Snort
Snort, an open-source IDS, is deployed to detect unauthorized access coming from the Internet side.
As shown in the network diagram on the top page, KAJUKAJU.net has a NIC connected to the Internet side in stealth mode, so every packet on that segment can be captured.
This layout also means that access from the internal network to the server is entirely outside the scope of detection.
Put the NIC into stealth mode (up, but with ARP disabled and no IP address):
# /sbin/ifconfig eth0 -arp up
○ Before stealthing
# /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:aa:11:bb:22:cc
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Base address:0x4f00
○ After stealthing
# /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:aa:11:bb:22:cc
UP BROADCAST RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Base address:0x4f00
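As an added example (not from the original page), a small Python check for the stealth posture described above: it parses net-tools style ifconfig output like the listings shown here and reports whether the interface is UP, has NOARP set and carries no IPv4 address. The eth0 samples are the page's two listings; the eth1 sample is constructed for contrast.

```python
import re

# Constructed samples: the two ifconfig outputs shown above (before/after
# "ifconfig eth0 -arp up") and a made-up eth1 management interface for contrast.
BEFORE = """eth0 Link encap:Ethernet HWaddr 00:aa:11:bb:22:cc
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
"""
AFTER = """eth0 Link encap:Ethernet HWaddr 00:aa:11:bb:22:cc
UP BROADCAST RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
"""
MGMT = """eth1 Link encap:Ethernet HWaddr 00:aa:11:bb:22:dd
inet addr:192.0.2.10 Bcast:192.0.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
"""

def parse_ifconfig(text):
    """Return (flags, ipv4) from net-tools style ifconfig output for one interface."""
    flags, ipv4 = set(), None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"inet addr:(\S+)", line)
        if m:
            ipv4 = m.group(1)
        if re.search(r"\bMTU:\d+", line):
            # Flag tokens (UP, NOARP, PROMISC, ...) precede "MTU:" on this line.
            flags = set(line.split("MTU:")[0].split())
    return flags, ipv4

def stealth_findings(text):
    """Deviations from the stealth posture; an empty list means the NIC is stealth.

    PROMISC is deliberately not required here: the syslog later on this page
    shows the kernel enabling promiscuous mode only when Snort opens the NIC.
    """
    flags, ipv4 = parse_ifconfig(text)
    findings = []
    if "UP" not in flags:
        findings.append("interface is not UP")
    if "NOARP" not in flags:
        findings.append("ARP is enabled (run: ifconfig eth0 -arp up)")
    if ipv4 is not None:
        findings.append("IPv4 address %s is assigned, NIC is addressable" % ipv4)
    return findings

def is_stealth(text):
    return not stealth_findings(text)
```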
Snort runs the NIC in promiscuous mode so that it can also process packets not addressed to the host itself. Install libpcap from source.
$ wget http://www.tcpdump.org/release/libpcap-0.9.4.tar.gz
$ tar xvzf libpcap-0.9.4.tar.gz
$ cd libpcap-0.9.4
$ ./configure
$ make
# make install
Create a dedicated user for running Snort.
# groupadd -g 20003 snort
# useradd -u 20003 -g 20003 -s /sbin/nologin -d /dev/null snort
Obtain the source from the official Snort site and install it. The build is configured with MySQL support so that the alerts Snort detects are stored in MySQL.
$ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
$ tar xvzf snort-2.4.3.tar.gz
$ cd snort-2.4.3
$ ./configure --prefix=/usr/local/snort \
--with-mysql=/usr/local/mysql
$ make
# make install
Copy the Snort-related files into the installation directory.
# cp -R contrib/ doc/ etc/ templates/ /usr/local/snort
Change the ownership of the installation directory to the snort user.
# chown -R snort:snort /usr/local/snort
Create the Snort database in MySQL.
# /usr/local/mysql/bin/mysqladmin -u root -p create database
Enter password:********
# /usr/local/mysql/bin/mysql -u root -p database < schemas/create_mysql
Enter password:********
Verify the database that was created.
$ /usr/local/mysql/bin/mysql -u root -p database
mysql> show tables;
+-------------------+
| Tables_in_snortdb |
+-------------------+
| data              |
| detail            |
| encoding          |
| event             |
| icmphdr           |
| iphdr             |
| opt               |
| reference         |
| reference_system  |
| schema            |
| sensor            |
| sig_class         |
| sig_reference     |
| signature         |
| tcphdr            |
| udphdr            |
+-------------------+
16 rows in set (0.00 sec)
Set the password Snort uses when connecting to the database.
mysql> GRANT ALL ON database.* TO username@localhost IDENTIFIED BY '********';
Query OK, 0 rows affected (0.16 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.09 sec)
Obtain the rule set from the official Snort site. User registration is required beforehand.
$ wget http://www.snort.org/pub-bin/oinkmaster.cgi/xxxxx.....xxxxx/snortrules-snapshot-2.4.tar.gz
Configure Snort.
# cp snortrules-snapshot-2.4.tar.gz /usr/local/snort
# cd /usr/local/snort
# tar xvzf snortrules-snapshot-2.4.tar.gz
# cd rules
# mv classification.config gen-msg.map generators reference.config sid sid-msg.map snort.conf threshold.conf unicode.map ../etc/
/usr/local/snort/etc/snort.conf
output database: log, mysql, user=username password=******** dbname=database host=localhost
Create the startup script.
/etc/rc.d/init.d/snortd
#!/bin/sh
# $Id: snortd,v 1.13 2003/10/03 12:17:01 dwittenb Exp $
#
# snortd        Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 90 60
# description: snort is a lightweight network intrusion detection tool that \
#              currently detects more than 1100 host and network \
#              vulnerabilities, portscans, backdoors, and more.
#
# Source function library.
. /etc/rc.d/init.d/functions

RETVAL=0
prog="snort"
# HOME_NET is set to the WAN address, looked up from an external IP-check page
# each time the service starts; if that lookup fails, WAN_IP is left empty.
WAN_IP=`wget -q -O - http://ieserver.net/ipcheck.shtml`

# See how we were called.
start() {
    echo -n $"Starting $prog: "
    daemon "/usr/local/snort/bin/snort -D -i eth0 -S HOME_NET=$WAN_IP -u snort -g snort -c /usr/local/snort/etc/snort.conf"
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/snortd
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc snort
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/snortd
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        stop
        start
        RETVAL=$?
        ;;
    status)
        status snort
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|reload}"
        RETVAL=1
esac
exit $RETVAL
Register the startup script.
# chmod 755 /etc/rc.d/init.d/snortd
# /sbin/chkconfig --add snortd
# /sbin/chkconfig --list snortd
snortd 0:オフ 1:オフ 2:オン 3:オン 4:オン 5:オン 6:オフ
Start Snort.
# /usr/local/snort/bin/snort -u snort -g snort -i eth0 -c /usr/local/snort/etc/snort.conf -D
If an error like the following appears at startup, the shared library cannot be found.
snort: error while loading shared libraries: libmysqlclient.so.14: cannot open shared object file: No such file or directory
Register the library directory with the dynamic linker.
# ldd snort
libpcre.so.0 => /lib/libpcre.so.0 (0x00edb000)
libmysqlclient.so.14 => not found
libz.so.1 => /usr/lib/libz.so.1 (0x0053d000)
libm.so.6 => /lib/tls/libm.so.6 (0x00381000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00800000)
libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x004bb000)
/etc/ld.so.conf
/usr/local/lib
/usr/lib
/usr/kerberos/lib
/usr/X11R6/lib
/usr/local/mysql/lib/mysql
# /sbin/ldconfig -v
# ldd snort
libpcre.so.0 => /lib/libpcre.so.0 (0x00cd9000)
libmysqlclient.so.14 => /usr/local/mysql/lib/mysql/libmysqlclient.so.14 (0x00111000)
libz.so.1 => /usr/lib/libz.so.1 (0x00fa1000)
libm.so.6 => /lib/tls/libm.so.6 (0x0055f000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00cbc000)
libc.so.6 => /lib/tls/libc.so.6 (0x009a4000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00f34000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x008e5000)
Verify that it is running.
# ps -aux | grep snort
snort 28213 5.3 26.1 71460 66420 ? S 01:05 0:03 /usr/local/snort/bin/snort -u snort -g snort -i eth0 -c /usr/local/snort/etc/snort.conf -D
Check that events are being recorded in MySQL.
mysql> select * from event;
+-----+-----+-----------+---------------------+
| sid | cid | signature | timestamp           |
+-----+-----+-----------+---------------------+
|   1 |   1 |         1 | 2005-11-27 01:09:10 |
|   1 |   2 |         2 | 2005-11-27 01:09:10 |
|   1 |   3 |         3 | 2005-11-27 01:09:10 |
|   1 |   4 |         4 | 2005-11-27 01:09:10 |
|   1 |   5 |         1 | 2005-11-27 01:09:11 |
|   1 |   6 |         2 | 2005-11-27 01:09:11 |
+-----+-----+-----------+---------------------+
6 rows in set (0.00 sec)
Log output while Snort is running.
# tail /var/log/messages
Nov 27 01:04:59 boris kernel: eth0: Promiscuous mode enabled.
Nov 27 01:04:59 boris kernel: device eth0 entered promiscuous mode
Nov 27 01:04:59 boris snort: OpenPcap() device eth0 network lookup: eth0: no IPv4 address assigned
Nov 27 01:04:59 boris snort[28212]: Initializing daemon mode
Nov 27 01:04:59 boris snort[28213]: PID path stat checked out ok, PID path set to /var/run/
Nov 27 01:04:59 boris snort[28213]: Writing PID "28213" to file "/var/run//snort_eth0.pid"
Nov 27 01:04:59 boris snort[28213]: Parsing Rules file /usr/local/snort/etc/snort.conf
Nov 27 01:04:59 boris snort[28213]: ,-----------[Flow Config]----------------------
Nov 27 01:04:59 boris snort[28213]: | Stats Interval: 0
Nov 27 01:04:59 boris snort[28213]: | Hash Method: 2
Nov 27 01:04:59 boris snort[28213]: | Memcap: 10485760
Nov 27 01:04:59 boris snort[28213]: | Rows : 4099
Nov 27 01:04:59 boris snort[28213]: | Overhead Bytes: 16400(%0.16)
Nov 27 01:04:59 boris snort[28213]: `----------------------------------------------
Nov 27 01:04:59 boris snort[28213]: Frag3 global config:
Nov 27 01:04:59 boris snort[28213]: Max frags: 65536
Nov 27 01:04:59 boris snort[28213]: Fragment memory cap: 4194304 bytes
Nov 27 01:04:59 boris snort[28213]: Frag3 engine config:
Nov 27 01:04:59 boris snort[28213]: Target-based policy: FIRST
Nov 27 01:04:59 boris snort[28213]: Fragment timeout: 60 seconds
Nov 27 01:04:59 boris snort[28213]: Fragment min_ttl: 1
Nov 27 01:04:59 boris snort[28213]: Fragment ttl_limit: 5
Nov 27 01:04:59 boris snort[28213]: Fragment Problems: 1
Nov 27 01:04:59 boris snort[28213]: Bound Addresses: 0.0.0.0/0.0.0.0
Nov 27 01:04:59 boris snort[28213]: Stream4 config:
Nov 27 01:04:59 boris snort[28213]: Stateful inspection: ACTIVE
Nov 27 01:04:59 boris snort[28213]: Session statistics: INACTIVE
Nov 27 01:04:59 boris snort[28213]: Session timeout: 30 seconds
Nov 27 01:04:59 boris snort[28213]: Session memory cap: 8388608 bytes
Nov 27 01:04:59 boris snort[28213]: Session count max: 8192 sessions
Nov 27 01:04:59 boris snort[28213]: Session cleanup count: 5
Nov 27 01:04:59 boris snort[28213]: State alerts: INACTIVE
Nov 27 01:04:59 boris snort[28213]: Evasion alerts: INACTIVE
Nov 27 01:04:59 boris snort[28213]: Scan alerts: INACTIVE
Nov 27 01:04:59 boris snort[28213]: Log Flushed Streams: INACTIVE
Nov 27 01:04:59 boris snort[28213]: MinTTL: 1
Nov 27 01:04:59 boris snort[28213]: TTL Limit: 5
Nov 27 01:04:59 boris snort[28213]: Async Link: 0
Nov 27 01:04:59 boris snort[28213]: State Protection: 0
Nov 27 01:04:59 boris snort[28213]: Self preservation threshold: 50
Nov 27 01:04:59 boris snort[28213]: Self preservation period: 90
Nov 27 01:04:59 boris snort[28213]: Suspend threshold: 200
Nov 27 01:04:59 boris snort[28213]: Suspend period: 30
Nov 27 01:04:59 boris snort[28213]: Enforce TCP State: INACTIVE
Nov 27 01:04:59 boris snort[28213]: Midstream Drop Alerts: INACTIVE
Nov 27 01:04:59 boris snort[28213]: Server Data Inspection Limit: -1
Nov 27 01:05:00 boris snort[28213]: WARNING /usr/local/snort/etc/snort.conf(372) => flush_behavior set in config file, using old static flushpoints (0)
Nov 27 01:05:00 boris snort[28213]: Stream4_reassemble config:
Nov 27 01:05:00 boris snort[28213]: Server reassembly: INACTIVE
Nov 27 01:05:00 boris snort[28213]: Client reassembly: ACTIVE
Nov 27 01:05:00 boris snort[28213]: Reassembler alerts: ACTIVE
Nov 27 01:05:00 boris snort[28213]: Zero out flushed packets: INACTIVE
Nov 27 01:05:00 boris snort[28213]: Flush stream on alert: INACTIVE
Nov 27 01:05:00 boris snort[28213]: flush_data_diff_size: 500
Nov 27 01:05:00 boris snort[28213]: Reassembler Packet Preferance : Favor Old
Nov 27 01:05:00 boris snort[28213]: Packet Sequence Overlap Limit: -1
Nov 27 01:05:00 boris snort[28213]: Flush behavior: Small (<255 bytes)
Nov 27 01:05:00 boris snort[28213]: Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Nov 27 01:05:00 boris snort[28213]: Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521 3306
Nov 27 01:05:00 boris snort[28213]: HttpInspect Config:
Nov 27 01:05:00 boris snort[28213]: GLOBAL CONFIG
Nov 27 01:05:00 boris snort[28213]: Max Pipeline Requests: 0
Nov 27 01:05:00 boris snort[28213]: Inspection Type: STATELESS
Nov 27 01:05:00 boris snort[28213]: Detect Proxy Usage: NO
Nov 27 01:05:00 boris snort[28213]: IIS Unicode Map Filename: /usr/local/snort/etc/unicode.map
Nov 27 01:05:00 boris snort[28213]: IIS Unicode Map Codepage: 1252
Nov 27 01:05:00 boris snort[28213]: DEFAULT SERVER CONFIG:
Nov 27 01:05:00 boris snort[28213]: Ports: 80 8080 8180
Nov 27 01:05:00 boris snort[28213]: Flow Depth: 300
Nov 27 01:05:00 boris snort[28213]: Max Chunk Length: 500000
Nov 27 01:05:00 boris snort[28213]: Inspect Pipeline Requests: YES
Nov 27 01:05:00 boris snort[28213]: URI Discovery Strict Mode: NO
Nov 27 01:05:00 boris snort[28213]: Allow Proxy Usage: NO
Nov 27 01:05:00 boris snort[28213]: Disable Alerting: NO
Nov 27 01:05:00 boris snort[28213]: Oversize Dir Length: 500
Nov 27 01:05:00 boris snort[28213]: Only inspect URI: NO
Nov 27 01:05:00 boris snort[28213]: Ascii: YES alert: NO
Nov 27 01:05:00 boris snort[28213]: Double Decoding: YES alert: YES
Nov 27 01:05:00 boris snort[28213]: %U Encoding: YES alert: YES
Nov 27 01:05:00 boris snort[28213]: Bare Byte: YES alert: YES
Nov 27 01:05:00 boris snort[28213]: Base36: OFF
Nov 27 01:05:00 boris snort[28213]: UTF 8: OFF
Nov 27 01:05:00 boris snort[28213]: IIS Unicode: YES alert: YES
Nov 27 01:05:00 boris snort[28213]: Multiple Slash: YES alert: NO
Nov 27 01:05:00 boris snort[28213]: IIS Backslash: YES alert: NO
Nov 27 01:05:00 boris snort[28213]: Directory Traversal: YES alert: NO
Nov 27 01:05:00 boris snort[28213]: Web Root Traversal: YES alert: YES
Nov 27 01:05:00 boris snort[28213]: Apache WhiteSpace: YES alert: NO
Nov 27 01:05:00 boris snort[28213]: IIS Delimiter: YES alert: NO
Nov 27 01:05:00 boris snort[28213]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Nov 27 01:05:00 boris snort[28213]: Non-RFC Compliant Characters: NONE
Nov 27 01:05:00 boris snort[28213]: rpc_decode arguments:
Nov 27 01:05:00 boris snort[28213]: Ports to decode RPC on: 111 32771
Nov 27 01:05:00 boris snort[28213]: alert_fragments: INACTIVE
Nov 27 01:05:00 boris snort[28213]: alert_large_fragments: ACTIVE
Nov 27 01:05:00 boris snort[28213]: alert_incomplete: ACTIVE
Nov 27 01:05:00 boris snort[28213]: alert_multiple_requests: ACTIVE
Nov 27 01:05:00 boris snort[28213]: telnet_decode arguments:
Nov 27 01:05:00 boris snort[28213]: Ports to decode telnet on: 21 23 25 119
Nov 27 01:05:00 boris snort[28213]: Portscan Detection Config:
Nov 27 01:05:00 boris snort[28213]: Detect Protocols: TCP UDP ICMP IP
Nov 27 01:05:00 boris snort[28213]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Nov 27 01:05:00 boris snort[28213]: Sensitivity Level: Low
Nov 27 01:05:00 boris snort[28213]: Memcap (in bytes): 10000000
Nov 27 01:05:00 boris snort[28213]: Number of Nodes: 36900
Nov 27 01:05:00 boris snort[28213]:
Nov 27 01:05:00 boris snort[28213]: X-Link2State Config:
Nov 27 01:05:00 boris snort[28213]: Ports: 25 691
Nov 27 01:05:02 boris snort[28213]: Warning: flowbits key 'http.jpeg' is checked but not ever set.
Nov 27 01:05:02 boris snort[28213]: Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Nov 27 01:05:02 boris snort[28213]: Warning: flowbits key 'dce.bind.veritas' is set but not ever checked.
Nov 27 01:05:02 boris snort[28213]: Warning: flowbits key 'smb.tree.create.llsrpc' is set but not ever checked.
Nov 27 01:05:02 boris snort[28213]:
Nov 27 01:05:02 boris snort[28213]: +-----------------------[thresholding-config]----------------------------------
Nov 27 01:05:02 boris snort[28213]: | memory-cap : 1048576 bytes
Nov 27 01:05:02 boris snort[28213]: +-----------------------[thresholding-global]----------------------------------
Nov 27 01:05:02 boris snort[28213]: | none
Nov 27 01:05:02 boris snort[28213]: +-----------------------[thresholding-local]-----------------------------------
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds=10
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=2495 type=Both tracking=dst count=20 seconds=60
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=2924 type=Threshold tracking=dst count=10 seconds=60
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds=60
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds=2
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds=2
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds=60
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=2496 type=Both tracking=dst count=20 seconds=60
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=1991 type=Limit tracking=src count=1 seconds=60
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds=2
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds=2
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=2494 type=Both tracking=dst count=20 seconds=60
Nov 27 01:05:02 boris snort[28213]: | gen-id=1 sig-id=2923 type=Threshold tracking=dst count=10 seconds=60
Nov 27 01:05:02 boris snort[28213]: +-----------------------[suppression]------------------------------------------
Nov 27 01:05:02 boris snort[28213]: | none
Nov 27 01:05:02 boris snort[28213]: -------------------------------------------------------------------------------
Nov 27 01:05:02 boris snort[28213]: Rule application order: ->activation->dynamic->drop->alert->pass->log
Nov 27 01:05:02 boris snort[28213]: Log directory = /var/log/snort
Nov 27 01:05:04 boris snort[28213]: Snort initialization completed successfully (pid=28213)
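As an added example (not the page's or Snort's own code), a Python script that runs the kind of summary queries one wants once the "select * from event" check above has confirmed that the database output plugin is writing: alert counts per signature with first/last seen, and the most active source addresses. The page's database is MySQL; sqlite3 in memory is used here only so the example runs offline, the table and column names are a subset of the schemas/create_mysql layout as assumed here, and all rows are constructed sample data (the six event rows mirror the page's output).

```python
import sqlite3
import ipaddress

# Subset of the Snort schemas/create_mysql layout (column names as assumed here).
# Snort stores IPv4 addresses in iphdr as unsigned integers.
SCHEMA = """
CREATE TABLE event (sid INT, cid INT, signature INT, timestamp TEXT);
CREATE TABLE signature (sig_id INT, sig_name TEXT, sig_priority INT, sig_sid INT);
CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, ip_dst INT, ip_proto INT);
"""

def ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))

# Constructed sample data: the six event rows shown on the page plus made-up
# signatures and IP headers (addresses from the RFC 5737 documentation ranges).
EVENTS = [(1, 1, 1, "2005-11-27 01:09:10"), (1, 2, 2, "2005-11-27 01:09:10"),
          (1, 3, 3, "2005-11-27 01:09:10"), (1, 4, 4, "2005-11-27 01:09:10"),
          (1, 5, 1, "2005-11-27 01:09:11"), (1, 6, 2, "2005-11-27 01:09:11")]
SIGS = [(1, "SAMPLE sig one", 2, 1000001), (2, "SAMPLE sig two", 3, 1000002),
        (3, "SAMPLE sig three", 1, 1000003), (4, "SAMPLE sig four", 3, 1000004)]
IPHDR = [(1, cid, ip2int(src), ip2int("203.0.113.5"), 6)
         for cid, src in zip(range(1, 7), ["198.51.100.7"] * 4 + ["192.0.2.44"] * 2)]

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO event VALUES (?,?,?,?)", EVENTS)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?)", SIGS)
    conn.executemany("INSERT INTO iphdr VALUES (?,?,?,?,?)", IPHDR)
    return conn

def alerts_by_signature(conn):
    """(sig_name, priority, hits, first_seen, last_seen), most frequent first."""
    return conn.execute("""
        SELECT s.sig_name, s.sig_priority, COUNT(*) AS hits,
               MIN(e.timestamp), MAX(e.timestamp)
        FROM event e JOIN signature s ON s.sig_id = e.signature
        GROUP BY s.sig_id, s.sig_name, s.sig_priority
        ORDER BY hits DESC, s.sig_priority ASC, s.sig_id ASC""").fetchall()

def top_sources(conn, limit=5):
    """(dotted source IP, hits) for the addresses that triggered the most events."""
    rows = conn.execute("""
        SELECT i.ip_src, COUNT(*) AS hits
        FROM event e JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
        GROUP BY i.ip_src ORDER BY hits DESC, i.ip_src ASC LIMIT ?""", (limit,)).fetchall()
    return [(str(ipaddress.IPv4Address(ip)), hits) for ip, hits in rows]
```

The two SELECT statements are plain SQL and run unchanged against the MySQL database the page creates; only the integer-to-dotted conversion would move to MySQL's INET_NTOA().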
