Information Security (old version)/Snort 2019. 3. 7. 19:09

Snort - 06. Snort Lab II

 

 

1. Snort rule configuration

 

1) Configure Snort rules for the NMAP XMAS scan, ICMP Flooding, Ping of Death and Web attacks

 

6-0. Snort Lab II settings.txt

 

root@Snort:~# vi /etc/snort/rules/local.rules

~ middle part omitted ~

 

# NMAP XMAS Scan
alert tcp any any -> $HOME_NET any (msg:"## NMAP XMAS ##"; flags:FPU; sid:1000009; rev:1;)

 

# ICMP Flooding
alert icmp any any -> $HOME_NET any (msg:"## ICMP Flooding ##"; threshold:type both, track by_src, count 20, seconds 5; sid:1000010; rev:1;)

 

# Ping of Death
alert icmp any any -> $HOME_NET any (msg:"## Ping of Death ##"; content:"|5858585858|"; sid:1000011; rev:1;)

 

# Web Attack
alert tcp any any -> $HOME_NET 80 (msg:"## Web Attack ##"; content:"GET /cmd.exe"; nocase; sid:1000012; rev:1;)

 

:wq!

 

 

2) Run Snort in console debugging mode

 

root@Snort:~# service snort stop

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf
 

 

 

2. Snort test

 

1) Run an NMAP XMAS scan from Kali against the target (192.168.20.204)

 

root@kali:~# nmap -sX -p 21 192.168.20.204

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-06 20:58 KST
Nmap scan report for 192.168.20.204
Host is up (0.0023s latency).

PORT   STATE         SERVICE
21/tcp open|filtered ftp

Nmap done: 1 IP address (1 host up) scanned in 0.72 seconds

 

 

2) Run ICMP Flooding from Kali against the target (192.168.20.204)

 

root@kali:~# hping3 -1 192.168.20.204 --flood
HPING 192.168.20.204 (eth0 192.168.20.204): icmp mode set, 28 headers + 0 data bytes
hping in flood mode, no replies will be shown
(Ctrl+C)
--- 192.168.20.204 hping statistic ---
53310 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

 

 

3) Run Ping of Death from Kali against the target (192.168.20.204)


root@kali:~# hping3 -1 --rand-source 192.168.20.204 -d 50 --flood
HPING 192.168.20.204 (eth0 192.168.20.204): icmp mode set, 28 headers + 50 data bytes
hping in flood mode, no replies will be shown
(Ctrl+C)
--- 192.168.20.204 hping statistic ---
32036 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
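As an added example (not part of the original post and not Snort's own code), the following Python models how the `threshold:type both, track by_src, count 20, seconds 5` option of the ICMP Flooding rule decides when to alert, and runs it over constructed ICMP event timestamps shaped like the two hping3 tests above; the host addresses and packet timings are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Event = Tuple[str, int]  # (source IP, timestamp in milliseconds)


@dataclass
class _Window:
    start: int      # timestamp (ms) at which this source's current interval began
    count: int = 0  # events seen from the source inside the interval


class BothThreshold:
    """Simplified model of Snort `threshold:type both, track by_src`.

    One alert per interval, fired on the event that makes the per-source
    count reach `count`; further events in the same interval are suppressed,
    and an event arriving after the interval has elapsed opens a new one.
    """

    def __init__(self, count: int, seconds: int):
        self.count = count
        self.interval_ms = seconds * 1000
        self._windows: Dict[str, _Window] = {}

    def check(self, src: str, ts_ms: int) -> bool:
        w = self._windows.get(src)
        if w is None or ts_ms - w.start >= self.interval_ms:
            w = _Window(start=ts_ms)          # first event, or interval expired
            self._windows[src] = w
        w.count += 1
        return w.count == self.count          # alert exactly once per interval


def alerts_for(events: List[Event], count: int = 20, seconds: int = 5) -> List[Event]:
    """Return the (src, ts) events at which the rule would raise an alert."""
    th = BothThreshold(count, seconds)
    return [ev for ev in events if th.check(*ev)]


def build_sample() -> List[Event]:
    """Constructed ICMP echo events (not a real capture)."""
    events: List[Event] = []
    # flood from one Kali host: 50 packets 20 ms apart, a pause, then 30 more
    events += [("192.168.20.100", i * 20) for i in range(50)]
    events += [("192.168.20.100", 5500 + i * 20) for i in range(30)]
    # a benign host pinging once per second never reaches the count
    events += [("192.168.20.50", 1000 + i * 1000) for i in range(4)]
    # spoofed-source flood (like --rand-source): every packet from a new address
    events += [(f"10.0.{i // 256}.{i % 256}", 2000 + i * 20) for i in range(40)]
    return sorted(events, key=lambda ev: ev[1])


if __name__ == "__main__":
    for src, ts in alerts_for(build_sample()):
        print(f"## ICMP Flooding ## from {src} at t={ts} ms")
```

Because the threshold tracks by source, the spoofed-source flood in the sample never reaches 20 packets from any single address and raises no alert at all, which is the gap to keep in mind when comparing the `--rand-source` test with the `by_src` rule.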

 

4) Run a WAF scan from Kali against the target (192.168.20.204)

 

root@kali:~# wafw00f http://192.168.20.204

 

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Checking http://192.168.20.204
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 13
root@kali:~#

 

 

 

3. Check the Snort debugging output

 

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

 

Check the output

 

(Ctrl+C)

 

 

[YouTube] Video lecture link (Subscribe! Like!!!)

 

Snort - 6. Snort Lab II   https://youtu.be/BOCQVMYJoCI

Posted by instructor 김정우 (KakaoTalk: kim10322)