In practice, the popular IDS products on the market are priced from 100,000 up to several million. That relatively high price tag is widely criticized, and the result is that small and medium-sized enterprises generally cannot afford to deploy an IDS; they concentrate instead on hardening routers, firewalls and Layer 3 switches. Many large and medium-sized enterprises already own IDS products, but the inherent weaknesses of IDS make them seem useless. We cannot simply abandon it, though, because intrusion detection is a necessary step. IPS that incorporates IDS functions is likely to displace the standalone IDS from its dominant market position within a few years; moving from passive response to active defense is the trend of the times.
In fact, the techniques behind IDS are not very mysterious. This article introduces a simple basic IDS architecture in an easy-to-understand way. In terms of market share and difficulty, a NIDS is the most appropriate example to deploy, so this document walks through the entire intrusion detection process on a Windows platform. Because of limited space, it is presented as a qualitative analysis.
Prerequisites
IDS: Intrusion Detection System, a combination of software and hardware that collects network and system information in order to detect and analyze intrusions.
Two organizations standardize IDS: the Intrusion Detection Working Group (IDWG) and the Common Intrusion Detection Framework (CIDF).
IDS classification: Network-based IDS (NIDS), Host-based IDS (HIDS), Hybrid IDS, Console IDS, File Integrity Checkers, and Honeypots.
Event Generation System
CIDF covers all the elements of the general intrusion detection idea and the simplest set of intrusion detection components. Under the CIDF specification, the data an IDS analyzes is collectively referred to as an event. An event may be a data packet on the network, or information obtained from system logs or other sources.
Without a data flow (that is, without data collection), an IDS is a tree without roots, and useless.
As the lowest-level component of an IDS, the event generation system collects all defined events and passes them to the other components. On Windows, the basic practice is to use Winpcap and Windump.
For event generation and event analysis, the well-known software and programs run on Linux and Unix. On Windows, however, there is also a counterpart to Libpcap (the essential library for capturing network packets from the kernel on Unix or Linux): Winpcap.
Winpcap is a free set of network interface APIs for Windows. It puts the NIC into promiscuous mode and processes the packets captured from the network in a loop. The technique is simple, portable and independent of the network card, but not very efficient, so it is suitable for networks below 100 Mbps.
The corresponding Windows network sniffer is Windump (a port of the Linux/Unix Tcpdump). It requires the Winpcap interface (some people therefore call Winpcap the data sniffing driver). Windump displays the headers of packets that match a filter rule; you can use it to find network problems or monitor network conditions, and to a certain extent it can effectively observe secure and insecure behaviour on the network.
Both programs are freely available online, and readers can also consult their usage tutorials.
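The event generation stage described above, as an added example that is not part of the original article or of the Winpcap/Windump projects: a small C decoder that takes one raw Ethernet frame (a constructed TCP SYN, not captured traffic), extracts the fields an IDS event record needs, and applies a Windump-style protocol/port filter. The frame stands in for what Winpcap would hand back from the NIC in promiscuous mode; the event_t structure, decode_frame and event_matches are assumptions of this example, and the truncation and EtherType checks show why the event generator must validate lengths before the analysis stage trusts the fields.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal "event generation" stage (example, not Winpcap's API):
 * decode an Ethernet/IPv4/TCP-or-UDP frame into an event record. */
typedef struct {
    uint8_t  src_ip[4], dst_ip[4];
    uint8_t  proto;        /* IP protocol number: 6 = TCP, 17 = UDP */
    uint16_t src_port, dst_port;
    uint8_t  tcp_flags;    /* raw TCP flag byte, 0 for non-TCP */
    int      valid;        /* 0 if the frame was truncated or unsupported */
} event_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode one frame; returns 1 on success, 0 if malformed or not IPv4.
 * Every offset is bounds-checked against len before it is read. */
int decode_frame(const uint8_t *frame, size_t len, event_t *ev) {
    memset(ev, 0, sizeof *ev);
    if (len < 14 + 20) return 0;                  /* Ethernet + minimum IPv4 */
    if (be16(frame + 12) != 0x0800) return 0;     /* EtherType: IPv4 only */
    const uint8_t *ip = frame + 14;
    if ((ip[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || 14 + ihl > len) return 0;
    uint16_t total = be16(ip + 2);                /* IPv4 total length */
    if (total < ihl || 14 + (size_t)total > len) return 0;
    memcpy(ev->src_ip, ip + 12, 4);
    memcpy(ev->dst_ip, ip + 16, 4);
    ev->proto = ip[9];
    const uint8_t *l4 = ip + ihl;
    size_t l4len = total - ihl;
    if (ev->proto == 6 || ev->proto == 17) {
        if (l4len < (ev->proto == 6 ? 20u : 8u)) return 0;
        ev->src_port = be16(l4);
        ev->dst_port = be16(l4 + 2);
        if (ev->proto == 6) ev->tcp_flags = l4[13];
    }
    ev->valid = 1;
    return 1;
}

/* Filter in the spirit of Windump's "tcp and dst port 80":
 * proto 0 matches any protocol, dst_port 0 matches any port. */
int event_matches(const event_t *ev, uint8_t proto, uint16_t dst_port) {
    if (!ev->valid) return 0;
    if (proto && ev->proto != proto) return 0;
    if (dst_port && ev->dst_port != dst_port) return 0;
    return 1;
}

/* Constructed sample frame: TCP SYN 10.0.0.5:40000 -> 10.0.0.1:80.
 * Checksums are left as zero because this decoder does not verify them. */
static const uint8_t sample_syn[] = {
    /* Ethernet: dst MAC, src MAC, EtherType 0x0800 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/ihl, tos, total len 40, id, flags/frag, ttl, proto 6, csum */
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x05,  0x0a,0x00,0x00,0x01,
    /* TCP: sport 40000, dport 80, seq, ack, data offset 5, flags SYN */
    0x9c,0x40, 0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00
};

const uint8_t *sample_syn_bytes(void) { return sample_syn; }
size_t sample_syn_len(void) { return sizeof sample_syn; }

int main(void) {
    event_t ev;
    if (!decode_frame(sample_syn, sizeof sample_syn, &ev)) {
        puts("frame rejected");
        return 1;
    }
    printf("event: %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u proto=%u flags=0x%02x\n",
           ev.src_ip[0], ev.src_ip[1], ev.src_ip[2], ev.src_ip[3], ev.src_port,
           ev.dst_ip[0], ev.dst_ip[1], ev.dst_ip[2], ev.dst_ip[3], ev.dst_port,
           ev.proto, ev.tcp_flags);
    printf("matches 'tcp and dst port 80': %d\n", event_matches(&ev, 6, 80));
    return 0;
}
```

In a real deployment the loop around decode_frame is Winpcap's capture callback, and the filter would be compiled from a Windump expression rather than hard-coded; the point here is that the record handed upward is only as trustworthy as the length checks in the decoder.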