Basic Card

Day 12

OSI 7-layer model
  Layer 7 (application layer)
  Layer 6 (presentation layer)
  Layer 5 (session layer)
  Layer 4 (transport layer)
  Layer 3 (network layer)
  Layer 2 (data link layer)
  Layer 1 (physical layer)

Installing Snort
  sudo apt update
  sudo apt upgrade
  sudo apt -y install snort
  snort --version
  snort -v
  cd /etc/snort/rules
  ls                  > local.rules is there
  nano local.rules

Network-layer detection with Snort
  hping3 10.0.2.15 -a 10.0.2.15 --icmp
  tcpdump -i enp0s3 -e icmp
  nano /etc/snort/snort.conf
    # site specific rules
    include $RULE_PATH/local.rules               --> leave this one as it is (the only include that stays enabled)
    #include $RULE_PATH/app-detect.rules         --> change "include" to "#include" for every other rule file
    ...
    #include $RULE_PATH/community-web-php.rules
    (comment out all of them except local.rules)
  snort -A console -q -u snort -g snort -c /etc/snort/snort.conf
  alert icmp any any -> any any (msg:"DetectToIcmp"; sid:1000001;)
  The msg option is mandatory; every rule must carry one.

Network attacks

ICMP flooding attack
  attack: sudo hping3 10.0.2.15 --icmp --flood
  detect: alert icmp any any -> any any (msg:"PingOfDeath"; threshold:type both,track by_src,count 10,seconds 2; sid:1000002;)

nmap scan
  attack: nmap 10.0.2.15 -p 22 -sT
  detect: alert tcp any any -> 10.0.2.15 22 (msg:"nmapScan"; flags:S; sid:1000003;)

SSH
  attack: ssh master@10.0.2.15
  detect: alert tcp any any -> 10.0.2.15 22 (msg:"sshAttack"; content:"SSH"; nocase; sid:1000004;)
  nocase: do not distinguish upper and lower case. It is always used as a pair with content:"...".

Brute force / slowloris
  attack:
    hydra -L user.txt -P pass.txt -f 10.0.2.15 ssh
    hydra -L user.txt -P pass.txt -f 10.0.2.15 ftp
    hydra -L user.txt -P pass.txt -f 10.0.2.15 web
    slowhttptest -H -g -o slowloris -c 4000 -r 100 -i 10 -t GET -p 3 -x 3 -u http://10.0.2.15
  detect:
    alert tcp any any -> 10.0.2.15 21 (msg:"ftpAttack"; content:"user root"; nocase; sid:1000005;)
    alert tcp any any -> 10.0.2.15 22 (msg:"sshBruteForceAttack"; content:"SSH"; nocase; offset:0; depth:4; sid:1000006;)
    alert tcp any any -> 10.0.2.15 80 (msg:"httpBruteForceAttack"; content:"GET / HTTP/1."; nocase; offset:0; depth:13; sid:1000008;)
    alert tcp any any -> 10.0.2.15 80 (msg:"ToDetectSlowlowLorisAttack"; flow:to_server,established; pcre:"/[^\x0d\x0a]\x0d\x0a$/"; threshold:type both,track by_src,count 10,seconds 2; sid:1000007;)
  pcre (Perl Compatible Regular Expressions): Perl-compatible regular expressions
  offset/depth: search for the string only from the given position (offset) and only that many bytes deep (depth); depth must be at least the length of the content
  nocase: do not distinguish upper and lower case. It is always used as a pair with content:"...".
  sid must be unique per rule; Snort refuses to load a rules file with a duplicate sid.

Saving Snort logs to MySQL [Step 1]
  apt update
  apt -y install snort
  apt -y install lrzsz            # rz/sz, for moving files from the local machine to the server
  apt -y install net-tools
  apt update
  apt upgrade
  reboot
  apt -y install build-essential
  apt -y install libpcap-dev libpcre3-dev libdumbnet-dev
  apt -y install mysql-server libmysqlclient-dev mysql-client autoconf libtool
  apt -y install bison flex
  mysql
    CREATE DATABASE snort;
    CREATE USER 'snort'@'localhost' IDENTIFIED BY 'root';
    GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost';
    FLUSH PRIVILEGES;
    exit
  cd /usr/src
  sudo git clone https://github.com/firnsy/barnyard2 barnyard_src
  # (or move the file from the local machine to the server)
  wget https://snort.org/downloads/snort/daq-2.0.7.tar.gz
  tar -xvzf daq-2.0.7.tar.gz
  cd daq-2.0.7
  ./configure && make && make install                     > warnings are shown, but it installs
  touch /etc/snort/sid-msg.map
  cat /etc/snort/snort.conf -n | egrep "output unified2"   > shows lines 550 and 551
  cd ..
  cd barnyard_src
  autoreconf -fvi -I ./m4                                  > generates the build files
  ln -s /usr/include/dumbnet.h /usr/include/dnet.h
  ldconfig
  getconf LONG_BIT                                         > prints 64, i.e. a 64-bit system
  Edit the source files:
    cd src/output-plugins
    nano spo_alert_fwsam.c        > delete the "typedef int socket" line in the middle
    nano spo_database.h           > change my_bool -> bool
    cd ..
    cd ..
  ./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu
  make && make install            > make and make install can be run in a single step

# Check the installation
  /usr/local/bin/barnyard2 -V
      ______   -*> Barnyard2 <*-
     / ,,_  \  Version 2.1.14 (Build 337)
     |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
     + '''' +  (C) Copyright 2008-2013 Ian Firns
  cp /usr/src/barnyard_src/etc/barnyard2.conf /etc/snort/
  mkdir /var/log/barnyard2
  chmod 666 /var/log/barnyard2
  touch /var/log/snort/barnyard2.waldo
  chown snort.snort /var/log/snort/barnyard2.waldo
  cd /usr/src/barnyard_src/schemas
  mysql -p < create_mysql snort
  nano /etc/snort/barnyard2.conf
    output database: log, mysql, user=snort password=root dbname=snort host=localhost
  sudo chmod o-r /etc/snort/barnyard2.conf

Testing
  snort -q -u snort -g snort -c /etc/snort/snort.conf -i enp0s3
  sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
  mysql -u snort -p snort
    select count(*) from event;