's switches:
root@lord snort -?
The command produces the following:
-*> Snort! <*-
Version 1.7
By Martin Roesch (roesch@clark.net, www.snort.org)
USAGE: snort [-options]
Options:
-A Set alert mode: fast, full, or none (alert file alerts only)
'unsock' enables UNIX socket logging (experimental).
-a Display ARP packets
-b Log packets in tcpdump format (much faster!)
-c Use Rules File
-C Print out payloads with character data only (no hex)
-d Dump the Application Layer
-D Run Snort in background (daemon) mode
-e Display the second layer header info
-F Read BPF filters from file
-g Run snort gid as 'gname' user or uid after initialization
-h Home network =
-i Listen on interface
-l Log to directory
-n Exit after receiving packets
-N Turn off logging (alerts still work)
-o Change the rule testing order to Pass|Alert|Log
-O Obfuscate the logged IP addresses
-p Disable promiscuous mode sniffing
-P set explicit snaplen [sp? -ed.] of packet (default: 1514)
-q Quiet. Don't show banner and status report
-r Read and process tcpdump file
-s Log alert messages to syslog

As mentioned above, Snort operates in three different modes:


1. Packet sniffer mode: when Snort runs in this mode, it reads and decodes every network packet and dumps it to stdout (your screen). To put Snort into sniffer mode we use the -v switch:
root@lord]# ./snort -v
Note that in this mode only the packet headers are shown. To see both the header and the contents of each packet, enter the following command:
root @lord]# ./snort -X
2. Packet logger mode: this mode records packets to disk, encoding them in ASCII format.
root@lord]# snort -l <directory to log packets to>
3. Intrusion detection mode: alert data is logged by the detection engine (by default to a file named "alert" in the log directory, but syslog, WinPopup messages and other outputs are also possible). The default log directory is /var/log/snort, but it can be changed with the "-l" switch. Now let's look at a typical Snort command for packet analysis:
root @lord]# snort -v -d -e -i eth0 -h 192.168.3.0/24
Here we are looking at the class C subnet range 192.168.3.0-192.168.3.255 (subnet mask 255.255.255.0). To understand what this means, let's analyse the above command in detail:
'-v': sends verbose output to your console.
'-d': dumps the decoded application layer data.
'-e': displays the decoded Ethernet headers.
'-i': specifies the interface to be monitored for packet analysis.
'-h': specifies the home network being protected.
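The five-switch command above is easy to mistype, and Snort will simply refuse to start on a bad interface name, a malformed home network or an unwritable log directory. The wrapper below checks those three arguments before emitting the command line. It is an added example written for this page, not part of the original text or of Snort itself; the interface names, the network and the log directory it is called with are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the original page): validate the arguments of
# "snort -v -d -e -i <iface> -h <net> [-l <dir>]" before running it.

# Return 0 when $1 is a dotted-quad/prefix CIDR such as 192.168.3.0/24.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}; prefix=${1#*/}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # exactly four numeric octets, each in 0..255 (globbing off while splitting)
    oldifs=$IFS; IFS=.; set -f; set -- $ip; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Interface name: letters, digits, '.', '_' or '-', at most 15 characters
# (the Linux IFNAMSIZ limit); anything else is rejected before it reaches a shell.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Print the command line on stdout, or return non-zero without printing one.
# $1 interface, $2 home network CIDR, $3 optional log directory for -l.
snort_cmdline() {
    valid_iface "$1" || { echo "bad interface: $1" >&2; return 1; }
    valid_cidr "$2"  || { echo "bad home network: $2" >&2; return 1; }
    cmd="snort -v -d -e -i $1 -h $2"
    if [ -n "$3" ]; then
        # packet logger mode needs an existing, writable directory
        [ -d "$3" ] && [ -w "$3" ] || { echo "log dir not writable: $3" >&2; return 1; }
        cmd="$cmd -l $3"
    fi
    printf '%s\n' "$cmd"
}

# Demo with the page's sample values; pipe the result into sh to launch Snort.
snort_cmdline eth0 192.168.3.0/24
```

The wrapper only prints the command, so it can be reviewed (or logged) before being executed; rejecting anything other than a plain interface name also keeps the value safe to hand to a shell.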
In the next example we generate alerts in Snort. Snort's alert modes fall into three main groups:
a. Fast: writes each alert to the 'alert' file on a single line, much like syslog.
b. Full: writes alerts to the 'alert' file with the full header decoded.
c. None: generates no alerts. Selecting fast mode, for example, changes the command to:
root @lord]# snort -v -d -e -i eth0 -h 192.168.3.0/24 -A fast
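Because fast mode writes one line per alert, the resulting file can be summarised with standard shell tools, which is usually the first thing an analyst does with it. The script below is an added example, not part of the original page or of Snort; the four alert lines are constructed samples in Snort's one-line fast format, with invented rule IDs and addresses.

```shell
#!/bin/sh
# Added example (not from the original page): summarise "snort -A fast" alerts.
# ALERTS holds constructed sample lines in the fast format; in practice you
# would read /var/log/snort/alert instead.

ALERTS='03/12-10:01:02.000001  [**] [1:1000001:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.3.10 -> 192.168.3.1
03/12-10:01:05.000002  [**] [1:1000002:1] EXAMPLE web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.3.10:40001 -> 192.168.3.20:80
03/12-10:01:09.000003  [**] [1:1000002:1] EXAMPLE web probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.3.10:40002 -> 192.168.3.20:80
03/12-10:02:00.000004  [**] [1:1000001:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.3.55 -> 192.168.3.1'

# Print "count src_ip" pairs, most active source first.
alerts_by_source() {
    printf '%s\n' "$ALERTS" |
    awk '{
        # the source endpoint is the field just before "->"; drop any :port
        for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i-1); break }
        sub(/:[0-9]+$/, "", src)
        n[src]++
    }
    END { for (s in n) printf "%d %s\n", n[s], s }' |
    sort -rn
}

# The single source IP that produced the most alerts.
top_talker() {
    alerts_by_source | head -n 1 | awk '{ print $2 }'
}

# Number of alerts at a given priority (1 is the most severe).
count_priority() {
    printf '%s\n' "$ALERTS" | grep -c "\[Priority: $1\]"
}

# Distinct gid:sid:rev identifiers and messages of the rules that fired.
rules_fired() {
    printf '%s\n' "$ALERTS" |
    sed -n 's/.*\[\*\*\] \[\([0-9:]*\)\] \(.*\) \[\*\*\].*/\1 \2/p' |
    sort -u
}

# Report when run directly.
alerts_by_source
rules_fired
```

To use it on a live sensor, replace the ALERTS literal with `$(cat /var/log/snort/alert)` or read the file in each function; the field positions are the same because fast mode never wraps an alert over several lines.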

The database is protected by copyright © fayllar.org 2024; contact the site administration.