Information Security (old version) / Snort   2019. 3. 7. 19:08

Snort - 04. Snort Rule Configuration and Testing

1. Configure an ICMP rule and test Snort

4-0. ICMP Snort Rule Setup.txt

 

root@Snort:~# vi /etc/snort/rules/local.rules

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert icmp any any -> any any (msg:"ICMP ping test"; sid:1000001;)


 

:wq! 

 

 

root@Snort:~# snort -c /etc/snort/rules/local.rules
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/local.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort

 

~ output omitted ~

 

 

 - From Kali, ping the Meta server

 

root@kali:~# ping 192.168.20.204 -c 3
PING 192.168.20.204 (192.168.20.204) 56(84) bytes of data.
64 bytes from 192.168.20.204: icmp_seq=1 ttl=63 time=0.330 ms
64 bytes from 192.168.20.204: icmp_seq=2 ttl=63 time=0.349 ms
64 bytes from 192.168.20.204: icmp_seq=3 ttl=63 time=0.374 ms

--- 192.168.20.204 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.330/0.351/0.374/0.018 ms

 

 

 - On the Snort host, check the Snort log

 

root@Snort:~# snort -c /etc/snort/rules/local.rules
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/rules/local.rules"
Tagged Packet Limit: 256
Log directory = /var/log/snort

(Ctrl+C)

 

 

root@Snort:~# more /var/log/snort/alert
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:37.918357 192.168.2.50 -> 192.168.20.204
ICMP TTL:63 TOS:0x0 ID:12571 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2733   Seq:1  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:37.918379 192.168.20.204 -> 192.168.2.50
ICMP TTL:64 TOS:0x0 ID:22694 IpLen:20 DgmLen:84
Type:0  Code:0  ID:2733  Seq:1  ECHO REPLY

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:38.935661 192.168.2.50 -> 192.168.20.204
ICMP TTL:63 TOS:0x0 ID:12786 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2733   Seq:2  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:38.935693 192.168.20.204 -> 192.168.2.50
ICMP TTL:64 TOS:0x0 ID:22695 IpLen:20 DgmLen:84
Type:0  Code:0  ID:2733  Seq:2  ECHO REPLY

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:39.959598 192.168.2.50 -> 192.168.20.204
ICMP TTL:63 TOS:0x0 ID:12831 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2733   Seq:3  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:39.959600 192.168.20.204 -> 192.168.2.50
ICMP TTL:64 TOS:0x0 ID:22696 IpLen:20 DgmLen:84
Type:0  Code:0  ID:2733  Seq:3  ECHO REPLY
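The rule written above uses `any any -> any any`, so it fires on the echo request and on the echo reply, which is why a three-packet ping produces six alerts. The Python below is an added example, not part of the original post: it parses this "full" alert format from /var/log/snort/alert, counts alerts by direction relative to the target host (192.168.20.204 is assumed here to be the protected host), and shows which records would remain if the rule were narrowed with `itype:8`. The sample file contents are constructed from the page's own output.

```python
import re
from collections import Counter

# Constructed sample: one echo request / echo reply pair in the "full" alert
# format Snort writes to /var/log/snort/alert (values copied from the page's run).
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:37.918357 192.168.2.50 -> 192.168.20.204
ICMP TTL:63 TOS:0x0 ID:12571 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2733   Seq:1  ECHO

[**] [1:1000001:0] ICMP ping test [**]
[Priority: 0]
03/06-18:54:37.918379 192.168.20.204 -> 192.168.2.50
ICMP TTL:64 TOS:0x0 ID:22694 IpLen:20 DgmLen:84
Type:0  Code:0  ID:2733  Seq:1  ECHO REPLY
"""

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$')
PRIO_RE = re.compile(r'^\[Priority: (\d+)\]$')
PKT_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$')
ICMP_RE = re.compile(r'^Type:(\d+)\s+Code:(\d+)\s+ID:(\d+)\s+Seq:(\d+)\s+(.+)$')


def parse_full_alerts(text):
    """Split the alert file into blank-line separated records and parse each one."""
    records = []
    for block in text.strip().split('\n\n'):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        hdr = HEADER_RE.match(lines[0])
        pkt = PKT_RE.match(lines[2])
        if not (hdr and pkt):
            raise ValueError('unrecognised alert record: %r' % lines[0])
        rec = {
            'gid': int(hdr.group(1)), 'sid': int(hdr.group(2)), 'rev': int(hdr.group(3)),
            'msg': hdr.group(4), 'ts': pkt.group(1), 'src': pkt.group(2), 'dst': pkt.group(3),
        }
        prio = PRIO_RE.match(lines[1])
        rec['priority'] = int(prio.group(1)) if prio else None
        icmp = ICMP_RE.match(lines[4]) if len(lines) > 4 else None
        if icmp:  # the fifth line only exists for ICMP echo / echo reply records
            rec.update(itype=int(icmp.group(1)), icode=int(icmp.group(2)),
                       icmp_id=int(icmp.group(3)), seq=int(icmp.group(4)), kind=icmp.group(5))
        records.append(rec)
    return records


def direction_counts(records, home_host):
    """Count alerts by direction relative to the protected host (assumed: 192.168.20.204)."""
    c = Counter()
    for r in records:
        c['inbound' if r['dst'] == home_host else 'outbound'] += 1
    return c


def only_echo_requests(records):
    """What the same rule would report if it were narrowed with itype:8 (echo request only)."""
    return [r for r in records if r.get('itype') == 8]


if __name__ == '__main__':
    recs = parse_full_alerts(SAMPLE_ALERT_FILE)
    print(direction_counts(recs, '192.168.20.204'))   # Counter({'inbound': 1, 'outbound': 1})
    print([(r['ts'], r['kind']) for r in only_echo_requests(recs)])
```

Half of the alerts are the target's own replies going back to Kali; restricting the header to `$EXTERNAL_NET any -> $HOME_NET any` and adding `itype:8`, as the stock icmp rules shown later on this page do, keeps only the inbound requests.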

 

 

root@Snort:~# vi /etc/snort/rules/local.rules

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert icmp any any -> any any (msg:"ICMP ping test"; sid:1000001;) <- delete this line


 

:wq! 

 

 

root@Snort:~# rm /var/log/snort/*

 

 

 


2. Snort operation test

 1) Run Snort in console debugging mode

 

root@Snort:~# service snort stop
root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

 

 

 2) From Kali, ping the target (192.168.20.204)

 

root@kali:~# ping 192.168.20.204 -c 5
PING 192.168.20.204 (192.168.20.204) 56(84) bytes of data.
64 bytes from 192.168.20.204: icmp_seq=1 ttl=63 time=5.73 ms
64 bytes from 192.168.20.204: icmp_seq=2 ttl=63 time=0.949 ms
64 bytes from 192.168.20.204: icmp_seq=3 ttl=63 time=0.957 ms
64 bytes from 192.168.20.204: icmp_seq=4 ttl=63 time=0.955 ms
64 bytes from 192.168.20.204: icmp_seq=5 ttl=63 time=0.725 ms

--- 192.168.20.204 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4008ms
rtt min/avg/max/mdev = 0.725/1.863/5.730/1.935 ms

 

 

 3) Check the Snort console output

 

02/13-20:45:56.529758  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:56.529758  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:57.529409  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:57.529409  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:58.531467  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:58.531467  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:59.533406  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:45:59.533406  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:46:00.535311  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:46:00.535311  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204

 


 4) From Kali, run a half-open (SYN) scan against the target (192.168.20.204)

 

root@kali:~# nmap -sS -p 80 192.168.20.204

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-13 20:47 KST
Nmap scan report for 192.168.20.204
Host is up (0.0012s latency).

PORT   STATE SERVICE
80/tcp open  http

 

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

 


 5) Check the Snort console output

 

02/13-20:48:15.612324  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:48:15.612324  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:48:15.612330  [**] [1:453:5] ICMP Timestamp Request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204

 


 6) Stop Snort debugging

Ctrl+C (if that does not work, Ctrl+Z; if that still does not, open another terminal and run kill -9 <process ID>)

 


 7) Check the contents of the Snort rules

 

root@Snort:~# fgrep 'ICMP PING *NIX' /etc/snort/rules/icmp-info.rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;)

 

root@Snort:~# fgrep 'ICMP PING NMAP' /etc/snort/rules/icmp.rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
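The two stock rules above explain why the Kali ping hit sid 366 while the nmap probe hit sid 469: sid 366 looks for the incrementing byte pattern 0x10..0x1F that the Linux ping client puts in its data (`content` searched within the first 32 bytes, `depth:32`), whereas sid 469 requires an echo request with no data at all (`dsize:0`). The Python below is an added example, not code from the original post or from Snort: it models just the `itype`, `dsize`, `content` and `depth` options of these two rules and applies them to constructed ICMP echo messages. The `$EXTERNAL_NET -> $HOME_NET` header check is deliberately left out, and the ping payload is an imitation of the Linux client's default data, not a capture.

```python
import struct

# Rule options transcribed from the two rules shown above (icmp-info.rules sid 366
# and icmp.rules sid 469); only the options those rules use are modelled here.
RULES = {
    366: {'msg': 'ICMP PING *NIX', 'itype': 8,
          'content': bytes(range(0x10, 0x20)), 'depth': 32},
    469: {'msg': 'ICMP PING NMAP', 'itype': 8, 'dsize': 0},
}


def icmp_echo(payload, itype=8, ident=2733, seq=1):
    """Build an ICMP echo message: 8-byte header (type, code, checksum, id, seq) + data.
    The checksum is left at 0 because none of the modelled options look at it."""
    return struct.pack('!BBHHH', itype, 0, 0, ident, seq) + payload


def linux_ping_payload(size=56):
    """Constructed imitation of the data the Linux ping client sends by default:
    an 8-byte timestamp followed by the incrementing pattern 0x10, 0x11, 0x12, ...
    (the pattern bytes are what sid 366 keys on)."""
    timestamp = b'\x00' * 8          # assumption: its value never matters to these rules
    pattern = bytes((0x10 + i) & 0xff for i in range(size - len(timestamp)))
    return timestamp + pattern


def evaluate_icmp_rules(packet, rules=RULES):
    """Return the sids whose options all match, mirroring Snort's semantics for these
    keywords: itype tests the ICMP type, dsize the length of the data after the echo
    header, and content/depth searches only the first `depth` bytes of that data."""
    itype = packet[0]
    data = packet[8:]                 # Snort's payload for echo/echo-reply starts after the 8-byte header
    hits = []
    for sid, opts in rules.items():
        if 'itype' in opts and itype != opts['itype']:
            continue
        if 'dsize' in opts and len(data) != opts['dsize']:
            continue
        if 'content' in opts:
            window = data[:opts.get('depth', len(data))]
            if opts['content'] not in window:
                continue
        hits.append(sid)
    return sorted(hits)


if __name__ == '__main__':
    print(evaluate_icmp_rules(icmp_echo(linux_ping_payload())))            # [366]  Linux ping
    print(evaluate_icmp_rules(icmp_echo(b'')))                             # [469]  empty echo request
    print(evaluate_icmp_rules(icmp_echo(linux_ping_payload(), itype=0)))   # []     echo reply: itype:8 fails
    print(evaluate_icmp_rules(icmp_echo(b'A' * 32)))                       # []     constructed filler data
```

The two rules are mutually exclusive by construction: a packet cannot both carry the pattern and have `dsize:0`, which is why each page run shows one of them but never both for the same packet. Changing the ping client's data (the last case uses filler bytes) matches neither rule, so both signatures identify a tool's default payload rather than the ICMP echo itself; generic coverage comes from the broader sid 384 "ICMP PING" rule that fired alongside them.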

 

root@Snort:~# cat /etc/snort/snort.conf

 

root@Snort:~# ls /etc/snort/rules/

 


 8) Configure 'local.rules' and run Snort debugging

4-1. HTTP Snort Rule Setup.txt

 

root@Snort:~# vi /etc/snort/rules/local.rules

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert tcp any any -> $HOME_NET 80 (msg: "Web Message Port 80"; sid:1000001; rev:1;)

 

:wq! 

 

 

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

 

 


 9) From Kali, open a web connection to the target (192.168.20.204)

 

root@kali:~# firefox http://192.168.20.204 &

 


 10) Check the Snort console output

 

02/13-21:09:47.342068  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.345173  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.345337  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.357971  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.511764  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.512653  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.534465  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.576112  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80

(Ctrl+C)
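A single Firefox page load produced eight alerts from the local rule because `alert tcp any any -> $HOME_NET 80` has no `flow` or `content` option and therefore fires on every packet of the connection (note the same source port 58368 on every line). The Python below is an added example, not part of the original post: it parses the `-A console` ("fast") alert format used in steps 3, 5 and 10, then reports alerts per sid against the number of distinct flows that produced them, flagging rules that fire repeatedly for one flow. The sample lines are constructed from the page's own output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `snort -A console` output, copied from the runs above:
# four packets of one HTTP connection hitting the local rule, and nmap's three probes.
SAMPLE_CONSOLE = """\
02/13-21:09:47.342068  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.345173  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.345337  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-21:09:47.357971  [**] [1:1000001:1] Web Message Port 80 [**] [Priority: 0] {TCP} 192.168.2.50:58368 -> 192.168.20.204:80
02/13-20:48:15.612324  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:48:15.612324  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
02/13-20:48:15.612330  [**] [1:453:5] ICMP Timestamp Request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
"""

# Classification is optional: the page's local rule has no classtype, so that field is absent.
FAST_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] '
    r'(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<pri>\d+)\] '
    r'\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$')


def split_endpoint(ep):
    """'192.168.2.50:58368' -> ('192.168.2.50', 58368); ICMP endpoints carry no port."""
    host, sep, port = ep.rpartition(':')
    return (host, int(port)) if sep else (ep, None)


def parse_console_alerts(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_RE.match(line)
        if not m:
            raise ValueError('unrecognised console alert: %r' % line)
        rec = m.groupdict()
        for k in ('gid', 'sid', 'rev', 'pri'):
            rec[k] = int(rec[k])
        rec['src'], rec['sport'] = split_endpoint(rec['src'])
        rec['dst'], rec['dport'] = split_endpoint(rec['dst'])
        records.append(rec)
    return records


def alerts_per_flow(records):
    """Per sid: (total alerts, number of distinct (proto, src, sport, dst, dport) flows)."""
    totals, flows = Counter(), defaultdict(set)
    for r in records:
        totals[r['sid']] += 1
        flows[r['sid']].add((r['proto'], r['src'], r['sport'], r['dst'], r['dport']))
    return {sid: (totals[sid], len(flows[sid])) for sid in totals}


def noisy_sids(records, max_alerts_per_flow=1):
    """Sids that fire more than once for the same flow: candidates for tightening."""
    return sorted(sid for sid, (n, nflows) in alerts_per_flow(records).items()
                  if n / nflows > max_alerts_per_flow)


if __name__ == '__main__':
    recs = parse_console_alerts(SAMPLE_CONSOLE)
    print(alerts_per_flow(recs))   # {1000001: (4, 1), 469: (1, 1), 384: (1, 1), 453: (1, 1)}
    print(noisy_sids(recs))        # [1000001]
```

A rule that is meant to record web requests rather than every TCP segment would add `flow:to_server,established;` and a `content:` match on the request, so that one connection yields one alert; the per-flow ratio computed here is a quick way to spot such rules in a log before tuning them.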

 


 11) Remove the 'local.rules' setting

 

root@Snort:~# vi /etc/snort/rules/local.rules 

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert tcp any any -> $HOME_NET 80 (msg: "Web Message Port 80"; sid:1000001; rev:1;) <- delete this line

 

:wq! 

 

 

 

[YouTube] Video lecture link (subscribe and like!)

Snort - 4. Snort Rule Configuration and Testing   https://youtu.be/b5uWrpkgxqo

Posted by instructor 김정우 (KakaoTalk: kim10322)