Information Security (old version)/Snort 2019. 3. 7. 19:08

Snort - 05. Snort Lab I

1. Snort rule configuration

 1) Snort rules for ICMP, FTP, Telnet, and HTTP


5-0. Snort 실습 I 설정.txt

root@Snort:~# vi /etc/snort/rules/local.rules

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

# ICMP
# itype:8 is an echo request, itype:0 an echo reply
alert icmp any any -> $HOME_NET any (msg:"## ICMP Echo ##"; itype:8; sid:1000001; rev:1;)
alert icmp $HOME_NET any -> any any (msg:"## ICMP Echo-Reply ##"; itype:0; sid:1000002; rev:1;)

# FTP
alert tcp any any -> $HOME_NET 21 (msg:"## FTP Request ##"; content:"USER"; sid:1000003; rev:1;)
alert tcp $HOME_NET 21 -> any any (msg:"## FTP Response ##"; content:"vsFTPd"; sid:1000004; rev:1;)

# TELNET
# The request rule has no content option, so it matches every packet sent to port 23
alert tcp any any -> $HOME_NET 23 (msg:"## Telnet Request ##"; sid:1000005; rev:1;)
alert tcp $HOME_NET 23 -> any any (msg:"## Telnet Response ##"; content:"login"; sid:1000006; rev:1;)

# Web
# Neither HTTP rule has a content option, so every packet on port 80 in either direction alerts
alert tcp any any -> $HOME_NET 80 (msg:"## HTTP Request ##"; sid:1000007; rev:1;)
alert tcp $HOME_NET 80 -> any any (msg:"## HTTP Response ##"; sid:1000008; rev:1;)

:wq!

 2) Run Snort in console debugging mode

root@Snort:~# service snort stop

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

(-q: quiet, suppress the startup banner and statistics; -A console: print alerts to the console in fast-alert format; -b: log packets in binary tcpdump format; -c: the configuration file to load)

2. Snort test

 1) Ping the target (192.168.20.204) from Kali

root@kali:~# ping 192.168.20.204 -c 1
PING 192.168.20.204 (192.168.20.204) 56(84) bytes of data.
64 bytes from 192.168.20.204: icmp_seq=1 ttl=63 time=10.8 ms

--- 192.168.20.204 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 10.808/10.808/10.808/0.000 ms

 2) Connect to the target (192.168.20.204) over FTP from Kali

root@kali:~# ftp 192.168.20.204
Connected to 192.168.20.204.
220 (vsFTPd 2.3.4)
Name (192.168.20.204:root): msfadmin
331 Please specify the password.
Password: msfadmin
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp>
ftp> quit
221 Goodbye.

 3) Connect to the target (192.168.20.204) over Telnet from Kali

root@kali:~# telnet 192.168.20.204
Trying 192.168.20.204...
Connected to 192.168.20.204.
Escape character is '^]'.
                _                  _       _ _        _     _      ____ 
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|                                         


Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started


metasploitable login: msfadmin
Password: msfadmin
Last login: Tue Mar  6 03:44:32 EST 2018 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$ exit
logout
Connection closed by foreign host.

 4) Open the target (192.168.20.204) over HTTP from Kali

root@kali:~# firefox http://192.168.20.204 &
[1] 2515

3. Checking Snort debug output

Besides the local rules, stock rules from the distributed rule set (sid 366, 384 and 716) fire on the same packets. The Telnet Request rule (sid 1000005) has no content option, so it alerts on every packet the client sends to port 23, and the two HTTP rules behave the same way on port 80.

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf
03/06-20:04:37.577534  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:37.577534  [**] [1:1000001:1] ## ICMP Echo ## [**] [Priority: 0] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:37.577534  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:37.577784  [**] [1:1000002:1] ## ICMP Echo-Reply ## [**] [Priority: 0] {ICMP} 192.168.20.204 -> 192.168.2.50
03/06-20:04:45.174836  [**] [1:1000004:1] ## FTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:21 -> 192.168.2.50:44844
03/06-20:04:57.823860  [**] [1:1000003:1] ## FTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:44844 -> 192.168.20.204:21
03/06-20:05:10.412114  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:10.413062  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:10.413267  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.530200  [**] [1:716:13] INFO TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.20.204:23 -> 192.168.2.50:32824
03/06-20:05:20.530715  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.531333  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.531628  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.537670  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.539350  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.539357  [**] [1:1000006:1] ## Telnet Response ## [**] [Priority: 0] {TCP} 192.168.20.204:23 -> 192.168.2.50:32824
03/06-20:05:20.581361  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.564314  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.565184  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.701055  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.701750  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.468507  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.469413  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.628569  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.629478  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.724411  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.725173  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.852398  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.853240  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.044943  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.045887  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.236851  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.237819  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.516994  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.518961  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.519740  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.284421  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.437103  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.684350  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.980031  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.084062  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.204037  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.396452  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.580029  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.851982  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.867132  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.867299  [**] [1:1000006:1] ## Telnet Response ## [**] [Priority: 0] {TCP} 192.168.20.204:23 -> 192.168.2.50:32824
03/06-20:05:26.867904  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.379824  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.380742  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.612310  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.613341  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.724034  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.724889  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.899960  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.900877  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.148636  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.149574  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.150450  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.152893  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:06:43.885601  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:43.885625  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:43.885826  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:43.885932  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:43.885999  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:43.895924  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:43.896184  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:45.233927  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:45.234257  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:45.234477  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:55.249435  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:55.249447  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:07:00.596894  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:07:00.597803  [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:07:00.597805  [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238

(Ctrl+C)
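Most of the console output above is the Telnet Request rule repeating, because that rule has no content option and therefore matches every client packet to port 23. The following Python parser is an added example, not part of the original post: it parses `snort -A console` alert lines (with or without the Classification field, with or without ports) and counts alerts per rule so the noisiest rule stands out; the sample lines are copied from the console output above.

```python
import re
from collections import Counter

# Console alert line format produced by `snort -A console`; the
# [Classification: ...] field is absent for rules that set no classtype.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def _endpoint(ep):
    # "192.168.2.50:44844" -> ("192.168.2.50", 44844); ICMP lines carry no port.
    if ":" in ep:
        ip, port = ep.rsplit(":", 1)
        return ip, int(port)
    return ep, None

def parse_alert(line):
    """Parse one console alert line into a dict, or return None if it is not one."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    src_ip, src_port = _endpoint(m["src"])
    dst_ip, dst_port = _endpoint(m["dst"])
    return {"ts": m["ts"], "gid": int(m["gid"]), "sid": int(m["sid"]),
            "rev": int(m["rev"]), "msg": m["msg"], "classification": m["cls"],
            "priority": int(m["prio"]), "proto": m["proto"],
            "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}

def count_by_rule(lines):
    """Map (gid, sid) -> (msg, alert count) so the noisiest rules stand out."""
    counts, msgs = Counter(), {}
    for a in filter(None, map(parse_alert, lines)):
        counts[(a["gid"], a["sid"])] += 1
        msgs[(a["gid"], a["sid"])] = a["msg"]
    return {k: (msgs[k], n) for k, n in counts.items()}

# Constructed sample: a handful of lines copied from the lab's console output.
SAMPLE = """\
03/06-20:04:37.577534  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:37.577534  [**] [1:1000001:1] ## ICMP Echo ## [**] [Priority: 0] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:57.823860  [**] [1:1000003:1] ## FTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:44844 -> 192.168.20.204:21
03/06-20:05:10.412114  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:10.413062  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:10.413267  [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
""".splitlines()
```

Calling `count_by_rule(SAMPLE)` on the sample gives sid 1000005 three alerts and every other rule one; run it over a full console capture to see which local rules need a content or flow option before they go into production.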


4. Commenting out the Snort rules

root@Snort:~# vi /etc/snort/rules/local.rules

 ~ comment out each rule with a leading # ~

# ICMP
#alert icmp any any -> $HOME_NET any (msg:"## ICMP Echo ##"; itype:8; sid:1000001; rev:1;)
#alert icmp $HOME_NET any -> any any (msg:"## ICMP Echo-Reply ##"; itype:0; sid:1000002; rev:1;)

# FTP
#alert tcp any any -> $HOME_NET 21 (msg:"## FTP Request ##"; content:"USER"; sid:1000003; rev:1;)
#alert tcp $HOME_NET 21 -> any any (msg:"## FTP Response ##"; content:"vsFTPd"; sid:1000004; rev:1;)

# TELNET
#alert tcp any any -> $HOME_NET 23 (msg:"## Telnet Request ##"; sid:1000005; rev:1;)
#alert tcp $HOME_NET 23 -> any any (msg:"## Telnet Response ##"; content:"login"; sid:1000006; rev:1;)

# Web
#alert tcp any any -> $HOME_NET 80 (msg:"## HTTP Request ##"; sid:1000007; rev:1;)
#alert tcp $HOME_NET 80 -> any any (msg:"## HTTP Response ##"; sid:1000008; rev:1;)

:wq!

[Reference] Action keywords

alert - generate an alert and log the packet
log - log the packet
pass - ignore the packet
drop - block the packet and log it (used for IPS operation, which requires an inline deployment: ----external--FW---IPS---internal---)
reject - block the packet and log it (TCP: reply with a TCP RST; UDP: reply with ICMP Unreachable)
sdrop - block the packet without logging


[Reference] Option keywords

msg - msg:"message";   (text shown in the alert)
content - content:"string";   (match this string in the packet payload)
dsize - dsize:1000<>1500;  or dsize:0;   (payload size between 1000 and 1500 bytes, or an empty payload)
flags - flags:SA; or flags:FPU;   (TCP flags set: SYN+ACK, or FIN+PSH+URG)


[YouTube] Video lecture link (subscribe and like!)

Snort - 5. Snort Lab I   https://youtu.be/9-6uuj1VQ2A

Posted by instructor 김정우 (KakaoTalk: kim10322)