TEL

Size: px

Start display at page:

Download "TEL"

Naomi Parrish
5 years ago
Views:

1 Snort TEL ccsu@mail.stut.edu.tw m @ 3.stut.edu.tw paper, we use Open Source like Snort[10] to construct the Intrusion Detection System (IDS). Snort system will produce the virus log file including source-ip, source-port, whenever the intruder come (worm)[5] in. In the mean time, we can use flow management CodeRed program to keep from the virus. That is, we kick out Nimda the virus before it blow out the network bandwidth. Keywords: Intrusion Detection System Internet Worm Information Security Open Source Snort[10] (Intrusion Detection System IDS) Snort Snort log (source_ip) (soruce_port) log (firewall) (rule) (rule) Abstract (IDS) The more popular the Internet becomes, the more convenient it brings. But behinds that there IDS exists some dangerous destructions such as hacker computer virus and other attacking event. The malicious worm is one of the major damage in (IDS) (firewall) network security issue currently, such as CodeRed (IDS) Nimda. The worm can attack a large number of computers via network in very short time, espically (IDS) distributed damage via the network services. In this 334

2 Snort IDS [1] (Intrusion Detection System IDS ) (flexible rule based language) snort HTTP TCP [2] FLEXRESP Snort ( / Snort ) syslog IDS Snort 1. Snort 2. Snort 爲 3. Snort URL Unicode IIS Unicode snort libpcap( org )[8] 1 (sensor) snort ( buffer overflows stealth port scans CGI attacks SMB probes OS fingerprinting attempts ) Snort 335

3 (worm) PentiumIII-500 CPU 256MB RAM 1 IDE CodeRed Nimda Klez 40GB 10/100M bps (worm) Linux Red Hat [3] IDE 13GB 10/100M bps Microsoft Windows 2000PC 2 ( Switch Router) IP (IDS) Snort PC PC PentiumIII-500 CPU 256MB RAM 1 PC 3 ( Router) IP IP 2 4 Cisco 2600 (Router) 100M Hub PC 3 3 Snort Pattern Rule( Pattern ) ( ) [4] IP ( ) Router IP (Router ) ( ) 336

4 (4) Snort Snort log script Router IP (5) IP (6) Router IP Snort Rule 4 alert tcp $EXTERNAL_NET any->$smtp 25 (msg VIRUS Klez Incoming ;flags:a+;dsize:>120; Snort content: MIME ;content: VGhpcybwcm9 ;classtype PHP[9] MySQL[11] phpmyadmin[12] :misc-activity;sid:1800;rev:1;) Linux Rule 5 25 MIME VGhpcybwcm 9 byte 120 Klez Snort Rule Klez Snort Log Klez Log 09/29-19:49: :4:80:1C:C8:0 -> 0:2:B3:AC:A8:E1 type:0x800 len:0x5ea :1102 -> :25 TCP TTL:126 TOS:0x0 ID:22787 IpLen:20 DgmLen:1500 DF Log 5 IP IP (1) Snort Snort Port 25 Pattern Rule Log (2) Snort log Script expect Script Router (3) ( Router IP (deny) ) Script IP Router 68 Bytes 337

5 #!/usr/bin/expect f spawn telnet xxx expect "Password:" send "xxxxxxxx\r" send "enable\r" expect "Password:" send "xxxxxxx\r" expect "#" send "conf t\r" expect "#" send "access-list 111 deny ip host any \r" expect # send exit Hub Switch Hub (Cisco 3524) (4802) BigIron Snort mirror (4802) (Cisco 3524) IP telnet Router enable conf Router IP access-list 111 deny ip host l.40 any \r exit Router IP Router log Router IP IP access-list 111 deny ip host l.40 any \r no access-list 111 deny ip host l.40 any \r (worm) IP IP( ) 7 IP 8 IP 9 Snort ( 6 IP Snort ) 6 BigIron 6 338

(virus) (worm) (applets) 7 IP 1. March 2002 Vol.8 NO.2 P.8-20 2. (2002), Stephen Northcutt & Judy Novak, 2002 2 8,, 3.

Global Security survey: virus attack, http://www.informationweek.com/743/sec urity.htm 7.

An 9 Environment for Controlled Worm Replication and Analysis, IBM TJ Watson Research Center. http://www.research.ibm.

6 (virus) (worm) (applets) 7 IP 1. March 2002 Vol.8 NO.2 P (2002), Stephen Northcutt & Judy Novak, ,, 3. NetFlow Code Red Worm TANET 2001 P TANET 2001 P A. Larson. Global Security survey: virus attack, urity.htm 7. Ian Whalley, Bill Arnold, David Chess, John Morar, Alla Segal, Morton Swimmer. An 9 Environment for Controlled Worm Replication and Analysis, IBM TJ Watson Research Center. /VB2000INW.htm 8. libpcap Website 9. PHP Website IP 10. Snort Website MySQL Website 12.phpMyAdmin Website 339

7 Snort Klez Log 09/29-19:49: :4:80:1C:C8:0 -> 0:2:B3:AC:A8:E1 type:0x800 len:0x5ea :1102 -> :25 TCP TTL:126 TOS:0x0 ID:22787 IpLen:20 DgmLen:1500 DF 09/29-22:07: :4:80:1C:C8:0 -> 0:2:B3:AC:A8:E1 type:0x800 len:0x5ea :2556 -> :25 TCP TTL:126 TOS:0x0 ID:46353 IpLen:20 DgmLen:1500 DF 09/30-00:12: :4:80:1C:C8:0 -> 0:2:B3:AC:A7:39 type:0x800 len:0x5ea :2521 -> :25 TCP TTL:126 TOS:0x0 ID:60835 IpLen:20 DgmLen:1500 DF VIRUS Klez Incoming [**] 09/30-08:14: :4:80:1C:C8:0 -> 0:E0:18:0:80:A6 type:0x800 len:0x5ea :1116 -> :25 TCP TTL:126 TOS:0x0 ID:54023 IpLen:20 DgmLen:1500 DF 09/30-16:22: :4:80:1C:C8:0 -> 0:2:B3:AC:A7:39 type:0x800 len:0x5ea :1317 -> :25 TCP TTL:126 TOS:0x0 ID:22901 IpLen:20 DgmLen:1500 DF 09/30-16:55: :4:80:1C:C8:0 -> 0:2:B3:AC:A7:39 type:0x800 len:0x5ea :2831 -> :25 TCP TTL:126 TOS:0x0 ID:30077 IpLen:20 DgmLen:1500 DF 09/29-20:53: :4:80:1C:C8:0 -> 0:2:B3:AC:A8:E1 type:0x800 len:0x5ea :1068 -> :25 TCP TTL:126 TOS:0x0 ID:1793 IpLen:20 DgmLen:1500 DF 09/30-18:21: :4:80:1C:C8:0 -> 0:2:B3:AC:A7:39 type:0x800 len:0x5ea :1118 -> :25 TCP TTL:126 TOS:0x0 ID:18181 IpLen:20 DgmLen:1500 DF 09/30-17:30: :4:80:1C:C8:0 -> 0:E0:18:0:80:A6 type:0x800 len:0x5ea :1061 -> :25 TCP TTL:126 TOS:0x0 ID:53761 IpLen:20 DgmLen:1500 DF =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= 340

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu) SeoulTech UCS Lab Chapter 7 Network Intrusion Detection and Analysis 2015. 11. 3 (Daming Wu) Email: wdm1517@gmail.com Copyright c 2015 by USC Lab All Rights Reserved. Table of Contents 7.1 Why Investigate