The technology behind IDS is not very mysterious. This article follows the trail of "tracing" an intrusion to introduce a simple, entry-level IDS architecture. From the standpoint of market share and ease of getting started, a network-based IDS (NIDS) is the most appropriate example to deploy. This article walks through the whole intrusion detection process on a Windows platform; for reasons of space, it is presented from a qualitative point of view.
Preliminary knowledge
IDS: an intrusion detection system (IDS) is a combination of software and hardware that collects information from network systems and analyzes it intelligently to detect intrusions.
Two bodies standardize IDS: the Intrusion Detection Working Group (IDWG) of the IETF, the Internet's standards maker, and the Common Intrusion Detection Framework (CIDF).
IDS categories: network-based IDS, host-based IDS, hybrid IDS, console IDS, file integrity checkers, and honeypots.
Event generation system
CIDF presents a general model of an intrusion detection system (IDS); its elements and the simplest intrusion detection components are shown in the figure. In the CIDF specification, the data that an IDS needs to analyze is collectively called an event: it may be a packet on the network, or information obtained by other means, such as a system log.
Without a data stream (collected data), an IDS is a tree without roots, completely useless.
As the grassroots layer of an IDS, the event generation system is powerful: it collects all the defined events and then passes them up to the other components. In a Windows environment, the most basic tools for this today are WinPcap and windump.
As you know, software and programs for event generation and event analysis on Linux and Unix platforms are popular at the moment; on Windows, the counterpart of libpcap (the library that Unix and Linux tools need to capture network packets from the kernel) is WinPcap.
WinPcap is a free, Windows-based network interface API. It puts the network card into "promiscuous" mode and then loops over the network, capturing packets. Its technique is simple, portable, and independent of the network card, but not highly efficient, so it suits lower-bandwidth networks. The Windows network sniffing tool built on it is windump (the Windows port of tcpdump from the Linux/Unix platform). This software must run on top of the WinPcap interface (think of WinPcap as the driver that does the sniffing). With windump you can display the headers of packets that match a filter rule. You can use it to find network problems or to monitor what is happening on the network, and so, to some extent, to watch for safe and unsafe behaviour coming from the network.
Both pieces of software can be found free on the Internet, and readers can also consult tutorials on using them.
Here is a brief introduction to the steps for setting up event detection and acquisition:
1. Assemble the software and hardware system. Decide, based on how busy the network is, whether to use a common compatible server or a high-performance dedicated one. Install an NT-kernel Windows operating system; Windows Server 2003 Enterprise Edition is recommended, with Windows Advanced Server if that is not available. NTFS is the recommended partition format.
2. Partition the server reasonably and effectively. Ideally, the installed program and the data log storage should be kept in different partitions.
3. Install WinPcap. First install its driver: download the WinPcap auto-installer (driver and DLLs) from its homepage or a mirror site and install it directly.
Note: if you use WinPcap for development, you also need to download the Developer's Pack.
WinPcap consists of three modules. The first, NPF (Netgroup Packet Filter), is a VxD (virtual device driver) file; its job is to filter packets and pass them intact to the user-mode modules. The second, Packet.dll, provides a common interface for the Win32 platform. The third, Wpcap.dll, sits on top of Packet.dll; it is not tied to any particular operating system and provides higher-level, more abstract functions, which makes programming more convenient and direct. Detailed usage instructions can be found on the major sites; making good use of WinPcap requires solid C programming skills.
4. Set up windump. After installation, run it from the Windows command prompt; users can then view the network status for themselves, which need not be repeated here.
With this, event detection and acquisition is in place, provided there are no software compatibility, installation, or configuration problems.
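As an added example (not code from the original article, nor from the WinPcap or windump projects), here is the kind of user-mode work an event generation system does on each captured frame: it parses the Ethernet, IPv4 and TCP/UDP headers into an event record and applies a rule comparable to a windump filter such as "tcp dst port 445". It uses a constructed sample frame embedded in the code instead of a live WinPcap capture; in a real sensor the same parse function would be called from the capture callback. The names `packet_event`, `parse_frame`, `matches_tcp_dst_port` and `frame_matches_rule` are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The "event" an IDS sensor keeps for each packet: the header fields
   that analysis components (and windump's one-line output) rely on. */
typedef struct {
    uint8_t  src_ip[4];
    uint8_t  dst_ip[4];
    uint8_t  proto;      /* IP protocol number: 6 = TCP, 17 = UDP */
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  tcp_flags;  /* raw TCP flag byte, 0 for non-TCP */
} packet_event;

/* Read a big-endian (network order) 16-bit field. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse Ethernet II + IPv4 + TCP/UDP headers from a raw frame.
   Returns 0 on success, -1 if the frame is truncated, malformed,
   or not IPv4 over Ethernet. Every length is checked before use so a
   short or crafted frame cannot make the sensor read past the buffer. */
int parse_frame(const uint8_t *frame, size_t len, packet_event *ev)
{
    if (len < 14) return -1;                        /* no full Ethernet header */
    if (be16(frame + 12) != 0x0800) return -1;      /* EtherType is not IPv4 */
    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1; /* not an IPv4 header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;        /* header length in bytes */
    if (ihl < 20 || iplen < ihl) return -1;
    size_t total = be16(ip + 2);                    /* IP total length */
    if (total < ihl || total > iplen) return -1;    /* bogus or truncated */

    memset(ev, 0, sizeof *ev);
    memcpy(ev->src_ip, ip + 12, 4);
    memcpy(ev->dst_ip, ip + 16, 4);
    ev->proto = ip[9];

    const uint8_t *l4 = ip + ihl;
    size_t l4len = total - ihl;
    if (ev->proto == 6) {                           /* TCP */
        if (l4len < 20) return -1;
        ev->src_port  = be16(l4);
        ev->dst_port  = be16(l4 + 2);
        ev->tcp_flags = l4[13];
    } else if (ev->proto == 17) {                   /* UDP */
        if (l4len < 8) return -1;
        ev->src_port = be16(l4);
        ev->dst_port = be16(l4 + 2);
    }
    return 0;
}

/* A minimal rule, analogous to the windump filter "tcp dst port N". */
int matches_tcp_dst_port(const packet_event *ev, uint16_t port)
{
    return ev->proto == 6 && ev->dst_port == port;
}

/* Convenience: parse and match in one call. Returns 1 on match,
   0 on no match, -1 if the frame could not be parsed. */
int frame_matches_rule(const uint8_t *frame, size_t len, uint16_t port)
{
    packet_event ev;
    if (parse_frame(frame, len, &ev) != 0) return -1;
    return matches_tcp_dst_port(&ev, port);
}

/* Constructed sample frame (not a real capture): an Ethernet/IPv4/TCP SYN
   from 192.168.1.10:40000 to 192.168.1.20:445. Checksums are left zero. */
static const uint8_t sample_frame[] = {
    /* Ethernet: dst MAC, src MAC, EtherType 0x0800 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/ihl, tos, total len 40, id, flags/frag, ttl, proto 6, csum */
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    192,168,1,10, 192,168,1,20,
    /* TCP: sport 40000, dport 445, seq, ack, data offset 5 + SYN, win, csum, urg */
    0x9c,0x40, 0x01,0xbd, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00
};

/* Print an event in a windump-like one-line form. */
void print_event(const packet_event *ev)
{
    printf("%u.%u.%u.%u:%u > %u.%u.%u.%u:%u proto=%u flags=0x%02x\n",
           ev->src_ip[0], ev->src_ip[1], ev->src_ip[2], ev->src_ip[3], ev->src_port,
           ev->dst_ip[0], ev->dst_ip[1], ev->dst_ip[2], ev->dst_ip[3], ev->dst_port,
           ev->proto, ev->tcp_flags);
}

int main(void)
{
    packet_event ev;
    if (parse_frame(sample_frame, sizeof sample_frame, &ev) == 0) {
        print_event(ev.proto ? &ev : &ev);
        printf("matches 'tcp dst port 445': %d\n", matches_tcp_dst_port(&ev, 445));
    }
    return 0;
}
```

The length checks are the part worth copying: a sensor that reads the network reads attacker-controlled bytes, so every header field is validated against the bytes actually present before it is used, and a truncated frame is simply rejected rather than parsed.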