Snort is a multi-platform, real-time traffic analysis intrusion detection system. It is a packet sniffer based on libpcap and can be used as a lightweight network intrusion detection system.
Snort has three working modes:
1. Sniffer mode: reads packets from the network and displays them as a continuous stream on the terminal.
2. Packet logger mode: records packets to disk.
3. Network intrusion detection mode: fully configurable, and therefore the most complex of the three.
Working principle:
Like a sniffer, Snort captures packets from the network; unlike a plain sniffer, it can then act on each packet according to user-defined rules. A rule specifies one of five response actions:
Activate (raise an alert and switch on another, dynamic rule chain)
Dynamic (stays idle until called by an activate rule)
Alert (raise an alert)
Pass (ignore the packet)
Log (record the traffic without raising an alert)
Running Snort:
Snort gets most of its power from the coordination of its many plug-ins, so choosing a suitable database, web server and graphics/reporting software, in matching versions, is an important part of deployment.
Disadvantages:
Snort is lightweight partly because its feature set is not complete; its interaction with other products, for example, still needs improvement. Because it depends on cooperating plug-ins, installation is complicated, and version mismatches between plug-ins sometimes break the program. Snort matches all traffic against its rules, so legitimate programs sometimes generate many false positives.
Intrusion Detection System: IDS
Intrusion Protection System: IPS
An IDS provides detection; an IPS provides active protection.
SessionWall: a product from CA with a graphical interface. It monitors traffic and programs comprehensively through alarm and blocking rules.
RealSecure: ISS RealSecure is real-time monitoring software consisting of three parts: a console, a network engine, and a system agent. Its templates include security event templates, connection event templates, and user-defined event templates.
In essence, IDS comes in two types: network-based IDS (NIDS) and host-based IDS (HIDS).
Host-based HIDS (software), such as Snort, catches intrusions that the firewall does not detect. It must be installed on the protected host, where it can inspect traffic, logs, user behaviour, and selected files.
Network-based NIDS (hardware), such as Digital China H3C products, must be deployed in conjunction with switches.
Working principle:
Listening: the IDS listens on a port and collects the packets it is interested in.
Feature comparison: the IDS extracts statistical feature values from the traffic and compares them against its feature (signature) database.
Alert: traffic with a sufficiently high matching degree is treated as an attack, and the IDS triggers an alert.
[Information collection - analysis - detection - alarm]
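The rule actions listed under Snort's working principle above and the listen / compare / alert cycle described here can be followed end to end in the following Python model. It is an added example, not Snort's code or anything from the page: a parser for the rule header and option syntax, a matcher that checks each packet's protocol, addresses, ports and payload against a rule, and a processing loop that applies the five actions, including an activate rule arming a dynamic rule. The rules, the HOME_NET value and the packets are constructed for the example; real Snort orders rules by action type rather than by list position, which the model does not reproduce.

```python
import ipaddress
import re

# The five rule actions the notes list (real Snort adds drop/reject/sdrop in inline mode).
ACTIONS = {"activate", "dynamic", "alert", "pass", "log"}
# Constructed stand-in for the "var HOME_NET ..." lines of a snort.conf.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "any"}
# Rule header layout: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text):
    """Split one rule line into header fields plus an option map; $variables are expanded."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    rule = {k: v.lower() if k in ("action", "proto") else v for k, v in m.groupdict().items()}
    if rule["action"] not in ACTIONS:
        raise ValueError(f"unknown action {rule['action']!r}")
    rule["src"], rule["dst"] = VARS.get(rule["src"], rule["src"]), VARS.get(rule["dst"], rule["dst"])
    rule["opts"] = {}
    for item in m["opts"].split(";"):  # the sample options carry no ';' inside quotes
        if item.strip():
            key, _, val = item.partition(":")
            rule["opts"][key.strip()] = val.strip().strip('"')
    rule["remaining"] = 0  # dynamic rules only: packets still to log once activated
    return rule

def _addr_ok(pattern, addr):
    """'any', one address, or a CIDR block."""
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def _port_ok(pattern, port):
    """'any', one port, or a lo:hi range (either end may be left open)."""
    if pattern == "any":
        return True
    lo, sep, hi = pattern.partition(":")
    return port == int(lo) if not sep else (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)

def rule_matches(rule, pkt):
    """Header check (either direction for '<>' rules), then the optional content: check."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    def ends(a, ap, b, bp):
        return (_addr_ok(rule["src"], a) and _port_ok(rule["sport"], ap)
                and _addr_ok(rule["dst"], b) and _port_ok(rule["dport"], bp))
    fwd = ends(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    rev = rule["dir"] == "<>" and ends(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    content = rule["opts"].get("content")
    return (fwd or rev) and (content is None or content.encode() in pkt["payload"])

def process(packets, rules):
    """One (action, msg) verdict per packet; the first matching rule in list order wins."""
    verdicts = []
    for pkt in packets:
        verdict = ("none", "")
        for rule in rules:
            if (rule["action"] == "dynamic" and rule["remaining"] <= 0) or not rule_matches(rule, pkt):
                continue  # dynamic rules stay dormant until an activate rule arms them
            msg = rule["opts"].get("msg", "")
            if rule["action"] == "activate":  # alert, then arm the dynamic rules wired to it
                for dyn in rules:
                    if dyn["action"] == "dynamic" and dyn["opts"].get("activated_by") == rule["opts"].get("activates"):
                        dyn["remaining"] = int(dyn["opts"].get("count", 1))
                verdict = ("alert", msg)
            elif rule["action"] == "dynamic":
                rule["remaining"] -= 1
                verdict = ("log", msg)
            else:
                verdict = (rule["action"], msg)
            break
        verdicts.append(verdict)
    return verdicts

# Constructed rules and packets, not taken from any real rule set or capture.
RULES_TEXT = [
    'pass tcp 192.168.1.10 any -> any any (msg:"trusted admin host"; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"telnet login prompt"; content:"login"; sid:1000002;)',
    'log udp any any -> $HOME_NET 53 (msg:"dns query"; sid:1000003;)',
    'activate tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"cgi-bin request"; content:"/cgi-bin/"; activates:1; sid:1000004;)',
    'dynamic tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"packet after cgi-bin request"; activated_by:1; count:2; sid:1000005;)',
]
WEB = dict(proto="tcp", src="10.9.9.9", sport=40002, dst="192.168.1.5", dport=80)
PACKETS = [
    dict(proto="tcp", src="10.9.9.9", sport=40000, dst="192.168.1.5", dport=23, payload=b"login: "),
    dict(proto="tcp", src="192.168.1.10", sport=40001, dst="192.168.1.5", dport=23, payload=b"login: "),
    dict(proto="udp", src="192.168.1.7", sport=5353, dst="192.168.1.1", dport=53, payload=b"\x12\x34"),
    # one web request that arms the dynamic rule, then three more packets of the same flow
    *[dict(WEB, payload=p) for p in (b"GET /cgi-bin/test HTTP/1.0\r\n", b"Host: www\r\n", b"\r\n", b"more")],
]

def demo():
    """Action taken on each packet in PACKETS, in order."""
    return [action for action, _ in process(PACKETS, [parse_rule(t) for t in RULES_TEXT])]
```

`demo()` returns the action chosen for each packet: the Telnet probe from outside is alerted on, the same probe from the trusted admin host is passed, the DNS query is logged, and the cgi-bin request raises an alert and arms the dynamic rule, which then logs the next two packets of that flow and goes dormant again, so the fourth web packet matches nothing.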
Host-based detection is installed only on important hosts.
Network-based intrusion detection must be deployed on network devices.
IDS deployment location (Snort):
(Without an IDS installed, only the basic routing settings are available to protect the intranet.)
Application on Linux (example):
Platform:
Linux 5.4
Software packages:
Adodb514.zip (an intermediate component used by PHP to access the database)
Base-1.4.5.tar.gz (a web application for viewing Snort IDS alerts)
Snort-2.8.0.1-1.RH5.i386.rpm (the intrusion detection system itself)
Snort-mysql-2.8.0.1-1.RH5.i386.rpm (connects Snort to the database)
Snortrules-snapshot-2.8.tar.gz (the intrusion detection rule set)