At that time, I did this experiment to attend the student academic forum held by the College. The article is a bit long. Please give your valuable comments.
Test the IDS in Linux
IDS (Intrusion Detection System), the intrusion detection system we usually talk about, is widely used for security detection and defense on various operating systems, and for measuring the extent and frequency of network attacks. It provides detailed information and evidence for subsequent network security management.
Due to restrictions, we can only use SNORT as the IDS of this experiment.
Some functions of Snort:
1. Real-time traffic analysis and packet logging
2. Inspection of packet payloads
3. Protocol analysis and content search/matching
4. Detection of buffer overflows, stealth port scans, CGI attacks, SMB probes and operating system fingerprinting attempts
5. Real-time alerting to syslog, a specified file, a Unix socket, or WinPopup messages via Samba
Next, I will take REDHAT 7.3 as an example to describe the debugging and testing report of a complete intrusion detection system.
1. Local Environment
OS: REDHAT 7.3
Hardware: CPU P3 800; 256MB SDRAM; 20G/7200 hard disk
IDS: SNORT-1.9 + Libpcap
II. Debugging methods
First, install SNORT in the local environment. SNORT is a free IDS software. We will use it for system detection this time.
The local machine has obtained the SNORT-1.9 version.
First, to make it easier to customize the detection rules and to debug later, we install by manually compiling the source files. (Version used: SNORT-1.9.0.tar.gz)
Installation must be performed as root. If you are not root, use the su command to switch to the local system administrator (root):
$ su
Password:
After confirming that we are logged in as root, we must unpack the source files. Because Snort depends on the Libpcap library, before testing on the local machine we must make sure Libpcap is present on the system. If you do not know whether the local host already has Libpcap, you can query it with the following command. If it returns output such as:
/usr/lib/libpcap.1.9.0
/usr/lib/libpcap.a
then Libpcap is installed. If you receive no such output, the Libpcap library has not been installed; perform the following operations (version used: libpcap-0.6.2.tar.gz):
cd /usr/src/ids
[root@kykin-L-linux ids]# tar -zxvf libpcap-0.6.2.tar.gz
[root@kykin-L-linux ids]# ls
libpcap-0.6.2  libpcap-0.6.2.tar.gz  snort-1.9.0  snort-1.9.0.tar.gz
This operation completely releases libpcap to the local folder.
Continue:
[root@kykin-L-linux ids]# cd libpcap-0.6.2
[root@kykin-L-linux libpcap-0.6.2]# ls
aclocal.m4     configure.in   lbl            pcap-enet.c    README.linux
bpf            CREDITS        libpcap.a      pcap.h         savefile.c
bpf_dump.c     CVS            LICENSE        pcap-int.h     savefile.o
bpf_dump.o     etherent.c     llc.h          pcap-linux.c   scanner.c
bpf_filter.c   etherent.o     Makefile       pcap-linux.o   scanner.l
bpf_filter.o   ethertype.h    Makefile.in    pcap-namedb.h  scanner.o
bpf_image.c    FILES          mkdep          pcap-nit.c     sll.h
bpf_image.o    gencode.c      nametoaddr.c   pcap-nit.h     SUNOS4
CHANGES        gencode.h      nametoaddr.o   pcap-null.c    TODO
config.cache   gencode.o      net            pcap.o         tokdefs.h
config.guess   grammar.c      nlpid.h        pcap-pf.c      VERSION
config.h       grammar.o      optimize.c     pcap-pf.h      version.c
config.h.in    grammar.y      optimize.o     pcap-snit.c    version.o
config.log     inet.c         pcap.3         pcap-snoop.c
config.status  inet.o         pcap-bpf.c     ppp.h
config.sub     INSTALL        pcap.c         README
configure      install-sh     pcap-dlpi.c    README.aix
These source files are the Libpcap files to be compiled. Continue:
[root@kykin-L-linux libpcap-0.6.2]# ./configure --prefix=/usr/local/libpcap-0.6.2
(This configures Libpcap to be installed under the /usr/local/libpcap-0.6.2 directory.)
[root@kykin-L-linux libpcap-0.6.2]# make
[root@kykin-L-linux libpcap-0.6.2]# make install
After executing the above steps, we have installed Libpcap in the system.
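Whether Libpcap is really usable from here on is easy to get wrong: Snort's configure needs both the library file and the pcap.h header, so a check on /usr/lib/libpcap.a alone, as done earlier, can pass while the Snort build still fails. The script below is an added example, not part of the original article or of the Snort or Libpcap projects: it searches the system library and include directories plus the --prefix used above for a static or shared libpcap and for pcap.h. The default prefix and the directory list are assumptions about where a build might have put the files.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that Libpcap is
# installed in a form Snort's configure can use, i.e. both a library
# (libpcap.a or libpcap.so*) and the pcap.h header are present.

find_in_dirs() {
    # $1 = file name or glob (e.g. 'libpcap.so*'), remaining args = directories.
    # Prints the first existing match and returns 0; returns 1 if none is found.
    pat=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/$pat; do        # $pat unquoted so the glob expands
            if [ -e "$f" ]; then        # an unmatched glob stays literal; -e rejects it
                echo "$f"
                return 0
            fi
        done
    done
    return 1
}

libpcap_check() {
    # $1 = --prefix given to Libpcap's configure (optional).
    # Assumption: the article's prefix /usr/local/libpcap-0.6.2 is the default.
    # Directory lists are split on spaces, so paths containing spaces are not supported.
    prefix=${1:-/usr/local/libpcap-0.6.2}
    libdirs="/usr/lib /usr/local/lib $prefix/lib"
    incdirs="/usr/include /usr/local/include $prefix/include"

    # Prefer the static archive the article looks for, then any shared object.
    lib=$(find_in_dirs 'libpcap.a' $libdirs) ||
        lib=$(find_in_dirs 'libpcap.so*' $libdirs) || {
        echo "libpcap library not found in: $libdirs" >&2
        return 1
    }
    # The header is required too; the library alone will not satisfy Snort's configure.
    hdr=$(find_in_dirs 'pcap.h' $incdirs) || {
        echo "pcap.h not found in: $incdirs (library at $lib is not enough to build Snort)" >&2
        return 1
    }
    echo "libpcap library: $lib"
    echo "libpcap header:  $hdr"
    return 0
}

# Usage (run as the user who will build Snort):
#   libpcap_check                    # the article's prefix
#   libpcap_check /opt/libpcap       # a different --prefix
```

If the check reports a missing header but a present library, the usual cause is a Libpcap built with a --prefix whose include directory was not passed to Snort's configure; rerunning the check with that prefix as the argument shows whether the files exist at all.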
Next, we will complete the SNORT installation and debugging.
(For testing purposes, we do not need to write the SNORT log to the local MYSQL database, so the steps for the MYSQL database are omitted for now.)
[root@kykin-L-linux ids]# tar -zxvf snort-1.9.0.tar.gz
[root@kykin-L-linux ids]# cd snort-1.9.0
[root@kykin-L-linux snort-1.9.0]# ls
acconfig.h    config.h.in    contrib     Makefile       snort.8
aclocal.m4    config.log     COPYING     Makefile.am    src
ChangeLog     config.status  doc         Makefile.in    stamp-h
config.cache  config.sub     etc         missing        stamp-h.in
config.guess  configure      install-sh  mkinstalldirs  templates
config.h      configure.in   LICENSE     rules
[root@kykin-L-linux snort-1.9.0]# ./configure --prefix=/usr/local/snort19
[root@kykin-L-linux snort-1.9.0]# make
[root@kykin-L-linux snort-1.9.0]# make install