alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:”SCAN myscan”; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; psad_id:100065; psad_dl:2;)<\/p><\/blockquote>\n
\uc774 \uc2a4\ub178\ud2b8 \uaddc\uce59\uc5d0\ub294 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \uacc4\uce35 \ub370\uc774\ud130\ub97c \uac80\uc0ac\ud558\ub294 \ubd80\ubd84\uc774 \uc5c6\uc73c\uba70, \uc2a4\ub178\ud2b8 \uaddc\uce59\uc9d1\ud569\uc5d0\ub294 \uc774\ub7f0 \uaddc\uce59\uc774 \uc57d 150\uac1c \uc815\ub3c4 \uc788\ub2e4. psad\ub294 \/etc\/psad\/signatures \ud30c\uc77c\ub85c\ubd80\ud130 \uc774\ub7ec\ud55c \uaddc\uce59\uc758 \uc218\uc815\ub41c \ubc84\uc804\uc744 \ub4e4\uc5ec\uc628\ub2e4. BAD-TRAFFIC data in TCP SYN packet(\uc544\ub798 \ucc38\uc870)\uacfc \uac19\uc740 \/etc\/psad\/signature \ud30c\uc77c\uc758 \uc11c\uba85\uc744 \ud558\ub098 \ubb34\uc791\uc704\ub85c \uc0b4\ud3b4\ubcf4\uba74 psad\uac00 \ucd94\uac00\uc801\uc778 \ud0a4\uc6cc\ub4dc\ub97c \uc0ac\uc6a9\ud574\uc11c \uc77c\ubc18\uc801\uc778 \uc2a4\ub178\ud2b8 \uaddc\uce59 \uad6c\ubb38\uc744 \ud655\uc7a5\ud588\uc74c\uc744 \uc54c \uc218 \uc788\ub2e4.<\/p>\n
![\"\"](\"http:\/\/pchero21.com\/wp-content\/uploads\/1\/XYwyDs1n3Y.png\")
\uc774\uc640 \uac19\uc740 \ud0a4\uc6cc\ub4dc \ucca8\uac00\ub294 \uc11c\uba85\uc744 psad\uc640 \ud638\ud658\ub418\uac8c \ud574\uc8fc\ub294 \ud2b9\uc815 \uc815\ubcf4\ub97c \uc11c\uba85\uc5d0 \ucd94\uac00\ud55c\ub2e4. \uc2a4\ub178\ud2b8 \uaddc\uce59\uc5d0 \ucd94\uac00\ub41c \ubaa8\ub4e0 psad \ud0a4\uc6cc\ub4dc \ucca8\uac00\uc758 \uc815\uc758\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n
– psad_id : \uc774 \ud0a4\uc6cc\ub4dc\ub294 \uc11c\uba85\uc744 \ucd94\uc801\ud558\uace0 psad\uac00 \uc0c8\ub85c\uc6b4 \uc11c\uba85\uc744 \ucd94\uac00\ud560 \uc218 \uc788\uac8c \uc720\uc77c\ud55c ID \uc22b\uc790\ub97c \uc815\uc758\ud55c\ub2e4. psad_id \ud56d\ubaa9\uc740 \uc2a4\ub178\ud2b8\uc758 sid \ud56d\ubaa9\uacfc \uc720\uc0ac\ud558\ub2e4. \ubaa8\ub4e0 psad_id \uac12\uc740 6\uc790\ub9ac\uc774\uba70, \uc2a4\ub178\ud2b8 sid \uac12\uacfc \uad6c\ubcc4\ud558\uae30 \uc704\ud574 10000\uc5d0\uc11c \uc2dc\uc791\ud55c\ub2e4. ID \uac12\uc744 \uc815\uc758\ud558\ub294 \uc774\ub7f0 \ubc29\ubc95\uc740 \uc11c\uba85 ID \uac12\uc774 7\uc790\ub9ac\uba70, \uc77c\ubc18\uc801\uc73c\ub85c \uc11c\uba85\uc774 \uc0dd\uc131\ub41c \uc5f0\ub3c4\uc218\ub85c \uc2dc\uc791\ud558\ub294 \ube14\ub9ac\ub529 \uc2a4\ub178\ud2b8 \ud504\ub85c\uc81d\ud2b8(http:\/\/www.bleedingsnort.com)\uc640 \uc720\uc0ac\ud558\ub2e4.<\/p>\n
– psad_dl : \uc774 \ud0a4\uc6cc\ub4dc\ub294 psad\uac00 \uc11c\uba85\uc744 \ucd09\ubc1c\ud55c IP \uc8fc\uc18c\uc5d0 \ud560\ub2f9\ud574\uc57c \ud558\ub294 \uc704\ud5d8 \uc218\uc900\uc744 \uba85\uc2dc\ud55c\ub2e4. psad_dl \ud56d\ubaa9\uc740 1 ~ 5 \uc0ac\uc774\uc758 \uac12\uc744 \ucde8\ud55c\ub2e4.<\/p>\n
– psad_dsize : \uc774 \ud0a4\uc6cc\ub4dc\ub294 iptables LEN \ud56d\ubaa9\uc758 \uac12\uc5d0\uc11c \ud5e4\ub354\uc758 \uae38\uc774\ub97c \ube7c\ub294 \ubc29\ubc95\uc73c\ub85c \ud328\ud0b7 \ud398\uc774\ub85c\ub4dc \ud06c\uae30\uc5d0 \ub300\ud55c \ub9e4\uce6d \uae30\uc900\uc744 \uba85\uc2dc\ud55c\ub2e4. \uc774 \uc635\uc158\uc740 \uc2a4\ub178\ud2b8\uc758 dsize\uc640 \uc720\uc0ac\ud558\uc9c0\ub9cc iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uc758 LEN \ud56d\ubaa9\uc740 \uae30\ub85d\ub41c \ud328\ud0b7\uc758 \uc804\uccb4 \uae38\uc774\ub85c IP \ud5e4\ub354\uae4c\uc9c0 \ud3ec\ud568\ud558\uae30 \ub54c\ubb38\uc5d0 psad\ub294 \ud5e4\ub354 \uae38\uc774\ub97c \ube7c\uc57c \ud55c\ub2e4. \uc608\ub97c \ub4e4\uc5b4 \ud398\uc774\ub85c\ub4dc \ud06c\uae30\uac00 1000 \ubc14\uc774\ud2b8\ubcf4\ub2e4 \ud070\uc9c0 \uac80\uc0ac\ud558\ub824\uba74 \uc11c\uba85\uc5d0 psad_dsize:>1000 \ub97c \ucd94\uac00\ud55c\ub2e4.<\/p>\n
– psad_derived_sids : psad\ub294 \uc774 \ud0a4\uc6cc\ub4dc\ub97c \uc774\uc6a9\ud574\uc11c \ud2b9\uc815 psad \uc11c\uba85\uc774 \uc720\ub3c4\ub41c \uc6d0\ubcf8 \uc2a4\ub178\ud2b8 sid \uac12\uc744 \ucd94\uc801\ud560 \uc218 \uc788\ub2e4. \uc77c\ubd80 psad \uc11c\uba85\uc740 \uba87 \uac00\uc9c0 \uc2a4\ub178\ud2b8 \uaddc\uce59\uc744 \ud569\uccd0\uc11c \uc0dd\uc131\ub418\uba70, \uc774 \ud0a4\uc6cc\ub4dc\uac00 \uc774\ub7ec\ud55c \uc2a4\ub178\ud2b8 \uaddc\uce59\uc744 \uae30\ub85d\ud55c\ub2e4.<\/p>\n
– psad_ip_len : \uc774 \ud0a4\uc6cc\ub4dc\ub294 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uc758 LEN \ud56d\ubaa9\uc5d0 \ub300\ud55c \ub9e4\uce6d \uae30\uc900\uc744 \uba85\uc2dc\ud55c\ub2e4.(\uc774\ub294 psad_dsize \uc640 \ube44\uc2b7\ud558\uc9c0\ub9cc \ub124\ud2b8\uc6cc\ud06c\uc640 \uc804\uc1a1 \uacc4\uce35 \ud5e4\ub354\uc758 \uae38\uc774\ub97c \ube7c\uc9c0 \uc54a\ub294\ub2e4). psad_dsize\uc640 \ub9c8\ucc2c\uac00\uc9c0\ub85c psad_ip_len \ud0a4\uc6cc\ub4dc\ub3c4 n:m, n<, n> \uacfc \uac19\uc740 \ud615\uc2dd\uc758 \ubc94\uc704 \ub9e4\uce6d\uc744 \uc9c0\uc6d0\ud55c\ub2e4. \uc608\ub97c \ub4e4\uc5b4 LEN \ud56d\ubaa9\uc774 100\ubc14\uc774\ud2b8\uc5d0\uc11c 200\ubc14\uc774\ud2b8 \uc0ac\uc774\uc778\uc9c0 \uac80\uc0ac\ud558\ub824\uba74 psad_ip_len: 100:200 \ub97c \uc11c\uba85\uc5d0 \ucd94\uac00\ud55c\ub2e4.<\/p><\/blockquote>\n
** LAND \uacf5\uaca9 \ud0d0\uc9c0<\/p>\n
LAND \uacf5\uaca9\uc740 \uc624\ub798\ub41c \uace0\uc804\uc801 \uacf5\uaca9\uc73c\ub85c \uc708\ub3c4\uc6b0 \uc2dc\uc2a4\ud15c\uc744 \ubaa9\ud45c\ub85c \ud558\ub294 \uc11c\ube44\uc2a4 \uac70\ubd80 \uacf5\uaca9\uc774\ub2e4. LAND \uacf5\uaca9\uc5d0\ub294 \uc790\uc2e0\uc758 \ubaa9\uc801\uc9c0 IP \uc8fc\uc18c\uc640 \ub3d9\uc77c\ud55c \ucd9c\ubc1c\uc9c0 IP \uc8fc\uc18c\ub97c \uac00\uc9c0\ub294 TCP SYN \ud328\ud0b7\uc744 \uc0dd\uc131\ud558\ub294 \uac83\uc774 \ud3ec\ud568\ub41c\ub2e4. \uc2a4\ub178\ud2b8 \uc11c\uba85 \uc9d1\ud569\uc5d0\uc11c LAND \uacf5\uaca9 \ud0d0\uc9c0\uc758 \ud575\uc2ec\uc740 sameip \ud328\ud0b7 \ud5e4\ub354 \uac80\uc0ac\ub2e4. \uc2a4\ub178\ud2b8 \uaddc\uce59 ID 527( \uc6d0\ub798 \uc2a4\ub178\ud2b8\uc758 \/etc\/psad\/snort_rules\/bad-traffic.rules \ud30c\uc77c\uc5d0 \uc874\uc7ac)\uc758 \uc218\uc815\ub41c \ubc84\uc804\uc744 \ud1b5\ud574 psad\ub294 iptables \ub85c\uadf8\uc5d0\uc11c LAND \uacf5\uaca9\uc744 \ud0d0\uc9c0\ud560 \uc218 \uc788\ub2e4.<\/p>\n
alert ip any any -> any any (msg:”BAD-TRAFFIC same SRC\/DST”; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org\/advisories\/CA-1997-28.html; classtype:bad-unknown; sid:527; psad_id:100103; psad_dl:2;)<\/p><\/blockquote>\n
psad\ub294 iptables \ub85c\uadf8\uc5d0\uc11c SRC\uc640 DST \ud56d\ubaa9\uc774 \ub3d9\uc77c\ud55c\uc9c0 \ud655\uc778\ud558\ub294 \ubc29\ubc95\uc73c\ub85c sameip \uac80\uc0ac\ub97c \uc218\ud589\ud55c\ub2e4. \uadf8\ub7ec\ub098 \uae0d\uc815 \uc624\ub958\ub97c \uc904\uc774\uae30 \uc704\ud574 \ub8e8\ud504\ubc31(loopback) \uc778\ud130\ud398\uc774\uc2a4\uc5d0 \ub300\ud574 \uae30\ub85d\ub41c \ud2b8\ub798\ud53d\uc740 \uc774 \uac80\uc0ac\uc5d0\uc11c \uc81c\uc678\ud55c\ub2e4.<\/p>\n
SRC\uc640 DST \ud56d\ubaa9\uc740 \ud56d\uc0c1 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uc5d0 \uc758\ud574 \ud3ec\ud568\ub418\ubbc0\ub85c psad\uac00 LAND \uacf5\uaca9\uacfc \uad00\ub828\ub41c \ud2b8\ub798\ud53d\uc744 \ud0d0\uc9c0\ud558\uac8c \ud558\uae30 \uc704\ud55c LOG \uaddc\uce59\uc744 \ub9cc\ub4e4 \ub54c\ub294 \ud2b9\ubcc4\ud55c \uba85\ub839 \ud589 \uc635\uc158\uc744 \uc785\ub825\ud560 \ud544\uc694\uac00 \uc5c6\ub2e4. <\/p>\n
** \uc708\ub3c4\uc6b0 \uba54\uc2e0\uc800 \ud31d\uc5c5 \uc2a4\ud338 \ud0d0\uc9c0<\/p>\n
\uc2a4\ud338\uc740 \uc778\ud130\ub137 \uacf5\uac04 \uc5b4\ub514\uc5d0\ub098 \uc874\uc7ac\ud558\ub294 \ubb38\uc81c\ub85c \ubaa8\ub450\uac00 \uc774 \uace8\uce6b\uac70\ub9ac\uc758 \uc601\ud5a5\uc744 \uccb4\uac10\ud558\uace0 \uc788\ub2e4. \uc790\uc2e0\uc758 \uc2a4\ud338\uc744 \uc880 \ub354 \ub9ce\uc740 \uc0ac\uc6a9\uc790\uac00 \ubcf4\uac8c \ud558\uae30 \uc704\ud574 \uc2a4\ud328\uba38(\uc2a4\ud338 \uc804\uc1a1\uc790)\uac00 \uc8fc\ub85c \uc0ac\uc6a9\ud558\ub294 \ubc29\ubc95 \uc911 \ud558\ub098\ub294 \uc708\ub3c4\uc6b0 \uba54\uc2e0\uc800 \uc11c\ube44\uc2a4\ub97c \ud1b5\ud574 \uc2a4\ud338\uc744 \uc9c1\uc811 \uc804\uc1a1\ud558\ub294 \uac83\uc774\ub2e4. \uc774 \ud2b8\ub798\ud53d\uc774 \uc678\ubd80 \ub124\ud2b8\uc6cc\ud06c\ub85c\ubd80\ud130 \uc624\ub294 \uacbd\uc6b0 \uc774\ub97c \ud0d0\uc9c0\ud558\ub294 \uac83\uc740 \ub9e4\uc6b0 \uc4f8\ubaa8 \uc5c6\uc74c\uc5d0\ub3c4 \ubd88\uad6c\ud558\u3131(\uc2a4\ud338 \uba54\uc2dc\uc9c0\ub294 \uc2a4\ud478\ud551\ub420 \uc218 \uc788\uc73c\uba70, \uba54\uc2dc\uc9c0\uac00 \ud06c\uc9c0 \uc54a\ub294 \ud55c \uc774\ub97c \uc804\uc1a1\ud558\ub294 \ub370\ub294 UDP \ud328\ud0b7 \ud558\ub098\ub9cc \ud544\uc694\ud558\uae30 \ub54c\ubb38\uc774\ub2e4) \ub0b4\ubd80 \ub124\ud2b8\uc6cc\ud06c\uc5d0\uc11c \uc804\uc1a1\ub418\ub294 \uc2a4\ud338 \uba54\uc2dc\uc9c0\ub97c \ud0d0\uc9c0\ud558\ub294 \uac83\uc740 \uc911\uc694\ud560 \uc218 \uc788\ub2e4. \uc778\ud2b8\ub77c\ub137\uc774\uc11c \uc774\ub7f0 \ud2b8\ub798\ud53d\uc744 \uc0dd\uc131\ud558\ub294 \uc2dc\uc2a4\ud15c\uc740 \uc6d0\uaca9\uc5d0\uc11c \uc2dc\uc2a4\ud15c\uc744 \uc81c\uc5b4\ud558\uace0 \uc788\ub294 \ub204\uad70\uac00\uc5d0 \uc758\ud574 \uc774\ubbf8 \uce68\ud22c\ub2f9\ud574\uc11c \uc2a4\ud338\uc744 \uc874\uc1a1\ud558\ub294 \ub370 \uc774\uc6a9\ub418\ub294 \uc911\uc77c \uc218\ub3c4 \uc788\ub2e4.<\/p>\n
psad\ub294 (\ub0b4\ubd80 \uc8fc\uc18c\uc5d0\uc11c \uc804\uc1a1\ub410\ub294\uc9c0\uc640 \ubb34\uad00\ud558\uac8c) INPUT \uccb4\uc778\uc5d0 \uae30\ub85d\ub41c \ud328\ud0b7\uc744 \ud648 \ub124\ud2b8\uc6cc\ud06c\uc5d0\uc11c \ub77c\uc6b0\ud305\ub41c \uac83\uc73c\ub85c \ucde8\uae09\ud558\uae30 \ub54c\ubb38\uc5d0 \ub2e4\uc74c\uacfc \uac19\uc740 \uc11c\uba85\uc740 \uc708\ub3c4\uc6b0 \ud31d\uc5c5 \uc2a4\ud338 \uc2dc\ub3c4\uac00 \ubc29\ud654\ubcbd\uc73c\ub85c \ub77c\uc6b0\ud305\ub420 \ub54c \uc774\ub97c \ud0d0\uc9c0\ud55c\ub2e4(\ubaa9\uc801\uc9c0 \ud3ec\ud2b8 \ubc94\uc704 1026 ~ 1029\ub97c \uac00\uc9c0\ub294 UDP\uc640 psad_size \uac80\uc0ac\ub97c \uc774\uc6a9\ud558\ub294 100\ubc14\uc774\ud2b8 \ucd08\uacfc\uc758 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \uacc4\uce35 \ub370\uc774\ud130 \ud06c\uae30 \ubd80\ubd84\uc5d0 \uc8fc\ubaa9\ud558\uc790).<\/p>\n
alert udp $EXTERNAL_NET any -> $HOME_NET 1026:1029 (msg:”MISC Windows popup spam attempt”; classtype:misc-activity; reference:url,www.linklogger.com\/UDP1026.htm; psad_dsize:>100; psad_id:100196; psad_dl:2;)<\/p><\/blockquote>\n
* psad \uc11c\uba85 \uac31\uc2e0<\/p>\n
psad \ubc30\ud3ec\ub294 \uc8fc\ub85c psad tar \uc555\ucd95 \ud30c\uc77c\uc774\ub098 RPM \ud30c\uc77c\uc5d0 “signatures” \ud30c\uc77c\ub85c\uc11c \uac31\uc2e0\ub41c \uc11c\uba85 \uc9d1\ud569\uc744 \ud3ec\ud568\ud55c\ub2e4. \uadf8\ub7ec\ub098 \uc11c\uba85 \uac1c\ubc1c\uc740 \uc9c4\ud589 \uc911\uc778 \uacfc\uc815\uc774\uba70, \uc5b4\ub5a4 \uacbd\uc6b0\uc5d0\ub294 psad\uc758 \ub2e4\uc74c \ubc30\ud3ec\uac00 \ub098\uc624\uae30 \uc804\uc5d0 \uc0c8\ub85c\uc6b4 \uc11c\uba85\uc774 \uac1c\ubc1c\ub418\uae30\ub3c4 \ud55c\ub2e4.<\/p>\n
\uc0ac\uc6a9\uc790\uac00 \ucd5c\ub300\ud55c \ube68\ub9ac \uc11c\uba85\uc744 \uc774\uc6a9\ud560 \uc218 \uc788\uac8c \ud558\uae30 \uc704\ud574 http:\/\/www.cipherdyne.org\/psad\/signatures \uc5d0\uc11c \ucd5c\uc2e0 \uc11c\uba85 \uc9d1\ud569\uc744 \ubc30\ud3ec\ud55c\ub2e4. psad –sig-update \uba85\ud615 \ud589 \uc778\uc790\ub97c \uc774\uc6a9\ud558\uba74 psad\ub294 \ub2e4\uc74c\uacfc \uac19\uc774 \uc774 \ud30c\uc77c\uc744 \ubc1b\uc544\uc11c \ud30c\uc77c\uc2dc\uc2a4\ud15c\uc758 \/etc\/psad\/signatures \uc5d0 \uc704\uce58\uc2dc\ud0a8\ub2e4.<\/p>\n
\uc704\uc5d0\uc11c \uc54c \uc218 \uc788\ub4ef\uc774 \ucd5c\uc2e0 \uc11c\uba85 \uc9d1\ud569\uc774 \ub2e4\uc6b4\ub85c\ub4dc\ub410\uc73c\uba70, \uc0ac\uc6a9\uc790\ub294 init \uc2a4\ud06c\ub9bd\ud2b8(\/etc\/init.d\/psad restart)\ub97c \uc774\uc6a9\ud574\uc11c psad \ub97c \uc7ac\uc2dc\uc791\ud558\uac70\ub098 \uc2e4\ud589 \uc911\uc778 psad \ub370\ubaac\uc5d0 HUP \uc2e0\ud638(psad -H)\ub97c \uc804\uc1a1\ud574\uc11c \uc0c8\ub85c\uc6b4 \uc11c\uba85 \uc9d1\ud569\uc744 \ub4e4\uc5ec\uc624\uac8c \ud560 \uc218 \uc788\ub2e4.<\/p>\n* OS \ud551\uac70\ud504\ub9b0\ud305<\/p>\n
\ub124\ud2b8\uc6cc\ud06c \ud2b8\ub798\ud53d\uc744 \ud1b5\ud574 \uc6b4\uc601\uccb4\uc81c\ub97c \uc6d0\uaca9\uc73c\ub85c \ud551\uac70\ud504\ub9b0\ud305\ud558\ub294 \uae30\uc220\uc5d0\ub294 \uba87 \uac00\uc9c0\uac00 \uc788\uc73c\uba70, \ud06c\uac8c \ub2a5\ub3d9\ud615\uacfc \uc218\ub3d9\ud615\uc758 \ub450 \ubd84\ub958\ub85c \ub098\ub20c \uc218 \uc788\ub2e4.<\/p>\n
– \uc6b4\uc601\uccb4\uc81c \ud551\uac70\ud504\ub9b0\ud305\uc774\ub77c\ub294 \uc6a9\uc5b4\ub294 \ub2e4\uc18c \uc798\ubabb\ub41c \ud45c\ud604\uc774\ub2e4. \uc0ac\uc2e4 \uc774 \uc6a9\uc5b4\uac00 \uc758\ubbf8\ud558\ub294 \uac83\uc740 \ub124\ud2b8\uc6cc\ud06c \uc2a4\ud0dd \ud551\uac70\ud504\ub9b0\ud305\uc774\uae30 \ub54c\ubb38\uc774\ub2e4. \ub124\ud2b8\uc6cc\ud06c \uc2a4\ud0dd\uc774 OS \ub9c8\uc790 \ub2e4\ub974\uae30 \ub54c\ubb38\uc5d0 \ub124\ud2b8\uc6cc\ud06c \uc2a4\ud0dd\uc744 \ud551\uac70\ud504\ub9b0\ud305\ud574\uc11c \uc774\uc5d0 \ub300\uc751\ub418\ub294 \uc6b4\uc601\uccb4\uc81c\ub97c \uc720\ucd94\ud560 \uc218 \uc788\ub2e4.<\/p><\/blockquote>\n
** Nmap\uc744 \uc774\uc6a9\ud55c \ub2a5\ub3d9\uc801 OS \ud551\uac70\ud504\ub9b0\ud305<\/p>\n
\uc0ac\uc6a9\uc790\uac00 \uae30\uc5ec\ud558\ub294 1600\uac1c \uc774\uc0c1\uc758 OS \ud551\uac70\ud504\ub9b0\ud2b8 \ub370\uc774\ud130 \ubca0\uc774\uc2a4\ub97c \uc774\uc6a9\ud558\uba74 Nmap\uc758 -O \uc635\uc158\uc740 \uac00\uc7a5 \uc798 \uc54c\ub824\uc9c4 \ub2a5\ub3d9\uc801 OS \ud551\uac70\ud504\ub9b0\ud305 \uad6c\ud604\uc774\ub2e4. Nmap\uc740 \uc8fc\ub85c TCP\uc758 \ud2c0\uc9d5\uc801\uc778 \ub3d9\uc791\uc744 \uc774\uc6a9\ud574\uc11c \uc6d0\uaca9 \uc6b4\uc601\uccb4\uc81c\ub97c \ucd94\uce21\ud558\ub294\ub370, \ub2e4\uc74c\uacfc \uac19\uc740 \uac83\uc774 \uc788\ub2e4.<\/p>\n
– Nmap\uc774 \uc804\uc1a1\ud55c SYN \ud328\ud0b7\uc5d0 \ub300\ud55c \uc751\ub2f5\uc73c\ub85c \ubaa9\ud45c \uc2a4\ud0dd\uc774 TCP \ud5e4\ub354\uc758 \uc635\uc158 \ubd80\ubd84\uc744 \uad6c\uc131\ud558\ub294 \ubc29\uc2dd
– \ub2eb\ud78c \ud3ec\ud2b8\ub85c UDP \ud328\ud0b7\uc744 \uc804\uc1a1\ud574\uc11c \ubaa9\ud45c \uc2dc\uc2a4\ud15c\uc73c\ub85c\ubd80\ud130 \uc54c\uc544\ub0b8 ICMP \ud3ec\ud2b8 \ub3c4\ub2ec \ubd88\uac00 \uba54\uc2dc\uc9c0\uc758 \ud2b9\uc131\uc744 \ud1b5\ud574 \uc54c\uc544\ub0b4\ub294 \ubc29\uc2dd. \uc6b4\uc601\uccb4\ub294 ICMP \ud3ec\ud2b8 \ub3c4\ub2ec \ubd88\uac00 \uba54\uc2dc\uc9c0\uc5d0 \ub2eb\ud78c \ud3ec\ud2b8\ub85c \uc804\uc1a1\ub41c \uc6d0\ubcf8 UDP \ud328\ud0b7\uc758 \uc77c\ubd80\ub97c \ubc29\ud658\ud574\uc57c \ud558\uc9c0\ub9cc \ub9ce\uc740 \uc2a4\ud0dd\uc774 \uc774\ub97c \uc644\uc804\ud558\uac8c \uc218\ud589\ud558\uc9c0\ub294 \uc54a\ub294\ub2e4. \uccb4\ud06c\uc12c, IP ID \uac12, \ucd1d IP \uae38\uc774 \ud56d\ubaa9 \ub4f1\uc774 \uc65c\uace1\ub420 \uc218 \uc788\ub2e4. \uc774 \uac12\ub4e4\uc774 \uc65c\uace1\ub418\ub294 \uc815\ub3c4\uc640 \ubc29\uc2dd\uc740 \uc6d0\uaca9 \uc2a4\ud0dd\uc758 \ud551\uac70\ud504\ub9b0\ud305\uc744 \ub3d5\ub294 \ucc99\ub3c4\ub85c \uc774\uc6a9\ub420 \uc218 \uc788\ub2e4.<\/p><\/blockquote>\n<\/p>\n
– Xprobe\ub3c4 \ud765\ubbf8\ub85c\uc6b4 \ub2a5\ub3d9\uc801 OS \ud551\uac70 \ud504\ub9b0\ud130\ub2e4(http:\/\/www.sys-security.com). Xprobe\ub294 \ud551\uac70 \ud504\ub9b0\ud305\uc744 \ubcf4\uc870\ud558\uae30 \uc704\ud574 \uad49\uc7a5\ud788 \ub9ce\uc740 ICMP\uc744 \uc0ac\uc6a9\ud55c\ub2e4. \uc5b4\ub5a4 \uacbd\uc6b0 Xprobe\ub294 OS \ub97c \ud551\uac70\ud504\ub9b0\ud305\ud560 \ub54c Nmap \ubcf4\ub2e4 \ud6e8\uc52c \uc801\uc740 \ud328\ud0b7\uc744 \uc804\uc1a1\ud558\uae30\ub3c4 \ud55c\ub2e4. \ub54c\ub54c\ub85c Nmap\uc740 \ud558\ub098\uc758 \uc6d0\uaca9 \ud638\uc2a4\ud2b8\uc5d0 \ub300\ud55c \ud551\uac70\ud504\ub9b0\ud2b8\ub97c \uc0dd\uc131\ud558\ub294 \ub370 1400\uac1c \uc815\ub3c4\uc758 \ud328\ud0b7\uc744 \uc0dd\uc131\ud560 \uc218 \uc788\ub2e4. \ub2a5\ub3d9\uc801 \ud551\uac70\ud504\ub9b0\ud305 \uae30\uc220\uc5d0 \ub300\ud55c \uc790\uc138\ud55c \uc815\ubcf4\ub294 \ub17c\ubb38 [Remote OS Detection via TCP\/IP Stack FingerPrinting] (http:\/\/www.insecure.org)\uacfc [The Present and Future of Xprobe2-The Next Generation of Active Operating System Fingerprinting](http:\/\/www.sys-security.com)\uc5d0\uc11c \ucc3e\uc544\ubcfc \uc218 \uc788\ub2e4.<\/p><\/blockquote>\n
* DShield \ubcf4\uace0<\/p>\n
DShiled \ubd84\uc0b0 \uce68\uc785 \ud0d0\uc9c0 \uc2dc\uc2a4\ud15c(http:\/\/www.dshield.org)\uc740 \ubcf4\uc548 \uc774\ubca4\ud2b8 \ub370\uc774\ud130\ub97c \uc218\uc9d1\ud558\uace0 \ubcf4\uace0\ud558\ub294 \ub370 \uc788\uc5b4 \uc911\uc694\ud55c \ub3c4\uad6c\ub2e4. DShield\ub294 \uce68\uc785 \ud0d0\uc9c0 \uc2dc\uc2a4\ud15c, \ub77c\uc6b0\ud130, \ubc29\ud654\ubcbd \ub4f1\uc744 \ud3ec\ud568\ud574\uc11c \ub2e4\uc591\ud55c \uacf5\uac1c \uc18c\uc2a4\uc640 \uc0c1\uc6a9 \uc18c\ud504\ud2b8\uc6e8\uc5b4\uac00 \uc81c\uacf5\ud558\ub294 \ub370\uc774\ud130\uc5d0 \ub300\ud55c \uc911\uc559\uc9d1\uc911\uc2dd \uc800\uc7a5\uc18c \uc5ed\ud560\uc744 \uc218\ud578\ud55c\ub2e4.<\/p>\n
\uc774\ub7ec\ud55c \uc81c\ud488\uc758 \ub2e4\uc218\uac00 \uba54\uc77c\uc774\ub098 \uc6f9 \uc778\ud130\ud398\uc774\uc2a4\ub97c \ud1b5\ud574 DShield \uc5d0\uac8c \ubcf4\uc548 \uacbd\uace0\ub97c \uc81c\ucd9c\ud560 \uc218 \uc788\ub2e4. \uc774\ubca4\ud2b8 \ub370\uc774\ud130\ub97c DShield \uc5d0\uac8c \uc81c\ucd9c\ud560 \uc218 \uc788\ub294 \ud074\ub77c\uc774\uc5b8\ud2b8 \ud504\ub85c\uadf8\ub7a8\uc758 \uc804\uccb4 \ubaa9\ub85d\uc740 http:\/\/www.dshield.org\/howto.php \uc5d0\uc11c \ucc3e\uc544\ubcfc \uc218 \uc788\ub2e4.<\/p>\n
DSheild \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub294 \uc804\uc5ed \uc790\uc6d0\uc73c\ub85c \uc124\uacc4\ub410\ub2e4. \uc989, \uc5b4\ub5a4 IP \uc8fc\uc18c\uac00 \uac00\uc7a5 \ub9ce\uc740 \uc218\uc758 \uc784\uc758 \ubaa9\ud45c\ub97c \uacf5\uaca9 \uc911\uc778\uc9c0, \uac00\uc7a5 \uc77c\ubc18\uc801\uc73c\ub85c \uacf5\uaca9\ub418\ub294 \ud3ec\ud2b8\uc640 \ud504\ub85c\ud1a0\ucf5c\uc774 \ubb34\uc5c7\uc778\uc9c0 \ub4f1\uc744 \uc54c\uae30 \uc704\ud574 \ub204\uad6c\ub098 DShield \ub370\uc774\ud130\ubca0\uc774\uc2a4\ub97c \uc774\uc6a9\ud560 \uc218 \uc788\ub2e4.<\/p>\n
DShield \uc5d0 \uc81c\ucd9c\ud558\ub294 \uc774\ubca4\ud2b8 \ub370\uc774\ud130\uc758 \ud615\ud0dc\ub294 \uc911\uc694\ud558\ub2e4. \ubc29\ud654\ubcbd\uc774\ub098 \uce68\uc785 \ud0d0\uc9c0 \uc2dc\uc2a4\ud15c\uc774 \uae30\ub85d\ud55c \uc774\ubca4\ud2b8 \ub370\uc774\ud130 \uc911 \uc77c\ubd80\ub294 \uacf5\uac1c\uc801\uc778 \uc778\ud130\ub137\uc0c1\uc5d0\uc11c \uc545\uc758\uc801\uc778 \ud2b8\ub798\ud53d\uc744 \uc758\ubbf8\ud558\ub294 \uac83\uc774 \uc544\ub2d0 \uc218 \uc788\uc73c\ubbc0\ub85c DShield \ub370\uc774\ud130\ubca0\uc774\uc2a4\uc5d0 \ud3ec\ud568\uc2dc\ud0a4\ub294 \uac83\uc774 \ubd80\uc801\uc808\ud558\ub2e4. \uc774\ub7f0 \ub370\uc774\ud130\ub294 RFC 1918 \uc8fc\uc18c \uacf5\uac04\uc758 \ub0b4\ubd80 \ub124\ud2b8\uc6cc\ud06c\uc5d0 \uc874\uc7ac\ud558\ub294 \ud638\uc2a4\ud2b8 \uac04 \uacf5\uaca9, \ub85c\uceec \ubcf4\uc548\uc744 \uac80\uc0ac\ud558\uae30 \uc704\ud574 \uc2e4\uc988 \uc5c5(https:\/\/www.grc.com)\uacfc \uac19\uc740 \uc678\ubd80 \uc0ac\uc774\ud2b8\ub85c\ubd80\ud130 \uc694\uccad\ub41c \ud3ec\ud2b8 \uc2a4\uce94 \ub4f1\uc774 \uc788\ub2e4.<\/p>\n
psad \ub294 \uc790\ub3d9\uc801\uc73c\ub85c \uc2a4\uce94 \ub370\uc774\ud130\ub97c DShield\uc5d0\uac8c \uba54\uc77c\ub85c \uc81c\ucd9c\ud560 \uc218 \uc788\ub2e4. DShield \uc6f9\uc0ac\uc774\ud2b8\uc5d0 \uac00\uc785\ud558\uba74 \/etc\/psad\/psad.conf \uc758 DSHIELD_USER_ID \ubcc0\uc218\ub97c \uc218\uc815\ud574\uc11c \uba54\uc77c \uc81c\ucd9c\uc5d0 \uc0ac\uc6a9\uc790\uba85\uc744 \ud3ec\ud568\uc2dc\ud0ac \uc218\ub3c4 \uc788\uc9c0\ub9cc DShield \ub294 \uc775\uba85 \ucd9c\ucc98\ub85c\ubd80\ud130\uc758 \ub85c\uadf8\uc815\ubcf4\ub3c4 \uc218\uc6a9\ud558\ubbc0\ub85c \uad73\uc774 \uac00\uc785\ud560 \ud544\uc694\ub294 \uc5c6\ub2e4. \uae30\ubcf8\uc801\uc73c\ub85c DShield \ubcf4\uace0\uac00 \ud65c\uc131\ud654\ub418\uba74 psad\ub294 6\uc2dc\uac04\ub9c8\ub2e4 \uc81c\ucd9c \uba54\uc77c\uc744 \uc804\uc1a1\ud558\uc9c0\ub9cc \uc774 \uac04\uaca9\uc740 DSHIELD_ALERT_INTERVAL \ubcc0\uc218\ub97c \uc870\uc808\ud574 \ubcc0\uacbd\ud560 \uc218 \uc788\ub2e4(psad\ub294 RFC 1918 \uc8fc\uc18c\ub098 \/etc\/psad\/auto_dl \uc5d0\uc11c \uc704\ud5d8 \uc218\uc900\uc774 0\uc73c\ub85c \uc124\uc815\ub410\uae30 \ub54c\ubb38\uc5d0 \ubb34\uc2dc\ud574\uc57c \ud558\ub294 \uc8fc\uc18c\ub85c\ubd80\ud130 \uc2dc\uc791\ub418\ub294 \uc2a4\uce94 \ub370\uc774\ud130\ub97c \ud3ec\ud568\uc2dc\ud0a4\uc9c0 \uc54a\ub294\ub2e4).<\/p>\n
psad \uc5d0\uc11c DShield \ubcf4\uace0\uac00 \uae30\ubcf8\uc801\uc73c\ub85c \ud65c\uc131\ud654\ub300 \uc788\uc9c0\ub294 \uc54a\uc9c0\ub9cc psad \uc124\uce58 \ud504\ub85c\uadf8\ub7a8\uc778 install.pl \uc740 \uc774\ub97c \ud65c\uc131\ud654\ud560\uc9c0 \ubb3b\ub294\ub2e4. \ubcf4\uc548 \uc815\ucc45\uc5d0\uc11c \uba85\uc2dc\uc801\uc73c\ub85c DShield\ub85c\uc758 \ubcf4\uc548 \uc774\ubca4\ud2b8 \ub370\uc774\ud130 \uc804\uc1a1\uc744 \uae08\uc9c0\ud558\uc9c0 \uc54a\ub294 \ud55c \uc774 \uae30\ub2a5\uc744 \ud65c\uc131\ud654\ud560 \uac83\uc744 \uacbd\ub825 \ucd94\ucc9c\ud55c\ub2e4.<\/p><\/blockquote>\n
* psad \uc0c1\ud0dc \ucd9c\ub825 \ubcf4\uae30<\/p>\n
psad\ub294 iptables \ub85c\uadf8\ub97c \uac10\uc2dc\ud558\uba74\uc11c \ub2e4\uc591\ud55c \ub370\uc774\ud130\ub97c \/var\/log\/psad \ub514\ub809\ud1a0\ub9ac\uc5d0 \uc800\uc7a5\ud558\uae30 \ub54c\ubb38\uc5d0 \uc0ac\uc6a9\uc790\ub294 \uc790\uc2e0\uc758 \uc2dc\uc2a4\ud15c\uc774 \uc5bc\ub9c8\ub098 \ub9ce\uc774 \uc2a4\uce94\ub410\ub294\uc9c0\uc5d0 \ub300\ud55c \uc815\ubcf4\ub97c \uc5bb\uae30 \uc704\ud574 \uc774 \ub514\ub809\ud1a0\ub9ac\ub97c \uc790\uc138\ud788 \uc0b4\ud3b4\ubcfc \uc218 \uc788\ub2e4.<\/p>\n
\ubb3c\ub860 \ub300\ubd80\ubd84\uc758 \uc0ac\ub78c\ub4e4\uc774 \uc218\uc5c6\uc774 \ub9ce\uc740 \/var\/log\/psad\/ip \ub514\ub809\ud1a0\ub9ac\uc640 \uadf8 \uc548\uc758 \ud30c\uc77c\uc744 \uc9c1\uc811 \ubd84\ub958\ud558\ub294 \uac83\uc744 \uc990\uae30\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0 psad\ub294 \uc2e4\ud589 \uc911\uc778 psad \ub370\ubaac\uc5d0 \ub300\ud55c \uc0c1\ud0dc \uc815\ubcf4\ub97c \ub85c\uceec \ud30c\uc77c\uc2dc\uc2a4\ud15c\uc5d0 \uc9c8\uc758\ud558\ub294 \uae30\ub2a5\uc744 \ud1b5\ud574 \uc774 \uacfc\uc815\uc744 \uc790\ub3c4\uc624\ud558\ud55c\ub2e4. \uc774\ub97c \uc704\ud574\uc11c\ub294 psad\ub97c \uc2e4\ud589\ud560 \ub54c \ubaa9\ub85d 7-1\uacfc \uac19\uc774 –Status \uba85\ub839 \ud589 \uc778\uc790\ub97c \uc785\ub825\ud574\uc57c \ud55c\ub2e4.<\/p>\n
[+] psadwatchd (pid: 29253) %CPU: 0.0 %MEM: 0.0
Running since: Sun Jul 4 13:29:20 2010<\/p>\n[+] kmsgsd (pid: 29251) %CPU: 0.0 %MEM: 0.0
Running since: Sun Jul 4 13:29:19 2010<\/p>\n[+] psad (pid: 29248) %CPU: 0.1 %MEM: 0.7
Running since: Sun Jul 4 13:29:19 2010
Command line arguments: -c \/etc\/psad\/psad.conf
Alert email address(es): root@localhost<\/p>\n[+] Version: psad v2.1.4<\/p>\n
[+] Top 50 signature matches:
“POLICY vncviewer Java applet communication attempt” (tcp), Count: 12, Unique sources: 1, Sid: 1846
“BACKDOOR DeepThroat 3.1 Server Response [3150]” (udp), Count: 12, Unique sources: 3, Sid: 1982
“BACKDOOR DeepThroat 3.1 Server Response [4120]” (udp), Count: 10, Unique sources: 1, Sid: 1984
“BACKDOOR DoomJuice file upload attempt” (tcp), Count: 8, Unique sources: 1, Sid: 2375
“MISC PCAnywhere communication attempt” (tcp), Count: 8, Unique sources: 1, Sid: 100073
“BACKDOOR netbus Connection Cttempt” (tcp), Count: 8, Unique sources: 1, Sid: 100028
“BACKDOOR DeepThroat 3.1 Server Response” (udp), Count: 6, Unique sources: 3, Sid: 195
“MISC HP Web JetAdmin communication attempt” (tcp), Count: 4, Unique sources: 1, Sid: 100084<\/p>\n[+] Top 25 attackers:
….<\/p>\n[+] Top 20 scanned ports:
….<\/p>\n[+] iptables log prefix counters:
….<\/p>\nDShield stats:
….<\/p>\n[+] IP Status Detail:
….<\/p>\n<\/blockquote>\n\uc704 \ucd9c\ub825\uc5d0\ub294 \ud604\uc7ac psad\uac00 \ucd94\uc801 \uc911\uc778 \ubaa8\ub4e0 \uacf5\uaca9\uc744 \ud2b9\uc9d5\uc5d0 \ub530\ub77c \ub098\ub208 \uc77c\ubd80 \uc9d1\ud569\uc744 \uc0ac\uc6a9\uc790\uc5d0\uac8c \uc54c\ub824\uc8fc\uac8c \uc124\uacc4\ub41c \uc5ec\ub7ec \ubd80\ubd84\uc774 \uc788\ub2e4(\uac00\uc7a5 \ub192\uc740 \uc218\uc900\uc758 \uc815\ubcf4\uac00 \uc704\ucabd\uc5d0 \uc704\uce58\ud55c\ub2e4). \uac01 \ubd80\ubd84\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n
– psad \ud504\ub85c\uc138\uc2a4 \uc0c1\ud0dc \uc815\ubcf4.
\uba3c\uc800 psad \ud504\ub85c\uc138\uc2a4 \uc0c1\ud0dc \uc815\ubcf4\ub97c \ubcfc \uc218 \uc788\uc73c\uba70 \uc5ec\uae30\uc5d0\ub294 \ud504\ub85c\uc138\uc2a4 ID, \ud504\ub85c\uc138\uc2a4\uac00 \uc2e4\ud589\ub41c \uc2dc\uac04, \ud604\uc7ac \uc0ac\uc6a9 \uc911\uc778 CPU\uc640 \uc8fc \uba54\ubaa8\ub9ac\uc758 %\uac00 \uc788\ub2e4. \ud2b9\ud788 psad \ub370\ubaac\uc758 \uacbd\uc6b0 \uc2e4\ud589 \uc2dc \uc8fc\uc5b4\uc9c4 \uba85\ub839 \ud589 \uc778\uc790\uac00 \uc788\ub2e4\uba74 \uc774\uac83\ub3c4 \ucd9c\ub825\uc5d0 \ud3ec\ud568\ub418\uba70, psad\uac00 \uacbd\uace0 \uba54\uc77c\uc744 \uc804\uc1a1\ud558\uac8c \uc124\uc815\ub41c \uba54\uc77c \uc8fc\uc18c\ub3c4 \ud3ec\ud568\ub41c\ub2e4.<\/p>\n– \uc11c\uba85 \ub9e4\uce6d \uc0c1\uc704 50\uac1c
\ub2e4\uc74c\uc73c\ub85c\ub294 \uc11c\uba85 \ub9e4\uce6d\uc758 \uc0c1\uc704 50\uac1c\uac00 \ub098\uc640 \uc788\ub2e4. 50\uac1c \uc774\uc0c1 \ucd9c\ub825\ub418\uac8c \ud558\ub824\uba74 \/etc\/psad\/psad.conf \ud30c\uc77c\uc758 STATUS_SIGS_THRESHOLD \ubcc0\uc218 \uac12\uc744 \uc99d\uac00\uc2dc\ud0a4\uba74 \ub41c\ub2e4.<\/p>\n– \uacf5\uaca9\uc790 \uc0c1\uc704 25\uac1c
\ub2e4\uc74c\uc73c\ub85c\ub294 \uacf5\uaca9 IP \uc8fc\uc18c\uc758 \uc0c1\uc704 25\uac1c\uac00 \ub098\uc5f4\ub3fc\uc788\ub2e4. psad\uac00 25\uac1c \uc774\uc0c1 \ucd9c\ub825\ub418\uac8c \ud558\ub824\uba74 psad.conf \ud30c\uc77c\uc758 STATUS_IP_THRESHOLD \ubcc0\uc218 \uac12\uc744 \uc99d\uac00\uc2dc\ud0a4\uba74 \ub41c\ub2e4. \uc0c1\uc704 \uacf5\uaca9\uc790\ub4e4\uc758 \ubaa9\ub85d\uc744 \uc54c\uba74 \uc0ac\uc6a9\uc790 \uc2dc\uc2a4\ud15c\uc5d0 \uc7a0\uc7ac\uc801\uc73c\ub85c \uc704\ud5d8\ud560 \uc218 \uc788\ub294 \uc778\ud130\ub137\uc0c1\uc758 IP \uc8fc\uc18c\uc5d0 \ub300\ud574 \uc880 \ub354 \ub098\uc740 \uacb0\uc815\uc744 \ud560 \uc218 \uc788\ub2e4.<\/p>\n– \uc2a4\uce94\ub41c \ud3ec\ud2b8 \uc0c1\uc704 20\uac1c
\ub2e4\uc74c\uc73c\ub85c\ub294 \uc0c1\uc704 20\uac1c\uc758 \uc2a4\uce94\ub41c TCP\uc640 UDP \ud3ec\ud2b8\uac00 \ub098\uc628\ub2e4. psad.conf \ud30c\uc77c\uc758 STATUS_PORT_THRESHOLD \ubcc0\uc218\ub97c \uc99d\uac00\uc2dc\ucf1c\uc11c 20\uac1c \uc774\uc0c1 \ucd9c\ub825\ud558\uac8c \ud560 \uc218 \uc788\ub2e4. \ud2b9\uc815 \uc11c\ube44\uc2a4\uc5d0 \ub300\ud574 \uc804\ud30c \uc911\uc778 \uc6dc\uc774 \uc788\ub2e4\uba74 \uc0c1\uc704 20\uac1c\uc758 \uc2a4\uce94\ub41c \ud3ec\ud2b8 \uc815\ubcf4\uac00 \ud574\ub2f9 \uc11c\ube44\uc2a4\uc5d0 \ub300\ud574 \uc99d\uac00\ub41c \uc6dc\uc758 \ud65c\ub3d9\uc744 \uc54c\uc544\ub0b4\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub41c\ub2e4. \uc774\ub7f0 \uc6dc\uc744 \uc774\uc6a9\ud55c \uacf5\uaca9\ud55c \ucde8\uc57d\ud55c \ub124\ud2b8\uc6cc\ud06c\uc5d0 \uc2dc\uc2a4\ud15c\uc774 \uc874\uc7ac\ud558\ub294 \uacbd\uc6b0 \uc0c1\uc704 20\uac1c\uc758 \uc2a4\uce94\ub41c \ud3ec\ud2b8 \ubaa9\ub85d\uc740 \uc778\ud504\ub77c\uc2a4\ud2b8\ub7ed\ucc98\uc5d0\uc11c \ucde8\uc57d\uc810\uc744 \uc81c\uac70\ud558\ub294 \ub370 \ub3c4\uc6c0\uc774 \ub420 \uc218 \uc788\ub2e4.<\/p>\n– \ub85c\uae45 \uc811\ub450\uc5b4
\ub2e4\uc74c\uc5d0\ub294 psad\uac00 \ucd94\uc815 \uc911\uc778 \ub85c\uae45 \uc811\ub450\uc5b4\uac00 \uc788\ub2e4. fwsnort\ub97c \uc2e4\ud589\ud558\ub294 \uacbd\uc6b0 \uac01\uac01\uc758 fwsnort iptables \uaddc\uce59\uc774 \uc11c\ub85c \ub2e4\ub978 \uc2a4\ub178\ud2b8 \uc11c\uba85\uc5d0 \ub300\uc751\ub418\ub294 \uc790\uc2e0\ub9cc\uc758 \ub85c\uae45 \uc811\ub450\uc5b4\ub97c \uac00\uc9c0\uae30 \ub54c\ubb38\uc5d0 \uc774 \ubd80\ubd84\uc758 \uc591\uc774 \ub9ce\uc744 \uc218 \uc788\ub2e4. \uc774 \ubd80\ubd84\uc744 \ud1b5\ud574 iptables \uc815\ucc45\uc5d0\uc11c \uac00\uc7a5 \uc77c\ubc18\uc801\uc73c\ub85c \ucd09\ubc1c\ub418\ub294 \ub85c\uae45 \uc811\ub450\uc5b4\ub97c \uc54c \uc218 \uc788\ub2e4. \ub85c\uae45 \uc811\ub450\uc5b4\ub294 \uac00\uc7a5 \ub9ce\uc774 \ucd09\ubc1c\ub41c\ub294 \uc21c\uc73c\ub85c \uc815\ub82c\ub3fc\uc788\ub2e4.<\/p>\n– DShield \ud1b5\uacc4
\ub2e4\uc74c\uc740 DShield \ubd84\uc0b0 IDS\ub85c \uc804\uc1a1\ub41c \uba54\uc77c \uacbd\uace0\uc758 \uac2f\uc218\ub2e4. \ud568\uaed8 \ub098\uc640 \uc788\ub294 \uac83\uc740 psad\uac00 \uc218\uc9d1\ud574\uc11c \ucd94\uac00\uc801\uc778 \ubd84\uc11d\uc744 \uc704\ud574 DShield\ub85c \uc804\uc1a1\ud55c \ucd1d \ud328\ud0b7 \uc218\ub2e4.<\/p>\n– \uc790\ub3d9 \ucc28\ub2e8\ub41c IP \uc8fc\uc18c
\uc704\uc758 \uc608\uc81c\uc5d0\ub294 \ub098\uc624\uc9c0 \uc54a\uc9c0\ub9cc \ub2e4\uc74c\uc5d0\ub294 psad\uac00 \ucc28\ub2e8\ud55c IP \uc8fc\uc18c\uac00 \ub098\uc628\ub2e4. \uc790\ub3d9 \ucc28\ub2e8\uc744 \uc774\uc6a9\ud558\ub824\uba74 ENABLE_AUTO_IDS\ub97c Y\ub85c \uc124\uc815\ud574\uc57c \ud55c\ub2e4. \uc790\ub3d9 \uc751\ub2f5 \uc815\ubcf4\ub294 ENABLE_AUTO_IDS \uac00 N \uc73c\ub85c \uc124\uc815\ub41c \uacbd\uc6b0\uc5d0\ub3c4 \ud56d\uc0c1 \uc0c1\ud0dc \uc815\ubcf4 \ucd9c\ub825\uc5d0 \ud3ec\ud568\ub41c\ub2e4. \uc774\ub294 psad\uac00 \uc790\ub3d9 \uc751\ub2f5 \uae30\ub2a5\uc744 \ud65c\uc131\ud654\ud588\ub358 \uc774\uc804 \uc2e4\ud589(\ud604\uc7ac \uc2e4\ud589 \uc911\uc778 psad \uc778\uc2a4\ud134\uc2a4\uc5d0\uc11c\ub294 \ud65c\uc131\ud654\ud558\uc9c0 \uc54a\uc74c)\uc5d0\uc11c \uc5ec\ub7ec IP \uc8fc\uc18c\ub97c \ucc28\ub2e8\ud588\uc744 \uc218 \uc788\uae30 \ub54c\ubb38\uc774\ub2e4.
– \uc2a4\uce90\ub2dd IP \uc8fc\uc18c\uc758 \uc0c1\uc138 \uc815\ubcf4
\ub9c8\uc9c0\ub9c9\uc73c\ub85c\ub294 psad\uac00 \ud604\uc7ac \ucd94\uc801 \uc911\uc774\uba70 \uac01 \uc8fc\uc18c\ub85c\ubd80\ud130 \uac10\uc2dc\ub41c \uc218\uc0c1\ud55c \ud2b8\ub798\ud53d\uc758 \uc2ec\uac01\ub3c4\uac00 \ucd5c\uc18c DANGER_LEVEL_1 \ub85c \ud560\ub2f9\ub41c \ucd9c\ubc1c\uc9c0 \uc8fc\uc18c\uc758 \uc804\uccb4 \ubaa9\ub85d\uc73c\ub85c \uc2dc\uc791\ud55c\ub2e4. \uac01 IP \uc8fc\uc18c\ud589\uc5d0\ub294 \uc218\uc0c1\ud55c \ud328\ud0b7\uc744 \uae30\ub85d\ud55c iptables \uccb4\uc778\uacfc \uc785\ub825 \uc778\ud130\ud398\uc774\uc2a4, \ucd9c\ubc1c\uc9c0 IP \uc8fc\uc18c\ub85c\ubd80\ud130\uc758 TCP, UDP, ICMP \ud328\ud0b7\uc758 \uac1c\uc218, \ud604\uc7ac \uc704\ud5d8 \uc218\uc900, \uba54\uc77c \uacbd\uace0 \uac1c\uc218, \uc218\uc0c1\ud55c \ud2b8\ub798\ud53d\uc744 \uc0dd\uc131\ud55c \uc6b4\uc601\uccb4\uc81c\uc5d0 \ub300\ud55c \ucd94\uce21 \uac12\ub3c4 \ud568\uaed8 \ucd9c\ub825\ub41c\ub2e4.<\/p>\npsad\uac00 \/var\/log\/psad \ub514\ub809\ud1a0\ub9ac\uc5d0 \uc2a4\uce94 \uc815\ubcf4\ub97c \uc798 \uae30\ub85d\ud558\uc9c0\ub9cc \uc2e4\ud589 \uc911\uc778 psad \ub370\ubaac\uc774 \uc5b4\ub5bb\uac8c \uc218\ud589 \uc911\uc778\uc9c0\uc5d0 \ub300\ud55c \uc815\ubcf4\ub97c \uc5bb\ub294 \ub2e4\ub978 \ubc29\ubc95\uc774 \uc788\ub2e4. \uba85\ub839\uc5b4 psad -U \ub97c (root \uad8c\ud55c\uc73c\ub85c) \uc2e4\ud589\ud558\uba74 \ud604\uc7ac \uc2e4\ud589 \uc911\uc778 psad \uc778\uc2a4\ud134\uc2a4\uac00 \uc2a4\uce94 \uc815\ubcf4\ub97c \ub514\uc2a4\ud06c\uc5d0 \uae30\ub85d\ud558\uae30 \uc704\ud574 \ub0b4\ubd80\uc801\uc73c\ub85c \uc0ac\uc6a9\ud558\ub294 \uc8fc \ud574\uc2dc \uc790\ub8cc \uad6c\uc870\uc758 \ub0b4\uc6a9\uc744 \ub364\ud504\ud558\uae30 \uc704\ud574 Data::Dumper \ud384 \ubaa8\ub4c8\uc744 \uc0ac\uc6a9\ud558\uac8c \uc9c0\uc2dc\ud558\ub294 USRI \uc2e0\ud638\ub97c \uc218\uc2e0\ud55c\ub2e4. \uacb0\uacfc\ub294 \/var\/log\/psad\/scan_hasb.pid \uc5d0 \uae30\ub85d\ub418\uba70, \uc5ec\uae30\uc11c pid\ub294 \ud604\uc7ac \uc2e4\ud589 \uc911\uc778 psad \ub370\ubaac\uc758 \ud504\ub85c\uc138\uc2a4 ID\ub2e4. \uc774 \ucd9c\ub825\uc758 \uc608\ub294 http:\/\/www.cipherdyne.org\/LinuxFirewalls \uc5d0\uc11c \uad6c\ud560 \uc218 \uc788\ub2e4.<\/p><\/blockquote>\n
* \ud3ec\ub80c\uc2dd \ubaa8\ub4dc<\/p>\n
\ub9ce\uc740 \uc0ac\ub78c\ub4e4\uc774 iptables \ub85c\uadf8 \ub370\uc774\ud130\ub97c \ud3ec\ud568\ud558\ub294 \uc624\ub798\ub41c syslog \ud30c\uc77c\uc744 \uac00\uc9c0\uace0 \uc788\ub2e4. psad\ub97c \ud3ec\ub80c\uc2dd(forensics) \ubaa8\ub4dc\ub85c \uc0ac\uc6a9\ud558\uba74 \uc774\ub7f0 \uc624\ub798\ub41c \ub85c\uadf8 \ud30c\uc77c\uc744 \uc0ac\uc6a9\ud574\uc11c \uacfc\uac70\uc5d0 \ubc1c\uc0dd\ud588\ub358 \uc218\uc0c1\ud55c \ud2b8\ub798\ud53d\uc744 \uc54c\uc544\ub0bc \uc218 \uc788\ub2e4. \uc774 \uc815\ubcf4\ub294 \uc2e4\uc81c \uce68\uc785\uc744 \ucd94\uc801\ud558\ub294 \uc911\uc774\uac70\ub098 \uce68\ud22c \uc2dc\uc810\uc5d0 \uc5b4\ub5a4 IP \uc8fc\uc18c\uac00 \uc2dc\uc2a4\ud15c\uc744 \uc2a4\uce94\ud588\ub294\uc9c0 \uc54c\uc544\ubcf4\uace0\uc790 \ud560 \ub54c \ud2b9\ud788 \uc720\uc6a9\ud560 \uc218 \uc788\ub2e4. psad\ub97c \ud3ec\ub80c\uc2dd \ubaa8\ub4dc\ub85c \uc2e4\ud589\ud558\ub824\uba74 \uc544\ub798\uc640 \uac19\uc774 -A \uba85\ub839\ud589 \uc2a4\uc704\uce58\ub97c \uc9c0\uc815\ud55c\ub2e4(IP \uc8fc\uc18c\ub294 \ubaa8\ub450 \ubcc0\uacbd\ud558\uc600\ub2e4)<\/p>\n
root@seclab:\/etc\/psad# psad -A
[+] Entering analysis mode. Parsing \/var\/log\/messages
[+] Found 17130 iptables log messages out of 19807 total lines.
This may take a while…
[+] Processed 1000 packets…
[+] Processed 2000 packets…
[+] Processed 3000 packets…
[+] Processed 4000 packets…
[+] Processed 5000 packets…
[+] Processed 6000 packets…
[+] Processed 7000 packets…
[+] Processed 8000 packets…
[+] Processed 9000 packets…
[+] Processed 10000 packets…
[+] Processed 11000 packets…
[+] Processed 12000 packets…
[+] Processed 13000 packets…
[+] Processed 14000 packets…
[+] Processed 15000 packets…
[+] Processed 16000 packets…
[+] Processed 17000 packets…
[+] Assigning scan danger levels…
Level 1: 0 IP addresses
Level 2: 0 IP addresses
Level 3: 0 IP addresses
Level 4: 2 IP addresses
Level 5: 0 IP addresses<\/p>\nTracking 2 total IP addresses
[+] Version: psad v2.1.4<\/p>\n[+] Top 50 signature matches:
[NONE]<\/p>\n[+] Top 25 attackers:
117.17.X.X DL: 4, Packets: 8462, Sig count: 0
117.17.X.X DL: 4, Packets: 3033, Sig count: 0<\/p>\n[+] Top 20 scanned ports:
tcp 25 2044 packets<\/p>\nudp 57321 8460 packets
udp 1947 2952 packets
udp 5353 1262 packets
udp 67 1254 packets
udp 138 587 packets
udp 137 341 packets
udp 9999 212 packets
udp 11702 7 packets
udp 2343 7 packets<\/p>\n[+] iptables log prefix counters:
“DROP”: 17126
“DROP INVALID”: 4<\/p>\nTotal packet counters: tcp: 2044, udp: 15082, icmp: 0<\/p>\n
[+] IP Status Detail:<\/p>\n
SRC: 117.17.Z.Z, DL: 4, Dsts: 1, Pkts: 8462, Unique sigs: 0<\/p>\n
DST: 255.255.255.255
Scanned ports: UDP 2343-57321, Pkts: 8462, Chain: INPUT, Intf: eth0<\/p>\nSRC: 117.17.A.A, DL: 4, Dsts: 2, Pkts: 3033, Unique sigs: 0<\/p>\n
DST: 255.255.255.255
Scanned ports: UDP 1947-9999, Pkts: 2962, Chain: INPUT, Intf: eth0
DST: 224.0.0.251
Scanned ports: UDP 5353, Pkts: 71, Chain: INPUT, Intf: eth0<\/p>\nTotal scan sources: 2
Total scan destinations: 2<\/p>\n[+] These results are available in: \/var\/log\/psad\/analysis.out<\/p>\n
[+] Finished –Analyze cycle.<\/p><\/blockquote>\n
\uc704 \ucd9c\ub825\ubb3c\uc740 psad\uac00 \ub85c\uadf8 \ud30c\uc77c\ub85c\ubd80\ud130 \uad6c\ubb38 \ubd84\uc11d\ud55c iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\uc758 \ucd1d\uc218\ub97c \uc54c\ub824\uc8fc\ub294 \uc815\ubcf4\uac00 \ud3ec\ud568\ub41c\ub2e4. \ub610 \ucd9c\ub825\uc740 5\uac1c\uc758 \uc704\ud5d8 \uc218\uc900\uc5d0 \ud574\ub2f9\ud558\ub294 IP \uc8fc\uc18c\uc758 \ucd1d\uc218\ub3c4 \ub098\uc5f4\ud55c\ub2e4. \ud3ec\ub80c\uc2dd \ucd9c\ub825\uc758 \ub098\uba38\uc9c0 \ubd80\ubd84\uc740 \uc774\uc804 \uc808\uc758 –Status \ucd9c\ub825\uacfc \uc720\uc0ac\ud574\uc11c \uac00\uc7a5 \ub9ce\uc774 \uc2a4\uce94\ub41c \ud3ec\ud2b8, \uc0c1\uc704 \uacf5\uaca9\uc790, \uc11c\uba85 \ub9e4\uce6d \ub4f1\uc5d0 \ub300\ud55c \uc815\ubcf4\uac00 \ud3ec\ud568\ub41c\ub2e4.<\/p>\n
psad\ub294 \ud3ec\ub80c\uc2dd \ubaa8\ub4dc\uc77c \ub54c \uae30\ubcf8\uc801\uc73c\ub85c \/var\/log\/messages \ud30c\uc77c\ub85c\ubd80\ud130 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \uad6c\ubb38 \ubd84\uc11d\ud55c\ub2e4. \uc774 \uacbd\ub85c\ub294 \ub2e4\uc74c\uacfc \uac19\uc774 -m \uba85\ub839 \ud589 \uc778\uc790\ub97c \uc0ac\uc6a9\ud574\uc11c \ubcc0\uacbd\ud560 \uc218 \uc788\ub2e4.<\/p>\n
# psad -A -m \/some\/file\/path<\/p><\/blockquote>\n
* \uc0c1\uc138\/\ub514\ubc84\uadf8 \ubaa8\ub4dc<\/p>\n
psad\uac00 iptables \ub85c\uadf8 \uba54\uc2dc\uc9c0\ub97c \uac10\uc2dc\ud560 \ub54c psad\uc758 \ub0b4\ubd80 \ub3d9\uc791\uc744 \uc54c\uc544\ubcf4\ub824\uba74 –debug \uc2a4\uc704\uce58\ub97c \uc774\uc6a9\ud574\uc11c psad\ub97c \uc0c1\uc138 \ubaa8\ub4dc\ub85c \uc2e4\ud589\ud558\uba74 \ub41c\ub2e4.<\/p>\n
# psad –debug<\/p><\/blockquote>\n
\uc774 \uc2a4\uc704\uce58\ub97c \uc785\ub825\ud558\uba74 psad\ub294 \ub370\ubaac\uc774 \ub418\uc9c0 \uc54a\uc73c\uba70, \uc2e4\ud589 \ub3c4\uc911 STDERR\ub85c \uc815\ubcf4\ub97c \ud45c\uc2dc\ud560 \uc218 \uc788\uac8c \ub41c\ub2e4. \uc774 \uc815\ubcf4\uc5d0\ub294 MAC \uc8fc\uc18c\uc5d0\uc11c \uc218\ub3d9\uc801 OS \ud551\uac70\ud504\ub9b0\ud305 \uc815\ubcf4\uae4c\uc9c0 \ubaa8\ub4e0 \uac83\uc774 \ud3ec\ud568\ub41c\ub2e4.<\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
* \uc2a4\ub178\ud2b8 \uaddc\uce59\uc744 \uc0ac\uc6a9\ud55c \uacf5\uaca9 \ud0d0. iptables \ub85c\uae45 \ud615\uc2dd\uc740 \ub9e4\uc6b0 \uc644\uc804\ud558\uae30 \ub54c\ubb38\uc5d0 psad\ub294 \uc560\ud50c\ub9ac\ucf00\uc774\uc158 \uacc4\uce35 \uae30\uc900\uc774 \uc5c6\ub294 \uc2a4\ub178\ud2b8 \uaddc\uce59\uacfc \ub9e4\uce6d\ub418\ub294 \ud2b8\ub798\ud53d\uc744 \ud0d0\uc9c0\ud560 \uc218 \uc788\ub2e4. \uc608\ub97c \ub4e4\uc5b4 \ub2e4\uc74c\uacfc \uac19\uc740 \uc2a4\ub178\ud2b8 \uaddc\uce59\uc744 \uc0dd\uac01\ud574\ubcf4\uc790. \uc774 \uaddc\uce59\uc740 \ucd9c\ubc1c\uc9c0 \ud3ec\ud2b8\uac00 10101\uc774\uace0 \uc2b9\uc778 \uac12\uc774 0\uc774\uba70 SYN … Continue reading
![\"\"](\"http:\/\/pchero21.com\/wp-content\/uploads\/1\/XG9KxEnDX4.png\")