Snort - 05. Snort 실습 I

정보보안(구버전)/Snort

Snort - 05. Snort 실습 I

김정우 강사(카카오톡 : kim10322) 2019. 3. 7. 19:08

Snort - 05. Snort 실습 I

1. Snort 룰 설정

1) ICMP, FTP, Telnet, HTTP에 대한 Snort 룰 설정

root@Snort:~# vi /etc/snort/rules/local.rules

# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures. Put your local
# additions here.

# ICMP
alert icmp any any -> $HOME_NET any (msg:"## ICMP Echo ##"; itype:8; sid:1000001; rev:1;)
alert icmp $HOME_NET any -> any any (msg:"## ICMP Echo-Reply ##"; itype:0; sid:1000002; rev:1;)

# FTP
alert tcp any any -> $HOME_NET 21 (msg:"## FTP Request ##"; content:"USER"; sid:1000003; rev:1;)
alert tcp $HOME_NET 21 -> any any (msg:"## FTP Response ##"; content:"vsFTPd"; sid:1000004; rev:1;)

# TELNET
alert tcp any any -> $HOME_NET 23 (msg:"## Telnet Request ##"; sid:1000005; rev:1;)
alert tcp $HOME_NET 23 -> any any (msg:"## Telnet Response ##"; content:"login"; sid:1000006; rev:1;)

# Web
alert tcp any any -> $HOME_NET 80 (msg:"## HTTP Request ##"; sid:1000007; rev:1;)
alert tcp $HOME_NET 80 -> any any (msg:"## HTTP Response ##"; sid:1000008; rev:1;)

:wq!

2) snort 콘솔 디버깅 실시

root@Snort:~# service snort stop

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf

2. Snort 테스트

1) Kali에서 타겟(192.168.20.204)으로 Ping 실시

root@kali:~# ping 192.168.20.204 -c 1
PING 192.168.20.204 (192.168.20.204) 56(84) bytes of data.
64 bytes from 192.168.20.204: icmp_seq=1 ttl=63 time=10.8 ms

--- 192.168.20.204 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 10.808/10.808/10.808/0.000 ms

2) Kali에서 타겟(192.168.20.204)으로 FTP 접속 실시

root@kali:~# ftp 192.168.20.204
Connected to 192.168.20.204.
220 (vsFTPd 2.3.4)
Name (192.168.20.204:root): msfadmin
331 Please specify the password.
Password: msfadmin
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp>
ftp> quit
221 Goodbye.

3) Kali에서 타겟(192.168.20.204)으로 Telnet 접속 실시

root@kali:~# telnet 192.168.20.204
Trying 192.168.20.204...
Connected to 192.168.20.204.
Escape character is '^]'.
                _                  _       _ _        _     _      ____
_ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

metasploitable login: msfadmin
Password: msfadmin
Last login: Tue Mar 6 03:44:32 EST 2018 on pts/1
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
No mail.
msfadmin@metasploitable:~$ exit
logout
Connection closed by foreign host.

4) Kali에서 타겟(192.168.20.204)으로 HTTP 접속 실시

root@kali:~# firefox http://192.168.20.204 &
[1] 2515

3. Snort 디버깅 확인

root@Snort:~# snort -q -A console -b -c /etc/snort/snort.conf
03/06-20:04:37.577534 [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:37.577534 [**] [1:1000001:1] ## ICMP Echo ## [**] [Priority: 0] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:37.577534 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.2.50 -> 192.168.20.204
03/06-20:04:37.577784 [**] [1:1000002:1] ## ICMP Echo-Reply ## [**] [Priority: 0] {ICMP} 192.168.20.204 -> 192.168.2.50
03/06-20:04:45.174836 [**] [1:1000004:1] ## FTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:21 -> 192.168.2.50:44844
03/06-20:04:57.823860 [**] [1:1000003:1] ## FTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:44844 -> 192.168.20.204:21
03/06-20:05:10.412114 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:10.413062 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:10.413267 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.530200 [**] [1:716:13] INFO TELNET access [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.20.204:23 -> 192.168.2.50:32824
03/06-20:05:20.530715 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.531333 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.531628 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.537670 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.539350 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:20.539357 [**] [1:1000006:1] ## Telnet Response ## [**] [Priority: 0] {TCP} 192.168.20.204:23 -> 192.168.2.50:32824
03/06-20:05:20.581361 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.564314 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.565184 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.701055 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:22.701750 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.468507 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.469413 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.628569 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.629478 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.724411 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.725173 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.852398 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:23.853240 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.044943 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.045887 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.236851 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.237819 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.516994 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.518961 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:24.519740 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.284421 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.437103 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.684350 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:25.980031 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.084062 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.204037 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.396452 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.580029 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.851982 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.867132 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:26.867299 [**] [1:1000006:1] ## Telnet Response ## [**] [Priority: 0] {TCP} 192.168.20.204:23 -> 192.168.2.50:32824
03/06-20:05:26.867904 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.379824 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.380742 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.612310 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.613341 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.724034 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.724889 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.899960 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:27.900877 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.148636 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.149574 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.150450 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:05:28.152893 [**] [1:1000005:1] ## Telnet Request ## [**] [Priority: 0] {TCP} 192.168.2.50:32824 -> 192.168.20.204:23
03/06-20:06:43.885601 [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:43.885625 [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:43.885826 [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:43.885932 [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:43.885999 [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:43.895924 [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:43.896184 [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:45.233927 [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:45.234257 [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:06:45.234477 [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:55.249435 [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:06:55.249447 [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:07:00.596894 [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238
03/06-20:07:00.597803 [**] [1:1000007:1] ## HTTP Request ## [**] [Priority: 0] {TCP} 192.168.2.50:43238 -> 192.168.20.204:80
03/06-20:07:00.597805 [**] [1:1000008:1] ## HTTP Response ## [**] [Priority: 0] {TCP} 192.168.20.204:80 -> 192.168.2.50:43238

(Ctrl+C)

4. Snort 룰 주석 처리

root@Snort:~# vi /etc/snort/rules/local.rules

~ 주석 처리 실시 ~

# ICMP
#alert icmp any any -> $HOME_NET any (msg:"## ICMP Echo ##"; itype:8; sid:1000001; rev:1;)
#alert icmp $HOME_NET any -> any any (msg:"## ICMP Echo-Reply ##"; itype:0; sid:1000002; rev:1;)

# FTP
#alert tcp any any -> $HOME_NET 21 (msg:"## FTP Request ##"; content:"USER"; sid:1000003; rev:1;)
#alert tcp $HOME_NET 21 -> any any (msg:"## FTP Response ##"; content:"vsFTPd"; sid:1000004; rev:1;)

# TELNET
#alert tcp any any -> $HOME_NET 23 (msg:"## Telnet Request ##"; sid:1000005; rev:1;)
#alert tcp $HOME_NET 23 -> any any (msg:"## Telnet Response ##"; content:"login"; sid:1000006; rev:1;)

# Web
#alert tcp any any -> $HOME_NET 80 (msg:"## HTTP Request ##"; sid:1000007; rev:1;)
#alert tcp $HOME_NET 80 -> any any (msg:"## HTTP Response ##"; sid:1000008; rev:1;)

:wq!

[참고] Action 명령어

alert - alert 발생 및 패켓 내용 기록
log - 패켓 내용 기록
pass - 패켓 무시
drop - 패켓 차단 및 로그 기록 (IPS 기능으로 사용됨, 단 인라인 구조가 되어야 한다. ----외부--FW---IPS---내부---)
reject - 패켓 차단 및 로그 기록(TCP - TCP RST 응답, UDP - ICMP Unreachable 응답)
sdrop - 패켓 차단 및 로그 기록 없음

[참고] 옵션 명령어

msg - msg:"메세지";
content - content:"문자열";
dsize - dsize:1000<>1500; 또는 dsize:0;
flags - flags:SA; 또는 flags:FPU

[유튜브] 동영상 강의 링크 (구독! 좋아요!!!)

Snort - 5. Snort 실습 I https://youtu.be/9-6uuj1VQ2A

저작자표시 비영리 변경금지