
Snort-Setup for Statistics HOWTO


Sandro Poppi

서정룡

송재숙

This HOWTO describes how to configure Snort version 1.8.3 for use with the statistics tools ACID (Analysis Console for Intrusion Databases) and SnortSnarf. It also explains how to obtain some internal statistics, such as whether snort is dropping packets.

Additionally, an automated method for updating Max Vision's rules is described, and some useful scripts and a demo swatch configuration are included.

Revision History
Revision 1.0, 2002-01-01, revised by sp
- first published version
- uses Snort version 1.8.3
- uses the RPM from www.snort.org
- added a link to the author's snortd initscript
- added a warning about automatic rule updates
- added a hint about IDSPM
- changed the rule file paths to /etc/snort to match the snort.org RPM
- as always: clarified some parts
Revision 0.05, 2001-11-14, revised by sp
- renamed the document to Snort-Setup for Statistics HOWTO
- added a short statistics script, inspired by Greg Sarsons
- clarified some parts and fixed some typos
Revision 0.04, 2001-09-29, revised by sp
- added the section "Snort internal statistics", suggested by Greg Sarsons
- added the short statistics script provided by Greg Sarsons, but commented it out in favour of a more general version
Revision 0.03, 2001-09-19, revised by sp
- added the throttle option to swatch.conf
- changed the ACID version to 0.9.6b15
- added some notes to the ACID section
- added MD5 checksums, but commented them out
Revision 0.02, 2001-09-16, revised by sp
- some clarifications suggested by Greg Sarsons
Revision 0.01, 2001-09-04, revised by sp
- initial version

1. Introduction

This document was written while the author built an IDS sensor with Snort and several statistics tools, to help people who want to implement an IDS (Intrusion Detection System). If even one item in it turns out to be useful, writing it will have been worth the effort.

Snort is an excellent NIDS (Network IDS, network intrusion detection system) that runs on many Unix platforms. The Snort homepage is http://www.snort.org/; the version described here is 1.8.3, the current version at the time of writing.

The statistics tools covered in this document are ACID, a database analysis tool for snort, and SnortSnarf, a statistics tool for snort logs. They can be downloaded from http://www.cert.org/kb/acid/ and http://www.silicondefense.com/software/snortsnarf/index.htm respectively.

ACID needs some additional supporting packages: a web server such as apache (http://www.apache.org/), PHPlot (http://www.phplot.com/), which is used for generating graphs in PHP, and ADODB (http://php.weblogs.com/ADODB/), which is used together with PHP for the database connection.

This document also describes which additional software ACID needs and how to set up the Perl-based log file monitoring script swatch (http://www.stanford.edu/~atkins/swatch), together with some scripts the author uses, including short sections on the snortd initscript and on swatch. The author has built a swatch RPM, which can be found at http://www.lug-burghausen.org/projects/Snort-Statistics/swatch-3.0.2-1.noarch.rpm.

Anyone interested in running more than one snort sensor should have a look at IDSPM (IDS Policy Manager) at http://www.activeworx.com/. It is an application for maintaining several sensors with differing policies, as well as for merging new rules into existing ones. The only "drawback" is that it runs on W2K/XP platforms and is not open source.


1.1. Copyright information

This document is copyrighted (c) 2001, 2002 Sandro Poppi and is distributed under the terms of the Linux Documentation Project (LDP) license, stated below.

Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.

All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator at the address given below.

In short, the author wishes this information to be spread through as many channels as possible. However, the copyright on this HOWTO must be preserved, and the author would like to be notified of any plans to redistribute it.

Questions can be sent to .


1.2. Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. As this is a new edition of this document, there may be errors and inaccuracies that may of course be damaging to your system. Proceed with caution, and although this is highly unlikely, the author(s) do not take any responsibility for that.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to take a backup of your system before major installation and backups at regular intervals.


1.3. New versions

This is the first version of this document.

The main site for this HOWTO is http://www.lug-burghausen.org/projects/Snort-Statistics/.

Mirror sites are the Linux Documentation Project and Snort.

The newest version of this HOWTO can always be obtained from the main site in various formats.


1.4. Credits

Thanks to many people, including the following.

If I missed someone it was not because of not honoring her or his work!


1.5. Feedback

Feedback on this document is always welcome. Without your suggestions and input this document would not exist. Please send additions, comments and criticism to the following e-mail address: .


2. Document structure

This document is a step-by-step guide to installing and configuring snort version 1.8.3; a MySQL database with its supporting packages PHPlot and ADODB; ACID, the web-based front end for real-time snort statistics; SnortSnarf, a statistics tool with a web front end for analysing snort log files; arachnids_upd, for always fetching the current rules from Max Vision's site http://www.whitehats.com/; and an example swatch configuration used to check whether snort reports errors when it stops.


3. Technical overview

Snort is an open-source network intrusion detection system (NIDS) that runs on various Unix platforms as well as on Microsoft ones.

A NIDS monitors a whole network segment, unlike a host-based IDS, which only monitors the host it runs on.

Because a NIDS is mostly used together with a firewall, it is essential that it is not itself vulnerable to attack. Therefore all interfaces that snort is bound to should be set up without an ip address. This is not possible in every configuration, however; if, for example, you want to bind snort to the isdn interface ippp0, consider using a separate machine for snort and setting up this one as the firewall and router for the dial-up connection.

For more information on this topic see the Firewall-HOWTO or the author's Firewalling+Masquerading+Diald+dynamic IP-HOWTO.

Snort can be used to monitor more than one network segment; this is discussed later.

Snort can also be used as a sniffer to troubleshoot network-related problems, but that is not the subject of this document.

ACID (Analysis Console for Intrusion Databases) is part of the AIR-CERT project. It uses PHPlot, a library for generating graphs in PHP, and ADODB, an abstraction library for connecting PHP to various database systems such as MySQL and PostgreSQL. From the ACID homepage:

"ACID is a PHP-based analysis engine to search and process a database of security incidents generated by security-related software such as intrusion detection systems and firewalls."

Max Vision's IDS rules (downloadable as the file vision.rules) are used to complement the rules built into snort.

arachnids_upd is a small but excellent Perl script that downloads the current vision.rules with wget and selectively removes rules from the ascii file.


4. Configuration

This chapter describes the various tasks needed to install and run snort and the tools.

Because the author uses Red Hat Linux 7.x, all path names and configuration options given are ultimately Red Hat-specific. Applying the contents of this document to another distribution should not be a big problem, though.


4.1. Setting up Snort

Snort can be installed either by getting the current tarball from http://www.snort.org/ and compiling it yourself, or by using the binaries of your distribution.

For version 1.8.3, precompiled binaries for RPM-based Linux distributions, FreeBSD, Solaris and Windows platforms are available from www.snort.org.

The author no longer maintains the RPM (since it would have to be redone with every version change), but provides the snortd.multi initscript at http://www.lug-burghausen.org/projects/Snort-Statistics/snortd.multi.

The author's 1.8.1 RPM with MySQL (but not PostgreSQL) support is available at http://www.lug-burghausen.org/projects/Snort-Statistics/snort-1.8.1-4.i386.rpm. To build a version with PostgreSQL support, download the source RPM, edit the spec file and rebuild. If you are not familiar with building RPMs, see the RPM-HOWTO or http://www.rpm.org/, where you will find a lot of good material on RPM, including the downloadable book Maximum RPM.


4.1.1. /etc/snort/snort.conf

After installing the RPM, /etc/snort/snort.conf has to be edited to suit your needs. Martin Roesch has written the Snort Users Manual, which is included as a PDF in the snort tarball and in the RPM; this document only covers the options needed for this setup, so see the manual for the other available options.

The example /etc/snort/snort.conf file in the tarball/RPM is also well commented and is a good starting point.


4.1.1.1. Snort variables

First, variables such as HOME_NET, EXTERNAL_NET and DNS_SERVERS have to be defined to reflect your network topology. Make sure you use the correct addresses; otherwise you will get mysterious alerts or, worse, no alerts at all.

When snort is used in a complex environment, for example one sensor monitoring multiple interfaces, HOME_NET and EXTERNAL_NET may be hard to define or would become very long lists. In that case both variables can be defined as any. You give up some degree of pre-filtering, but you avoid listing a great many network ranges for a large internal network, and you minimise the performance impact of running each packet through a very long address list.

To get rid of some hard-to-handle false portscan messages, the variable DNS_SERVERS should be defined to hold the ip addresses of all dns servers, as well as of other nodes, such as network management stations, that trigger snort's portscan module. This is work in progress.

You can also define variables of your own and refer to them in your rules. This is useful, for example, for pass rules tailored to your environment.

Define all other variables with suitable values or with $HOME_NET as defined in /etc/snort/snort.conf.

      var HOME_NET any
      var EXTERNAL_NET any
      # DNS_SERVERS holds the addresses of the DNS servers and of other "noisy" machines,
      # such as network management stations, that are to be ignored by portscan detection.
      var DNS_SERVERS [1.1.1.1/32,2.2.2.2/32]
      var SMTP_SERVERS $HOME_NET
      ...


4.1.1.2. Snort preprocessors

Next, the preprocessors to be used have to be configured. The more preprocessors you use, the more alerts they can trigger, but performance drops. So choose your preprocessors with care.

Some preprocessors are deprecated, so also consult Marty's Snort Users Manual; for those, the newly introduced replacements should be used.

The preprocessors minfrag and stream have been replaced by stream4, and defrag by frag2.

frag2 is the new IP defragmentation preprocessor introduced in snort v1.8 (it puts fragmented pieces back together into a contiguous whole) and is more memory-efficient than defrag/minfrag.

From the Snort Users Manual: the Stream4 module gives snort the ability to do TCP stream reassembly and stateful analysis. Robust stream reassembly lets Snort ignore "stateless" attacks. The Stream4 module also lets users track more than 256 simultaneous TCP streams. Stream4 should be able to scale to handle more than 64,000 TCP connections.

The Stream4 module consists of two preprocessors, stream4 and stream4_reassemble, and both have to be used.

There are several options for both preprocessors, but for stream4 only detect_scans, which alerts on portscan events, and detect_state_problems, which alerts on stream events such as evasive RST packets, data on SYN packets and out-of-window sequence numbers, will be used here.

For stream4_reassemble the option ports all is used, so that reassembly covers all ports instead of just a few predefined ones. Frankly, this is a kind of paranoia and it affects the cpu usage of the snort sensor. But since the author has seen no bad effects on a Pentium III 800 MHz machine with low average utilisation monitoring three 100Mbit/s full duplex lines, he considers this option the better solution.

Two further preprocessors are portscan and portscan-ignorehosts, which are responsible for portscan detection and for the hosts ignored by portscan detection, respectively.

Use portscan with 0.0.0.0/0 to watch all networks, set the number of ports that have to be accessed, and define the detection period in seconds. Additionally, the absolute path of the portscan log file has to be given.

portscan-ignorehosts removes spurious alerts from hosts that talk too much and trigger portscan detection, such as name servers and network management stations (see the variable DNS_SERVERS above).

There are some preprocessors used here that are not mentioned in Marty's users manual. unidecode replaces http_decode and normalises http and UNICODE attacks (that is, it converts them to a canonical form). rpc_decode normalises rpc traffic on the given ports, bo checks for Back Orifice attacks, and telnet_decode normalises telnet negotiation strings.

Other preprocessors such as SPADE are not covered here, but will be in a later version.

Putting this together, here is the preprocessor section of /etc/snort/snort.conf.

      preprocessor frag2
      preprocessor stream4: detect_scans detect_state_problems
      preprocessor stream4_reassemble: ports all
      preprocessor unidecode: 80 8080
      preprocessor rpc_decode: 111
      preprocessor bo: -nobrute
      preprocessor telnet_decode
      preprocessor portscan: 0.0.0.0/0 6 3 /var/log/snort/portscan.log
      preprocessor portscan-ignorehosts: $DNS_SERVERS
     


4.1.1.3. Snort output modules

Next comes the configuration of the output modules. Of these, the syslog module alert_syslog will be used to send alerts to syslog, and the database module will additionally log to a MySQL database.

The alert_syslog module needs some options describing what is to be logged. If, like the author, you use SnortSnarf to analyse the log files, you have to add the LOG_PID option; otherwise there will be problems when using SnortSnarf.

As mentioned earlier, ACID will be used, so snort has to be configured to log to a database. MySQL was chosen for no particular reason (the author had simply heard more about MySQL than about PostgreSQL).

The database output module needs the following parameters:

log | alert

Log the alert facility; the log facility is also possible. To store portscan alerts in the database, alert has to be used.

mysql|postgresql|odbc|oracle|mssql

The database type.

user=<username>

Defines the user name used for the database.

password=<password>

The password required for the given user.

dbname=<databasename>

The name of the database used for logging.

host=<hostname>

Defines the host the database runs on. Use localhost if the database runs on the snort sensor.

sensor_name=<sensor name>

If more than one sensor logs to the same database, give each one a unique name so the sensors can be distinguished.

Here is the output module section of /etc/snort/snort.conf.

       output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
       output database: alert, mysql, user=snort password=mypassword dbname=snort host=localhost sensor_name=mysensor 
      

If you run more than one snort sensor and want to log to a single database, use a central database on a separate machine. That way the alert data can be correlated on one console when an attack is detected, and you get a better overview.


4.1.1.4. Snort rulesets

Rules are an essential part of snort. They are divided into various categories, each in a file ending in *.rules, found in /etc/snort/. From version 1.8 on, the format was changed to reflect the classification types, and the priority of each classtype can also be defined.

If you use the original snort tarball, copy all the rule files and the classification.config file.

The classification types are configured in /etc/snort/classification.config. This file is already tuned to the rules shipped with snort, so there is no need to touch it. If you want to use Max Vision's vision.rules, however, you will have to add some lines, because the classtypes differ. Just copy all config classification: lines from vision.conf and paste them into /etc/snort/classification.config. Don't forget to get the vision.rules for snort 1.8 (vision18.rules and vision18.conf from http://www.whitehats.com/) if your old file doesn't match the new format introduced with snort 1.8.

Here is the /etc/snort/classification.config file as used with vision.rules:

       #
       # config classification: short name, short description, priority
       #
       #config classification: not-suspicious,Not Suspicious Traffic,0
       config classification: unknown,Unknown Traffic,1
       config classification: bad-unknown,Potentially Bad Traffic, 2
       config classification: attempted-recon,Attempted Information Leak,3
       config classification: successful-recon-limited,Information Leak,4
       config classification: successful-recon-largescale,Large Scale Information Leak,5
       config classification: attempted-dos,Attempted Denial of Service,6
       config classification: successful-dos,Denial of Service,7
       config classification: attempted-user,Attempted User Privilege Gain,8
       config classification: unsuccessful-user,Unsuccessful User Privilege Gain,7
       config classification: successful-user,Successful User Privilege Gain,9
       config classification: attempted-admin,Attempted Administrator Privilege Gain,10
       config classification: successful-admin,Successful Administrator Privilege Gain,11

       # added from vision18.conf
       # classification for use with a management interface
       # low risk
       config classification: not-suspicious,policy traffic that is not suspicious,0
       config classification: suspicious,suspicious miscellaneous traffic,1
       config classification: info-failed,failed information gathering attempt,2
       config classification: relay-failed,failed relay attempt,3
       config classification: data-failed,failed data integrity attempt,4
       config classification: system-failed,failed system integrity attempt,5
       config classification: client-failed,failed client integrity attempt,6
       # middle risk
       config classification: denialofservice,denial of service,7
       config classification: info-attempt,information gathering attempt,8
       config classification: relay-attempt,relay attempt,9
       config classification: data-attempt,data integrity attempt,10
       config classification: system-attempt,system integrity attempt,11
       config classification: client-attempt,client integrity attempt,12
       config classification: data-or-info-attempt,data integrity or information gathering attempt,13
       config classification: system-or-info-attempt,system integrity or information gathering attempt,14
       config classification: relay-or-info-attempt,relay of information gathering attempt,15
       # high risk
       config classification: info-success,successful information gathering attempt,16
       config classification: relay-success,successful relay attempt,17
       config classification: data-success,successful data integrity attempt,18
       config classification: system-success,successful system integrity attempt,19
       config classification: client-success,successful client integrity attempt,20

The classification and rule files are included in /etc/snort/snort.conf. Some of the rule files used here are not part of the standard distribution and were copied from CVS, for example virus.rules.

As mentioned earlier, the vision.rules file will be fetched by the arachnids_upd tool discussed later.

arachnids_upd renames vision18.rules to vision.rules, but of course the rules are the ones prepared for version 1.8 and above.

Because the variable definitions for INTERNAL and EXTERNAL in vision.rules are not the same as in the snort rules, a script is used to change these names. See the arachnids_upd section below.

       # Include classification & priority settings
       include /etc/snort/classification.config
       
       include /etc/snort/exploit.rules
       include /etc/snort/scan.rules
       include /etc/snort/finger.rules
       include /etc/snort/ftp.rules
       include /etc/snort/telnet.rules
       include /etc/snort/smtp.rules
       include /etc/snort/rpc.rules
       include /etc/snort/rservices.rules
       include /etc/snort/backdoor.rules
       include /etc/snort/dos.rules
       include /etc/snort/ddos.rules
       include /etc/snort/dns.rules
       include /etc/snort/netbios.rules
       include /etc/snort/web-cgi.rules
       include /etc/snort/web-coldfusion.rules
       include /etc/snort/web-frontpage.rules
       include /etc/snort/web-iis.rules
       include /etc/snort/web-misc.rules
       include /etc/snort/sql.rules
       include /etc/snort/x11.rules
       include /etc/snort/icmp.rules
       include /etc/snort/shellcode.rules
       include /etc/snort/misc.rules
       include /etc/snort/policy.rules
       include /etc/snort/info.rules
       #include /etc/snort/icmp-info.rules
       include /etc/snort/virus.rules
       include /etc/snort/local.rules
     
       # vision.rules is fetched by arachnids_upd
       include /etc/snort/vision.rules
     

After finishing the /etc/snort/snort.conf configuration, start snort with /etc/rc.d/init.d/snortd start and fix any errors reported in the /var/log/messages log file (ignore all messages related to the database, since it is not set up yet). If everything went well, continue with the configuration of the other parts.


4.1.2. /etc/rc.d/init.d/snortd

In /etc/rc.d/init.d/snortd, at least the interface section has to be edited: change INTERFACE="eth0" to the interface you use. This may be another ethernet (ethx), pppx or ipppx interface. If you use ISDN, for example, the interface definition looks like this.

     INTERFACE="ippp0"
    

If the snort sensor monitors only one interface, the stock snortd initscript is sufficient. If you have more than one interface, have a look at the author's extended script. If you have only one interface but want to use swatch like the author does, copy the swatch part into the snortd script (see the contrib section of the RPM documentation).

The author's extended snortd initscript below lets snort monitor more than one interface. One could argue that any can be used as the interface name, because the underlying libpcap allows it. But that is not what the author intends, since he is not interested in monitoring the local network the snort sensor is installed in. That local network should be a separate, secured network segment with additional security measures such as a firewall, so sniffing there makes no sense unless you want to detect attacks aimed at the snort network itself. If more than one sensor is used in this segment, only one of them, not all, needs to be configured to protect the segment.

The author added a new function, daemonMult, derived from Red Hat's daemon function in /etc/rc.d/init.d/functions. It allows a program to be started more than once. The author has sent Red Hat a patch for the daemon function introducing a new option --mult. Once that addition is made, the daemonMult function becomes obsolete and the call changes from daemonMult to daemon --mult.

The author also changed the subsystem name from snort to snortd to get rid of an error message at reboot (on Red Hat, the killall script depends on the exact name).

With the author's script you can define multiple interfaces to monitor: use a space-separated list in INTERFACE, as in the script below.

Some sanity checks are also included, to see whether the interface being listened on is already up and whether it has an IP address defined. If an IP address is defined, the corresponding config in /etc/sysconfig/network-scripts/ifcfg-(interface-name) is used on Red Hat Linux. Otherwise the interface is brought up in promiscuous mode without an IP.

This has not yet been tested on anything but ethernet interfaces. The author will soon look at ISDN interfaces and report any differences.

One snort process is started per interface, and swatch is run as well, to check for errors when snort is restarted for a rule update (see the swatch section below).

When snort is shut down, all interfaces without an IP are shut down too, but interfaces with an IP configuration are not, because if a snort'ed interface is essential to the snort sensor, shutting it down could make the sensor unreachable.

A better solution would probably be to check the interface's config file for the following entry,

     ONBOOT=yes
    

and to shut the interface down only if yes is absent. This is not implemented yet, though.
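The ONBOOT check just described, implemented as an added example that is not part of the author's initscript or of Snort: the functions below read the interface's Red Hat ifcfg file and decide whether snortd's stop action may bring the interface down. IFCFG_DIR, the function names and the ifcfg files written by the demo are assumptions made for this example; the demo files stand in for /etc/sysconfig/network-scripts.

```shell
#!/bin/sh
# Added example: decide whether snortd may shut an interface down, based on
# ONBOOT=yes in its Red Hat ifcfg file. IFCFG_DIR can be overridden so the
# logic can be exercised on constructed files instead of the real ones.
IFCFG_DIR="${IFCFG_DIR:-/etc/sysconfig/network-scripts}"

# iface_onboot IFACE -> exit 0 if ifcfg-IFACE contains ONBOOT=yes (quotes optional)
iface_onboot() {
  cfg="$IFCFG_DIR/ifcfg-$1"
  [ -r "$cfg" ] || return 1
  # the last ONBOOT= assignment wins; ifcfg values may be quoted
  val=$(sed -n 's/^ONBOOT=//p' "$cfg" | tail -n 1 | tr -d "\"'")
  [ "$val" = "yes" ]
}

# may_shutdown_iface IFACE -> exit 0 if the stop action should run "ifconfig IFACE down":
# only ethernet interfaces are handled (as in snortd), and an interface that the
# system itself brings up at boot is left alone.
may_shutdown_iface() {
  case "$1" in
    eth*) ;;
    *) return 1 ;;
  esac
  if iface_onboot "$1"; then
    return 1
  fi
  return 0
}

# Demo on constructed ifcfg files (not the real ones), printing one decision per interface.
demo_shutdown_decisions() {
  IFCFG_DIR=$(mktemp -d)
  printf 'DEVICE=eth0\nONBOOT=yes\n' > "$IFCFG_DIR/ifcfg-eth0"   # constructed
  printf 'DEVICE=eth1\nONBOOT="no"\n' > "$IFCFG_DIR/ifcfg-eth1"  # constructed
  for i in eth0 eth1 eth2 ippp0; do
    if may_shutdown_iface "$i"; then
      echo "$i: would be shut down"
    else
      echo "$i: left up"
    fi
  done
  rm -rf "$IFCFG_DIR"
}

demo_shutdown_decisions
```

In the stop action of the initscript, the existing test for a missing inet addr would be replaced by a call to may_shutdown_iface, so that an interface with its own boot-time configuration is never taken down by snortd even if it currently carries no address.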

Here is the extended snort initscript:

#!/bin/sh
#
# snortd         Start/Stop the snort IDS daemon.
#
# chkconfig: 2345 40 60
# description:  Snort is a lightweight network intrusion detection system that
#               currently detects more than 1100 host and network vulnerabilities,
#               portscans, backdoors and more.
#
# June 10, 2000 -- Dave Wreski Dave Wreski <dave at linuxsecurity.com>
#   - initial version
# July 08, 2000 Dave Wreski <<dave at guardiandigital.com>
#   - added snort user/group
#   - support for version 1.6.2
# April 11, 2001 Sandro Poppi <spoppi at gmx.de>
#   - added a multiple-interface option, for dial-up lines or for more than one sniffing interface
#     The author does not consider the libpcap option "-i any" a good choice,
#     because snort can be configured to monitor more than one interface without an ip,
#     whereas the monitoring interface would then be left unprotected.
#   - changed the subsystem name from snort to snortd to get rid of an error message at reboot
#      (Red Hat's killall script depends on the exact name)
#   - added the daemonMult function, derived from the daemon function in /etc/rc.d/init.d/functions,
#      so that multiple instances of snort can be started
#      (eventually this may be merged into Red Hat's daemon function; contact the author)
# January 01, 2002 Sandro Poppi <spoppi at gmx.de>
#   - added a check whether swatch is installed
#   - added a check for non-ethernet interfaces, since those are assumed to be brought up by ifconfig already
#
# Source function library.
. /etc/rc.d/init.d/functions

# Function to start a program more than once.
# This is a reworked copy of the daemon function in /etc/rc.d/init.d/functions.
daemonMult() {
        # Test syntax.
        gotbase=
        user=
        nicelevel=0
        while [ "$1" != "${1##-}" -o "$1" != "${1##+}" ]; do
          case $1 in
            '')    echo '$0: Usage: daemon [+/-nicelevel] {program}'
                   return 1;;
            --check)
                   shift
                   base=$1
                   gotbase="yes"
                   shift
                   ;;
            --user)
                   shift
                   daemon_user=$1
                   shift
                   ;;
            -*|+*) nicelevel=$1
                   shift
                   ;;
             *)    nicelevel=0
                   ;;
          esac
        done

        # Save basename.
        [ -z $gotbase ] && base=`basename $1`

        # Make sure it does not core dump anywhere; while this could mask
        # problems with the daemon, it also closes some security problems.
        ulimit -S -c 0 >/dev/null 2>&1

        # Echo daemon
        [ "$BOOTUP" = "verbose" ] && echo -n " $base"

        # And start it up.
        if [ -z "$daemon_user" ]; then
           nice -n $nicelevel initlog $INITLOG_ARGS -c "$*" && success "$base startup" || failure "$base startup"
        else
           nice -n $nicelevel initlog $INITLOG_ARGS -c "su $daemon_user -c \"$*\"" && success "$base startup" || failure "$base startup"
        fi
}

# Specify your network interface(s) here
INTERFACE="eth1 eth2"

# See how we were called.
case "$1" in
start)
        if [ -x /usr/bin/swatch ] ; then
          echo -n "Starting swatch: "
          # added by the author to use swatch
          # swatch is started before snort so that errors during snort startup are reported
          # use /var/log/secure if you use the snort option -s
          # use /var/log/messages if you use the alert_syslog: output option in snort.conf
          /usr/bin/swatch --daemon --tail /var/log/messages --config-file /etc/swatch/swatchrc &
          touch /var/lock/subsys/swatch
          echo "done."
          echo
        fi

        # added the multiple-interface option
        for i in `echo "$INTERFACE"` ; do
          echo -n "Starting snort on interface $i: "
          # inserted to bring up an ip-less sniffing interface for snort when the script starts
          # if the interface is not loaded yet or is not up
          if [ `/sbin/ifconfig $i 2>&1 | /bin/grep -c "Device not found"` = "0" \
               -o `/sbin/ifconfig $i 2>&1 | /bin/grep -c "UP"` = "0" ] ; then

            # check for interfaces other than ethernet
            if [ `echo $i | /bin/grep -c "^eth"` = "1" ] ; then
              # check whether there is a config for the given interface
              # normally this should be omitted for a sniffing interface, for security reasons
              if [ -s "/etc/sysconfig/network-scripts/ifcfg-$i" ]; then
                # use the config
                /sbin/ifup $i
              else
                # ip-less sniffing interface
                /sbin/ifconfig $i up promisc
              fi
            fi
          fi
          # run the reworked daemon function from above
          daemonMult /usr/sbin/snort -u snort -g snort -d -D \
                 -i $i -I -l /var/log/snort -c /etc/snort/snort.conf
          echo
        done

        touch /var/lock/subsys/snortd

        ;;
  stop)
        echo -n "Stopping snort: "
        killproc snort
        rm -f /var/lock/subsys/snortd

        # inserted by the author
        if [ -x /usr/bin/swatch ] ; then
          echo
          echo -n "Stopping swatch: "
          kill `ps x|grep "/usr/bin/swatch"|grep -v grep|awk '{ print $1 }'`
          rm -f /var/lock/subsys/swatch
        fi

        # shut the interface down only if it has no ip address,
        # and only for ethernet interfaces, since the other interface types are not to be shut down here
        for i in `echo "$INTERFACE"`; do
          if [ `echo $i | /bin/grep -c "^eth"` = "1" -a \
              `/sbin/ifconfig $i 2>&1 | /bin/grep -c "inet addr:"` = "0" ] ; then
            /sbin/ifconfig $i down
          fi
        done
        echo
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status snort
        #status swatch
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|status}"
        exit 1
esac
exit 0


4.1.3. /etc/snort/snort-check

This shell script is used to generate WinPopups via smbclient or to send e-mail to given people. It was inspired by Bill Richardson's script published on the snort homepage.

The WinPopup part may be obsolete because of the smb output module introduced in snort 1.8; the author has not tested it yet.

#!/bin/sh

# Script run from within swatch to send alerts in several formats.
# Inspired by Bill Richardson's script at www.snort.org.
# Extended to read a "hosts" file holding the names of the workstations
# that receive a WinPopup. The syntax is the same as for the snortd option -M.
# Poppi, 02.05.2001

# Prerequisites:
# Samba has to be installed correctly.
# Change the following variables to suit your system (fine as they are on Red Hat 7.x).

# hostfile holds the name of the file containing the workstations for the WinPopup.
hostfile="/etc/snort/hosts"

# recipientfile holds the addresses of all recipients.
# One recipient per line.
recipientfile="/etc/snort/recipients"

# if the recipient file exists
if [ -s "$recipientfile" ] ; then
  # build the recipient list from the e-mail addresses
  for i in `cat $recipientfile` ; do
    recipients="$recipients $i"
  done

  # the list must stay unquoted so that each address is passed as its own argument
  echo "$*" | mail -s "Snort-Alert!!!" $recipients
fi

# if the hostfile exists, send the WinPopups
if [ -s "$hostfile" ] ; then
  for i in `cat $hostfile` ; do
    echo "Snort-Alert! $*" | smbclient -M $i > /dev/null 2>&1
  done
fi


4.1.3.1. /etc/snort/hosts

Put the workstation names of the hosts that receive snort messages into this file, one per line.

       ws001
       ws002
       ws003
      


4.1.3.2. /etc/snort/recipients

Put the e-mail addresses of the recipients who want to (or are supposed to) receive snort alerts into /etc/snort/recipients, one per line.

       jane@internal.local.com
       henk@snort.info
       sandro@snort.info
      

If either of the two files is missing, the corresponding feature is disabled.


4.1.4. Snort ³»ºÎ Åë°èÀÚ·á

Snort has a built-in feature to output some internal statistics, which can be logged with the following command:

/bin/kill -SIGUSR1 <pid of snort>

Or, if there is more than one snort process on the same machine and all the information is wanted at once, the following command can be used:

/bin/killall -USR1 snort

After the command above, internal statistics like the following appear in syslog (/var/log/messages):

Sep 29 07:51:48 ids01 snort[8000]:   ===============================================================================
Sep 29 07:51:48 ids01 snort[8000]: Snort analyzed 27316 out of 27316 packets,
Sep 29 07:51:48 ids01 snort[8000]: dropping 0(0.000%) packets
Sep 29 07:51:48 ids01 snort[8000]: Breakdown by protocol:                Action Stats:
Sep 29 07:51:48 ids01 snort[8000]:     TCP: 27152      (99.400%)         ALERTS: 0
Sep 29 07:51:48 ids01 snort[8000]:     UDP: 0          (0.000%)          LOGGED: 0
Sep 29 07:51:48 ids01 snort[8000]:    ICMP: 164        (0.600%)          PASSED: 0
Sep 29 07:51:48 ids01 snort[8000]:     ARP: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:    IPv6: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:     IPX: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:   OTHER: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]: DISCARD: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
Sep 29 07:51:48 ids01 snort[8000]: Fragmentation Stats:
Sep 29 07:51:48 ids01 snort[8000]: Fragmented IP Packets: 0          (0.000%)
Sep 29 07:51:48 ids01 snort[8000]:     Fragment Trackers: 0
Sep 29 07:51:48 ids01 snort[8000]:    Rebuilt IP Packets: 0
Sep 29 07:51:48 ids01 snort[8000]:    Frag elements used: 0
Sep 29 07:51:48 ids01 snort[8000]: Discarded(incomplete): 0
Sep 29 07:51:48 ids01 snort[8000]:    Discarded(timeout): 0
Sep 29 07:51:48 ids01 snort[8000]:   Frag2 memory faults: 0
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
Sep 29 07:51:48 ids01 snort[8000]: TCP Stream Reassembly Stats:
Sep 29 07:51:48 ids01 snort[8000]:         TCP Packets Used: 27152      (99.400%)
Sep 29 07:51:48 ids01 snort[8000]:          Stream Trackers: 1
Sep 29 07:51:48 ids01 snort[8000]:           Stream flushes: 0
Sep 29 07:51:48 ids01 snort[8000]:            Segments used: 0
Sep 29 07:51:48 ids01 snort[8000]:    Stream4 Memory Faults: 0
Sep 29 07:51:48 ids01 snort[8000]: ===============================================================================
     

But remember: in versions before 1.8.3 snort has to be restarted to get new statistics. So with an older version always run kill -SIGUSR1 together with a snort restart.

First look at the first two lines. If snort reports that it is dropping packets, you have to examine very carefully not only snort's configuration but also the configuration of the snort box itself.

For example, stop every unnecessary service that is not essential for the box, and examine the output of the top command. If the idle counter is very low, you have to find out which processes consume the CPU time and, in the end, whether those programs can be moved to another machine. This applies when ACID, the database and snort run on the same machine with little memory and/or a low-end CPU.

The other data lines give an overview of the preprocessors and their work. The memory fault section should also be examined: if a number there is not 0, memory usage has to be examined and, in the end, the preprocessors configured to use more memory (see the appropriate sections in /etc/snort/snort.conf).

The following is a short script, inspired by Greg Sarsons, for collecting snort's internal statistics. Save it to a file and restart snort.

The statistics files are stored in /var/log/snort/archive, so this directory has to be created first.

#!/bin/bash
# Script to create and extract special snort statistics from a given
# file, written by syslog after running kill -USR1 <snort-pid>
#
# This script assumes that the pid is logged in the logfile.
# This is possible with the following line in snort.conf:
# output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
#
# (c) Sandro Poppi 2001
# Released under GPL

echo "Starting gathering snort internal statistics. Please be patient..."

if [ "$1." == "." -o ! -e "$1" ] ; then
  # if no file is given or it does not exist, use the following default file
  log_file="/var/log/messages"

else
  # if the logfile location is non-standard, make sure snort uses this logfile;
  # otherwise this script will not work when the USR1 signal is sent
  log_file="$1"
fi

# find out the snort pid
snort_pid=`/sbin/pidof snort`

# get the internal statistics of all snort processes
# killall is not used so that the output is already sorted per process
for i in `echo $snort_pid` ; do
  kill -USR1 $i
  
  # sleep 2 seconds to let snort send the statistics to syslog
  sleep 2
done
  
# restart snort immediately after sending USR1
# this may be omitted with a snort CVS version from about 11.1.2001 onwards
# or with any version 1.8.2 or above
/etc/rc.d/init.d/snortd restart

for i in `echo $snort_pid` ; do
  # process logfile

  filename=/var/log/snort/archive/snort.`date "+%Y-%m-%d"`.$i.log
    
  # check for an existing file and rename it if it exists
  if [ -e "$filename" ] ; then
    mv "$filename" "$filename.bak"
  fi
  
  egrep "snort\[$i\]:" $log_file > "$filename"
  
  # check for dropped packets using lines like the following
  # Oct 22 18:02:06 xbgh17183 snort[573]: dropping 0(0.000%) packets 
  # the separator "[ (]+" collapses runs of blanks, so a single-digit day
  # ("Oct  2") does not shift the field number; tail keeps only the newest block
  if [ "`egrep "dropping" $filename | tail -n 1 | awk -F "[ (]+" '{ print $7 }'`" != "0" -a \
       "`egrep -c "dropping" $filename`" != "0" ] ; then
    echo "Snort's dropping packets!!! Take a look on the configuration and/or the system's performance!!!"
  fi 
  
done

echo "Gathering snort internal statistics finished..."
     
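The following is an added example and not part of the HOWTO: a parser for the statistics block that snort writes to syslog after SIGUSR1, meant to be run as a cron check alongside the script above. It locates every counter by its label rather than by a positional awk field, so a single-digit day ("Sep  9", two blanks) cannot shift the columns, and it checks the preprocessor memory fault counters in addition to dropped packets. The function name, its exit codes and the sample log at the end (constructed in the format of the excerpt above) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): check one snort process's SIGUSR1
# statistics block in a syslog file for dropped packets and memory faults.

# snort_stats_check LOGFILE PID
#   prints: analyzed=N total=N dropped=N frag2_faults=N stream4_faults=N
#   returns 0 when nothing was dropped and no memory faults were logged,
#           1 when packets were dropped,
#           2 when a preprocessor reported memory faults,
#           3 when LOGFILE holds no statistics block for PID
snort_stats_check() {
  logfile=$1
  pid=$2
  grep "snort\[$pid\]:" "$logfile" | awk '
    /Snort analyzed/        { analyzed = $(NF-4); total = $(NF-1) }
    /dropping/              { dropped = $(NF-1); sub(/\(.*/, "", dropped) }
    /Frag2 memory faults/   { frag2 = $NF }
    /Stream4 Memory Faults/ { stream4 = $NF }
    END {
      if (total == "") exit 3
      printf "analyzed=%s total=%s dropped=%s frag2_faults=%s stream4_faults=%s\n",
             analyzed, total, dropped, frag2, stream4
      if (dropped + 0 > 0) exit 1
      if (frag2 + 0 > 0 || stream4 + 0 > 0) exit 2
      exit 0
    }'
}

# make_sample_log -- constructed syslog excerpt (not real data): three snort
# processes, one healthy, one dropping packets, one with frag2 memory faults
make_sample_log() {
  cat <<'EOF'
Sep  9 07:51:48 ids01 snort[8000]: Snort analyzed 27316 out of 27316 packets,
Sep  9 07:51:48 ids01 snort[8000]: dropping 0(0.000%) packets
Sep  9 07:51:48 ids01 snort[8000]:   Frag2 memory faults: 0
Sep  9 07:51:48 ids01 snort[8000]:    Stream4 Memory Faults: 0
Sep  9 07:52:03 ids01 snort[8001]: Snort analyzed 51200 out of 51937 packets,
Sep  9 07:52:03 ids01 snort[8001]: dropping 737(1.419%) packets
Sep  9 07:52:03 ids01 snort[8001]:   Frag2 memory faults: 0
Sep  9 07:52:03 ids01 snort[8001]:    Stream4 Memory Faults: 0
Sep  9 07:52:10 ids01 snort[8002]: Snort analyzed 1000 out of 1000 packets,
Sep  9 07:52:10 ids01 snort[8002]: dropping 0(0.000%) packets
Sep  9 07:52:10 ids01 snort[8002]:   Frag2 memory faults: 12
Sep  9 07:52:10 ids01 snort[8002]:    Stream4 Memory Faults: 0
EOF
}

sample=$(mktemp)
make_sample_log > "$sample"
for pid in 8000 8001 8002 9999; do
  if snort_stats_check "$sample" "$pid"; then
    echo "pid $pid: ok"
  else
    echo "pid $pid: status $?"
  fi
done
rm -f "$sample"
```

Run against the real log with the pid taken from /sbin/pidof snort, exactly as the script above does; a non-zero status is the condition to alert on.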


4.1.5. Snort Å×½ºÆ®Çϱâ

To test snort, /etc/rc.d/init.d/snortd has to be edited so that the interface listens on the loopback interface lo. Those who have a network card installed may use eth0 instead, but if snot and snort run on the same machine no packets are sent over that interface, so snot has to be run from a second PC.

Probably the simplest way to test snort is to use snot, which can be found at http://www.sec33.com/sniph/.

For snot, libnet has to be installed. Since there is no RPM available for Red Hat 7.x, libnet-1.0.2-6mdk.i586.rpm from MandrakeSoft can be used; it can be found at http://rpmfind.net/ or on the Mandrake site http://www.mandrake.com/. Most Mandrake RPMs can be used on Red Hat systems without any problems. Note, however, that Mandrake does not provide i386 RPMs, so they cannot be used on older processors before the Pentium P5. In that case get the source from http://www.packetfactory.net/projects/libnet and compile it yourself.

To compile snot, just untar the tarball and run make in the snot directory. If it compiles without errors, snot can be used right away. Otherwise some development package is missing.

To prepare snot, copy /etc/snort/snort.conf into the snot directory and cat one or more rule files onto the end of the copied snort.conf:

cat /etc/snort/backdoor.rules >> snort.conf

Then run tail -f /var/log/messages in one console and do the test in another console at the same time.

If lo was used as the interface name in the snortd initscript, snot can be run like this:

./snot -r snort.conf -d localhost -n 5

This tells snot to use the copied snort.conf, that the destination is localhost, and to limit itself to at most 5 so as not to trigger too many alerts.

You will probably get some messages saying that additional variables are being ignored. This is because snot cannot handle the new variables introduced in snort 1.8, so do not panic and just ignore the messages. snot is running fine.

In /var/log/messages some snort alerts can be seen:

Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.213.151:6969 -> 127.0.0.1:3170
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.213.151:6969 -> 127.0.0.1:3170
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.155.231:6969 -> 127.0.0.1:57580
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.155.231:6969 -> 127.0.0.1:57580
Sep 10 18:22:33 ids01 snort[1536]: <lo> Deep Throat access: 192.168.170.42:2140 -> 127.0.0.1:60521
     

If you get similar alerts, fine. If not, examine the configuration until results similar to the above appear.

Now edit /etc/snort/snort.conf, put the correct value into the INTERFACE variable, and restart snort.


4.2. MySQL ¼³Á¤Çϱâ

To enable snort to send alerts to MySQL, MySQL has to be installed first. Most Linux distributions have MySQL packages available, so use them. Otherwise you will probably have to download the tarball from http://www.mysql.org/ and compile and install it from scratch. See the documentation included with MySQL for installing it.

After the MySQL daemon has been started (on Red Hat, after installing the RPM, run /etc/rc.d/init.d/mysql start) the snort database has to be initialized. This is done as follows:

[root@ids01 /root]# mysql -u root
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 133 to server version: 3.23.32

Type 'help;' or '\h' for help. Type '\c' to clear the buffer

mysql>create database snort;
Query OK, 1 row affected (0.00 sec)

mysql> connect snort
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Connection id:    139
Current database: snort

mysql> status
--------------
mysql  Ver 11.12 Distrib 3.23.32, for redhat-linux-gnu (i386)

Connection id:          139
Current database:       snort
Current user:           root@localhost
Current pager:          stdout
Using outfile:          ''
Server version:         3.23.32
Protocol version:       10
Connection:             Localhost via UNIX socket
Client characterset:    latin1
Server characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 1 day 2 hours 6 min 21 sec

Threads: 14  Questions: 4272  Slow queries: 0  Opens: 58  Flush tables: 1  Open tables: 18 Queries per second avg: 0.045
--------------

mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
    

Create the required database table structure with the create_mysql script, which can be found in the contrib directory of the original tarball or of the author's RPM.

[root@ids01 /root]# mysql -u root snort < ./contrib/create_mysql

Remember to add a userid/password pair for the database and to change xxxx to a password suitable for your environment.

[root@ids01 /root]# mysql -u root mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 148 to server version: 3.23.32

Type 'help;' or '\h' for help. Type '\c' to clear the buffer

mysql> insert into user (User,Password) values('snort',PASSWORD('xxxx'));
Query OK, 1 row affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
    

For convenience, add some special tables from the contrib directory of the snort tarball or of the author's RPM with the following command:

zcat snortdb-extra.gz | mysql -u root snort

To use ACID's archive feature, another database snort_archive (or whatever name you prefer) has to be created in the same way the snort database was defined.

From now on the database can be used for logging at any time via snort's database output module, which is enabled in /etc/snort/snort.conf.


4.3. ADODB ¼³Á¤Çϱâ

ADODB is a required part of ACID; it provides database connectivity for PHP based programs such as ACID.

Install ADODB into a directory the web server can use. On Red Hat this is /var/www/html/adodb/.

ADODB version 1.31 has a bug in adodb.inc.php, which may still exist in newer versions. The path in line 40 has to be changed to reflect the local setup. It is necessary to remove the dirname() call completely, so that the file looks like this:

 if (!defined('_ADODB_LAYER')) {
        define('_ADODB_LAYER',1);

        define('ADODB_FETCH_DEFAULT',0);
        define('ADODB_FETCH_NUM',1);
        define('ADODB_FETCH_ASSOC',2);
        define('ADODB_FETCH_BOTH',3);

        GLOBAL
                $ADODB_vers,            // database version
                $ADODB_Database,        // last database driver used
                $ADODB_COUNTRECS,       // count number of records returned - slows down queries
                $ADODB_CACHE_DIR,       // directory for cached recordsets
                $ADODB_FETCH_MODE;      // DEFAULT, NUM, ASSOC or BOTH. Default follows native driver default...

        $ADODB_FETCH_MODE = ADODB_FETCH_DEFAULT;
        /**
         * Set the value below to the directory where this file resides
         * ADODB_RootPath has been renamed to ADODB_DIR
         */
        if (!defined('ADODB_DIR')) define('ADODB_DIR','/var/www/html/adodb');

    

That is all that has to be done for ADODB.


4.4. PHPlot ¼³Á¤Çϱâ

After downloading PHPlot, put the package into a directory the web server can see. On Red Hat this is /var/www/html/phplot/. There is nothing to configure here.


4.5. ACID ¼³Á¤Çϱâ

As mentioned before, ACID needs some additional programs installed to work correctly. A database system such as MySQL version 3.23 or above, a web server supporting PHP 4.0.2 or above such as apache with the PHP module mod_php, and ADODB version 0.93 are required, while the graphics library gd version 1.8 or above and PHPlot version 4.4.6 or above are optional but recommended. apache, the PHP module and gd are not covered in this document, since they are always included and installed with every Linux distribution.

For Snort 1.8 and above, at least ACID 0.9.6b13 is needed. ACID is in the contrib directory of the author's RPM, but as ACID is developed rapidly that may be an older version. So always check ACID's home page for a newer version.

Install ACID into a directory the web server can see, such as /var/www/html/acid.

In /var/www/html/acid/acid_conf.php some variables have to be edited to fit your environment.

First define the database type in the variable DBtype. Next define the alert_* and archive_* variables.

Define the path to PHPlot in ChartLib_path. In this document it is /var/www/html/phplot.

The last variable to define is portscan_file: the absolute path and file name of snort's portscan log file.

All other variables are fine for now. Of course they can be edited to suit your needs.

The following is the config the author uses:

<?php

$ACID_VERSION = "0.9.6b15";

/* Path to the DB abstraction library
 *  (Note: do not include a trailing backslash after the directory)
 *   e.g. $foo = "/tmp"      [OK]
 *        $foo = "/tmp/"     [WRONG]
 *        $foo = "c:\tmp"    [OK]
 *        $foo = "c:\tmp\"   [WRONG]
 */
$DBlib_path = "/var/www/html/adodb";

/* Type of the underlying alert database
 *
 *  MySQL       : "mysql"
 *  PostgresSQL : "postgres"
 */
$DBtype = "mysql";

/* Alert DB connection variables
 *   - $alert_dbname   : MySQL database name of the Snort alert DB
 *   - $alert_host     : host on which the DB is stored
 *   - $alert_port     : port on which to access the DB
 *   - $alert_user     : DB user
 *   - $alert_password : password of the DB user
 *
 *  This information can be taken from the Snort database output plugin configuration.
 */
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "xxxx";

/* Archive DB connection variables */
$archive_dbname   = "snort_archive";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "snort";
$archive_password = "xxxx";

/* Type of DB connection to use
 *   1  : use a persistent connection (pconnect)
 *   2  : use a normal connection (connect)
 */
$db_connect_method = 1;

/* Path to the graphing library
 *  (Note: do not include a trailing backslash after the directory)
 */
$ChartLib_path = "/var/www/html/phplot";

/* File format of the charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";

/* Default chart colours
 *    - $chart_bg_color_default    : background colour of the chart
 *    - $chart_lgrid_color_default : colour of the chart's grid lines
 *    - $chart_bar_color_default   : colour of the chart's bars/lines
 */
$chart_bg_color_default     = array(255,255,255);
$chart_lgrid_color_default  = array(205,205,205);
$chart_bar_color_default    = array(190, 5, 5);

/* Maximum number of rows per criteria element */
$MAX_ROWS = 20;

/* Number of rows to display for any query results */
$show_rows = 50;

/* Number of items returned during a snapshot
 *  Last _X_ # of alerts/unique alerts/ports/IP
 */
$last_num_alerts = 15;
$last_num_ualerts = 15;
$last_num_uports = 15;
$last_num_uaddr = 15;

/* Number of items returned during a snapshot
 *  Most frequent unique alerts/IPs/ports
 */
$freq_num_alerts = 5;
$freq_num_uaddr = 15;
$freq_num_uports = 15;

/* Number of scroll buttons to use when displaying query results */
$max_scroll_buttons = 12;

/* Debug mode - determines how much debugging information is shown
 * Timing mode - displays timing information
 * SQL trace mode - logs the SQL statements
 *   0 : no special information
 *   1 : debugging information
 *   2 : extended debugging information
 *
 * HTML no cache - determines whether a no-cache directive is sent to the browser
 *                 (1 for Internet Explorer)
 *
 * SQL trace file - file to log the SQL trace to
 */
$debug_mode = 0;
$debug_time_mode = 1;
$html_no_cache = 1;
$sql_trace_mode = 0;
$sql_trace_file = "";

/* Auto-Screen refresh
 * - Refresh_Stat_Page - should the statistics page be refreshed?
 * - Stat_Page_Refresh_Time - refresh interval (in seconds)
 */
$refresh_stat_page = 1;
$stat_page_refresh_time = 180;

/* Show the first/previous/last timestamps for alerts, or just the
 * first/last timestamps for the unique alert listing
 *    1: yes
 *    0: no
 */
$show_previous_alert = 1;

/* Sets maximum execution time (in seconds) of any particular page.
 * Note: this overrides the PHP configuration variable max_execution_time,
 *       so a script can run for a total of ($max_script_runtime + max_execution_time) seconds
 */
$max_script_runtime = 180;

/* How should the criteria for IP addresses be entered on the search screen?
 *   1 : each octet is a separate field
 *   2 : the whole address is a single field
 */
$ip_address_input = 2;

/* Should IPs be resolved to FQDNs (Fully Qualified Domain Names) (for some queries)?
 *    1 : yes
 *    0 : no
 */
$resolve_IP = 0;

/* Should summary stats be calculated for every query result page
 * (enabling this option slows down page loading)
 */
$show_summary_stats = 1;

/* DNS cache lifetime (in minutes) */
$dns_cache_lifetime = 20160;

/* Whois information cache lifetime (in minutes) */
$whois_cache_lifetime = 40320;

/* Snort spp_portscan log file */
$portscan_file = "/var/log/snort/portscan.log";

/* Event cache auto-update
 *
 *  Should the event cache be verified and updated on every page load?
 *  If not, the cache has to be updated explicitly from the 'cache and status' page.
 *
 *  Note: enabling this option slows page loading down considerably when there
 *  are many uncached alerts, but this is only a one-time inconvenience.
 *
 *   1 : yes
 *   0 : no
 */
$event_cache_auto_update = 1;

/* Link for external Whois queries */
$external_whois_link = "http://www.samspade.org/t/ipwhois?a=";

?>
    

You may wonder whether the author really uses xxxx as the password. Well, would you like a password that everybody in the world can use?

When ACID is loaded in the browser for the first time, it tells you that ACID support has to be installed into the selected database. Click Setup and ACID creates the required entries in the database. If everything is configured correctly, you now get all the information that is in the database. Usually there is nothing at this point.

Trigger some snort rules with snot (see the section above), nmap (http://www.nmap.org/, a very capable port scanner) or nessus (http://www.nessus.org/, a scanner for finding vulnerabilities in systems).

Whenever that happens, all the alerts show up in ACID right away.


4.6. SnortSnarf ¼³Á¤Çϱâ

SnortSnarf is another tool, one which analyses snort's log files instead of the database.

Untar SnortSnarf into a directory of your choice and install it there. The author installed it into /opt/SnortSnarf.

To make the required Perl modules available to SnortSnarf, copy /opt/SnortSnarf/Time-modules/lib/Time to /opt/SnortSnarf/include/SnortSnarf/Time.

Copy the following to the web server's cgi-bin (e.g. /var/www/cgi-bin/):

     /opt/SnortSnarf/cgi/*
     /opt/SnortSnarf/include/ann_xml.pl
     /opt/SnortSnarf/include/web_utils.pl
     /opt/SnortSnarf/include/xml_help.pl
    

To use SnortSnarf's annotation feature, which allows notes about incidents to be created, first create the directory /var/www/html/SnortSnarf/annotations. Then copy /opt/SnortSnarf/new-annotation-base.xml to /var/www/html/SnortSnarf/annotations and run the following command, found in /opt/SnortSnarf/utilities:

./setup_anns_dir.pl -g apache /var/www/html/SnortSnarf/annotations

Check the permissions of /var/www/html/SnortSnarf/annotations so that they look like this:

[root@ids01 SnortSnarf]# ll -a /var/www/html/SnortSnarf/annotations/
total 16
drwxrwx---    2 root     apache       4096 May 23 14:31 .
drwxr-xr-x    8 root     root         4096 May 23 14:17 ..
-rw-r--r--    1 apache   apache        478 May 23 14:31 new-annotation-base.xml
    

The author created the wrapper script /opt/SnortSnarf/snortsnarf.sh to get rid of @INC errors that were hard to deal with (anyone who knows more about Perl may give the author a hint on how to eliminate these errors). The author runs /opt/SnortSnarf/snortsnarf.sh via cron every hour from 6 am to 6 pm.

The author's crontab entry looks like this:

# create SnortSnarf statistics every hour from 6 am to 6 pm
0 6,7,8,9,10,11,12,13,14,15,16,17,18 * * * /opt/SnortSnarf/snortsnarf.sh
    

SnortSnarf is called to analyse the five log files /var/log/messages*, put the generated HTML files into the directory /var/www/html/SnortSnarf, and use the annotation feature described above.

The following is the content of /opt/SnortSnarf/snortsnarf.sh:

#!/bin/sh
# wrapper for use with crontab, to get rid of the @INC problems
# Poppi, 22.05.2001
cd /opt/SnortSnarf
./snortsnarf.pl -d /var/www/html/SnortSnarf -db /var/www/html/SnortSnarf/annotations/new-annotation-base.xml -dns -rulesfile /etc/snort/snort.conf -ldir "file://var/log/snort/" /var/log/messages /var/log/messages.1 /var/log/messages.2 /var/log/messages.3 /var/log/messages.4
    

Test SnortSnarf by running snortsnarf.sh and look at /var/www/html/SnortSnarf/ with a browser.


4.7. Arachnids_upd ¼³Á¤Çϱâ

Warning: automatically updating the rules without any encryption or authentication can create a backdoor, because the rules could be tampered with so that an attacker's presence goes unnoticed by the IDS. So use this with care.

Another problem is that www.whitehats.com is often offline, so no rules can be downloaded at all.

Unpack the arachnids_upd package into a directory of your choice. The author uses /opt/arachnids_upd/.

For Snort 1.8 and above, /opt/arachnids_upd/arachnids_upd.pl has to be edited to change the file name to download:

     my $url = "http://www.whitehats.com/ids/vision18.rules.gz";   # Default URL.
    

Arachnids_upd uses wget, so wget has to be installed on your system and configured to work with your Internet connection.

An example .wgetrc for a connection through a proxy server with user authentication:

     proxy_user = user
     proxy_passwd = xxxx
     http_proxy = <proxy>:<port>
     ftp_proxy = <proxy>:<port>
     use_proxy = on
    

Replace <proxy> and <port> with the name or IP address of your proxy and the port number the proxy uses. If no proxy is used, none of these entries is needed.

The author wrote a shell script that gets the new rules, changes the variable names in vision.rules to match the definitions in /etc/snort/snort.conf, and restarts snort so that the new rules take effect.

#!/bin/sh
# script to update the vision.rules file correctly using arachnids_upd.pl
# Poppi 22.05.2001

# get the new rules (~/.wgetrc has to be configured so that the Internet can be reached)
/opt/arachnids_upd/arachnids_upd.pl -o /opt/arachnids_upd/vision.rules -b /opt/arachnids_upd/rules.backup/ -c

# change to the variable names used in /etc/snort/snort.conf and copy the new file to the right place
cat /opt/arachnids_upd/vision.rules | sed s/EXTERNAL/EXTERNAL_NET/g | sed s/INTERNAL/HOME_NET/g > /etc/snort/vision.rules

# restart snort so that the rules take effect
/etc/rc.d/init.d/snortd restart
    
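The following is an added example, not part of the HOWTO and not part of arachnids_upd: the check that the warning at the top of this section calls for. A downloaded rules file is installed only when its SHA-256 digest equals a digest obtained out of band (the value used below is a placeholder computed from a constructed file) and every rule line starts with a known snort action; the previous file is backed up first and the variable names are rewritten as the script above does. The function names, the digest scheme and all paths are assumptions made for this example; nothing here touches /etc/snort or /opt/arachnids_upd.

```shell
#!/bin/sh
# Added example (not from the HOWTO or arachnids_upd): verify a downloaded
# rules file before it replaces the live one and snort is restarted.

# sha256_of FILE -- hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"
  fi | awk '{ print $1 }'
}

# rules_well_formed FILE -- 0 if every non-blank, non-comment line begins with
# a rule action and a protocol; otherwise prints the first bad line, returns 1
rules_well_formed() {
  awk '
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    !/^[ \t]*(alert|log|pass|activate|dynamic)[ \t]+(tcp|udp|icmp|ip)[ \t]/ {
      print "rejected line " NR ": " $0
      bad = 1
      exit 1
    }
    END { exit bad + 0 }' "$1"
}

# install_rules DOWNLOADED EXPECTED_SHA256 TARGET BACKUPDIR
#   returns 1 on digest mismatch, 2 on malformed rules, 0 when installed
install_rules() {
  downloaded=$1; expected=$2; target=$3; backupdir=$4
  actual=$(sha256_of "$downloaded")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: expected $expected, got $actual" >&2
    return 1
  fi
  rules_well_formed "$downloaded" || return 2
  mkdir -p "$backupdir" "$(dirname "$target")"
  if [ -f "$target" ]; then
    cp -p "$target" "$backupdir/vision.rules.$(date +%Y%m%d%H%M%S)"
  fi
  # $EXTERNAL -> $EXTERNAL_NET and $INTERNAL -> $HOME_NET as in the HOWTO
  # script, but anchored on the variable name so a file that was already
  # rewritten is not turned into $EXTERNAL_NET_NET
  tmp="$target.tmp.$$"
  sed -e 's/\$EXTERNAL\([^_A-Za-z0-9]\)/$EXTERNAL_NET\1/g' \
      -e 's/\$INTERNAL\([^_A-Za-z0-9]\)/$HOME_NET\1/g' "$downloaded" > "$tmp"
  mv "$tmp" "$target"
  echo "installed $target"
}

# --- demo on a constructed rules file ---
work=$(mktemp -d)
cat > "$work/vision.rules" <<'EOF'
# constructed sample, not a real arachNIDS rule set
alert tcp $EXTERNAL any -> $INTERNAL 6969 (msg:"constructed test rule";)
EOF
good_sum=$(sha256_of "$work/vision.rules")   # stands in for the out-of-band digest
install_rules "$work/vision.rules" "$good_sum" "$work/etc/vision.rules" "$work/backup"
cat "$work/etc/vision.rules"
# a download that changed after the digest was published is refused
echo 'alert tcp $EXTERNAL any -> $INTERNAL 31337 (msg:"added later";)' >> "$work/vision.rules"
if install_rules "$work/vision.rules" "$good_sum" "$work/etc/vision.rules" "$work/backup"; then
  echo "unexpected: install succeeded"
else
  echo "refused with status $?"
fi
rm -rf "$work"
```

The digest has to come from somewhere other than the download itself (for example published on a second channel or agreed with the rule maintainer); a digest fetched over the same unauthenticated connection adds nothing. Only a status of 0 should be followed by the snortd restart.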

Arachnids_upd can also remove rules from vision.rules while downloading, so if desired /opt/arachnids_upd/arachnids.ignore can be edited to list the IDS numbers that should be ignored.

     # Put in the IDS numbers whose rules should be disabled.
     # One IDS number per line.

     # Examples:

     1      # Ignore IDS1
     2      # Ignore IDS2
     3      # Ignore IDS3
     
     # I think you get it now :)
    


4.8. Swatch ¼³Á¤Çϱâ

Swatch is an excellent package for handling all kinds of log files; it can be configured with regular expressions to raise a warning whenever anything related to an attack is written to a log file.

Swatch needs the following Perl modules installed:

     perl-TimeDate
     perl-Date-Calc
     perl-Time-HiRes
     perl-File-Tail
    

Swatch can be obtained as an RPM from http://www.lug-burghausen.org/projects/Snort-Statistics/swatch-3.0.2-1.noarch.rpm, together with the author's source RPM http://www.lug-burghausen.org/projects/Snort-Statistics/swatch-3.0.2-1.src.rpm.

Swatch is configured through the configuration file /etc/swatch/swatch.conf.

The author built a source RPM with a demo swatch.conf that contains the two rules for snort messages and errors shown below, together with some other examples from the original swatch package.

# global swatch.conf file
# * Poppi, 30.04.2001
# - initial version
#
# * Poppi, 08.06.2001
# - added error support; be sure to start swatch before snort ;)
#
# * Poppi, 19.09.2001
# - added the throttle option so that the same event does not produce too many alerts

# normal snort messages carrying a PID
# discard alerts that occur twice within 10 seconds (e.g. pings)
watchfor /snort\[/
        bell
        exec /etc/snort/snort-check $0
        throttle 00:00:10

# snort error messages may or may not carry the [!] indicator
watchfor /snort: (\[\!\])* ERROR/
        bell
        exec /etc/snort/snort-check $0
    

The first rule is for catching all alerts generated via the output module alert_syslog, and the second for catching all error messages snort produces when something is wrong (such as errors in the rule files).

Both rules ring the bell on the PC (which means nothing if the sensor sits in a room with no operator) and use the snort-check script described earlier to warn the given persons. In $0 swatch passes the whole entry from the log file that triggered it.
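The following is an added example, not part of the HOWTO or of sw
atch: the two swatch.conf patterns above written as POSIX extended regular expressions and run with grep -E over constructed syslog lines, so that it is visible exactly which lines each rule would hand to /etc/snort/snort-check. RULE_ERROR_TIGHT is a suggested variant, not a pattern the HOWTO or swatch ships; the sample lines are constructed in the format of the /var/log/messages excerpts earlier in this document.

```shell
#!/bin/sh
# Added example (not from the HOWTO): exercise the swatch.conf patterns
# against constructed log lines with grep -E.

RULE_ALERT='snort\['                       # swatch: /snort\[/
RULE_ERROR='snort: (\[!\])* ERROR'         # swatch: /snort: (\[\!\])* ERROR/
RULE_ERROR_TIGHT='snort: (\[!\] )?ERROR'   # suggested: with or without the [!] marker

# Constructed sample lines in the format of the HOWTO's /var/log/messages excerpts.
sample_lines() {
  cat <<'EOF'
Sep 10 18:22:33 ids01 snort[1536]: <lo> GateCrasher access: 192.168.213.151:6969 -> 127.0.0.1:3170
Sep 10 18:22:40 ids01 snort: [!] ERROR: constructed error text with marker
Sep 10 18:22:41 ids01 snort: ERROR: constructed error text without marker
Sep 10 18:23:00 ids01 snort[1536]: Snort analyzed 27316 out of 27316 packets,
Sep 10 18:23:05 ids01 sshd[2201]: constructed unrelated line
EOF
}

# rule_hits PATTERN -- how many sample lines the pattern fires on
rule_hits() {
  sample_lines | grep -E -c -- "$1"
}

# classify_line LINE -- alert, error or none, testing the rules in swatch.conf order
classify_line() {
  if   printf '%s\n' "$1" | grep -E -q -- "$RULE_ALERT"; then echo alert
  elif printf '%s\n' "$1" | grep -E -q -- "$RULE_ERROR"; then echo error
  else echo none
  fi
}

echo "alert rule hits:        $(rule_hits "$RULE_ALERT")"
echo "error rule hits:        $(rule_hits "$RULE_ERROR")"
echo "tightened error hits:   $(rule_hits "$RULE_ERROR_TIGHT")"
sample_lines | while IFS= read -r line; do
  printf '%-6s %s\n' "$(classify_line "$line")" "$line"
done
```

Two things the run makes visible: every line of the SIGUSR1 statistics block also contains "snort[<pid>]:" and therefore matches the first rule, so snort-check is called for those lines as well unless the throttle absorbs them; and the second pattern as written needs either the [!] marker or two spaces before ERROR, so a message of the form "snort: ERROR ..." with a single space would not match, which the tightened pattern handles.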

Swatch has to be started before snort. Instead of creating a separate initscript for swatch with the right chkconfig dates, the author included it in /etc/rc.d/init.d/snortd. The author chose to do it this way because of the dependency on swatch. The author knows this is not a clean approach and that the swatch part could fairly easily be written as its own initscript. It will probably be changed later.


5. º¸¾È ¹®Á¦

Snort runs under its own userid/group pair snort/snort. This ensures that any buffer overflow not yet fixed only gets the privileges the snort user has. Those for whom this is not enough can use a chrooted environment via snort's command line option -t. But do not ask the author about this method: the author has not tried it and probably will not.

As with every security related system, do not allow more services than necessary. After a standard install of any Linux distribution, examine /etc/inetd.conf if the distribution still uses the old inetd, or /etc/xinetd.d/* on an xinetd based system, and disable every service the system does not really need. For example, if telnet is not wanted, replace it with ssh.

Also examine the initscripts in /etc/rc.d/init.d/* on System V based systems such as Red Hat. If there are unused services such as nfs and portmap, remove the packages entirely.
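The following is an added example, not part of the HOWTO: the service audit that the two paragraphs above ask for on xinetd based systems, as a function that can be pointed at any directory. A service counts as enabled unless its file contains "disable = yes". The function name and the sample directory at the end (constructed, not real /etc/xinetd.d files) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the HOWTO): list the xinetd services that are
# still enabled in a directory of xinetd service files.

# enabled_xinetd_services DIR -- prints the name of every enabled service, one per line
enabled_xinetd_services() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    # a file with "disable = yes" is switched off; anything else is live
    if grep -E -i -q '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
      continue
    fi
    # the service name is the token after the "service" keyword
    awk '/^[ \t]*service[ \t]+/ { print $2; exit }' "$f"
  done
}

# make_sample_xinetd_dir DIR -- constructed /etc/xinetd.d look-alike (not real files):
# telnet explicitly enabled, rsync disabled, finger without any disable line
make_sample_xinetd_dir() {
  mkdir -p "$1"
  printf 'service telnet\n{\n\tdisable\t= no\n\tsocket_type\t= stream\n}\n' > "$1/telnet"
  printf 'service rsync\n{\n\tdisable\t= yes\n\tsocket_type\t= stream\n}\n' > "$1/rsync"
  printf 'service finger\n{\n\tsocket_type\t= stream\n}\n' > "$1/finger"
}

d=$(mktemp -d)
make_sample_xinetd_dir "$d"
echo "enabled xinetd services in $d:"
enabled_xinetd_services "$d"
rm -rf "$d"
```

On a real system run it as enabled_xinetd_services /etc/xinetd.d and compare the list with what the sensor actually needs; a service without a disable line, like finger in the sample, is just as live as one that says disable = no.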

Read the many security related documents such as the Security-HOWTO, the System Administrator's Guide or the Network Administrator's Guide.

Or look at the various security related web sites such as http://www.securityfocus.com/, http://www.linuxsecurity.org/ or http://www.insecure.org/.


6. µµ¿ò¾ò±â

Eventually you may be unable to solve a problem yourself and need someone's help. The most effective way is to ask someone nearby or in the nearest Linux user group, or to search the web.

But first have a look at http://www.snort.org/ and the snort mailing list. The author got a great deal of help from the people there.

Another way is to ask in one of the very, very many Usenet newsgroups. The problem is that there are so many people there, and it is so chaotic, that a question may get no answer at all.

Wherever you ask, it is important to ask in an orderly way; otherwise your question will not be taken seriously. Simply saying "snort doesn't work" does not help and only brings in more unpleasant replies. Of course, with luck, someone will explain anyway.

Instead, describe the problem in some detail so that people can help. The problem may lie where you did not expect it. The author therefore advises listing the following information about your system:

Software

  • /etc/snort/snort.conf

  • /etc/swatch/swatch.conf (if used)

  • an excerpt of only the relevant entries from /var/log/messages

  • the Linux distribution or operating system used, and its version

  • the software that produced the error (version number or date)

You can also ask the author directly. But keep in mind: the author has other things to do besides computer work and is not that idle. The author will almost always answer e-mail, but it may take a while. The author has also joined the snort mailing list, so you can reach him there too.


7. Áú¹®°ú ´äº¯

This is just a collection of what I believe are the most common questions people might have. Give me more feedback and I will turn this section into a proper FAQ.

  • Q:

    A:

(rest deleted.)


last modified 2003-09-28 18:12:45