12:44 Using snort to block script kiddie attacks
This article does not claim to be a complete description of snort; it simply gives you a turnkey recipe for protecting your server from small and playful pests. I personally run the whole thing on OpenBSD, but nothing changes if you switch the operating system.

A lyrical digression. snort (http://snort.org) is a network intrusion detection system (NIDS) for ipv4 networks built on libpcap. On its own it is an ordinary tcpdump, but you can write rules by which it will block harmful traffic and raise a security event (alert). I have a bunch of snort sensors linked through a collector built on prelude (http://prelude-ids.org). I wrote all the rules myself. Results (statistics from 4 months of operation): false positives about 2% (average traffic 120 Mbit/s); about 15 blocks per day; missed attacks 0 (since the protection went in, not a single server has been hacked; the protection covers hosting and VDS). On top of that I bolted on modules for automatic abuse reports against the RIPE database and for blocking traffic on the root Cisco.

So, we have: a server with snort-inline installed (on *BSD from ports, on Linux from source with the --enable-inline option). First configure snort itself (the path may differ on your operating system; see the default configuration).

/etc/snort/snort.conf:

```
# abbreviated version of the config - I do not use the SourceFire rules
var HOME_NET 1.2.3.4 # ip address of your server
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
# path to the rules
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH /etc/snort/preproc_rules
# do not alert on packet decoding errors - we have no use for them at all
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
# preprocessor directory
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
# packet defragmentation - needed for tcp
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux
# tcp and udp preprocessor - needed for http_inspect
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp no
preprocessor stream5_tcp: policy linux
# preprocessor stream5_udp: ignore_any_rules
# and here is http_inspect
# replace unicode.map 1251 with your own default encoding
preprocessor http_inspect: global iis_unicode_map unicode.map 1251
preprocessor http_inspect_server: server default profile apache no_alerts ports { 80 8080 8180 } oversize_dir_length 500
output alert_syslog: LOG_ALERT
# include the traffic classifiers
include classification.config
include reference.config
# and the rules file
include $RULE_PATH/local.rules
```

And create $RULE_PATH/local.rules:

```
# kill UNION SQL injection
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"UNION SQL Injection"; uricontent:"union"; nocase; uricontent:"select"; nocase; sid:1; gid:666;)
# kill blind SQL injection
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Blind SQL Injection"; uricontent:"ascii"; nocase; uricontent:"substr"; nocase; uricontent:"select"; nocase; sid:2; gid:666;)
# kill XSS/CSS
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"XSS/CSS attack"; uricontent:"<script>"; nocase; uricontent:"</script>"; nocase; sid:4; gid:666;)
# kill sly XSS/CSS
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"XSS/CSS attack"; pcre:"/GET \/.*\?.*=(javascript:|onclick=|onmouseover=|onmouseout=|onload=).*\n/i"; sid:5; gid:666;)
# kill ../../../etc/passwd
drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"PHP include attack"; uricontent:"=../.."; sid:6; gid:666;)
```

Run snort:

```
snort -i em0 -c /etc/snort/snort.conf -D
```

Test it and enjoy.

Note. Security issues in POST requests are not covered here, but nothing is impossible.

P.S. Published at kreon's request, since he is not on Habr.
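To sanity-check rules like the ones in local.rules above before putting them in front of real traffic, here is an added example (mine, not from the post or the snort project) that approximates how snort applies the uricontent and pcre options to sample request lines; the request lines are constructed, and percent-decoding stands in for http_inspect's URI normalization. It also shows the two caveats the post mentions: a legitimate URL containing "union" and "select" is dropped too (the source of false positives), and a POST body is never looked at.

```python
import re
from urllib.parse import unquote

# Transcription of the five rules above (the original has no sid 3 either):
# (sid, msg, uricontent patterns that must all match, optional pcre over the request line)
RULES = [
    (1, "UNION SQL Injection", ["union", "select"], None),
    (2, "Blind SQL Injection", ["ascii", "substr", "select"], None),
    (4, "XSS/CSS attack", ["<script>", "</script>"], None),
    (5, "XSS/CSS attack", [],
     r"GET \/.*\?.*=(javascript:|onclick=|onmouseover=|onmouseout=|onload=).*\n"),
    (6, "PHP include attack", ["=../.."], None),
]

def normalized_uri(request_line):
    """uricontent matches the URI after http_inspect normalizes it; percent-decoding
    is the part of that normalization mimicked here (an approximation, not snort's code)."""
    parts = request_line.split()
    return unquote(parts[1]) if len(parts) > 1 else ""

def matching_rule(request_line):
    """Return (sid, msg) of the first rule all of whose options match, else None.
    Only the request line is examined: like the rules above, a POST body is never inspected."""
    uri = normalized_uri(request_line).lower()   # every uricontent above carries 'nocase'
    for sid, msg, patterns, pcre in RULES:
        if all(p in uri for p in patterns) and (pcre is None or re.search(pcre, request_line, re.I)):
            return sid, msg
    return None

# Constructed sample request lines (CRLF included, since rule 5's pcre ends in \n)
SAMPLES = {
    "plain": "GET /index.php?id=5 HTTP/1.1\r\n",
    "union": "GET /item.php?id=1%20UNION%20SELECT%201 HTTP/1.1\r\n",
    "false_positive": "GET /search?q=union+select+committee HTTP/1.1\r\n",  # harmless words, still dropped
    "traversal": "GET /view.php?page=../../etc/passwd HTTP/1.1\r\n",
    "script_tag": "GET /?q=<script>x</script> HTTP/1.1\r\n",
    "event_handler": "GET /?img=onload=x HTTP/1.1\r\n",
    "post": "POST /login.php HTTP/1.1\r\n",   # whatever is in the body is invisible to these rules
}

def evaluate_samples():
    """Map each sample name to the rule it would trip, or None if it passes."""
    return {name: matching_rule(line) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:15s} -> " + (f"drop sid {hit[0]} ({hit[1]})" if hit else "pass"))
```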