|=------------------------------=[ FWSnort ]=------------------------------=|
+---------------------------------------------------------------------------+
|                                                                           |
|                                  FWSnort                                  |
|                              Debian 4.0 Etch                              |
|                                                                           |
+---------------------------------------------------------------------------+
|=-------------------------------=[ BH 2007 ]=-----------------------------=|

Prerequisite: a base Debian 4.0 system is installed

=========
0. INTRO
=========

fwsnort parses the rule files shipped with the Snort IDS and generates
equivalent rules for the Linux packet filter (iptables) for as many of
those rules as possible. fwsnort uses the packet filter module called
'string match' to detect attacks at the application layer.

================================
1. FWSNORT - DOWNLOAD, INSTALL
================================

Download
----------

  # cd /tmp
  # wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.3.tar.gz
  # wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.3.tar_gz.asc
  # wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.3.tar.gz.md5

Verify the md5 checksum of the package
--------------------------------------

  # md5sum -c fwsnort-1.0.3.tar.gz.md5

If we already have Michael Rash's public key, verify the package with GPG
-------------------------------------------------------------------------

  # gpg --verify fwsnort-1.0.3.tar_gz.asc

Otherwise, import Michael Rash's public key first
-------------------------------------------------

  # gpg --keyserver pgpkeys.pca.dfn.de --search-keys mbr@cipherdyne.com
  # gpg --keyserver pgpkeys.pca.dfn.de --recv-keys 75C089FE
  # gpg --fingerprint 75C089FE
  # gpg --export -a 75C089FE | apt-key add -

GPG KEY_SERVERS_PORT: 11371
---------------------------

Download RULES
----------------

  http://www.bleedingthreats.net/rules/
  http://www.bleedingthreats.net/rules/bleeding.rules.tar.gz
  http://doc.bleedingthreats.net/bin/view/Main/AllRulesets

Install
---------

  # tar -xvf fwsnort-1.0.3.tar.gz
  # su
  # cd fwsnort-1.0.3
  # ./install.pl

Files
--------

BASH script generated by fwsnort. Running this script loads the packet
filter (iptables) with the converted SNORT rules.
----------------------------------------------------------------------
  /etc/fwsnort/fwsnort.sh

Log file containing notes from the conversion of SNORT rules to IPTABLES
rules.
-----------------------------------------------------------------------
  /var/log/fwsnort.log

Rule classes
------------------

  attack-responses.rules   backdoor.rules         bad-traffic.rules
  bleeding-all.rules       chat.rules             ddos.rules
  dns.rules                dos.rules              experimental.rules
  exploit.rules            finger.rules           ftp.rules
  icmp-info.rules          icmp.rules             imap.rules
  info.rules               local.rules            misc.rules
  multimedia.rules         mysql.rules            netbios.rules
  nntp.rules               oracle.rules           other-ids.rules
  p2p.rules                policy.rules           pop2.rules
  pop3.rules               porn.rules             rpc.rules
  rservices.rules          scan.rules             shellcode.rules
  smtp.rules               snmp.rules             sql.rules
  telnet.rules             tftp.rules             virus.rules
  web-attacks.rules        web-cgi.rules          web-client.rules
  web-coldfusion.rules     web-frontpage.rules    web-iis.rules
  web-misc.rules           web-php.rules          x11.rules

Usage
----------

* Generating iptables rules

Generate iptables rules for a reasonable set of SNORT rule classes
------------------------------------------------------------------
  # fwsnort --include-type attack-responses,bad-traffic,ddos,dos,exploit,info,scan,shellcode

Generate iptables rules for as many SNORT rules as possible
-----------------------------------------------------------
  # fwsnort

Generate iptables rules for the ddos and backdoor SNORT rule classes
--------------------------------------------------------------------
  # fwsnort --include-type ddos,backdoor

Generate iptables rules for the SNORT rules with IDs 1834 and 2001842
---------------------------------------------------------------------
  # fwsnort --snort-sid 1834,2001842

Tell fwsnort to watch traffic only on the interfaces eth0 and eth1
------------------------------------------------------------------
  # fwsnort --restrict-intf eth0,eth1

* Activating the newly created rules

Once the SNORT rules have been converted, and therefore the file
/etc/fwsnort/fwsnort.sh has been generated, we run this script, which
loads the packet filter with those rules.
------------------------------------------------------------------------
  # /etc/fwsnort/fwsnort.sh

* Checking the rules newly added to iptables

Inspect the newly created iptables rules
----------------------------------------
  # iptables -nvL

==========
X. Linkz
==========

  http://www.cipherdyne.org/fwsnort/
  http://www.nostarch.com/download/firewalls_ch10.pdf
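The checksum and signature steps in section 1 are written for interactive use; the script below is an added example (not fwsnort's or cipherdyne.org's code) that wraps the same `md5sum -c` and `gpg --verify` commands so they fail closed, and drives them with a constructed stand-in archive rather than the real download. The .md5 file served next to the tarball only detects a corrupted transfer; the detached .asc signature is what ties the archive to the key imported with `--recv-keys`. Because the signature on the page is named `tar_gz.asc` while the archive is `tar.gz`, gpg cannot guess the data file from the signature name, so `verify_gpg` below passes the archive as the second argument. `gpg --verify` consults the gpg keyring, not apt's, so the `apt-key add` step is not what makes it succeed.

```shell
#!/bin/sh
# Added example, not fwsnort's or cipherdyne.org's code: fail-closed wrappers
# around the "md5sum -c" and "gpg --verify" steps from section 1. The archive
# and .md5 file built by demo_verify are constructed stand-ins for the real
# download.

# verify_md5 SUMFILE: run the checksum file in the current directory and print
# "ok" only when every listed digest matches. --status suppresses output so the
# exit code is the only signal; any other state prints FAIL and returns 1, so
# a script running under "set -e" stops before ./install.pl is reached.
verify_md5() {
    sumfile=$1
    if [ -r "$sumfile" ] && md5sum --status -c "$sumfile"; then
        echo ok
    else
        echo FAIL
        return 1
    fi
}

# verify_gpg SIGFILE DATAFILE: check a detached signature against the archive.
# The data file is passed explicitly because the page's signature name
# (fwsnort-1.0.3.tar_gz.asc) does not match the archive name, so gpg cannot
# derive it by stripping the .asc extension.
verify_gpg() {
    sigfile=$1
    datafile=$2
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; return 1; }
    if gpg --verify "$sigfile" "$datafile" 2>/dev/null; then
        echo ok
    else
        echo FAIL
        return 1
    fi
}

# demo_verify: build a constructed archive and its checksum file in a scratch
# directory, verify it, tamper with it, verify again. Prints "ok FAIL".
demo_verify() {
    tmp=$(mktemp -d) || return 1
    cd "$tmp" || return 1
    printf 'constructed stand-in for fwsnort-1.0.3.tar.gz\n' > fwsnort-1.0.3.tar.gz
    md5sum fwsnort-1.0.3.tar.gz > fwsnort-1.0.3.tar.gz.md5   # "digest  name" format
    first=$(verify_md5 fwsnort-1.0.3.tar.gz.md5 || true)
    # Append one byte to simulate a corrupted or replaced download.
    printf 'x' >> fwsnort-1.0.3.tar.gz
    second=$(verify_md5 fwsnort-1.0.3.tar.gz.md5 || true)
    cd / && rm -rf "$tmp"
    printf '%s %s\n' "$first" "$second"
}
```

In the real procedure the calls are `verify_md5 fwsnort-1.0.3.tar.gz.md5` and `verify_gpg fwsnort-1.0.3.tar_gz.asc fwsnort-1.0.3.tar.gz` from /tmp, with `./install.pl` run only after both print `ok`.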
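The intro says fwsnort turns Snort rules into iptables rules built on the 'string match' module. The script below is an added example, not fwsnort's own code, that performs that translation for a small subset of the Snort rule language (protocol, destination port, `msg`, one `content`, `sid`) so the mapping is visible: the `content:` pattern becomes `-m string --string`, or `--hex-string` when the pattern uses Snort's `|hex|` byte notation, which iptables accepts unchanged. The chain name FWSNORT_INPUT and the `--log-prefix` layout are assumptions; the rules fed to it are constructed, not taken from any ruleset. Rules with no content pattern are rejected, the way fwsnort skips rules it cannot express as a string match (its conversion notes go to /var/log/fwsnort.log, per the Files section), which is the main caveat of the approach: a string match sees only a fixed byte pattern, so rules relying on offsets, flow state or PCRE are either approximated or not converted at all.

```shell
#!/bin/sh
# Added example, not fwsnort's code: a minimal illustration of the translation
# fwsnort performs, turning the "content:" of a Snort rule into an iptables
# "-m string" match. Only a small subset of the Snort rule language is handled
# (protocol, destination port, msg, one content, sid); the chain name
# FWSNORT_INPUT and the log-prefix layout are assumptions.
set -f   # no pathname expansion while word-splitting the rule header

# snort_quoted_opt RULE NAME: value of a quoted option such as msg or content.
# The leading "(" or space keeps "content:" from matching "uricontent:".
snort_quoted_opt() {
    printf '%s\n' "$1" | sed -n "s/.*[( ]$2:\"\([^\"]*\)\";.*/\1/p"
}

# snort_plain_opt RULE NAME: value of an unquoted option such as sid.
snort_plain_opt() {
    printf '%s\n' "$1" | sed -n "s/.*[( ]$2:\([^;]*\);.*/\1/p"
}

# snort_to_iptables RULE: print the equivalent iptables command, or return 1
# when the rule carries no content pattern and so cannot become a string match.
snort_to_iptables() {
    rule=$1
    header=${rule%%(*}   # e.g. "alert tcp $EXTERNAL_NET any -> $HOME_NET 80 "
    set -- $header       # action proto src sport dir dst dport
    proto=$2
    dport=$7
    msg=$(snort_quoted_opt "$rule" msg)
    content=$(snort_quoted_opt "$rule" content)
    sid=$(snort_plain_opt "$rule" sid)
    [ -n "$content" ] || return 1

    port_match=""
    if [ "$dport" != any ]; then
        port_match=" --dport $dport"
    fi

    # Snort writes binary bytes as |hex|; the iptables string match uses the
    # same notation with --hex-string, so such patterns pass through unchanged.
    case $content in
        *\|*) pattern="--hex-string \"$content\"" ;;
        *)    pattern="--string \"$content\"" ;;
    esac

    # Logging only, matching fwsnort's default of alerting rather than dropping.
    printf 'iptables -A FWSNORT_INPUT -p %s%s -m string %s --algo bm -j LOG --log-prefix "[%s] SID%s "\n' \
        "$proto" "$port_match" "$pattern" "$msg" "$sid"
}
```

Feeding it a constructed rule such as `alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Constructed id check returned root"; content:"uid=0(root)"; sid:1000001; rev:1;)` yields one `iptables -A FWSNORT_INPUT -p tcp --dport 80 -m string --string "uid=0(root)" ...` line, which is the shape of what /etc/fwsnort/fwsnort.sh loads and `iptables -nvL` then shows.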