모의해킹 및 보안
Snort 기반 IPS/IDS 구축 실습
잉여토끼
2024. 10. 29. 17:59
pfSence Snort Module, Security Onion Sguil, Snort을 사용하여 Snort 기반의 IPS/IDS 구축.
네트워크 토폴로지 랩
- pfSence : Inline IPS
- Security Onion : Mirroring IDS
- ESW3에서 SPAN을 설정. mirroring sorce --> f1/1, mirroring destination : f1/15(mirroring port)
- Security Onion/Ubnuntu Snort의 snort rule은 다음과 같이 설정
- alert icmp any any -> any any (msg:"icmp";, sid:100002;)
- pfSence에서의 snort rule은 다음과 같이 설정
- drop icmp 172.17.20.101 any -> any any (msg:"Drop ICMP";, sid:100001;)
네트워크 장비 설정 확인
R1
R1 sh runBuilding configuration...
Current configuration : 1540 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
!
voice dsp waitstate 0
!
!
!
!
!
!
!
!
!
!
!
!
!
memory-size iomem 0
archive
log config
hidekeys
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
ip address 172.16.0.1 255.255.0.0
duplex half
!
interface Serial1/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
interface Ethernet2/0
ip address 172.17.0.1 255.255.0.0
duplex half
!
interface Ethernet2/1
no ip address
shutdown
duplex half
!
interface Ethernet2/2
no ip address
shutdown
duplex half
!
interface Ethernet2/3
no ip address
shutdown
duplex half
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
no cdp log mismatch duplex
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end
ESW1
R1 sh runBuilding configuration...
Current configuration : 2551 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname ESW1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
vtp file nvram:vlan.dat
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
description *** Unused for Layer2 EtherSwitch ***
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description *** Unused for Layer2 EtherSwitch ***
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
duplex full
speed 100
!
interface FastEthernet1/1
duplex full
speed 100
!
interface FastEthernet1/2
duplex full
speed 100
!
interface FastEthernet1/3
duplex full
speed 100
!
interface FastEthernet1/4
duplex full
speed 100
!
interface FastEthernet1/5
duplex full
speed 100
!
interface FastEthernet1/6
duplex full
speed 100
!
interface FastEthernet1/7
duplex full
speed 100
!
interface FastEthernet1/8
duplex full
speed 100
!
interface FastEthernet1/9
duplex full
speed 100
!
interface FastEthernet1/10
duplex full
speed 100
!
interface FastEthernet1/11
duplex full
speed 100
!
interface FastEthernet1/12
duplex full
speed 100
!
interface FastEthernet1/13
duplex full
speed 100
!
interface FastEthernet1/14
duplex full
speed 100
!
interface FastEthernet1/15
duplex full
speed 100
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
***************************************************************
This is a normal Router with a SW module inside (NM-16ESW)
It has been preconfigured with hard coded speed and duplex
To create vlans use the command "vlan database" from exec mode
After creating all desired vlans use "exit" to apply the config
To view existing vlans use the command "show vlan-switch brief"
Warning: You are using an old IOS image for this router.
Please update the IOS to enable the "macro" command!
***************************************************************
^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
ESW2
R2 sh runBuilding configuration...
Current configuration : 2551 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname ESW2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
vtp file nvram:vlan.dat
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
description *** Unused for Layer2 EtherSwitch ***
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description *** Unused for Layer2 EtherSwitch ***
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
duplex full
speed 100
!
interface FastEthernet1/1
duplex full
speed 100
!
interface FastEthernet1/2
duplex full
speed 100
!
interface FastEthernet1/3
duplex full
speed 100
!
interface FastEthernet1/4
duplex full
speed 100
!
interface FastEthernet1/5
duplex full
speed 100
!
interface FastEthernet1/6
duplex full
speed 100
!
interface FastEthernet1/7
duplex full
speed 100
!
interface FastEthernet1/8
duplex full
speed 100
!
interface FastEthernet1/9
duplex full
speed 100
!
interface FastEthernet1/10
duplex full
speed 100
!
interface FastEthernet1/11
duplex full
speed 100
!
interface FastEthernet1/12
duplex full
speed 100
!
interface FastEthernet1/13
duplex full
speed 100
!
interface FastEthernet1/14
duplex full
speed 100
!
interface FastEthernet1/15
duplex full
speed 100
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
***************************************************************
This is a normal Router with a SW module inside (NM-16ESW)
It has been preconfigured with hard coded speed and duplex
To create vlans use the command "vlan database" from exec mode
After creating all desired vlans use "exit" to apply the config
To view existing vlans use the command "show vlan-switch brief"
Warning: You are using an old IOS image for this router.
Please update the IOS to enable the "macro" command!
***************************************************************
^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
ESW3
R3 sh runBuilding configuration...
Current configuration : 2641 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname ESW3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
monitor session 1 source interface Fa1/1
monitor session 1 destination interface Fa1/15
memory-size iomem 5
no ip routing
no ip icmp rate-limit unreachable
no ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
vtp file nvram:vlan.dat
!
!
ip tcp synwait-time 5
!
!
!
!
!
interface FastEthernet0/0
description *** Unused for Layer2 EtherSwitch ***
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description *** Unused for Layer2 EtherSwitch ***
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
duplex full
speed 100
!
interface FastEthernet1/1
duplex full
speed 100
!
interface FastEthernet1/2
duplex full
speed 100
!
interface FastEthernet1/3
duplex full
speed 100
!
interface FastEthernet1/4
duplex full
speed 100
!
interface FastEthernet1/5
duplex full
speed 100
!
interface FastEthernet1/6
duplex full
speed 100
!
interface FastEthernet1/7
duplex full
speed 100
!
interface FastEthernet1/8
duplex full
speed 100
!
interface FastEthernet1/9
duplex full
speed 100
!
interface FastEthernet1/10
duplex full
speed 100
!
interface FastEthernet1/11
duplex full
speed 100
!
interface FastEthernet1/12
duplex full
speed 100
!
interface FastEthernet1/13
duplex full
speed 100
!
interface FastEthernet1/14
duplex full
speed 100
!
interface FastEthernet1/15
duplex full
speed 100
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner exec ^C
***************************************************************
This is a normal Router with a SW module inside (NM-16ESW)
It has been preconfigured with hard coded speed and duplex
To create vlans use the command "vlan database" from exec mode
After creating all desired vlans use "exit" to apply the config
To view existing vlans use the command "show vlan-switch brief"
Warning: You are using an old IOS image for this router.
Please update the IOS to enable the "macro" command!
***************************************************************
^C
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
end
Ubuntu Snort
Security Onion Sguil
172.17.20.101은 pfSence가 설정되기 전까지 패킷을 확인하고 Alert하는것을 볼 수 있으나 이후 설정이 끝난 뒤에는 패킷이 들어오는것을 확인 할 수 없음.
pfSence
172.17.20.101에서 출발하는 icmp 패킷이 Drop된것을 확인