  IDS Intrusion Detection System built (Linux)
     
  Add Date : 2018-11-21      
         
         
         
  Snort is a multi-platform, real-time traffic analysis and intrusion detection system. It is a libpcap-based packet sniffer that can be used as a lightweight network intrusion detection system.

Snort has three operating modes:
1. Sniffer mode: reads packets from the network and displays them on the terminal as a continuous stream.
2. Packet logger mode: records the packets to disk.
3. Network intrusion detection mode: the configurable mode (and the most complex to set up).


Working principle:
Like a sniffer, Snort captures packets from the network, but unlike a plain sniffer it classifies them against user-defined rules and responds accordingly. A rule can specify one of five responses:
Activate (raise an alarm and turn on another, dynamic rule chain)
Dynamic (a rule that is only enabled when called by an activate rule)
Alert (raise an alarm)
Pass (ignore the packet)
Log (record the network traffic without raising an alarm)


Snort captures network packets at the data link layer of the five-layer TCP/IP model. To capture traffic, the network card has to be set to promiscuous mode; depending on the operating system, packets are taken from the network with libpcap or WinPcap and then handed to the packet decoder to be decoded.


Running Snort:
Snort's power comes mainly from its plug-ins working together, so choosing a suitable database, web server and graphics software, and the right version of each, is also very important at deployment time.


Shortcomings:
Snort is called lightweight because its functionality is still incomplete, and its linkage with other products could be improved. Each of its functions is provided by a plug-in, so installation is complex, and version mismatches between the plug-in packages sometimes affect how the program runs. Because Snort matches all traffic against the rules, it can also produce a large number of false positives.


IDS: Intrusion Detection System
IPS: Intrusion Prevention System


An IDS detects; an IPS protects (blocks).
SessionWall: produced by CA, with a graphical interface; it can monitor traffic and respond to it with alarm and blocking rules.
RealSecure: ISS RealSecure is real-time monitoring software made up of three parts: a console, a network engine and system agents. RealSecure templates include security event templates, connection event templates and user-defined event templates.
IDS can essentially be divided into two categories: network-based IDS (NIDS) and host-based IDS (HIDS).
Host-based IDS (HIDS, software), of which Snort is one, catches intrusions that the firewall does not detect. It has to be installed on the hosts to be protected (where it can look at traffic logs, user behaviour and some files).
Network-based IDS (NIDS, hardware), such as the H3C products, is installed bound to a switch.


Working principle:
Listen: the IDS listens on a port and collects the packets it is interested in.
Compare features: the IDS extracts characteristic values from the traffic and matches them against its signatures.
Alarm: the higher the degree of match, the more likely the traffic is considered an attack, and the IDS raises an alarm.
(Information collection --- analysis --- detection and, if warranted, alarm)
Host-based detection applies to individual hosts and is only installed on important ones.
Network-based intrusion detection is deployed on a network device.
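As an added illustration (not part of the original page) of how rules, their five actions and Snort's rule application order decide the response, this Python sketch parses a handful of constructed Snort-style rules and classifies constructed packets. The rules, addresses and the reduced option set (msg, itype, content) are assumptions for the demo; real Snort evaluates far more options, but the default order activate, dynamic, alert, pass, log and the pass-first order selected by -o are Snort's own.

```python
import ipaddress
import re

# Constructed Snort 2.x style rules for this demo (not from the original page);
# 192.168.1.0/24 stands in for $HOME_NET.
RULES_TEXT = """
pass icmp 10.0.0.5 any -> 192.168.1.0/24 any (msg:"Trusted monitor ping";)
alert icmp any any -> 192.168.1.0/24 any (msg:"ICMP echo from outside"; itype:8;)
log tcp any any -> 192.168.1.0/24 22 (msg:"SSH connection logged";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Web probe"; content:"/etc/passwd";)
"""
# Snort's default rule application order; the -o switch moves pass to the front.
DEFAULT_ORDER = ("activate", "dynamic", "alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "activate", "dynamic", "alert", "log")
HEADER = re.compile(r"(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)")

def parse_rules(text):
    """Split each rule into its header fields plus a dict of body options."""
    rules = []
    for line in text.strip().splitlines():
        action, proto, src, sport, dst, dport, body = HEADER.match(line).groups()
        opts = dict(o.strip().split(":", 1) for o in body.split(";") if o.strip())
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport,
                      **{k: v.strip().strip('"') for k, v in opts.items()}})
    return rules

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """Header fields first (protocol, addresses, ports), then the body options."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    for spec, port in ((rule["sport"], pkt["sport"]), (rule["dport"], pkt["dport"])):
        if spec != "any" and int(spec) != port:
            return False
    if "itype" in rule and int(rule["itype"]) != pkt.get("itype"):
        return False
    return "content" not in rule or rule["content"] in pkt.get("payload", "")

def classify(pkt, rules, order=DEFAULT_ORDER):
    """Walk the action groups in order; the first matching rule decides the response."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action, rule["msg"]
    return None  # no rule matched: the packet is neither logged nor alerted on
```

With the default order the trusted monitor's ping still triggers the alert rule, because alert rules are evaluated before pass rules; only the pass-first order lets the pass rule suppress it, which is why pass rules alone do not silence a noisy signature.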

Platform:
Linux 5.4
Packages:
adodb514.zip
(a database abstraction layer for PHP; gives PHP optimised access to the database)
base-1.4.5.tar.gz
(BASE, the web application for viewing Snort IDS alerts)
snort-2.8.0.1-1.RH5.i386.rpm
(the intrusion detection system itself)
snort-mysql-2.8.0.1-1.RH5.i386.rpm
(connects Snort to the database)
snortrules-snapshot-2.8.tar.gz
(the intrusion detection rule base)

Installation:
rpm -ivh snort-2.8.0.1-1.RH5.i386.rpm
That single command completes the installation.
You can then run Snort directly from the terminal: snort -v
If you ping an external host at this point, records of the traffic are displayed (pause with Ctrl+Z).
Kill the process: pkill -9 snort
Then check with jobs whether it was really killed.
You can also use snort -vde, which additionally shows the packet payload and the data link layer headers (MAC addresses).
To record the information: snort -vde -l ./ > /dev/null & writes the packets to log files in the current directory.


Applying the intrusion rule base:
cd /etc/snort/rules/ (the rules live in this folder)
Then import the rules; since they come as a compressed package, extract it directly into the /etc/snort/ directory:
tar -zxvf snortrules-snapshot-2.8.tar.gz -C /etc/snort/
After importing, look in /etc/snort/rules/; there will be a large number of rules.
(An old version of the software ships with very few intrusion rules, and the current rule base differs considerably from the old one, so update it as much as possible.)


Some of the rules are grouped by protocol:
Snort currently analyses four IP protocols for suspicious packets: TCP, UDP, ICMP and IP.
(Support for ARP, IGRP, GRE, OSPF, RIP and IPX may be developed soon.)
If you want the detected data to be recorded in a database, the intrusion detection setup needs more software installed:
mysql, apache, php, libpcap (the Linux packet capture library), adodb (database abstraction for PHP), snort (the main program) and base (Basic Analysis and Security Engine, which is based on the code of the ACID project and provides the web front end).
Install as much of this as possible with yum.
Edit the local yum repository:
vim /etc/yum.repos.d/rhel-debuginfo.repo
[rhel-server]
name=Red Hat Enterprise Linux server
baseurl=file:///mnt/cdrom/
enabled=1
gpgcheck=1
gpgkey=file:///mnt/cdrom/RPM-GPG-KEY-redhat-release

Mount the disc and install with yum:
mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom/
Then install the packages listed above with yum install.

When the installation is complete, start the services and set them to start at boot with chkconfig:
chkconfig httpd on
MySQL needs a password set (the default installation has a root user with no password):
mysqladmin -u root -p password '123'
Next add the snort database and its tables:
(Since we want the detected information to go into the MySQL database, we have to set up which database it goes into.)
Connect to the database: mysql -u root -p

create database snort;
(creates the snort database)

use snort;
(switches to the snort database)
show tables;
(Each kind of record is stored in its own table, so a table structure would have to be created for each; here, however, the tables with their fields can be created directly by importing the schema that ships with Snort.)

chkconfig mysqld on
(again set to start at boot with chkconfig)


Since we also want the protocol data Snort detects to be placed in the database, one more package has to be installed:
the snort-mysql-2.8.0.1-1.RH5.i386.rpm package
(connects Snort to the database)
vim /etc/snort/snort.conf
(configure the output database line for MySQL here)
You can use jobs to see whether Snort is running.

Upgrade PEAR
(the PHP Extension and Application Repository)
pear install --force PEAR-1.8.1 (with the system connected to the Internet you can upgrade directly)
pear upgrade pear (then update)
Then install some modules (some of them are for the graphical interface).

Install adodb
adodb514.zip (used to give PHP optimised database support)
First extract it: unzip adodb514.zip
Then move it to the /var/www/html/adodb directory:
mv adodb5 /var/www/html/adodb (renaming it at the same time, which makes it easier to work with)

Install BASE
tar -zxvf base-1.4.5.tar.gz -C /var/www/html/
To make it easier to work with, rename the directory; it can then be reached directly at http://0.0.0.0/base:
mv base-1.4.5/ base
Then go into this directory; some files also need to be copied.

Then there is the base_conf.php configuration file under /var/www/html/base to change;
before changing it, the permissions on the base directory still need to be set: chmod o+w base/
That's it:


(In fact this can be set up directly from the web page, which then writes this configuration file: go straight to http://192.168.1.101/base/setup/index.php to configure it. Some of PHP's default settings may be too restrictive, though, for example the logging level may be set too high, so php.ini in the /etc directory also needs to be edited.)
The setup page gives hints like this:

Then edit it: vim /etc/php.ini

After this change, apache has to be restarted before entering the page again.
Setup has five steps in total. Step 1: language setting and the adodb path:

Then some related database settings:

User interface management settings and password:

Then it enters the Basic Analysis and Security Engine (create BASE AG):

Step 5: some protocol detections can be seen.

(Of course there is no data yet, because nothing has been run.)
Restart, do a ping, and refresh the page:

Or use a tool to do a port-scan test:

The above is a brief description of building an IDS under Linux.
     
         
         
         
  CopyRight 2002-2020 newfreesoft.com, All Rights Reserved.