| Intrusion detection System (IDS) is the processing system of identifying and responding to the malicious use behavior of computer and network system resources, it is like radar alert, without affecting the network performance, the network carries on the vigilance, the detection, collects the information from several key points of the computer network, through
This information is analyzed to see if there are any security policy violations and signs of attack on the network, extending the security management capabilities of the system administrator and improving the integrity of the information security infrastructure. In general, IDs are added as firewalls, so IDs are typically behind firewalls, which enable real-time detection of network activity and the recording and suppression of network activity based on conditions.Intrusion detection System IDs can be divided into host-based intrusion detection system and network-based intrusion detection system according to different emphases of work. Intrusion detection system is generally divided into two parts is a part of the detection (Sensor), part of the processing of alarm results of the console. The composition of different intrusion detection is not quite the same basically has the console and sensor two basic parts, host-based intrusion detection in most of the host installed an agent to collect system information to sensor report.
The detection information sources of intrusion detection system are sensor by the detection part of the IDs.
Network-based intrusion detection, mainly through the interception of network packets analysis, to find the attack characteristics and bad intentions of the packet. Detection of network-based intrusion detection systems in the network part of the Sensor is generally arranged in the mirror port of a switch (or a normal hub arbitrary port), listen to all the packets flowing through the network, find the matching packets, to get the intrusion of the information source.
The sensor of host-based intrusion detection system is not possible to obtain information directly from internal system, it is to be done through a prior agent, installed in the need to detect the host, these agents mainly collect system and network log files, directories and files in the unwanted changes in the implementation of the expected behavior, Physical form of intrusion information. Detection terminal of network-based intrusion detection system sensor is generally arranged in the core switch of the network, or the mirror port of the switch of the Department exchange (take the mirror port of the sensor on the core Exchange machine or the mirror port of the departmental switch, mainly by the network traffic and the number of clients, As well as the processing power of intrusion detection and the frequency of network attack, it is on the network management machine, install the Intrusion detection system console, do the alarm processing, in the important server or have the necessary client Installation Agent system and network log System information, search for the attack characteristics of the packet. The technician analyzes and monitors the detection information from the host and the network. Snort is currently the most widely used IDs product, it is positioned as a lightweight intrusion detection system, it has the following features:
(1) It is a lightweight network intrusion detection system, the so-called lightweight refers to the software in the operation of only a very small amount of network resources, the original network performance has little impact.
(2) from the data source, it is a network intrusion detection software, that is, it as a sniffer to the same network of other hosts to capture the traffic, and then analysis.
(3) Its work uses the misuse detection model, namely first establishes the intrusion behavior characteristic to cry, then in the detection process, will collect the packet and the characteristic code R to compare, obtains whether invades the conclusion.
(4) It is the open source code network intrusion detection system written in C language. The source code can be freely read, spread and modify, any programmer can be free to add functionality, modify errors, arbitrary propagation. This enables it to be developed rapidly and popularized.
(5) It is a cross-platform software, supported by a wide range of operating systems, such as Windows,linux,SunOS, etc. are supported. It's easy to install under Windows: First download the network Packet Capture tool WINPCAP (www.winpcap.org) in Windows, and then download the snort installation package and double-click the installation directly.
(6) Snort has three main modes: packet sniffers, packet recorders, or sophisticated intrusion detection systems.
Some of the features of snort:
Real-time communication analysis and packet recording.
Packaging Payload Inspection.
Protocol analysis and content query matching.
Detect buffer overflow, secret port scan, CGI attack, SMB detection, operating system intrusion attempt.
Real-time alerting of system logs, designated files, Unix sockets, or winpopus through Samba. Snort can work in 3 modes of work, respectively, as follows:
1) Sniffer sniffer:
Command: snort-v [-d][-x] Snort uses the LIBPCAP Packet Capture library, which is the library that Tcpdump uses. In this mode, snort reads and resolves the network groupings in the shared channel using the promiscuous mode of the network interface. BPF expressions can be used to filter traffic.
-V Verbose
-D Dump application-tier data
-X Dumps the original package starting at the link layer
2) packet Log mode
Command: Snort-l dir [-H Hn][-b]
In this mode, the parsed groupings are recorded in ASCII format.
-L directory snort will put the log in this directory
-h x.x.x.x Set local subnet number
-B log uses tcpdump binary format
3 Intrusion Detection mode
Command: Snort-c snort.conf [-L dir]
You must load the rule library to enter intrusion detection mode. That
#./snort-c snort.conf
Snort puts the alert information in the/var/log/snort directory and can change the directory with the-l option. When we adopt intrusion detection mode, we must load the rule library to detect, and after loading the rule library, snort network data and rule set are matched in pattern to detect possible intrusion attempts. This article describes the installation and configuration of snort under the Linux platform (here is Redhat 9.0), and finally configures a acid Web intrusion Event Database analysis console for snort. You need to install a variety of software build support environments in a Linux environment before you can use snort. The relevant software and their roles are listed in table 1.
Table 1 software required to install snort
| software name |
download Web site |
effect |
| Apache |
http://httpd.apache.org/ |
Linux under Aapche server |
| P HP |
http://php.net/ |
php script support |
| MySQL |
http://www.mysql.cn/ |
database support |
| libpcap |
http://www.tcpdump.org/ |
Network grab tool |
| snort |
http://www.snort.org |
The Snort installation package under Windows |
| ACID |
http://www.cert.org/kb/acid |
Intrusion Detection Database analysis console based on PHP |
| ADOdb |
http://adodb.sourceforge.net |
provide PHP with a unified database connection function |
| jpgraph |
http://www.aditus.nu/jpgraph |
PHP Graphics gallery |
1. Install zlib1.1.4
Tar-xzvf ZL ib- xx.tar.gz
CD zlib-xx
/configure;
Make install
CD ...
2. Install LibPcap0.7.2
TAR-XZVF libpcap.tar.gz
CD libpcap-xx
/configure
Make
Make install
CD ...
3. Install MySQL4.0.12
TAR-XZVF mysql-xx.tar.gz
CD mysql-xx
/configure--prefix=/usr/local/mysql
Make
Make install
CD scripts
/mysql_install_db
chown-r root/usr/local/mysql
Chown-r mysql/usr/local/ Mysql/var
Chgrp-r mysql/usr/local/mysql
CD./SUPPORT-FILES/MY-MEDIUM.CNF/ETC/MY.CNF
to/etc/ Add two lines to the ld.so.conf:/usr/local/mysql/lib/mysql
/usr/local/lib
to load the storage, perform
Ldconfig–v
to test whether MySQL is working:
4. Installation of Apache2.0.45 and PHP4.3.1
TAR-ZXVF httpd-2.0.xx.tar.gz
CD httpd_2.xx.xx
/configure--prefix=/www--enable-so
Make
Make install
Cd..
TAR-ZXVF php-4.3.x.tar.gz
CD php-4.3.x
/configure--prefix=/www/php--with-apxs2=/www/bin/apxs--with-config-filepath=/www/php--enable-sockets-- With-mysql=/usr/local/mysql--with-zlibdir=/
Usr/local--WITH-GD
CP Php.ini-dist/www/php/php.ini
Edit httpd.conf (/www/conf):
Join two lines
LoadModule Php4_module modules/libphp4.so
AddType application/x-httpd-php. php
The relevant contents of httpd.conf are as follows:
#
# LoadModule Foo_module modules/mod_foo.so
LoadModule Php4_module modules/libphp4.so
# AddType allows to tweak mime.types without actually it, or? $
# make certain the files to be certain types.
#
AddType Application/x-tar. tgz
AddType image/x-icon. ico
AddType application/x-httpd-php. php
Test Apache and PHP:
5. Install Snort2.0
5.1 Setting up snort profiles and log directories
Mkdir/etc/snort
Mkdir/var/log/snort
TAR-ZXVF snort-2.x.x.tar.gz
CD snort-2.x.x
/configure--with-mysql=/usr/local/mysql
Make
Make install
5.2 Installation rules and configuration files
CD rules (under the Snort installation directory)
CP */etc/snort
CD./etc
CP Snort.conf/etc/snort
CP *.config/etc/snort
5.3 Modification snort.conf (/etc/snort/snort.conf)
var home_net 10.2.2.0/24
var rule_path./rules modified to Var rule_path/etc/snort/
To change the logging database:
Output Database:log, MySQL, User=root Password=your_password
Dbname=snort Host=localhost
5.4 Set Snort to self start:
Under the Snort installation directory
Cd/contrib.
CP S99snort/etc/init.d/snort
Vi/etc/init.d/snort
Modify Snort as follows:
Config=/etc/snort/snort.conf
#SNORT_GID =nogroup (note out)
#8194 $SNORT _path/snort-c $CONFIG-i $IFACE? $OPTIONS
chmod 755/etc/init.d/snort
Cd/etc/rc3.d
Ln-s/etc/init.d/snort S99snort
Ln-s/etc/init.d/snort K99snort
Cd/etc/rc5.d
Ln-s/etc/init.d/snort S99snort
Ln-s/etc/init.d/snort K99snort
6 Set up the snort database in MySQL, the results are as follows:
7. Install ADODB
CP adodb330.tgz/www/htdocs/
Cd/www/htdocs
TAR-XZVF adodb330.tgz
RM-RF adodb330.tgz
8. Install Jggraph
CP Jpgraph-1.11.tar.gz/www/htdocs
Cd/www/htdocs
TAR-XZVF jpgraph-1.xx.tar.gz
RM-RF jpgrap-1.xx.tar.gz
CD jpgraph-1.11
RM-RF README
RM-RF QPL.txt
9. Installation configuration Data Console acid
CP Acid-0.0.6b23.tar.gz/www/htdocs
Cd/www/htdocs
Tar-xvzf acid-0.9.6b23.tar.gz
RM-RF acid-0.9.6b23.tar.gz
Cd/www/htodcs/acid/
Edit acid_conf.php, modify the related configuration as follows:
#8194; $DBlib _path = "/www/htdocs/adodb";
#8194; $alert _dbname = "snort";
#8194; $alert _host = "localhost";
#8194; $alert _port = "";
#8194; $alert _user = "root";
#8194; $alert _password = "Your_password";
/* Archive DB Connection Parameters * *
#8194; $archive _dbname = "snort";
#8194; $archive _host = "localhost";
#8194; $archive _port = "";
#8194; $archive _user = "root";
#8194; $archive _password = "Your_password";
And a little further down
#8194; $ChartLib _path = "/WWW/HTDOCS/JPGRAPH-1.11/SRC";
/* File format of charts (' PNG ', ' jpeg ', ' gif ') * *
#8194; $chart _file_format = "png";
Enter the Web interface:
http://yourhost/acid/acid_main.php
Point "Setup Page" link->create Acid AG
Access to Http://yourhost/acid will see the acid interface.
Snort rules The Snort rule library is constantly updated and can be downloaded to the latest Snort rule library from www.snort.org. Snrot uses a simple lightweight rule description language to describe its rule configuration information, which is flexible and powerful. The snort rule must be written on a single line before version 1.8, and it can be folded in the current version with '/'.
Snort rules are divided into two logical parts: Rule headers and rule options. The rule header contains the action of the rule, protocol, source and destination IP address and netmask, and source and destination port information; The Rule Options section contains the contents of the alert message and the specific portion of the package to check. Here is a rule example:
Alert TCP any-> 192.168.1.0/24 (content: "|00 a5|"; msg: "Mountd access";) The part before the parentheses is the rule header, and the part in parentheses is the rule option. The word before the colon in the Rule Options section is called an option keyword. Note: Not all rules must include the Rule Options section, and the option section is only to make the definition of a package to be collected or alerted, or discarded, more restrictive. All elements that make up a rule must be true for the specified action to be taken. When multiple elements are placed together, they are considered to form a logical and (and) statement. Also, different rules in the Snort rule library file can be considered to constitute a large logical or (or) statement. The following figure is downloaded from the official website of http://www.snort.org community-rules-2.4
Part of the rule in Mysql.rules. We looked at one of the following:
Alert TCP $EXTERNAL _net any-> $SQL _servers 3306 (msg: "MYSQL root
Login attempt "; flow:to_server,established; Content: "|0a 00 00 01 85 04 00 00
80|root|00| "; Classtype:protocol-command-decode; sid:1775; Rev:2;) It means that when accessing the 3306 port of the MySQL server from any port on the external network, if the data flow The content is matched to 0A 00 (where the numbers represent 2 bytes
Code), then in the record or alarm "MYSQL root login attempt". By analyzing the snort rules, we can see that the most important thing in the snort rule, in addition to the IP address and the port number, is pattern-matching content, which is included in the keyword content. We want to commit the vulnerability attack code and the tool is used when the network detection features that match the snort format, should be the attack code in the Feature field. By analyzing the feature rules and the data on the Internet, we find that for the feature fields, the ethreal or other sniffer tools are used to intercept the packets, and then according to the decoding contents of the packets, the feature fields are analyzed and the rules of Snort are written. In the article "using Snort to detect ms05-051 attack on principle", the author gives the method and step of how to write rules for ms05-051 vulnerabilities and detect attacks by attacking code. As can be seen from the text, the main thing is to intercept the packet with Ethreal, extract the key points of the match, and then use the keyword in snort to write the rules, so that the rules of snort features. This article describes the installation and configuration of Snort under Linux, and explains the knowledge of the Snort rules library, and how to write your own rules in line with the snort format, and I hope you learn and understand snort help. |
