20253903 2025-2026-2 Network Attack and Defense Practice, Assignment 5

1. Lab content

This lab centres on two network-security topics: firewall configuration and intrusion detection.

  1. Configured iptables rules on a Linux host to filter ICMP packets and to enforce source-IP-based access control, learning how basic network access-control policies are set up.

  2. Used Snort to analyse an offline packet capture: enabled a rule set, wrote custom rules to detect typical scanning behaviour (such as Nmap scans), and produced the results as structured log output.

  3. Analysed the firewall and IDS/IPS configuration of the honeynet gateway. By exporting and reading its iptables rules, I examined how the honeynet captures and controls attack traffic: the different handling of traffic on each interface, the logging mechanism, and the rate-limiting protections. Together with the Snort rule file, I looked at how signature matching and protocol behaviour are used to identify network scanning and probing.

2. Lab procedure

2.1 Firewall configuration

The firewall of the SEED Linux host is used as the example here.

2.1.1 Filter ICMP packets so that the host does not accept pings

First, inspect the host's current firewall rules with iptables -L.
[image]
Run iptables -A INPUT -p icmp -j DROP to drop all ICMP traffic entering the host (this includes ping's echo requests).
[image]
From another host, try to reach SEED Linux over ICMP with ping.
[image]
The other host can no longer ping SEED Linux. Check the rules again with iptables -L.
[image]
The rule listing shows that every incoming ICMP packet is dropped.
Remove the rule just added with iptables -D INPUT -p icmp -j DROP, then ping again from the other host.
[image]
The ICMP packets are let through again and the ping succeeds.

2.1.2 Allow only a specific IP address to reach one of the host's network services, while all other IP addresses are blocked

First, connect to SEED Linux from Kali using telnet.
[image]
The connection succeeds. Next, connect to SEED Linux with telnet from WinXPattacker, which is on the same subnet.
[image]
That also succeeds.
Now block all incoming requests with iptables -P INPUT DROP.
[image]
At this point no other host can reach SEED Linux.
[image]
On SEED Linux, run iptables -A INPUT -p tcp -s 192.168.200.4 -j ACCEPT to allow access from Kali.
[image]
Kali can now reach the telnet service on SEED Linux normally.
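To make the first-match semantics behind 2.1.1 and 2.1.2 explicit, here is an added Python model of an INPUT chain. This is example code written for this page, not part of the original report: it encodes the two chains built above, where 192.168.200.4 is the Kali address from the report and every other address is a constructed stand-in.

```python
"""First-match evaluation of an iptables INPUT chain (added example).

Models the two chains built in 2.1.1 and 2.1.2 so the effect of policy and
rule order can be checked without touching a live host. 192.168.200.4 is the
Kali address from the report; every other address here is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for ICMP


@dataclass(frozen=True)
class Rule:
    target: str                  # terminating verdict: "ACCEPT" or "DROP"
    proto: Optional[str] = None  # None matches any protocol (iptables "all")
    src: Optional[str] = None    # CIDR or single address; None is "anywhere"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass
class Chain:
    policy: str                  # verdict when no rule matches
    rules: List[Rule]

    def verdict(self, pkt: Packet) -> str:
        # iptables walks the chain top to bottom; the first matching rule with a
        # terminating target decides, otherwise the chain policy applies.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


# 2.1.1: iptables -A INPUT -p icmp -j DROP on a chain whose policy is ACCEPT
INPUT_2_1_1 = Chain(policy="ACCEPT", rules=[Rule("DROP", proto="icmp")])

# 2.1.2: iptables -P INPUT DROP, then
#        iptables -A INPUT -p tcp -s 192.168.200.4 -j ACCEPT
INPUT_2_1_2 = Chain(policy="DROP", rules=[Rule("ACCEPT", proto="tcp", src="192.168.200.4")])


def telnet_from(src: str, chain: Chain = INPUT_2_1_2) -> str:
    """Verdict for a telnet connection attempt (23/tcp) arriving from src."""
    return chain.verdict(Packet(src=src, proto="tcp", dport=23))


def demo() -> Dict[str, str]:
    # 192.168.200.5 stands in for the second (WinXPattacker) host; constructed value.
    return {
        "2.1.1 ping":         INPUT_2_1_1.verdict(Packet("192.168.200.5", "icmp")),  # DROP
        "2.1.1 telnet":       telnet_from("192.168.200.5", INPUT_2_1_1),             # ACCEPT
        "2.1.2 kali telnet":  telnet_from("192.168.200.4"),                          # ACCEPT
        "2.1.2 winxp telnet": telnet_from("192.168.200.5"),                          # DROP
        "2.1.2 kali ping":    INPUT_2_1_2.verdict(Packet("192.168.200.4", "icmp")),  # DROP: rule is TCP-only
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The last entry shows a side effect worth knowing: with policy DROP and only the Kali rule, every non-TCP packet is dropped, as is the return traffic of any connection the SEED host itself initiates, which is why a production allow-list normally also carries an ACCEPT for -m state --state ESTABLISHED,RELATED (as the honeywall rules in 2.3 do).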

2.2 Hands-on: Snort

Use Snort to perform intrusion detection and log analysis on the listen.pcap file.

2.2.1 Read the network log data source from the offline listen.pcap file at the given path and convert the encoding to ASCII

Note: I am using Snort 3, so the commands may differ from the Snort 2 commands in the tutorial!
First, run snort -r ./listen.pcap -c /etc/snort/snort.lua -A alert_full to process and inspect listen.pcap.
[image]
This prints statistics for the capture, for example that it contains 135512 TCP packets.
By default the installed Snort 3 does not enable its built-in rule set, so it has to be turned on by hand: edit the configuration with vim /etc/snort/snort.lua.
[image]
Use vim's ? search to find the enable_builtin_rules = true entry. By default it is commented out with two leading dashes; delete them, add rules = [[include /etc/snort/rules/local.rules]] below it, and save with :wq. The result should look like this:
[image]
Snort needs a rule set to scan with. For Nmap scans the default Snort 3 installation has no suitable rules, so we write our own into /etc/snort/rules/local.rules.
Open /etc/snort/rules/local.rules with sudo vim and add the following rules:

alert tcp any any -> $HOME_NET any (
    msg:"NMAP possible SYN scan";
    flags:S;
    flow:stateless;
    detection_filter:track by_src, count 20, seconds 3;
    classtype:attempted-recon;
    sid:1000001;
    rev:1;
)

alert tcp any any -> $HOME_NET any (
    msg:"NMAP possible FIN scan";
    flags:F;
    flow:stateless;
    detection_filter:track by_src, count 10, seconds 3;
    classtype:attempted-recon;
    sid:1000002;
    rev:1;
)

alert tcp any any -> $HOME_NET any (
    msg:"NMAP possible NULL scan";
    flags:0;
    flow:stateless;
    detection_filter:track by_src, count 10, seconds 3;
    classtype:attempted-recon;
    sid:1000003;
    rev:1;
)

alert tcp any any -> $HOME_NET any (
    msg:"NMAP possible XMAS scan";
    flags:FUP;
    flow:stateless;
    detection_filter:track by_src, count 10, seconds 3;
    classtype:attempted-recon;
    sid:1000004;
    rev:1;
)

alert tcp any any -> $HOME_NET any (
    msg:"NMAP possible ACK scan";
    flags:A;
    flow:stateless;
    detection_filter:track by_src, count 20, seconds 3;
    classtype:attempted-recon;
    sid:1000005;
    rev:1;
)

Then run snort -r ./listen.pcap -c /etc/snort/snort.lua -A alert_json -l /var/log/snort --lua "alert_json = {file = true, fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action msg class'}" to store the traffic that matches the rules as JSON in /var/log/snort, with extra fields selected for readability. After the command finishes, open /var/log/snort/alert_json.txt.
[image]
The Nmap scan is detected: the msg field gives the details and the class field reports an attempted information leak.
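Reading alert_json.txt by eye works for a single scan, but the per-line JSON is meant to be processed. The following Python script is an added example (not from the report or from the Snort project): it parses alert_json lines with the field selection used above and groups them by source address, rule sid and distinct destination ports, which is the shape a port scan takes. The sample lines are constructed to match that format; they are not taken from the listen.pcap run, and the 172.31.4.x addresses are made up.

```python
"""Summarise Snort 3 alert_json output (added example).

The fields match the alert_json override used on this page:
timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action msg class.
The sample lines are constructed to look like that output; they are not taken
from the page's listen.pcap run, and the 172.31.4.x addresses are invented.
"""
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of /var/log/snort/alert_json.txt: one JSON object per line.
SAMPLE_ALERTS = """\
{"timestamp":"04/12-10:15:01.000101","pkt_num":1201,"proto":"TCP","pkt_gen":"raw","pkt_len":60,"dir":"C2S","src_ap":"172.31.4.178:41567","dst_ap":"172.31.4.188:22","rule":"1:1000001:1","action":"allow","msg":"NMAP possible SYN scan","class":"Attempted Information Leak"}
{"timestamp":"04/12-10:15:01.000342","pkt_num":1202,"proto":"TCP","pkt_gen":"raw","pkt_len":60,"dir":"C2S","src_ap":"172.31.4.178:41568","dst_ap":"172.31.4.188:80","rule":"1:1000001:1","action":"allow","msg":"NMAP possible SYN scan","class":"Attempted Information Leak"}
{"timestamp":"04/12-10:16:40.120000","pkt_num":2210,"proto":"TCP","pkt_gen":"raw","pkt_len":54,"dir":"C2S","src_ap":"172.31.4.178:41900","dst_ap":"172.31.4.188:443","rule":"1:1000003:1","action":"allow","msg":"NMAP possible NULL scan","class":"Attempted Information Leak"}
{"timestamp":"04/12-10:17:02.500000","pkt_num":3001,"proto":"TCP","pkt_gen":"raw","pkt_len":54,"dir":"C2S","src_ap":"172.31.4.177:50001","dst_ap":"172.31.4.188:21","rule":"1:1000004:1","action":"allow","msg":"NMAP possible XMAS scan","class":"Attempted Information Leak"}
this line is not JSON and must be skipped rather than abort the run
"""


def parse_alerts(text: str) -> List[dict]:
    """One dict per valid JSON line; malformed lines are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def split_ap(ap: str) -> Tuple[str, int]:
    """'ip:port' -> (ip, port); rpartition keeps IPv6 hosts intact."""
    host, _, port = ap.rpartition(":")
    return host, int(port)


def scan_summary(alerts: List[dict]) -> Dict[str, dict]:
    """Per source IP: alert count, hits per sid, messages and distinct dst ports.

    Many distinct destination ports from one source within a short window is
    what distinguishes a scan from a single mis-addressed connection.
    """
    summary: Dict[str, dict] = {}
    for a in alerts:
        src_ip, _ = split_ap(a["src_ap"])
        _, dst_port = split_ap(a["dst_ap"])
        _gid, sid, _rev = a["rule"].split(":")   # Snort 3 writes rule as gid:sid:rev
        entry = summary.setdefault(
            src_ip, {"alerts": 0, "sids": Counter(), "msgs": set(), "ports": set()})
        entry["alerts"] += 1
        entry["sids"][sid] += 1
        entry["msgs"].add(a["msg"])
        entry["ports"].add(dst_port)
    for entry in summary.values():
        entry["ports"] = sorted(entry["ports"])
        entry["msgs"] = sorted(entry["msgs"])
    return summary


if __name__ == "__main__":
    for src, info in scan_summary(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src}: {info['alerts']} alerts, sids={dict(info['sids'])}, ports={info['ports']}")
        for msg in info["msgs"]:
            print(f"    {msg}")
```

Pointing parse_alerts at the real file (open("/var/log/snort/alert_json.txt").read()) gives the same per-source view for the listen.pcap run; the sid counts also make it easy to see which of the five local.rules entries actually fired.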

2.3 Analysing the configuration rules

The task is to analyse the firewall and IDS/IPS rules of the honeynet gateway in the virtual attack-and-defence environment, and to explain how the gateway uses firewalling and intrusion detection to meet its requirements for capturing and controlling attack data.
After installing vm-tools by hand and creating a shared folder, I exported the firewall rules with iptables -L > test.txt. The contents are as follows:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  192.168.200.0/25     anywhere            tcp dpt:ssh state NEW 
ACCEPT     tcp  --  192.168.200.0/25     anywhere            tcp dpt:https state NEW 
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.200.255     
ACCEPT     all  --  anywhere             255.255.255.255     
LOG        tcp  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW LOG level debug prefix `INBOUND TCP: ' 
ACCEPT     tcp  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW 
LOG        udp  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW LOG level debug prefix `INBOUND UDP: ' 
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW 
LOG        icmp --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW LOG level debug prefix `INBOUND ICMP: ' 
ACCEPT     icmp --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW 
LOG        all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW LOG level debug prefix `INBOUND OTHER: ' 
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW 
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 
DROP       udp  --  anywhere             roo-test.localdomain PHYSDEV match --physdev-in eth1 udp dpt:pt2-discover 
LOG        udp  --  anywhere             255.255.255.255     PHYSDEV match --physdev-in eth1 udp spt:bootpc dpt:bootps LOG level debug prefix `DHCP OUT REQUEST: ' 
ACCEPT     udp  --  anywhere             255.255.255.255     PHYSDEV match --physdev-in eth1 udp spt:bootpc dpt:bootps 
LOG        udp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 udp dpt:domain LOG level debug prefix `Legal DNS: ' 
LOG        tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 tcp dpt:domain LOG level debug prefix `Legal DNS: ' 
ACCEPT     udp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 udp dpt:domain 
ACCEPT     tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 tcp dpt:domain 
LOG        udp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 udp dpt:domain LOG level debug prefix `Legal DNS: ' 
LOG        tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 tcp dpt:domain LOG level debug prefix `Legal DNS: ' 
ACCEPT     udp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 udp dpt:domain 
ACCEPT     tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 tcp dpt:domain 
LOG        all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth1 --physdev-out eth1 LOG level debug prefix `Honeypot -> Honeypot: ' 
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth1 --physdev-out eth1 
QUEUE      all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth1 state RELATED,ESTABLISHED 
tcpHandler  tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 20/hour burst 20 
LOG        tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop TCP > 20 attempts' 
DROP       tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW 
tcpHandler  tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state RELATED 
udpHandler  udp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 20/hour burst 20 
LOG        udp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop udp > 20 attempts' 
DROP       udp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW 
icmpHandler  icmp --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 50/hour burst 50 
LOG        icmp --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop icmp > 50 attempts' 
DROP       icmp --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW 
otherHandler  all  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 10/hour burst 10 
LOG        all  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop other > 10 attempts' 
tcpHandler  tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 20/hour burst 20 
LOG        tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop TCP > 20 attempts' 
DROP       tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW 
tcpHandler  tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state RELATED 
udpHandler  udp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 20/hour burst 20 
LOG        udp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop udp > 20 attempts' 
DROP       udp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW 
icmpHandler  icmp --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 50/hour burst 50 
LOG        icmp --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop icmp > 50 attempts' 
DROP       icmp --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW 
otherHandler  all  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 10/hour burst 10 
LOG        all  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop other > 10 attempts' 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nicname state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp 
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state RELATED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW,RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nicname state NEW,RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain state NEW,RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp state NEW,RELATED,ESTABLISHED 

Chain icmpHandler (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level debug prefix `OUTBOUND ICMP: ' 
QUEUE      all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain otherHandler (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level debug prefix `OUTBOUND OTHER: ' 
QUEUE      all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain tcpHandler (4 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level debug prefix `OUTBOUND TCP: ' 
QUEUE      all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain udpHandler (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level debug prefix `OUTBOUND UDP: ' 
QUEUE      all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Below is an annotated walk-through of the rules:

Chain INPUT (policy DROP)   # default policy: drop every packet destined for this host
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            # accept all traffic to this host; placed at the head of the chain, it leaves the finer-grained INPUT rules below with almost no effect
ACCEPT     tcp  --  192.168.200.0/25     anywhere            tcp dpt:ssh state NEW   # allow new SSH connections to this host from 192.168.200.0/25; already covered by the accept-all rule above
ACCEPT     tcp  --  192.168.200.0/25     anywhere            tcp dpt:https state NEW  # allow new HTTPS connections to this host from 192.168.200.0/25; likewise covered by the accept-all rule at the head
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED # accept return traffic of established/related connections; a standard stateful rule, but weakened in this INPUT chain

Chain FORWARD (policy DROP)   # default policy: drop every packet forwarded through this host
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.200.255     # allow broadcast traffic to 192.168.200.255
ACCEPT     all  --  anywhere             255.255.255.255     # allow limited-broadcast traffic, common in DHCP and similar scenarios
LOG        tcp  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW LOG level debug prefix `INBOUND TCP: '   # log new TCP forwarded connections entering via eth0
ACCEPT     tcp  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW   # accept new TCP forwarded connections entering via eth0
LOG        udp  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW LOG level debug prefix `INBOUND UDP: '   # log new UDP forwarded traffic entering via eth0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW   # accept new UDP forwarded traffic entering via eth0
LOG        icmp --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW LOG level debug prefix `INBOUND ICMP: '   # log new ICMP forwarded traffic entering via eth0
ACCEPT     icmp --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW   # accept new ICMP forwarded traffic entering via eth0
LOG        all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW LOG level debug prefix `INBOUND OTHER: '   # log new traffic of other protocols entering via eth0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW   # accept new traffic of other protocols entering via eth0; a catch-all accept for new eth0 traffic
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0   # accept all forwarded traffic entering via eth0; data arriving from the attacker side is handled as "log first, then accept"
DROP       udp  --  anywhere             roo-test.localdomain PHYSDEV match --physdev-in eth1 udp dpt:pt2-discover   # drop pt2-discover UDP traffic entering via eth1 and destined for roo-test.localdomain, blocking a specific discovery/probing service
LOG        udp  --  anywhere             255.255.255.255     PHYSDEV match --physdev-in eth1 udp spt:bootpc dpt:bootps LOG level debug prefix `DHCP OUT REQUEST: '   # log DHCP client requests entering via eth1
ACCEPT     udp  --  anywhere             255.255.255.255     PHYSDEV match --physdev-in eth1 udp spt:bootpc dpt:bootps   # accept DHCP requests entering via eth1
LOG        udp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 udp dpt:domain LOG level debug prefix `Legal DNS: '   # log UDP DNS queries from 192.168.200.130
LOG        tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 tcp dpt:domain LOG level debug prefix `Legal DNS: '   # log TCP DNS queries from 192.168.200.130
ACCEPT     udp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 udp dpt:domain   # accept UDP DNS queries from 192.168.200.130
ACCEPT     tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 tcp dpt:domain   # accept TCP DNS queries from 192.168.200.130
LOG        udp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 udp dpt:domain LOG level debug prefix `Legal DNS: '   # log UDP DNS queries from 192.168.200.131
LOG        tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 tcp dpt:domain LOG level debug prefix `Legal DNS: '   # log TCP DNS queries from 192.168.200.131
ACCEPT     udp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 udp dpt:domain   # accept UDP DNS queries from 192.168.200.131
ACCEPT     tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 tcp dpt:domain   # accept TCP DNS queries from 192.168.200.131
LOG        all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth1 --physdev-out eth1 LOG level debug prefix `Honeypot -> Honeypot: '   # log eth1-to-eth1 internal traffic
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth1 --physdev-out eth1   # accept traffic between hosts inside eth1
QUEUE      all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth1 state RELATED,ESTABLISHED   # send established/related traffic on eth1 to NFQUEUE for further analysis/handling by a userspace program
tcpHandler  tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 20/hour burst 20   # rate-limit new TCP connections from 192.168.200.130: average 20/hour, burst 20; traffic within the limit is passed to the tcpHandler chain
LOG        tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop TCP > 20 attempts'   # log new TCP connections over the limit (the log itself is rate-limited too)
DROP       tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW   # drop new TCP connections from 192.168.200.130 beyond the threshold
tcpHandler  tcp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state RELATED   # hand related TCP traffic from 192.168.200.130 to the tcpHandler chain
udpHandler  udp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 20/hour burst 20   # rate-limit new UDP traffic from 192.168.200.130: average 20/hour, burst 20; traffic within the limit is passed to the udpHandler chain
LOG        udp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop udp > 20 attempts'   # log new UDP traffic over the limit
DROP       udp  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW   # drop new UDP traffic from 192.168.200.130 beyond the threshold
icmpHandler  icmp --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 50/hour burst 50   # rate-limit new ICMP traffic from 192.168.200.130: average 50/hour, burst 50; traffic within the limit is passed to the icmpHandler chain
LOG        icmp --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop icmp > 50 attempts'   # log ICMP traffic over the limit
DROP       icmp --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW   # drop ICMP traffic from 192.168.200.130 beyond the threshold
otherHandler  all  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 10/hour burst 10   # rate-limit new traffic of other protocols from 192.168.200.130: average 10/hour, burst 10; traffic within the limit is passed to the otherHandler chain
LOG        all  --  192.168.200.130      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop other > 10 attempts'   # log other-protocol traffic over the limit
tcpHandler  tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 20/hour burst 20   # rate-limit new TCP connections from 192.168.200.131; same policy as for .130
LOG        tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop TCP > 20 attempts'   # log new TCP connections over the limit on .131
DROP       tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW   # drop new TCP connections from 192.168.200.131 beyond the threshold
tcpHandler  tcp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state RELATED   # hand related TCP traffic from 192.168.200.131 to the tcpHandler chain
udpHandler  udp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 20/hour burst 20   # rate-limit new UDP traffic from 192.168.200.131
LOG        udp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop udp > 20 attempts'   # log new UDP traffic over the limit on .131
DROP       udp  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW   # drop new UDP traffic from 192.168.200.131 beyond the threshold
icmpHandler  icmp --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 50/hour burst 50   # rate-limit new ICMP traffic from 192.168.200.131
LOG        icmp --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop icmp > 50 attempts'   # log ICMP traffic over the limit on .131
DROP       icmp --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW   # drop ICMP traffic from 192.168.200.131 beyond the threshold
otherHandler  all  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 10/hour burst 10   # rate-limit new traffic of other protocols from 192.168.200.131
LOG        all  --  192.168.200.131      anywhere            PHYSDEV match --physdev-in eth1 state NEW limit: avg 1/hour burst 1 LOG level debug prefix `Drop other > 10 attempts'   # log other-protocol traffic over the limit on .131

Chain OUTPUT (policy DROP)   # default policy: drop every packet sent by this host
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            # accept all traffic sent by this host; at the head of the chain, it makes the remaining OUTPUT rules largely redundant
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW   # allow the host to initiate SSH connections; already covered by the accept-all rule above
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW  # allow the host to initiate SMTP connections; covered
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nicname state NEW  # allow access to 43/tcp (nicname/whois); covered
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW  # allow the host to initiate HTTP connections; covered
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW  # allow the host to initiate HTTPS connections; covered
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain   # allow the host to send UDP DNS queries; covered
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp      # allow the host to send NTP requests; covered
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED   # accept established/related TCP return traffic; weakened by the rule at the head of the chain
ACCEPT     udp  --  anywhere             anywhere            state RELATED   # accept related UDP traffic; weakened by the rule at the head of the chain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW,RELATED,ESTABLISHED   # duplicate SSH rule, redundant
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW,RELATED,ESTABLISHED  # duplicate SMTP rule, redundant
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nicname state NEW,RELATED,ESTABLISHED  # duplicate nicname rule, redundant
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW,RELATED,ESTABLISHED  # duplicate HTTP rule, redundant
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,RELATED,ESTABLISHED  # duplicate HTTPS rule, redundant
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain state NEW,RELATED,ESTABLISHED  # duplicate DNS rule, redundant
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp state NEW,RELATED,ESTABLISHED  # duplicate NTP rule, redundant

Chain icmpHandler (2 references)   # user-defined chain: handles ICMP traffic sent by the rate-limited hosts
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level debug prefix `OUTBOUND ICMP: '   # log ICMP traffic
QUEUE      all  --  anywhere             anywhere            # send to NFQUEUE for further handling by a userspace program
ACCEPT     all  --  anywhere             anywhere            # finally accept

Chain otherHandler (2 references)   # user-defined chain: handles traffic of other protocols
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level debug prefix `OUTBOUND OTHER: '   # log other-protocol traffic
QUEUE      all  --  anywhere             anywhere            # send to NFQUEUE
ACCEPT     all  --  anywhere             anywhere            # finally accept

Chain tcpHandler (4 references)   # user-defined chain: handles TCP traffic
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level debug prefix `OUTBOUND TCP: '   # log TCP traffic
QUEUE      all  --  anywhere             anywhere            # send to NFQUEUE
ACCEPT     all  --  anywhere             anywhere            # finally accept

Chain udpHandler (2 references)   # user-defined chain: handles UDP traffic
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            LOG level debug prefix `OUTBOUND UDP: '   # log UDP traffic
QUEUE      all  --  anywhere             anywhere            # send to NFQUEUE
ACCEPT     all  --  anywhere             anywhere            # finally accept

In summary, on the eth0 side this rule set essentially follows a "log first, then accept" policy, receiving and auditing traffic from the attacker side; on the eth1 side it applies finer control to the two honeypot hosts 192.168.200.130 and 192.168.200.131, including a DNS allow-list, rate limits for TCP/UDP/ICMP/other protocols, and handing traffic to a userspace program via NFQUEUE for further analysis. By contrast, although INPUT and OUTPUT both default to DROP, each has an ACCEPT all at the head of the chain, so in practice they are fully open and most of the finer rules that follow are shadowed or redundant.
The honeywall uses Snort 2 as its IDS/IPS. First look at its rules; the configuration file is /etc/snort/snort.conf:
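The shadowing observation above can be checked mechanically rather than by eye. The following Python script is an added example (not from the report or from the Honeywall project): it parses iptables -L text and reports, per chain, how many rules sit below an unconditional ACCEPT/DROP/REJECT and can therefore never match. The embedded listing is a trimmed excerpt of the export shown above; QUEUE is deliberately not treated as terminating, since its verdict is decided in userspace.

```python
"""Find rules shadowed by an unconditional terminating rule in iptables -L
output (added example). The listing is a trimmed excerpt of the honeywall
export shown on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Targets that end chain traversal. LOG continues; a jump to a user chain may
# return; QUEUE's verdict comes from userspace, so it is not assumed here.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  192.168.200.0/25     anywhere            tcp dpt:ssh state NEW
ACCEPT     tcp  --  192.168.200.0/25     anywhere            tcp dpt:https state NEW
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.200.255
LOG        tcp  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW LOG level debug prefix `INBOUND TCP: '
ACCEPT     tcp  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 state NEW
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp state NEW
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain tcpHandler (4 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level debug prefix `OUTBOUND TCP: '
QUEUE      all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
"""


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # match extensions, e.g. "tcp dpt:ssh state NEW" or "PHYSDEV match ..."

    def unconditional(self) -> bool:
        """True for a rule that matches every packet reaching it."""
        return (self.prot == "all" and self.source == "anywhere"
                and self.destination == "anywhere" and self.extra == "")


@dataclass
class Chain:
    name: str
    policy: str  # built-in chain policy, or "-" for user-defined chains
    rules: List[Rule] = field(default_factory=list)


HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


def parse_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = Chain(m.group(1), m.group(2) or "-")
            chains[current.name] = current
            continue
        if line.startswith("target ") or current is None:
            continue  # column header row
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        extra = parts[5].strip() if len(parts) > 5 else ""
        current.rules.append(Rule(parts[0], parts[1], parts[3], parts[4], extra))
    return chains


def shadowed_rules(chain: Chain) -> List[Rule]:
    """Rules that can never be reached: everything below the first rule that
    matches all packets and terminates traversal."""
    for i, rule in enumerate(chain.rules):
        if rule.target in TERMINATING and rule.unconditional():
            return chain.rules[i + 1:]
    return []


def report(text: str) -> Dict[str, int]:
    """Chain name -> number of unreachable rules."""
    return {name: len(shadowed_rules(c)) for name, c in parse_listing(text).items()}


if __name__ == "__main__":
    for name, chain in parse_listing(LISTING).items():
        dead = shadowed_rules(chain)
        print(f"{name} (policy {chain.policy}): {len(dead)} of {len(chain.rules)} rules unreachable")
        for r in dead:
            print(f"    {r.target} {r.prot} {r.source} -> {r.destination} {r.extra}")
```

Run against the full export (iptables -L > test.txt, then parse_listing(open("test.txt").read())) it flags the 3 rules under INPUT and the 16 under OUTPUT exactly as identified by hand above, and nothing in FORWARD, whose first accept-all rule is conditioned on --physdev-in eth0.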

#--------------------------------------------------
#   http://www.snort.org     Snort 2.6.1.5 Ruleset
#     Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id$
#
###################################################
# This file contains a sample snort configuration. 
# You can take the following steps to create your own custom configuration:
#
#  1) Set the variables for your network
#  2) Configure dynamic loaded libraries
#  3) Configure preprocessors
#  4) Configure output plugins
#  5) Add any runtime config directives
#  6) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network. The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as: 
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at.  Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:

var HOME_NET any

# Set up the external network addresses as well.  A good start may be "any"
var EXTERNAL_NET any

# Configure your server lists.  This allows snort to only look for attacks to
# systems that have a service up.  Why look for HTTP attacks if you are not
# running a web server?  This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.  

# List of DNS servers on your network 
var DNS_SERVERS $HOME_NET

# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET

# List of web servers on your network
var HTTP_SERVERS $HOME_NET

# List of sql servers on your network 
var SQL_SERVERS $HOME_NET

# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET

# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET

# Configure your service ports.  This allows snort to look for attacks destined
# to a specific application only on the ports that application runs on.  For
# example, if you run a web server on port 8081, set your HTTP_PORTS variable
# like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
# We will adding support for a real list of ports in the future.

# Ports you run web servers on
#
# Please note:  [80,8080] does not work.
# If you wish to define multiple HTTP ports, use the following convention
# when customizing your rule set (as part of Step #6 below).  This should
# not be done here, as the rules files may depend on the classifications
# and/or references, which are included below.
# 
## var HTTP_PORTS 80 
## include somefile.rules 
## var HTTP_PORTS 8080
## include somefile.rules 
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

# other variables
# 
# AIM servers.  AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH /etc/snort/rules

# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network.  If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
#
# Alert if value in length field (IP, TCP, UDP) is greater than the
# actual length of the captured portion of the packet that the length
# is supposed to represent:
#
# config enable_decode_oversized_alerts
#
# Same as above, but drop packet if in Inline mode -
# enable_decode_oversized_alerts must be enabled for this to work:
#
# config enable_decode_oversized_drops
#

# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
# config detection: search-method lowmem

# Configure Inline Resets
# ========================
# 
# If running an iptables firewall with snort in InlineMode() we can now
# perform resets via a physical device. We grab the indev from iptables
# and use this for the interface on which to send resets. This config
# option takes an argument for the src mac address you want to use in the
# reset packet.  This way the bridge can remain stealthy. If the src mac
# option is not set we use the mac address of the indev device. If we
# don't set this option we will default to sending resets via raw socket,
# which needs an ipaddress to be assigned to the int.
#
# config layer2resets: 00:06:76:DD:5F:E3

###################################################
# Step #2: Configure dynamic loaded libraries
#
# If snort was configured to use dynamically loaded libraries,
# those libraries can be loaded here.
#
# Each of the following configuration options can be done via
# the command line as well.
#
# Load all dynamic preprocessors from the install path
# (same as command line option --dynamic-preprocessor-lib-dir)
#
dynamicpreprocessor directory /usr/lib/snort-2.6.1.5_dynamicpreprocessor/
#
# Load a specific dynamic preprocessor library from the install path
# (same as command line option --dynamic-preprocessor-lib)
#
# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
#
# Load a dynamic engine from the install path
# (same as command line option --dynamic-engine-lib)
#
dynamicengine /usr/lib/snort-2.6.1.5_dynamicengine/libsf_engine.so
#
# Load all dynamic rules libraries from the install path
# (same as command line option --dynamic-detection-lib-dir)
#
# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
#
# Load a specific dynamic rule library from the install path
# (same as command line option --dynamic-detection-lib)
#
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
#

###################################################
# Step #3: Configure preprocessors
#
# General configuration for preprocessors is of 
# the form
# preprocessor <name_of_processor>: <configuration_options>

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term,  many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2

# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation.  This plugin will also detect
# people launching fragmentation attacks (usually DoS) against hosts.  No
# arguments loads the default configuration of the preprocessor, which is a 60
# second timeout and a 4MB fragment buffer. 

# The following (comma delimited) options are available for frag2
#    timeout [seconds] - sets the number of [seconds] that an unfinished 
#                        fragment will be kept around waiting for completion,
#                        if this time expires the fragment will be flushed
#    memcap [bytes] - limit frag2 memory usage to [number] bytes
#                      (default:  4194304)
#
#    min_ttl [number] - minimum ttl to accept
# 
#    ttl_limit [number] - difference of ttl to accept without alerting
#                         will cause false positives with router flap
# 
# Frag2 uses Generator ID 113 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Oversized fragment (reassembled frag > 64k bytes)
#   2       Teardrop-type attack

#preprocessor frag2

# frag3: Target-based IP defragmentation 
# --------------------------------------
#
# Frag3 is a brand new IP defragmentation preprocessor that is capable of
# performing "target-based" processing of IP fragments.  Check out the
# README.frag3 file in the doc directory for more background and configuration
# information.
# 
# Frag3 configuration is a two step process, a global initialization phase 
# followed by the definition of a set of defragmentation engines.  
# 
# Global configuration defines the number of fragmented packets that Snort can
# track at the same time and gives you options regarding the memory cap for the
# subsystem or, optionally, allows you to preallocate all the memory for the 
# entire frag3 system.
#
# frag3_global options:
#   max_frags: Maximum number of frag trackers that may be active at once.  
#              Default value is 8192.
#   memcap: Maximum amount of memory that frag3 may access at any given time.
#           Default value is 4MB.
#   prealloc_frags: Maximum number of individual fragments that may be processed
#                   at once.  This is instead of the memcap system, uses static 
#                   allocation to increase performance.  No default value.  Each
#                   preallocated fragment eats ~1550 bytes.
#
# Target-based behavior is attached to an engine as a "policy" for handling 
# overlaps and retransmissions as enumerated in the Paxson paper.  There are
# currently five policy types available: "BSD", "BSD-right", "First", "Linux" 
# and "Last".  Engines can be bound to standard Snort CIDR blocks or
# IP lists.
#
# frag3_engine options:
#   timeout: Amount of time a fragmented packet may be active before expiring.
#            Default value is 60 seconds.
#   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. 
#              Based on the initial received fragment TTL.
#   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
#            value will be discarded.  Default value is 0.
#   detect_anomalies: Activates frag3's anomaly detection mechanisms.
#   policy: Target-based policy to assign to this engine.  Default is BSD.
#   bind_to: IP address set to bind this engine to.  Default is all hosts.
#
# Frag3 configuration example:
#preprocessor frag3_global: max_frags 65536 prealloc_frags 262144
#preprocessor frag3_engine: policy linux \
#                           bind_to [10.1.1.12/32,10.1.1.13/32] \
#                           detect_anomalies
#preprocessor frag3_engine: policy first \
#                           bind_to 10.2.1.0/24 \
#                           detect_anomalies
#preprocessor frag3_engine: policy last \
#                           bind_to 10.3.1.0/24
#preprocessor frag3_engine: policy bsd

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies


# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules.  Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc.  Can statefully detect various portscan
# types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
#   detect_scans - stream4 will detect stealth portscans and generate alerts
#                  when it sees them when this option is set
#   detect_state_problems - detect TCP state problems, this tends to be very
#                           noisy because there are a lot of crappy ip stack
#                           implementations out there
#
#   disable_evasion_alerts - turn off the possibly noisy mitigation of
#                            overlapping sequences.
#
#   ttl_limit [number]     - differential of the initial ttl on a session versus
#                             the normal that someone may be playing games.
#                             Routing flap may cause lots of false positives.
# 
#   keepstats [machine|binary] - keep session statistics, add "machine" to 
#                         get them in a flat format for machine reading, add
#                         "binary" to get them in a unified binary output 
#                         format
#   noinspect - turn off stateful inspection only
#   timeout [number] - set the session timeout counter to [number] seconds,
#                      default is 30 seconds
#   max_sessions [number] - limit the number of sessions stream4 keeps
#                         track of
#   memcap [number] - limit stream4 memory usage to [number] bytes (does
#                     not include session tracking, which is set by the
#                     max_sessions option)
#   log_flushed_streams - if an event is detected on a stream this option will
#                         cause all packets that are stored in the stream4
#                         packet buffers to be flushed to disk.  This only 
#                         works when logging in pcap mode!
#   server_inspect_limit [bytes] - Byte limit on server side inspection.
#   enable_udp_sessions - turn on tracking of "sessions" over UDP.  Requires
#                         configure --enable-stream4udp.  UDP sessions are
#                         only created when there is a rule for the sender or
#                         responder that has a flow or flowbits keyword.
#   max_udp_sessions [number] - limit the number of simultaneous UDP sessions
#                               to track
#   udp_ignore_any - Do not inspect UDP packets unless there is a port specific
#                    rule for a given port.  This is a performance improvement
#                    and turns off inspection for udp xxx any -> xxx any rules
#   cache_clean_sessions [number] - Cleanup the session cache by number sessions
#                                   at a time.  The larger the value, the
#                                   more sessions are purged from the cache when
#                                   the session limit or memcap is reached.
#                                   Defaults to 5.
#   
#   
#
# Stream4 uses Generator ID 111 and uses the following SIDS 
# for that GID:
#  SID     Event description
# -----   -------------------
#   1       Stealth activity
#   2       Evasive RST packet
#   3       Evasive TCP packet retransmission
#   4       TCP Window violation
#   5       Data on SYN packet
#   6       Stealth scan: full XMAS
#   7       Stealth scan: SYN-ACK-PSH-URG
#   8       Stealth scan: FIN scan
#   9       Stealth scan: NULL scan
#   10      Stealth scan: NMAP XMAS scan
#   11      Stealth scan: Vecna scan
#   12      Stealth scan: NMAP fingerprint scan stateful detect
#   13      Stealth scan: SYN-FIN scan
#   14      TCP forward overlap

preprocessor stream4: disable_evasion_alerts

# tcp stream reassembly directive
# no arguments loads the default configuration 
#   Only reassemble the client,
#   Only reassemble the default list of ports (See below),  
#   Give alerts for "bad" streams
#
# Available options (comma delimited):
#   clientonly - reassemble traffic for the client side of a connection only
#   serveronly - reassemble traffic for the server side of a connection only
#   both - reassemble both sides of a session
#   noalerts - turn off alerts from the stream reassembly stage of stream4
#   ports [list] - use the space separated list of ports in [list], "all" 
#                  will turn on reassembly for all ports, "default" will turn
#                  on reassembly for ports 21, 23, 25, 42, 53, 80, 110,
#                  111, 135, 136, 137, 139, 143, 445, 513, 1433, 1521,
#                  and 3306
#   favor_old - favor an old segment (based on sequence number) over a new one.
#               This is the default.
#   favor_new - favor a new segment (based on sequence number) over an old one.
#   overlap_limit [number] - limit on overlapping segments for a session.
#   flush_on_alert - flushes stream when an alert is generated for a session.
#   flush_behavior [mode] -
#           default      - use old static flushpoints (default)
#           large_window - use new larger static flushpoints
#           random       - use random flushpoints defined by flush_base, 
#                          flush_seed and flush_range
#   flush_base [number] - lowest allowed random flushpoint (512 by default)
#   flush_range [number] - number is the space within which random flushpoints
#                          are generated (default 1213)
#   flush_seed [number] - seed for the random number generator, defaults to 
#                         Snort PID + time
#
# Using the default random flushpoints, the smallest flushpoint is 512,
# and the largest is 1725 bytes.
preprocessor stream4_reassemble

# stream5: Target Based stateful inspection/stream reassembly for Snort
# ---------------------------------------------------------------------
# EXPERIMENTAL CODE!!!
#
# THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
# USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.
# YOU HAVE BEEN WARNED.
#
# Stream5 is a target-based stream engine for Snort.  Its functionality
# replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
# cannot be used simultaneously.  Comment out the stream4 configurations
# above to use Stream5.
# 
# See README.stream for details on the configuration options.
#
# Example config (that emulates Stream4 with UDP support compiled in)
# preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
#                              track_udp yes
# preprocessor stream5_tcp: policy first, use_static_footprint_sizes
# preprocessor stream5_udp: ignore_any_rules


# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort Manual.  You should read it.
# It is included in the release distribution as doc/snort_manual.pdf
# 
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 

preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500

#
#  Example unique server configuration
#
#preprocessor http_inspect_server: server 1.1.1.1 \
#    ports { 80 3128 8080 } \
#    flow_depth 0 \
#    ascii no \
#    double_decode yes \
#    non_rfc_char { 0x00 } \
#    chunk_length 500000 \
#    non_strict \
#    oversize_dir_length 300 \
#    no_alerts


# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
#                            sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
#                       exceeds the current packet size

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network.
#
# arguments:  
#   syntax:
#     preprocessor bo: noalert { client | server | general | snort_attack } \
#                      drop    { client | server | general | snort_attack }
#   example:
#     preprocessor bo: noalert { general server } drop { snort_attack }

# 
# The Back Orifice detector uses Generator ID 105 and uses the 
# following SIDS for that GID:
#  SID     Event description
# -----   -------------------
#   1       Back Orifice traffic detected
#   2       Back Orifice Client Traffic Detected
#   3       Back Orifice Server Traffic Detected
#   4       Back Orifice Snort Buffer Attack

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
# traffic.  It works in much the same way as the http_decode preprocessor,
# searching for traffic that breaks up the normal data stream of a protocol and
# replacing it with a normalized representation of that traffic so that the
# "content" pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
#
# DEPRECATED in favor of ftp_telnet dynamic preprocessor
#preprocessor telnet_decode
#
# ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
# ---------------------------------------------------------------------------
# This preprocessor normalizes telnet negotiation strings from telnet and
# ftp traffic.  It looks for traffic that breaks the normal data stream
# of the protocol, replacing it with a normalized representation of that
# traffic so that the "content" pattern matching keyword can work without
# requiring modifications.
#
# It also performs protocol correctness checks for the FTP command channel,
# and identifies open FTP data transfers.
#
# FTPTelnet has numerous options available, please read
# README.ftptelnet for help configuring the options for the global
# telnet, ftp server, and ftp client sections for the protocol.

#####
# Per Step #2, set the following to load the ftptelnet preprocessor
# dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>

preprocessor ftp_telnet: global \
   encrypted_traffic yes \
   inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
   normalize \
   ayt_attack_thresh 200

# This is consistent with the FTP rules as of 18 Sept 2004.
# CWD can have param length of 200
# MODE has an additional mode of Z (compressed)
# Check for string formats in USER & PASS commands
# Check nDTM commands that set modification time on the file.
preprocessor ftp_telnet_protocol: ftp server default \
   def_max_param_len 100 \
   alt_max_param_len 200 { CWD } \
   cmd_validity MODE < char ASBCZ > \
   cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
   chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
   telnet_cmds yes \
   data_chan

preprocessor ftp_telnet_protocol: ftp client default \
   max_resp_len 256 \
   bounce yes \
   telnet_cmds yes

# smtp: SMTP normalizer, protocol enforcement and buffer overflow
# ---------------------------------------------------------------------------
# This preprocessor normalizes SMTP commands by removing extraneous spaces.
# It looks for overly long command lines, response lines, and data header lines.
# It can alert on invalid commands, or specific valid commands.  It can optionally
# ignore mail data, and can ignore TLS encrypted data.
#
# SMTP has numerous options available, please read README.SMTP for help
# configuring options.

#####
# Per Step #2, set the following to load the smtp preprocessor
# dynamicpreprocessor <full path to libsf_smtp_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>

preprocessor smtp: \
  ports { 25 } \
  inspection_type stateful \
  normalize cmds \
  normalize_cmds { EXPN VRFY RCPT } \
  alt_max_command_line_len 260 { MAIL } \
  alt_max_command_line_len 300 { RCPT } \
  alt_max_command_line_len 500 { HELP HELO ETRN } \
  alt_max_command_line_len 255 { EXPN VRFY }

# sfPortscan
# ----------
# Portscan detection module.  Detects various types of portscans and
# portsweeps.  For more information on detection philosophy, alert types,
# and detailed portscan information, please refer to the README.sfportscan.
#
# -configuration options-
#     proto { tcp udp icmp ip all }
#       The arguments to the proto option are the types of protocol scans that
#       the user wants to detect.  Arguments should be separated by spaces and
#       not commas.
#     scan_type { portscan portsweep decoy_portscan distributed_portscan all }
#       The arguments to the scan_type option are the scan types that the
#       user wants to detect.  Arguments should be separated by spaces and not
#       commas.
#     sense_level { low|medium|high }
#       There is only one argument to this option and it is the level of
#       sensitivity in which to detect portscans.  The 'low' sensitivity
#       detects scans by the common method of looking for response errors, such
#       as TCP RSTs or ICMP unreachables.  This level requires the least
#       tuning.  The 'medium' sensitivity level detects portscans and 
#       filtered portscans (portscans that receive no response).  This
#       sensitivity level usually requires tuning out scan events from NATed
#       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
#       lower thresholds for portscan detection and a longer time window than
#       the 'medium' sensitivity level.  Requires more tuning and may be noisy
#       on very active networks.  However, this sensitivity level catches the
#       most scans.
#     memcap { positive integer }
#       The maximum number of bytes to allocate for portscan detection.  The
#       higher this number the more nodes that can be tracked.
#     logfile { filename }
#       This option specifies the file to log portscan and detailed portscan
#       values to.  If there is not a leading /, then snort logs to the
#       configured log directory.  Refer to README.sfportscan for details on
#       the logged values in the logfile.
#     watch_ip { Snort IP List }
#     ignore_scanners { Snort IP List }
#     ignore_scanned { Snort IP List }
#       These options take a snort IP list as the argument.  The 'watch_ip'
#       option specifies the IP(s) to watch for portscan.  The 
#       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
#       Note that these hosts are still watched as scanned hosts.  The
#       'ignore_scanners' option is used to tune alerts from very active
#       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option 
#       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
#       are still watched as scanner hosts.  The 'ignore_scanned' option is
#       used to tune alerts from very active hosts such as syslog servers, etc.
#     detect_ack_scans
#       This option will include sessions picked up in midstream by the stream
#       module, which is necessary to detect ACK scans.  However, this can lead to
#       false alerts, especially under heavy load with dropped packets; which is why
#       the option is off by default.
#
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low }

# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring.  To make use of
# this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you.  Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection. 
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:

#  SID     Event description
# -----   -------------------
#   1       Unicast ARP request
#   2       Etherframe ARP mismatch (src)
#   3       Etherframe ARP mismatch (dst)
#   4       ARP cache overwrite attack

#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00

# ssh
#----------------------------------------
# EXPERIMENTAL CODE!!!
#
# THIS CODE IS STILL EXPERIMENTAL AND MAY OR MAY NOT BE STABLE!
# USE AT YOUR OWN RISK!  DO NOT USE IN PRODUCTION ENVIRONMENTS.
# YOU HAVE BEEN WARNED.
#
# The SSH preprocessor detects the following exploits: Gobbles, CRC 32,
# Secure CRT, and the Protocol Mismatch exploit.
#
# Both Gobbles and CRC 32 attacks occur after the key exchange, and are
# therefore encrypted.  Both attacks involve sending a large payload
# (20kb+) to the server immediately after the authentication challenge.
# To detect the attacks, the SSH preprocessor counts the number of bytes
# transmitted to the server.  If those bytes exceed a pre-defined limit
# within a pre-defined number of packets, an alert is generated.  Since
# Gobbles only affects SSHv2 and CRC 32 only affects SSHv1, the SSH
# version string exchange is used to distinguish the attacks.
#
# The Secure CRT and protocol mismatch exploits are observable before
# the key exchange.
#
# SSH has numerous options available, please read README.ssh for help
# configuring options.

#####
# Per Step #2, set the following to load the ssh preprocessor
# dynamicpreprocessor <full path to libsf_ssh_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_ssh_preproc.so>
#
#preprocessor ssh: server_ports { 22 } \
#                  max_client_bytes 19600 \
#                  max_encrypted_packets 20

# DCE/RPC
#----------------------------------------
#
# The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
# It is primarily interested in DCE/RPC data, and only decodes SMB
# to get at the DCE/RPC data carried by the SMB layer.
# 
# Currently, the preprocessor only handles reassembly of fragmentation
# at both the SMB and DCE/RPC layer.  Snort rules can be evaded by
# using both types of fragmentation; with the preprocessor enabled
# the rules are given a buffer with a reassembled SMB or DCE/RPC
# packet to examine.
# 
# At the SMB layer, only fragmentation using WriteAndX is currently
# reassembled.  Other methods will be handled in future versions of
# the preprocessor.
# 
# Autodetection of SMB is done by looking for "\xFFSMB" at the start of
# the SMB data, as well as checking the NetBIOS header (which is always
# present for SMB) for the type "SMB Session".
# 
# Autodetection of DCE/RPC is not as reliable.  Currently, two bytes are
# checked in the packet.  Assuming that the data is a DCE/RPC header,
# one byte is checked for DCE/RPC version (5) and another for the type
# "DCE/RPC Request".  If both match, the preprocessor proceeds on the
# assumption that it is looking at DCE/RPC data.  If subsequent checks
# are nonsensical, it ends processing.
#
# DCERPC has numerous options available, please read README.dcerpc for help
# configuring options.

#####
# Per Step #2, set the following to load the dcerpc preprocessor
# dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>

preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000

# DNS
#----------------------------------------
# The dns preprocessor (currently) decodes DNS Response traffic
# and detects a few vulnerabilities.
#
# DNS has a few options available, please read README.dns for
# help configuring options.

#####
# Per Step #2, set the following to load the dns preprocessor
# dynamicpreprocessor <full path to libsf_dns_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>

preprocessor dns: \
    ports { 53 } \
    enable_rdata_overflow

####################################################################
# Step #4: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.  General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments.  Win32 can also optionally
# specify a particular hostname/port.  Under Win32, the default hostname is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT

# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log

# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test

# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging and generating
# alerts from Snort, the "unified" format.  The unified format is a straight
# binary format for logging data out of Snort that is designed to be fast and
# efficient.  Used with barnyard (the new alert/log processor), most of the
# overhead for logging and alerting to various slow storage mechanisms such as
# databases or the network can now be avoided.  
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
#    filename - base filename to write to (current time_t is appended)
#    limit    - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128


# prelude: log to the Prelude Hybrid IDS system
# ---------------------------------------------
#
# profile = Name of the Prelude profile to use (default is snort).
#
# Snort priority to IDMEF severity mappings:
# high < medium < low < info
#
# These are the default mapped from classification.config:
# info   = 4
# low    = 3
# medium = 2
# high   = anything below medium
#
# output alert_prelude
# output alert_prelude: profile=snort-profile-name


# You can optionally define new rule types and associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog and a mysql
# database:
# ruletype redalert
# {
#   type alert
#   output alert_syslog: LOG_AUTH LOG_ALERT
#   output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
#   (msg:"Someone is being LEET"; flags:A+;)

#
# Include classification & priority settings
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\classification.config
#

include classification.config

#
# Include reference systems
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\reference.config
#

include reference.config

####################################################################
# Step #5: Configure snort with config statements
#
# See the snort manual for a full set of configuration references
#
# config flowbits_size: 64
#
# New global ignore_ports config option from Andy Mullican
#
# config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
# config ignore_ports: tcp 21 6667:6671 1356
# config ignore_ports: udp 1:17 53


####################################################################
# Step #6: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own custom snort
# rules.

#=========================================
# Include all relevant rulesets here 
# 
# The following rulesets are disabled by default:
#
#   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
#   chat, multimedia, and p2p
#            
# These rules are either site policy specific or require tuning in order to not
# generate false positive alerts in most environments.
# 
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules
include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them. 
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.
# include threshold.conf

At the end of the file you can see that, apart from a few commented-out entries, snort includes almost every rule file. Here we take scan.rules as the example for analysis; first, extract its contents:

# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: scan.rules,v 1.38 2007/02/01 22:19:13 vrtbuild Exp $
#-----------
# SCAN RULES
#-----------
# These signatures are representative of network scanners.  These include
# port scanning, ip mapping, and various application scanners.
#
# NOTE: This does NOT include web scanners such as whisker.  Those are
# in web*
#

alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:1917; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SCAN UPnP service discover attempt"; flow:to_server,established; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:8081; rev:1;)

Below is an analysis of the file:

# ===============================
# Scan detection rules (Scan Rules)
# Detect port scans / host probes / scanner-tool activity
# ===============================


# 1 Detect the myscan tool (characteristic source port + SYN)
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (
    msg:"SCAN myscan";                # alert message
    flow:stateless;                  # stateless inspection (suits scans)
    ack:0;                           # ACK=0 (initial SYN packet)
    flags:S;                         # SYN packet
    ttl:>220;                        # abnormal TTL (scanner-tool signature)
    reference:arachnids,439;
    classtype:attempted-recon;       # reconnaissance
    sid:613;
    rev:6;
)


# 2 ident service version probe (port 113)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (
    msg:"SCAN ident version request";
    flow:to_server,established;      # established connection, towards the server
    content:"VERSION|0A|";           # version-request string
    depth:16;                        # match within the first 16 bytes
    reference:arachnids,303;
    classtype:attempted-recon;
    sid:616;
    rev:4;
)


# NOTE: the rules below are commented out (disabled by default)
# Reason: high false-positive rate / too generic / legacy rules


# FIN scan (nmap -sF)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (
#     msg:"SCAN FIN";
#     flow:stateless;
#     flags:F,12;
#     sid:621;
# )

# NULL scan (nmap -sN)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (
#     msg:"SCAN NULL";
#     flow:stateless;
#     ack:0;
#     flags:0;
#     seq:0;
#     sid:623;
# )

# XMAS scan (nmap -sX)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (
#     msg:"SCAN XMAS";
#     flow:stateless;
#     flags:SRAFPU,12;
#     sid:625;
# )


# 3 Cybercop OS probe (signature payload + TCP flags)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (
    msg:"SCAN cybercop os PA12 attempt";
    flow:stateless;
    flags:PA12;                      # PUSH + ACK (reserved bits 1 and 2 masked out)
    content:"AAAAAAAAAAAAAAAA";      # signature payload
    depth:16;
    reference:arachnids,149;
    classtype:attempted-recon;
    sid:626;
    rev:8;
)


# 4 Cybercop OS probe variant
alert tcp $EXTERNAL_NET any -> $HOME_NET any (
    msg:"SCAN cybercop os SFU12 probe";
    flow:stateless;
    ack:0;
    flags:SFU12;
    content:"AAAAAAAAAAAAAAAA";
    depth:16;
    reference:arachnids,150;
    classtype:attempted-recon;
    sid:627;
    rev:8;
)


# 5 Amanda backup system scan (UDP)
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (
    msg:"SCAN Amanda client version request";
    content:"Amanda";                # key string
    nocase;                          # case-insensitive
    classtype:attempted-recon;
    sid:634;
    rev:2;
)


# 6 XTACACS protocol anomaly (possible scan / abnormal behaviour)
alert udp $EXTERNAL_NET any -> $HOME_NET 49 (
    msg:"SCAN XTACACS logout";
    content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|";
    reference:arachnids,408;
    classtype:bad-unknown;
    sid:635;
    rev:3;
)


# 7 UDP flood / cybercop probe
alert udp $EXTERNAL_NET any -> $HOME_NET 7 (
    msg:"SCAN cybercop udp bomb";
    content:"cybercop";
    reference:arachnids,363;
    classtype:bad-unknown;
    sid:636;
    rev:1;
)


# 8 Webtrends scanner probe
alert udp $EXTERNAL_NET any -> $HOME_NET any (
    msg:"SCAN Webtrends Scanner UDP Probe";
    content:"|0A|help|0A|quite|0A|";
    reference:arachnids,308;
    classtype:attempted-recon;
    sid:637;
    rev:5;
)


# 9 SSH scan (version mapping)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (
    msg:"SCAN SSH Version map attempt";
    flow:to_server,established;
    content:"Version_Mapper";
    nocase;
    classtype:network-scan;
    sid:1638;
    rev:5;
)


# 10 ICMP scan (SolarWinds)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (
    msg:"SCAN SolarWinds IP scan attempt";
    itype:8;                         # Echo Request (ping)
    icode:0;
    content:"SolarWinds.Net";        # signature string
    classtype:network-scan;
    sid:1918;
    rev:6;
)


# 11 HTTP service scan (Cybercop)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (
    msg:"SCAN cybercop os probe";
    flow:stateless;
    ack:0;
    flags:SFP;
    content:"AAAAAAAAAAAAAAAA";
    depth:16;
    reference:arachnids,145;
    classtype:attempted-recon;
    sid:1133;
    rev:12;
)


# 12 UPnP scan
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (
    msg:"SCAN UPnP service discover attempt";
    flow:to_server,established;
    content:"M-SEARCH ";
    depth:9;
    content:"ssdp|3A|discover";
    classtype:network-scan;
    sid:8081;
    rev:1;
)

In short, this rule set identifies network scanning and probing mainly through TCP flag combinations (such as FIN/NULL/XMAS), signature strings, and behaviour on specific ports.
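To make the flag, port and content matching described above concrete, here is a small evaluator (an added example, not code from this report or from the Snort project) that parses rule lines copied from scan.rules and applies Snort 2 semantics for the flags/ack/seq/ttl/content options to constructed packet dictionaries; everything else about Snort (preprocessors, flow tracking, full option syntax) is left out.

```python
import re

# Added example, not code from the report or from Snort: a minimal evaluator for the rule header and the flags / ack / seq / ttl / content options used by the scan.rules entries above.
FLAG_BITS = {"F": 1, "S": 2, "R": 4, "P": 8, "A": 16, "U": 32, "2": 64, "1": 128}  # Snort 2 flag letters
HEADER_RE = re.compile(r"^(\w+) (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")

def bits(letters):  # '0' (no flags) and modifier characters contribute nothing
    return sum(FLAG_BITS[c] for c in letters if c in FLAG_BITS)

def flags_match(spec, pkt_flags):
    # Snort 2 'flags': exact match by default, '+' = these plus any others, '*' = any of these, '!' = none of these; letters after ',' are masked out, so 'F,12' still fires when CWR/ECE are set.
    want, _, ignore = spec.partition(",")
    mode = next((m for m in "!*+" if m in want), "=")
    pkt, need = pkt_flags & ~bits(ignore) & 0xFF, bits(want)
    return {"=": pkt == need, "+": pkt & need == need, "*": bool(pkt & need)}.get(mode, not pkt & need)

def content_bytes(spec):  # "VERSION|0A|" -> b"VERSION\n"
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1") for i, p in enumerate(spec.split("|")))

def parse_rule(text):  # header fields plus options as {name: [values]}; accepts one- or multi-line rules
    _, proto, _, sport, _, dport, body = HEADER_RE.match(" ".join(text.split())).groups()
    opts = {}
    for key, _, val in (i.strip().partition(":") for i in body.split(";") if i.strip()):
        opts.setdefault(key, []).append(val.strip().strip('"'))
    return {"proto": proto, "sport": sport, "dport": dport, "opts": opts}

def port_match(spec, port):  # "any", "113" or "10080:10081"
    lo, _, hi = spec.partition(":")
    return spec == "any" or int(lo) <= port <= int(hi or lo)

def num_match(spec, value):  # "0", ">220" or "<5"
    n = int(spec.lstrip("<>"))
    return value > n if spec[0] == ">" else value < n if spec[0] == "<" else value == n

def rule_matches(rule, pkt):
    o = rule["opts"]
    ok = rule["proto"] == pkt["proto"] and port_match(rule["sport"], pkt["sport"]) \
        and port_match(rule["dport"], pkt["dport"]) \
        and all(num_match(o[k][0], pkt[k]) for k in ("ack", "seq", "ttl") if k in o) \
        and ("flags" not in o or flags_match(o["flags"][0], pkt["flags"]))
    if not ok or "content" not in o:
        return ok
    pat, hay = content_bytes(o["content"][0]), pkt["payload"]  # first content option only
    hay = hay[:int(o["depth"][0])] if "depth" in o else hay    # depth bounds the search
    return (pat.lower() in hay.lower()) if "nocase" in o else (pat in hay)

# Rules copied from scan.rules above (FIN/NULL/XMAS are the ones commented out by default); references trimmed.
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ack:0; flags:S; ttl:>220; sid:613;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; content:"VERSION|0A|"; depth:16; sid:616;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F,12; sid:621;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; ack:0; flags:0; seq:0; sid:623;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU,12; sid:1228;)')]

def alerts(pkt, rules=RULES):  # pkt: constructed dict with proto/sport/dport/flags/ack/seq/ttl/payload
    return [r["opts"]["msg"][0] for r in rules if rule_matches(r, pkt)]
```

A packet dict such as `dict(proto="tcp", flags=0x29, sport=40000, dport=80, ttl=64, ack=0, seq=7, payload=b"")` passed to `alerts()` returns the messages of the rules that fire, which makes it easy to see why the FIN/NULL/XMAS rules are so broad: they key on a flag combination alone.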

3. Problems encountered during the lab and how they were solved

3.1 The Snort version differs from the tutorial's, so the tutorial does not apply directly

My snort was installed directly in kali with apt install, and the version installed by default is snort3, whereas the tutorial uses snort2, so the tutorial cannot be used as-is. The overall logic is unchanged, though, and equivalent commands can be found by consulting the manual or asking a large language model. Besides the commands, the default rules and configuration also differ; this was resolved by looking up documentation and asking a large language model.

3.2 The Honeywall version is too old and has no vmtools installed, so the configuration files cannot be exported directly to the host machine

The general approach to solving this:

  1. Install vmtools manually: choose install VMware Tools in VMware, mount /dev/cdrom onto a local directory, copy VMwaretools.tar.gz out, extract it with tar -zxvf VMwaretools.tar.gz, then run the ./ command to install it directly.
  2. Create a shared folder: in the VMware virtual machine settings choose shared folders and set the directory.
  3. touch a file, use cat with > redirection to write into it, and view it directly on the host machine.

4. Lab summary

This lab deepened my understanding of how firewalls and intrusion detection systems work together within a network security defence. In practice I not only learned the basic configuration of iptables but also came to understand the scenarios in which different policies apply in a real network. At the same time, analysing traffic and writing rules with Snort improved my ability to recognise the characteristic features of network attacks.

In addition, analysing the honeynet gateway configuration showed that real security environments usually combine logging with control: on one hand they capture as much attack activity as possible for analysis, and on the other they use rate limiting and rule constraints to keep attacks from spreading. This design approach is important for understanding practical network defence architectures.

Some problems were encountered during the lab, such as tool version differences and an incomplete environment setup, but all were resolved by consulting documentation and experimenting, which improved my self-directed learning and problem-solving skills overall.

posted @ 2026-04-09 16:17  nakaii  views (72)  comments (0)