- Lab environment

```
                192.168.17.2
                      |
 Attacker ------------+------------ KaliLinux (IDS/IPS) ------------+------------ Meta
 192.168.17.60                      192.168.17.50 | 192.168.27.50                 192.168.27.134
```

192.168.17.2 is the existing gateway on the attacker segment. The steps below repoint the Attacker's default route at 192.168.17.50 and Meta's at 192.168.27.50, so every attacker-to-Meta packet has to cross the Kali box's interface pair, which is where Snort will sit inline.
> In the IDS lab the IDS server takes the place of the firewall.
> Add a second NIC to the Kali box and enable IP forwarding (net.ipv4.ip_forward = 1) so it routes between the two segments.
> On the Attacker, change the gw in /root/bin/route.sh to 192.168.17.50 and run the script.
> On the Meta server, change the gw to 192.168.27.50.
> From the Attacker, ping Meta to confirm that the path now runs through the IDS box.
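The forwarder setup described in the steps above, as one script, is an added example and not part of the original post. The addresses come from the lab diagram; the interface names eth0/eth1, the /24 masks, the sysctl.d file name and the function names are this script's own assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): turn the Kali VM into the
# Layer-3 hop between the attacker segment and the Meta segment, without NAT,
# so Meta still sees the attacker's real address in Snort's alerts.
# eth0/eth1 and the /24 masks are assumptions; addresses are from the lab diagram.

ATTACKER_SIDE_IF=${ATTACKER_SIDE_IF:-eth0}   # 192.168.17.0/24 segment (assumed eth0)
ATTACKER_SIDE_IP=192.168.17.50/24
META_SIDE_IF=${META_SIDE_IF:-eth1}           # 192.168.27.0/24 segment (assumed eth1)
META_SIDE_IP=192.168.27.50/24
META_HOST=192.168.27.134

# Write 1 to the ip_forward sysctl file given as $1 (default: the live kernel
# knob) and return 0 only if it reads back as 1. The path argument exists so
# the logic can be exercised against a scratch file without root.
enable_ip_forward() {
    local f=${1:-/proc/sys/net/ipv4/ip_forward}
    printf '1\n' > "$f" || return 1
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Return 0 if forwarding is enabled in the file given as $1 (default: live kernel knob).
ip_forward_enabled() {
    [ "$(tr -d '[:space:]' < "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Make the setting survive a reboot (file name is this script's choice).
persist_ip_forward() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ids-forward.conf
    sysctl -p /etc/sysctl.d/99-ids-forward.conf
}

# Address the two NICs; 'replace' is idempotent so the script can be re-run.
configure_interfaces() {
    ip addr replace "$ATTACKER_SIDE_IP" dev "$ATTACKER_SIDE_IF"
    ip addr replace "$META_SIDE_IP" dev "$META_SIDE_IF"
    ip link set "$ATTACKER_SIDE_IF" up
    ip link set "$META_SIDE_IF" up
}

# Quick reachability check from the IDS box itself. The real test is the
# attacker-to-Meta ping from the post, which proves the end hosts' routes too.
verify_path() {
    ping -c 3 -W 2 "$META_HOST" > /dev/null && echo "path to $META_HOST ok"
}

# Apply only when asked, so sourcing the file for its functions has no side effects.
if [ "${1:-}" = apply ]; then
    enable_ip_forward && persist_ip_forward && configure_interfaces && verify_path
fi
```

Run it as root with `apply` on the Kali box. The two end hosts still need their own default routes changed as in the steps above (on the Attacker, `ip route replace default via 192.168.17.50`; on Meta, `ip route replace default via 192.168.27.50`); those commands belong in the Attacker's route.sh and on Meta, not in this script.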
- IPS configuration
Simply put, where the IDS rule setup used alert to notify and log to save the packet, the IPS setup uses drop or reject to discard it instead. Snort 2 has six rule actions: alert, log and pass only inspect; drop (block and log), reject (block, log, and send a TCP RST for TCP or an ICMP port unreachable for UDP back to the sender) and sdrop (block without logging) only take effect when Snort runs inline (-Q); in passive mode Snort has no way to block anything.
(KaliLinux IDS/IPS)
# vi /etc/snort/snort.conf
```
.....
# Configure DAQ related options for inline operation. For more information, see README.daq
config daq:afpacket
config daq_mode:inline
config policy_mode:inline
#
# config daq: <type>
# config daq_dir: <dir>
# config daq_mode: <mode>
# config daq_var: <var>
#
......
```
> Add the three config lines above; the commented-out template beneath them ships with the stock snort.conf.
# vi /etc/snort/rules/local.rules
```
# $Id: local.rules,v 1.11 2004/07/23 20:15:44 bmc Exp $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

drop tcp any any -> any 23 (msg: "Test Message Port 23"; sid:999995; rev:1;)
```
> Blocks telnet: every TCP packet whose destination port is 23 is dropped and logged. Note the rule only matches the client-to-server direction (`-> any 23`); replies from port 23 are not matched by it.
# snort -Q -c /etc/snort/snort.conf -i eth0:eth1 -A console
> `-Q` puts Snort in inline mode and `-i eth0:eth1` names the interface pair the afpacket DAQ bridges; without `-Q` the drop rule could only alert.
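Switching a local.rules entry between the IDS and IPS actions by sid, and checking the configuration before going inline, as an added example that is not part of the original post. The rule text is the one from local.rules above and `snort -T` is Snort's real config-test mode; the function names, the scratch file and the default paths are this script's own assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): manage the action of one rule in
# local.rules by sid, validate the config, then start Snort inline.
# RULES/SNORT_CONF defaults are the paths used in the post; function names are ours.

RULES=${RULES:-/etc/snort/rules/local.rules}
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}

# Snort 2 rule actions. alert/log/pass only inspect; drop/reject/sdrop need -Q.
is_valid_action() {
    case "$1" in alert|log|pass|drop|reject|sdrop) return 0 ;; esac
    return 1
}

# Rewrite the action of the rule carrying sid $2 in file $1 to $3.
# Other rules are untouched; an unknown action is refused before the file is changed.
set_rule_action() {
    local file=$1 sid=$2 action=$3
    is_valid_action "$action" || { echo "unknown action: $action" >&2; return 1; }
    sed -E "s/^(alert|log|pass|drop|reject|sdrop)([[:space:]]+.*sid:[[:space:]]*${sid};)/${action}\2/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the action currently set for sid $2 in file $1 (nothing if the sid is absent).
rule_action() {
    awk -v sid="$2" \
        '/^(alert|log|pass|drop|reject|sdrop)[ \t]/ && $0 ~ ("sid:[ \t]*" sid ";") { print $1 }' "$1"
}

# Parse snort.conf and every included rules file without touching the wire.
# -Q is passed so inline-only settings (config daq_mode:inline) are validated too.
test_config() { snort -T -Q -c "$SNORT_CONF"; }

# The inline run from the post.
run_inline() { snort -Q -c "$SNORT_CONF" -i eth0:eth1 -A console; }

# Stand-alone demo on a scratch copy: IDS rule (alert) -> IPS rule (drop) -> reject.
demo() {
    local f; f=$(mktemp)
    printf '%s\n' 'alert tcp any any -> any 23 (msg: "Test Message Port 23"; sid:999995; rev:1;)' > "$f"
    set_rule_action "$f" 999995 drop
    echo "sid 999995 now: $(rule_action "$f" 999995)"   # drop
    set_rule_action "$f" 999995 reject
    cat "$f"
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Typical use on the Kali box: `set_rule_action /etc/snort/rules/local.rules 999995 drop`, then `test_config` to catch a typo before `run_inline`; reject is the better choice when the attacker should see the session torn down immediately rather than hang until it times out.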
(Attacker)
# telnet 192.168.27.134
```
Trying 192.168.27.134...
Connected to 192.168.27.134.
Escape character is '^]'.
                [metasploitable2 ASCII-art banner]
Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

metasploitable login: msfadmin
Password:
Connection closed by foreign host.
```
> The session is cut off. Because the action is drop, matching packets are discarded silently; the client only notices when the connection stalls or closes. With reject Snort would additionally send a TCP RST, so the client would be told immediately.
(KaliLinux IDS/IPS)
```
12/26-21:11:06.502613 [Drop] [**] [1:999995:1] Test Message Port 23 [**] [Priority: 0] {TCP} 192.168.17.60:48516 -> 192.168.27.134:23
12/26-21:11:10.806572 [Drop] [**] [1:999995:1] Test Message Port 23 [**] [Priority: 0] {TCP} 192.168.17.60:48518 -> 192.168.27.134:23
12/26-21:11:25.382433 [Drop] [**] [1:999995:1] Test Message Port 23 [**] [Priority: 0] {TCP} 192.168.17.60:48520 -> 192.168.27.134:23
```

> The [Drop] tag shows the packets were dropped. The three different source ports (48516, 48518, 48520) are three separate connection attempts from the Attacker, each hitting sid 999995.
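Triaging the console output above, as an added example that is not part of the original post: the awk below parses Snort 2's `-A console` line format and aggregates verdicts per sid, source host and destination socket. The three [Drop] lines are reproduced from the post; the fourth, tag-less line is a constructed passive-mode alert added for contrast, and the function names are this script's own.

```bash
#!/bin/bash
# Added example (not from the original post): summarise 'snort -A console'
# output. Console line format (Snort 2):
#   <timestamp> [Drop] [**] [gid:sid:rev] <msg> [**] [Priority: n] {PROTO} src:port -> dst:port
# where the "[Drop]" tag is present only for packets blocked inline.

# Constructed sample: the post's three dropped telnet attempts plus one
# constructed plain alert (sid 999996, port 21) for contrast.
SAMPLE_CONSOLE='12/26-21:11:06.502613 [Drop] [**] [1:999995:1] Test Message Port 23 [**] [Priority: 0] {TCP} 192.168.17.60:48516 -> 192.168.27.134:23
12/26-21:11:10.806572 [Drop] [**] [1:999995:1] Test Message Port 23 [**] [Priority: 0] {TCP} 192.168.17.60:48518 -> 192.168.27.134:23
12/26-21:11:25.382433 [Drop] [**] [1:999995:1] Test Message Port 23 [**] [Priority: 0] {TCP} 192.168.17.60:48520 -> 192.168.27.134:23
12/26-21:12:01.000000 [**] [1:999996:1] Test Message Port 21 [**] [Priority: 0] {TCP} 192.168.17.60:48522 -> 192.168.27.134:21'

# Read console lines on stdin; print one line per distinct
# (verdict, sid, source host, destination socket): "verdict sid src dst:port count".
# The client's ephemeral source port is stripped so repeated attempts aggregate.
summarize_snort_console() {
    awk '
        /\[\*\*\] \[[0-9]+:[0-9]+:[0-9]+\]/ {
            verdict = ($2 == "[Drop]") ? "drop" : "alert"
            idfield = (verdict == "drop") ? $4 : $3      # the [gid:sid:rev] token
            split(idfield, id, ":")
            sid = id[2]
            src = $(NF-2); sub(/:[0-9]+$/, "", src)     # drop the source port
            count[verdict " " sid " " src " " $NF]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Total packets that received verdict $1 (drop or alert); reads stdin.
count_verdict() {
    summarize_snort_console | awk -v v="$1" '$1 == v { n += $NF } END { print n + 0 }'
}

# 'demo' runs on the embedded sample; a file argument summarises a saved console log.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_CONSOLE" | summarize_snort_console
elif [ -n "${1:-}" ] && [ -f "$1" ]; then
    summarize_snort_console < "$1"
fi
```

Capture the live run with `snort -Q -c /etc/snort/snort.conf -i eth0:eth1 -A console 2>&1 | tee snort-console.log` and pass the log file to the script; a sid that shows up only with the alert verdict on an inline sensor is a rule that is still written with alert rather than drop.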