Guide to Linux Snort intrusion detection system (1)

We all know that the enterprise's current network threats mainly come from two locations: internal and external. All external threats can be blocked by the firewall, but internal attacks cannot be prevented. Because the company's internal staff have a deep understanding of the system and have legal access permissions, internal attacks are more likely to succeed.

IDS provides protection for information and has become an important part of deep defense policies. IDS is similar to anti-theft alarm devices in the real world. They monitor intrusions and send alerts to specific clients when suspicious behaviors are detected. IDS can be divided into two types: Host IDS (HIDS) and network IDS (NIDS ). HIDS is installed on a monitored host and has the permission to access sensitive files. HIDS uses this access privilege to monitor abnormal behavior. NIDS exist in the network to protect a large number of network facilities by capturing traffic sent to other hosts.

Both HIDS and NIDS have their own advantages and disadvantages. The complete security solution should include these two IDS, which is hard to achieve. People who do not know this field often think that IDS is like a omnipotent key to solve all security problems. For example, some organizations have spent a lot of money to purchase commercial IDS. Due to improper configuration, these companies have even false positives, which immediately fills the database with a large amount of packet loss and then crashes. This kind of attitude makes people think that everything is fine as long as IDS are randomly placed on the Internet, and there is no need to worry about any problems. In fact, this is far from the case. No one will think that the Email server can operate correctly directly on the Internet. Similarly, you also need to properly plan IDS policies and placement of sensors. The following describes how to correctly install and maintain IDS by taking the installation and maintenance of open-source software Snort as an example.

Install Snort

1. Installation preparation

Before installation, we need to know what we need to monitor. The ideal situation is to monitor everything. All network devices and any external-to-enterprise connections are monitored by Snort. Although this plan is very likely to be achieved for a small company with only dozens of machines, when large enterprises connect to Tiantai network equipment, this becomes an arduous task.

To enhance the security of snort detection, it is best to provide an independent smart switch for the monitoring network segment. If you need to configure distributed configurations, you can connect the server and the console to a switch, 2. Other sensors are placed in different physical locations, but the cost increases. Snort IDS maintenance problems cannot be avoided. Sooner or later, you will need to update Snort features and write custom rules, so you also need a professional who knows how to maintain IDS.