Penetration Testing/Snort 2018.02.13 21:25

@ Snort

1. Install snort, check package information, and start snort

1) Install snort

root@Snort:~# apt-get -y install snort snort-common snort-common-libraries snort-doc snort-rules-default

 


2) Check the snort packages

root@Snort:~# dpkg -l | grep snort
ii  snort                                     2.9.7.0-5                            amd64        flexible Network Intrusion Detection System
ii  snort-common                          2.9.7.0-5                            all          flexible Network Intrusion Detection System - common files
ii  snort-common-libraries                2.9.7.0-5                            amd64        flexible Network Intrusion Detection System - libraries
ii  snort-doc                                 2.9.7.0-5                            all          flexible Network Intrusion Detection System - documentation
ii  snort-rules-default                      2.9.7.0-5                            all          flexible Network Intrusion Detection System - ruleset

 


3) Check the contents of 'snort.debian.conf'

root@Snort:~# ls /etc/snort
classification.config  reference.config  snort.debian.conf
community-sid-msg.map  rules             threshold.conf
gen-msg.map            snort.conf        unicode.map

root@Snort:~# cat /etc/snort/snort.debian.conf
# snort.debian.config (Debian Snort configuration file)
#
# This file was generated by the post-installation script of the snort
# package using values from the debconf database.
#
# It is used for options that are changed by Debian to leave
# the original configuration files untouched.
#
# This file is automatically updated on upgrades of the snort package
# *only* if it has not been modified since the last upgrade of that package.
#
# If you have edited this file but would like it to be automatically updated
# again, run the following command as root:
#   dpkg-reconfigure snort

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.20.0/24"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root"
DEBIAN_SNORT_STATS_THRESHOLD="1"

4) Check the contents of '/etc/default/snort'

root@Snort:~# ls -l /etc/default/snort
-rw-r--r-- 1 root root 1164  6월 30  2015 /etc/default/snort

 

root@Snort:~# cat /etc/default/snort
# Parameters for the daemon
# Add any additional parameteres here.
PARAMS="-m 027 -D -d "
#
# Snort user
# This user will be used to launch snort. Notice that the
# preinst script of the package might do changes to the user
# (home directory, User Name) when the package is upgraded or
# reinstalled.  So, do *not* change this to 'root' or to any other user
# unless you are sure there is no problem with those changes being introduced.
#
SNORTUSER="snort"
#
# Logging directory
# Snort logs will be dropped here and this will be the home
# directory for the SNORTUSER. If you change this value you should
# change the /etc/logrotate.d/snort definition too, otherwise logs
# will not be rotated properly.
#
LOGDIR="/var/log/snort"
#
# Snort group
# This is the group that the snort user will be added to.
#
SNORTGROUP="snort"
#
# Allow Snort's init.d script to work if the configured interfaces
# are not available. Set this to yes if you configure Snort with
# multiple interfaces but some might not be available on boot
# (e.g. wireless interfaces)
#
# Note: In order for this to work the 'iproute' package needs to
# be installed.
ALLOW_UNAVAILABLE="no"

5) Modify 'snort.conf'

root@Snort:~# vi /etc/snort/snort.conf

~ (lines omitted) ~

###################################################
# Step #1: Set the network variables.  For more information, see README.variables
###################################################

# Setup the network addresses you are protecting
#
# Note to Debian users: this value is overriden when starting
# up the Snort daemon through the init.d script by the
# value of DEBIAN_SNORT_HOME_NET s defined in the
# /etc/snort/snort.debian.conf configuration file
#
ipvar HOME_NET any  <- change to: ipvar HOME_NET 192.168.20.0/24

# Set up the external network addresses. Leave as "any" in most situations
ipvar EXTERNAL_NET any

~ (lines omitted) ~

:wq!

Note: when Snort is started through the init script, HOME_NET is overridden by DEBIAN_SNORT_HOME_NET from /etc/snort/snort.debian.conf (see the comment in the file above); the value edited here is what applies when snort is run directly with -c, as in section 2 below.

6) Start snort

root@Snort:~# service snort start


root@Snort:~# service snort status
● snort.service - LSB: Lightweight network intrusion detection system
   Loaded: loaded (/etc/init.d/snort; generated; vendor preset: disabled)
   Active: active (running) since Tue 2018-02-13 20:42:43 KST; 10s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1491 ExecStart=/etc/init.d/snort start (code=exited, status=0/SUCCESS
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/snort.service
           └─1536 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g sno

 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_SDF  Vers
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_DNS  Vers
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_SIP  Vers
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_GTP  Vers
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_SSLPP  Ve
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_SSH  Vers
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_DNP3  Ver
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_MODBUS  V
 2월 13 20:42:43 Snort snort[1536]:            Preprocessor Object: SF_IMAP  Ver
 2월 13 20:42:43 Snort snort[1536]: Commencing packet processing (pid=1536)
lines 1-19/19 (END) q

root@Snort:~#

2. Test snort operation

1) Run snort in console debugging mode

root@Snort:~# service snort stop
root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

2) Ping the target (192.168.20.204) from Kali

root@kali:~# ping 192.168.20.204 -c 5
PING 192.168.20.204 (192.168.20.204) 56(84) bytes of data.
64 bytes from 192.168.20.204: icmp_seq=1 ttl=63 time=5.73 ms
64 bytes from 192.168.20.204: icmp_seq=2 ttl=63 time=0.949 ms
64 bytes from 192.168.20.204: icmp_seq=3 ttl=63 time=0.957 ms
64 bytes from 192.168.20.204: icmp_seq=4 ttl=63 time=0.955 ms
64 bytes from 192.168.20.204: icmp_seq=5 ttl=63 time=0.725 ms

--- 192.168.20.204 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4008ms
rtt min/avg/max/mdev = 0.725/1.863/5.730/1.935 ms

3) Check the snort debug output

02/13-20:45:56.529758  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:56.529758  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:57.529409  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:57.529409  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:58.531467  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:58.531467  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:59.533406  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:59.533406  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:46:00.535311  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:46:00.535311  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204

 


4) Run a half-open (SYN) scan against the target (192.168.20.204) from Kali

root@kali:~# nmap -sS -p 80 192.168.20.204

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-13 20:47 KST
Nmap scan report for 192.168.20.204
Host is up (0.0012s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

5) Check the snort debug output

02/13-20:48:15.612324  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:48:15.612324  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:48:15.612330  [**] [1:453:5] ICMP Timestamp Request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204

 


The alerts above come from Nmap's host-discovery probes (an empty ICMP echo request, which is what the NMAP rule's dsize:0 matches, and an ICMP timestamp request); no alert is shown for the SYN to port 80 itself.

6) Stop snort debugging

Ctrl+C

7) Check the snort rule contents

root@Snort:~# fgrep 'ICMP PING *NIX' /etc/snort/rules/icmp-info.rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;)

root@Snort:~# fgrep 'ICMP PING NMAP' /etc/snort/rules/icmp.rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)

root@Snort:~# cat /etc/snort/snort.conf

root@Snort:~# ls /etc/snort/rules/

8) Add a rule to 'local.rules' and run snort debugging

root@Snort:~# vi /etc/snort/rules/local.rules
# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert tcp any any -> $HOME_NET 80 (msg: "Web Message Port 80"; sid:1000001; rev:1;)

:wq!

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf
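To make explicit what the header of the local rule above means, here is an added Python example; it is not part of the post and not Snort's own code. It parses a Snort 2.x rule into header fields and options, resolves $HOME_NET and $EXTERNAL_NET from the ipvar lines used in this post, evaluates the header against a packet five-tuple (the one that appears in the post's step 10 alerts), and checks the local-rule SID convention (sid 1000000 and above is reserved for local rules). The header grammar implemented is an assumption that covers only what the post's rules use (a single IP/CIDR or 'any', $VAR references, a single port or 'any'); negation, address lists and port ranges are not handled.

```python
"""Parse a Snort 2.x rule and evaluate its header against packet five-tuples.

Added example, not part of the original post and not Snort's own code. The
rule texts and ipvar lines are those shown in the post; the header grammar
implemented here is an assumption covering only what those rules use (single
IP/CIDR or 'any', $VAR references, single ports or 'any'). Snort's real
grammar also has negation, lists and port ranges, which this does not handle.
"""
import ipaddress
import re

# From the post's snort.conf (after the HOME_NET edit in section 1, step 5).
SNORT_CONF_LINES = [
    "ipvar HOME_NET 192.168.20.0/24",
    "ipvar EXTERNAL_NET any",
]
# From the post's local.rules (section 2, step 8) and icmp.rules (step 7).
LOCAL_RULE = ('alert tcp any any -> $HOME_NET 80 '
              '(msg: "Web Message Port 80"; sid:1000001; rev:1;)')
NMAP_RULE = ('alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; '
             'dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; '
             'sid:469; rev:3;)')

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$"
)


def load_ipvars(conf_lines):
    """Collect 'ipvar NAME VALUE' definitions from snort.conf lines."""
    ipvars = {}
    for line in conf_lines:
        m = re.match(r"^\s*ipvar\s+(\w+)\s+(\S+)", line)
        if m:
            ipvars[m.group(1)] = m.group(2)
    return ipvars


def parse_rule(text):
    """Split a rule into header fields and a dict of options (option values must not contain ';')."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError("unparseable rule: " + text)
    rule = m.groupdict()
    options = {}
    for item in rule.pop("options").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    return rule


def ip_matches(spec, addr, ipvars):
    """'any' matches everything; $VAR is resolved through ipvars; otherwise CIDR/host containment."""
    while spec.startswith("$"):
        spec = ipvars[spec[1:]]
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """'any' matches every port (including none, as for ICMP); otherwise exact single port."""
    return spec == "any" or (port is not None and int(spec) == port)


def header_matches(rule, proto, src, sport, dst, dport, ipvars):
    """True when the five-tuple satisfies the rule header; rule options are not evaluated."""
    if rule["proto"] not in (proto, "ip"):
        return False
    forward = (ip_matches(rule["src"], src, ipvars) and port_matches(rule["sport"], sport)
               and ip_matches(rule["dst"], dst, ipvars) and port_matches(rule["dport"], dport))
    if forward or rule["dir"] == "->":
        return forward
    # '<>' is bidirectional, so also try the tuple with source and destination swapped.
    return (ip_matches(rule["src"], dst, ipvars) and port_matches(rule["sport"], dport)
            and ip_matches(rule["dst"], src, ipvars) and port_matches(rule["dport"], sport))


def sid_is_local(rule):
    """Local rules should use sid >= 1000000 so they cannot collide with distributed rule sets."""
    return int(rule["options"]["sid"]) >= 1_000_000


if __name__ == "__main__":
    ipvars = load_ipvars(SNORT_CONF_LINES)
    rule = parse_rule(LOCAL_RULE)
    # The five-tuple printed in the post's step 10 alerts.
    print(header_matches(rule, "tcp", "192.168.2.50", 58368, "192.168.20.204", 80, ipvars))
    print(sid_is_local(rule))
```

Because the rule's source side is `any any`, it fires on the client's request packets only; the server's replies go from $HOME_NET:80 outwards and do not match a `->` header, which is why every alert in the post's step 10 shows 192.168.2.50:58368 -> 192.168.20.204:80. Before restarting Snort with an edited local.rules, `snort -T -c /etc/snort/snort.conf` parses the configuration and rules and reports errors without processing traffic.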

 


9) Open the target's web page (http://192.168.20.204) from Kali

root@kali:~# firefox http://192.168.20.204 &

 


 10) snort 디버깅 확인

 

02/13-21:09:47.342068  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.345173  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.345337  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.357971  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.511764  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.512653  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.534465  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.576112  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
^C*** Caught Int-Signal
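The console lines shown in steps 3, 5 and 10 are in Snort's fast alert format. As an added example (not from the post and not Snort's own code), the following Python parses that format into fields and summarises alerts per signature, per source host and per priority. The sample input is copied from the alerts printed in this post plus the "^C*** Caught Int-Signal" line, which the parser must skip; the regular expression is my own reading of the layout, and the optional Classification block is the edge case visible in the local rule's alerts, which carry no classtype and print only "[Priority: 0]".

```python
"""Parse Snort 2.x 'snort -A console' (fast alert) lines and summarise them.

Added example, not part of the original post and not Snort's own code.
SAMPLE_ALERTS is copied from the alerts printed in the post; the regular
expression is an assumption about the fast-alert layout that covers only
what those lines show (IPv4, optional port, optional Classification block).
"""
import re
from collections import Counter

# Layout of one console alert line:
#   <MM/DD-HH:MM:SS.usec>  [**] [gid:sid:rev] <msg> [**] [Classification: <text>]
#   [Priority: <n>] {<PROTO>} <src>[:<sport>] -> <dst>[:<dport>]
# The Classification block is absent when the rule sets no classtype
# (the post's local rule shows only "[Priority: 0]").
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: lines taken from the post's steps 3, 5 and 10, plus the
# Ctrl+C line that Snort prints on exit, which is not an alert.
SAMPLE_ALERTS = """\
02/13-20:45:56.529758  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:56.529758  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:48:15.612324  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:48:15.612330  [**] [1:453:5] ICMP Timestamp Request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-21:09:47.342068  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
^C*** Caught Int-Signal
"""


def parse_alert(line):
    """Return a dict of fields for one console alert line, or None for any other line."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def summarize(lines):
    """Count alerts per signature, per source host and per priority; non-alert lines are skipped."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    by_signature = Counter((a["gid"], a["sid"], a["rev"], a["msg"]) for a in alerts)
    by_source = Counter(a["src"] for a in alerts)
    # In Snort, priority 1 is the most severe; 0 means the rule set no priority or classtype.
    by_priority = Counter(a["priority"] for a in alerts)
    return {
        "alerts": len(alerts),
        "by_signature": by_signature,
        "by_source": by_source,
        "by_priority": by_priority,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS.splitlines())
    print(f"{summary['alerts']} alerts")
    for (gid, sid, rev, msg), n in summary["by_signature"].most_common():
        print(f"  {n:3d}  [{gid}:{sid}:{rev}] {msg}")
    for src, n in summary["by_source"].items():
        print(f"  source {src}: {n} alerts")
```

Grouping by signature is what turns the eight identical lines of step 10 into one count; grouping by source host is the first thing to look at when deciding whether alerts from outside $HOME_NET belong to an expected test run, as here, or need follow-up.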

 


11) Remove the rule from 'local.rules'

root@Snort:~# vi /etc/snort/rules/local.rules
# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert tcp any any -> $HOME_NET 80 (msg: "Web Message Port 80"; sid:1000001; rev:1;)  <- delete

:wq!

3. snort examples

Ex1) Creating an ICMP rule

Work in progress... someday...

Posted by: training inquiries 010-9902-9710 (instructor Kim Jeong-woo)