Snort is an IDS (intrusion detection system) developed by the U.S. company Sourcefire and released under the GPL v2.
Snort has three modes of operation: sniffer, packet logger, and network intrusion detection system (NIDS) mode. Sniffer mode simply reads packets from the network and displays them as a continuous stream on the terminal. Packet logger mode writes the packets to disk. Network intrusion detection mode analyzes the traffic, matches it against user-defined rules, and takes the configured action on each match. NIDS mode is the most complex of the three and the most configurable.
Snort can be used to monitor for a variety of traffic, such as port scans, and also provides plug-ins that write logs in XML form or to a database.
As a widely used network intrusion detection system (NIDS), Snort analyzes network traffic in real time and records the various kinds of attack behavior it sees together with the related packets. BASE (Basic Analysis and Security Engine) is an efficient, PHP-based analysis and query front end for Snort. Although installing and configuring the two is somewhat involved, their flexibility and scalability make them suitable, when configured properly, for building a campus-network intrusion detection platform.
Snort supports a variety of operating systems (Windows, Linux, Solaris, etc.); source code and installation packages can be obtained from http://www.snort.org. Because Snort is updated continuously, the following uses version 2.8.5 as the example. For overall performance and functionality it is not recommended to install Snort on Windows. Among Linux distributions, CentOS, Fedora, and Red Hat are recommended. Although Snort RPM packages are available and are easier to install, compiling from source is more flexible and easier to optimize.
Some of the features of snort:
-Real-time traffic analysis and packet logging
-Packet payload inspection
-Protocol analysis and content search/matching
-Detection of buffer overflows, stealth port scans, CGI attacks, SMB probes, and operating system intrusion attempts
-Real-time alerting to syslog, a designated file, a Unix socket, or WinPopup messages via Samba
Snort has three main modes: packet sniffer, packet logger, or full network intrusion detection system. Following the best practice of open-source/free software development, Snort supports various kinds of plug-ins, extensions, and customizations, including database or XML logging, small fragment detection, and statistical anomaly detection.
Packet payload inspection is one of Snort's most useful features; it means that many additional kinds of hostile behavior can be detected.
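The three modes above map to three different Snort 2.x command lines. The following wrapper is an added example (it is not code from the original article or from the Snort project) that builds the command for each mode and checks the prerequisites that most often make a first run fail: a writable log directory and a readable configuration file. The flag meanings follow the Snort 2.x manual (-v print headers, -d dump payload, -e show link-layer headers, -l log directory, -b binary pcap logging, -c rules file, -h home network, -A alert mode, -T test the configuration). The paths, interface name and home network are assumptions set via environment variables.

```shell
# Added example: build and sanity-check the Snort 2.x command line for each mode.
# Defaults below (/etc/snort/snort.conf, /var/log/snort, eth0, 192.168.1.0/24)
# are assumptions; override them through the environment.
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"
HOME_NET="${HOME_NET:-192.168.1.0/24}"
IFACE="${IFACE:-eth0}"

# snort_cmd MODE -> prints the command line for MODE (sniffer|logger|nids).
# Returns 1 on an unknown mode.
snort_cmd() {
  case "$1" in
    # Sniffer: headers (-v), payload (-d) and link-layer headers (-e) to the terminal.
    sniffer) printf '%s\n' "snort -v -d -e -i $IFACE" ;;
    # Packet logger: same decode, but written to the log directory in pcap format (-b).
    logger)  printf '%s\n' "snort -d -e -b -i $IFACE -l $SNORT_LOGDIR" ;;
    # NIDS: apply the rule set (-c), define the home network (-h), fast alert format (-A fast).
    nids)    printf '%s\n' "snort -d -i $IFACE -h $HOME_NET -l $SNORT_LOGDIR -c $SNORT_CONF -A fast" ;;
    *) printf 'unknown mode: %s (use sniffer|logger|nids)\n' "$1" >&2; return 1 ;;
  esac
}

# check_prereqs MODE -> verifies what Snort needs before it will start in MODE:
# a writable log directory for logger/nids and a readable config file for nids.
check_prereqs() {
  case "$1" in
    logger|nids)
      [ -d "$SNORT_LOGDIR" ] && [ -w "$SNORT_LOGDIR" ] || {
        echo "log directory $SNORT_LOGDIR is missing or not writable" >&2; return 1; }
      ;;
  esac
  if [ "$1" = nids ]; then
    [ -r "$SNORT_CONF" ] || { echo "config $SNORT_CONF is not readable" >&2; return 1; }
  fi
  return 0
}

# run_snort MODE: with DRY_RUN=1 only print the command that would be run;
# otherwise validate the NIDS config with -T first, then exec Snort.
run_snort() {
  check_prereqs "$1" || return 1
  cmd=$(snort_cmd "$1") || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$cmd"
  else
    [ "$1" = nids ] && { $cmd -T || return 1; }
    exec $cmd
  fi
}
```

Run it as `DRY_RUN=1 ./snort-mode.sh` after sourcing, or call `run_snort nids` from a startup script; the -T pass before the real start means a broken rules file is reported immediately instead of after Snort has been running for a while.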
Download addresses:
1. The Snort rules snapshot (snortrules-snapshot) can be downloaded from http://www.snort.org/registration.
2. A third-party rules file, rules.tar.gz, can be downloaded from http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/rules/; this series is also updated frequently. The snortrules-snapshot-2.8.tar.gz used here was downloaded from 51cto.
3. BASE can be obtained from http://sourceforge.net/projects/secureideas/. Alternatively, SnortCenter (http://users.telenet.be/larc/download/) is a web-based Snort sensor and rule management system used to remotely modify a sensor's configuration, start and stop sensors, and edit and distribute Snort signature rules.
4. ADOdb can be downloaded from http://sourceforge.net/projects/adodb/. ADOdb stands for Active Data Objects Data Base and is an intermediate library through which PHP accesses databases.
5. Installing the Snort RPM on CentOS 6 (the text after // is the author's annotation of each step):
[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm    // install the Snort package; the system reports missing dependencies
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
        libpcap >= 0.4 is needed by snort-2.8.5.1-1.fc13.i686
        libpcap.so.1 is needed by snort-2.8.5.1-1.fc13.i686
        libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686
[root@localhost centos6]# rpm -q libpcap    // query: libpcap is not installed
package libpcap is not installed
[root@localhost centos6]# yum -y install libpcap    // install the libpcap package
[root@localhost centos6]# rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm    // second install attempt: two dependencies are still missing
warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
        libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686
[root@localhost centos6]# yum -y install libgnutls26    // install the libgnutls26 package
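The session above resolves dependencies one at a time by re-running rpm -ivh after each yum install. The script below is an added example (not code from the original article) that parses rpm's "Failed dependencies" output once, extracts every missing capability, and prints the corresponding yum provides lookup so all of them can be located in a single pass. The sample rpm output embedded in the script is constructed to match the first failed install above; the yum provides commands are only printed, so the script itself runs offline.

```shell
# Added example: turn rpm's "Failed dependencies" block into a list of
# capabilities and the yum lookups that find the packages providing them.

# rpm_missing_caps < rpm-error-text -> one capability per line, in order, deduplicated
# (e.g. "libpcap.so.1" or a versioned requirement such as "libpcap >= 0.4").
rpm_missing_caps() {
  awk '
    /^error: Failed dependencies:/ { in_deps = 1; next }
    in_deps && / is needed by / {
      sub(/^[ \t]+/, "")            # drop the indentation rpm prints
      sub(/ is needed by .*$/, "")  # keep only the capability text
      if (!seen[$0]++) print
    }
  '
}

# cap_to_query CAP -> the argument to hand to "yum provides":
# shared-object names are rpm Provides and are queried as-is;
# versioned requirements ("libpcap >= 0.4") are reduced to the package name.
cap_to_query() {
  case "$1" in
    *.so*) printf '%s\n' "$1" ;;
    *)     printf '%s\n' "${1%% *}" ;;
  esac
}

# resolve_plan < rpm-error-text -> one "yum provides" command per missing capability.
# Pipe the output to sh on the target machine to run the lookups for real.
resolve_plan() {
  rpm_missing_caps | while IFS= read -r cap; do
    printf 'yum provides %s\n' "$(cap_to_query "$cap")"
  done
}

# Constructed sample input: the first failed install attempt from the session above.
SAMPLE_RPM_OUTPUT='warning: snort-2.8.5.1-1.fc13.i686.rpm: Header V3 RSA/SHA256 Signature, key ID e8e40fde: NOKEY
error: Failed dependencies:
        libgnutls.so.26 is needed by snort-2.8.5.1-1.fc13.i686
        libpcap >= 0.4 is needed by snort-2.8.5.1-1.fc13.i686
        libpcap.so.1 is needed by snort-2.8.5.1-1.fc13.i686
        libprelude.so.2 is needed by snort-2.8.5.1-1.fc13.i686'

# count_missing -> number of distinct capabilities reported in the sample (4).
count_missing() {
  printf '%s\n' "$SAMPLE_RPM_OUTPUT" | rpm_missing_caps | wc -l | tr -d ' '
}

# Show the plan for the sample when the script is run directly.
printf '%s\n' "$SAMPLE_RPM_OUTPUT" | resolve_plan
```

On a real system, replace the embedded sample with `rpm -ivh snort-2.8.5.1-1.fc13.i686.rpm 2>&1 | resolve_plan | sh`. The NOKEY warning in the rpm output is unrelated to the dependency failure: it means the package's GPG signature could not be checked because the signing key is not imported, which is worth fixing separately before installing security software from a downloaded RPM.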