
- Server layout

 

 


                  192.168.17.2
                       |
Attacker(eth0) --------+----------(eth0)firewall(eth1) ---------+---------------+----------
192.168.17.60               192.168.17.100  192.168.27.100      |               |
                                                             IDS(eth0)       Meta(eth0)
                                                             192.168.27.50   192.168.27.134


 


- Lab exercise


Attack Meta from the Attacker

Confirm that the intrusion is detected on the IDS server

 [Note] Be certain which server you are working on.


(IDS)

# snort -q -A console -b -c /etc/snort/snort.conf

> Start the snort daemon

> No output yet. ( That means it is running fine -> if it were not, an error would be printed and snort would exit. )


(Attacker)

# ping -c 3 192.168.27.134


(IDS)

 

12/22-19:24:45.524410  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.1 -> 192.168.27.134
12/22-19:24:45.524410  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.1 -> 192.168.27.134
12/22-19:24:45.529677  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.134 -> 192.168.27.1
12/22-19:24:46.526289  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.1 -> 192.168.27.134
12/22-19:24:46.526289  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.1 -> 192.168.27.134
12/22-19:24:46.526294  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.134 -> 192.168.27.1
12/22-19:24:47.542129  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.1 -> 192.168.27.134
12/22-19:24:47.542129  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.1 -> 192.168.27.134
12/22-19:24:47.542356  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.134 -> 192.168.27.1


 

ICMP PING *NIX  > an ICMP ping sent from Unix or Linux


Press <enter> a few times.


(Attacker)

# nmap -p 22 192.168.27.134


(IDS)

 

12/22-19:25:39.098856  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.27.1 -> 192.168.27.134
12/22-19:25:39.098856  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.1 -> 192.168.27.134
12/22-19:25:39.098871  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.134 -> 192.168.27.1


 

The NMAP probe is identified.


(Attacker)

# firefox http://192.168.27.134


(IDS)

 

 

 

> Accessing the web service is not caught, because it is normal traffic.


(Attacker)

# paros &


Tools > Options > Local proxy  127.0.0.1:8000

( Do not close paros. )


# firefox http://192.168.27.134 &


Preferences > Advanced > Network > Settings > IP 127.0.0.1:8000

> Reconnect to http://192.168.27.134

> Click DVWA


> Log in as admin / password


paros

> Analyse > Scan Policy... 

> Analyse > Scan


(IDS)

 

.....
12/22-19:46:34.068886  [**] [1:1579:7] WEB-MISC Domino webadmin.nsf access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.27.1:56248 -> 192.168.27.134:80
12/22-19:46:34.171284  [**] [1:1582:6] WEB-MISC Domino collect4.nsf access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.27.1:56248 -> 192.168.27.134:80
12/22-19:46:34.209404  [**] [1:1151:7] WEB-MISC Domino domcfg.nsf access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.27.1:56249 -> 192.168.27.134:80
12/22-19:46:34.257533  [**] [1:1575:7] WEB-MISC Domino mab.nsf access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.27.1:56249 -> 192.168.27.134:80
12/22-19:46:34.293646  [**] [1:1577:6] WEB-MISC Domino setup.nsf access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.27.1:56249 -> 192.168.27.134:80
12/22-19:46:34.305609  [**] [1:1578:6] WEB-MISC Domino statrep.nsf access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.27.1:56249 -> 192.168.27.134:80
12/22-19:46:34.403270  [**] [1:1584:6] WEB-MISC Domino bookmark.nsf access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.27.1:56250 -> 192.168.27.134:80
12/22-19:46:34.497320  [**] [1:1152:7] WEB-MISC Domino domlog.nsf access [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.27.1:56250 -> 192.168.27.134:80
.....

 


(Attacker)

paros

> Right-click dvwa > Spider




(IDS)

 

.....
12/22-19:50:13.317328  [**] [1:100000186:2] COMMUNITY WEB-PHP phpinfo access [**] [Classification: Information Leak] [Priority: 2] {TCP} 192.168.27.1:56272 -> 192.168.27.134:80
12/22-19:50:13.645830  [**] [1:2281:2] WEB-PHP Setup.php access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 192.168.27.1:56272 -> 192.168.27.134:80
12/22-19:50:14.765793  [**] [1:100000186:2] COMMUNITY WEB-PHP phpinfo access [**] [Classification: Information Leak] [Priority: 2] {TCP} 192.168.27.1:56272 -> 192.168.27.134:80
12/22-19:50:19.023676  [**] [1:100000186:2] COMMUNITY WEB-PHP phpinfo access [**] [Classification: Information Leak] [Priority: 2] {TCP} 192.168.27.1:56275 -> 192.168.27.134:80
12/22-19:50:19.241647  [**] [1:2281:2] WEB-PHP Setup.php access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 192.168.27.1:56274 -> 192.168.27.134:80
12/22-19:50:19.297637  [**] [1:2281:2] WEB-PHP Setup.php access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 192.168.27.1:56275 -> 192.168.27.134:80
.....
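Added example (not part of the original notes): a Python parser for the alert lines that snort -A console prints throughout this exercise, plus a triage function that keeps only priority 1 and 2 alerts and counts them per source IP and rule message. The sample lines are constructed in that format, including a made-up local rule (sid 9999999) without a classtype to show that the Classification field is optional; on this sample the ping is dropped as priority-3 noise while the nmap probe and the phpinfo accesses remain.

```python
import re
from collections import Counter

# Regex for the fast/console alert format printed by "snort -A console".
# The [Classification: ...] field is optional: rules without a classtype omit it.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); ICMP alerts carry no port (IPv4 only)."""
    ip, sep, port = endpoint.rpartition(":")
    return (ip, int(port)) if sep and port.isdigit() else (endpoint, None)

def parse_alert(line):
    """Return one alert as a dict, or None for separators ('.....') and noise."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    a["src_ip"], a["src_port"] = split_endpoint(a["src"])
    a["dst_ip"], a["dst_port"] = split_endpoint(a["dst"])
    return a

def triage(lines, max_priority=2):
    """Count alerts with priority <= max_priority per (source IP, rule message)."""
    hits = Counter()
    for a in filter(None, map(parse_alert, lines)):
        if a["prio"] <= max_priority:
            hits[(a["src_ip"], a["msg"])] += 1
    return hits

# Constructed sample in the same format as the console output above; the last
# line is a made-up local rule without a classtype, so it has no Classification.
SAMPLE = """\
12/22-19:24:45.524410  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.27.1 -> 192.168.27.134
12/22-19:25:39.098856  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.27.1 -> 192.168.27.134
12/22-19:50:13.317328  [**] [1:100000186:2] COMMUNITY WEB-PHP phpinfo access [**] [Classification: Information Leak] [Priority: 2] {TCP} 192.168.27.1:56272 -> 192.168.27.134:80
12/22-19:50:19.023676  [**] [1:100000186:2] COMMUNITY WEB-PHP phpinfo access [**] [Classification: Information Leak] [Priority: 2] {TCP} 192.168.27.1:56275 -> 192.168.27.134:80
12/22-19:51:00.000000  [**] [1:9999999:1] LOCAL test rule without classtype [**] [Priority: 3] {UDP} 192.168.27.1:40000 -> 192.168.27.134:53
""".splitlines()
if __name__ == "__main__":
    for (src, msg), n in triage(SAMPLE).most_common():
        print(f"{n:3d}  {src:15s}  {msg}")
```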