Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ IDS Intrusion Detection System built (Linux)     - Installation and management of Linux applications (Linux)

- How to remove the files inside the privacy of data on Linux (Linux)

- The basic principles for the protection of a good linux server security (Linux)

- To install Python-Pip and Fabric under CentOS / Ubuntu (Linux)

- To repair Shell script by default open in Ubuntu (Linux)

- Linux three ways to set environment variables (Linux)

- Linux basic introductory tutorial ---- Software Installation under Linux (Linux)

- Linux installation and configuration curl command tool (Linux)

- Growth since Oracle set the table space (Database)

- How do you know your public IP terminal in Linux (Linux)

- LAN in Ubuntu shared folders to Windows (Linux)

- Linux operating tips: Can not open file for writing or operation not permitted solution (Linux)

- Linux platform host to prevent hacking skills (Linux)

- Ubuntu install the camera driver (Linux)

- How to manage the time and date at systemd Linux systems (Linux)

- The difference between vi and nano (Linux)

- Sshuttle A VPN-based transparent proxy that uses ssh (Server)

- Linux iptables firewall settings whitelist (RHEL 6 and CentOS 7) (Linux)

- Android Studio simple setup (Linux)

- Loop arrays in C language is not easy to find a bug (Programming)

  IDS Intrusion Detection System built (Linux)
  Add Date : 2018-11-21      
  Snort it is a multi-platform, intrusion detection system real-time traffic analysis. Snort is a libpcap-based packet sniffer and can be used as a lightweight network intrusion detection system.

snort has three operating modes:
1, sniffer
Sniffer mode: reads the data packets from the network as a continuous stream displayed on the terminal.
2, packet logger
Packet logger: the data packet is recorded onto the hard disk.
3, the network intrusion detection system.
Network Intrusion Detection: It is configurable (it will be relatively more complex).

working principle:
Because the data can capture packets on the network, but it can be distinguished from sniffer based on custom rules and make the appropriate treatment. The mechanism according to the following rules have five kinds of responses.
Activation (alarm and start another dynamic rule chain)
Dynamic (calls by other rules package)
Alert (alarm)
Pass (ignored)
Log (but no alarm recording network traffic)

Snort through TCP / IP network layer, data link layer 5 structure crawl network packets, when the need to capture card is set to promiscuous mode, according to different operating systems using libpcap or winpcap function captures packets from the network ; then the captured data packet to packet decoder to decode.

Snort running:
Mainly through the plug-in work together to make it powerful, so select the appropriate database at deployment, Web servers, graphics software and version is also very important.

Snort reason that he is a lightweight means that his function is still not perfect, and such other products as linkage could be improved; Snort plug-in to work each function, installation complexity, each plug-in software versions and other issues because sometimes influence program runs; Snort for all data traffic according to the rules of the match, and sometimes will produce a lot of false positives due process.

Intrusion Detection System: IDS

IDS protection is detected, IPS is protection;
SessionWall: CA company produced, graphical interface, you can monitor traffic and comprehensive program accordingly by an alarm and obstruction rules.
RealSecure: ISS RealSecure is a real-time monitoring software, which includes the console, a network engine and system agents three parts. RealSecure templates include security incident template, templates, and user-defined connection event event template.
IDS can essentially be divided into two categories: network-based IDS (NIDS) and host-based IDS (HIDS) both IDS.
Called HIDS (software) snort host-based (for not being detected by firewall intrusion). You need to be installed to be protected hosts (you can view traffic logs, user behavior and some files)
Network-based call NIDS (hardware) Digital H3C have (hardware), installation and switches needed to bind;

working principle:
IDS listening port :( collect its concerns packets
Compare feature: IDS traffic statistics extracted characteristic value, and the signature match;
Alarm: the higher the degree of match message to Liu that would be considered offensive, IDS will alarm.
(Information collection --- Analysis - Detecting whether the alarm)
Detection of host-based applications; only installed on important hosts above.
Network-based intrusion detection: will be deployed on a network device.

(Intermediate assembly for a PHP function to access a database, a database support for php optimization;)
(Snort IDS is a warning to view Web applications)
(Intrusion Detection System)
(Snort and database to the device)
(Intrusion detection rule base)

rpm -ivh snort-
Installation can be completed directly with the line;
In the terminal can execute instructions directly: snort -v
If the external network ping time, where there will be records show; (pause ctrl + Z)
Kill this process: pkill -9 snort
Then you can then check whether the use of jobs to be killed;
You can also use snort -vde (but not a MAC address)
Information recording: snort -vde l ./ & / dev / null & can be recorded,

Intrusion rule base application:
cd / etc / snort / rules / (in this folder)
Then import rules, because it is a compressed package, directly extract to / etc / snort / directory on it:
tar -zxvf snortrules-snapshot-2.8.tar.gz -C / etc / snort /
After importing the view to cd / setc / snort / rules / directory; there will be a lot of the rules.
(Old version of the software is relatively very little intrusion rules library resources will be significantly different from the old as much as possible to update)

Under part of the rule is the protocol:
Snort currently analyzes for suspicious packages ip protocol has four: TCP, UDP, ICMP, IP;
(Perhaps soon there will be the development of ARP, IGRP, GRE, OSPF, RIP, IPX)
If the detected files want to record data inside; so the intrusion detection system set up to install the software, or more:
mysql, apache, php, libpcap (linux network packet capture function package), adodb (the database can optimize), snort (main), base (basic analysis and security engine), - acid to code project basis, to provide web front end.
Because the installation of these things as much as possible is to use yum to install:
Edit the local yum:
vim /etc/yum.repos.d/rhel-debuginfo.repo
name = Red Haterprise Linux server
baseurl = file: /// mnt / cdrom /
enabled = 1

gpgcheck = 1
gpgkey = file: /// mnt / cdrom / RPM-GPG-KEY-RedHat-relase

Mount disc yum install:
mkdir / mnt / cdrom
mount / dev / cdrom / mnt / cdrom /
yum install:

Installation is complete open a variety of services, and then set chkconfig:

chkconfig httpd on
For mysql need to set a password (the default installation is a root user with no password)
mysqladmin-u root -p password '123'
Further added snort database and tables in the data:

(Since we expect the detected information into mysql database inside, into what the database, but also in further settings)
Connect to the database: mysql -u root -p

create database snort;
(New snort database)

use snort;
(Using the snort database)
show tables;
(Add in this table, each see a table, we must add the frame of a table; but here it can be directly imported to create the table are some of the fields and the like)

chkconfig mysql on
(Still using the chkconfig settings)

Then also want to snort detection protocol data is to be placed in a database, and therefore also install a stuff:
It is snort-mysql- package
(A device connected to the database snort)
vim /etc/snort/snort.conf

Or may be used to see if jobs are running;

Upgrade Installation pear
(Ie: PHP Extension and Application Library)
pear install --force PEAR-1.8.1 (system connected to the Internet, you can directly upgrade)
pear upgrade pear (then updated)
Then install some modules; (some modules graphical interface)

Install adodb
adodb514.zip (it is used to support a database for php optimization)
Extracting first: unzip adodb514.zip
Then it moves to the next / var / www / html / adodb directory.
mv adodb5 / var / www / html / adodb (easy to do can also change the name of)

base installation
tar -zxvf base-1.4.5.tar.gz -C / var / www / html /
To facilitate the operation may change my name: After direct access to physical directory
mv base-1.4.5 / base
And then re-enter this directory, you also need to copy some files.

Then there base_conf.php configuration files in / var / www / html / change inside;
Before you change permissions settings still need to make under the base directory: chmod o + w base /
That's it:

(In fact, this can be set directly into the page, and then set the form of this document; through direct physical access disposed in; but it may be some default settings log several times too high, so also you need to edit php.ini etc directory change my)
Tips such as this:

Then you need vim /etc/php.ini

Since this change, we also need to restart apache and then re-enter:
A total of five installation; language setting, adodb path:

Then set up a number of related database:

User interface management settings and password:

Then it enters the basic analysis and security engine :( create base AG)

Part 5 to: see some protocol detection.

(Of course, this is because the data did not run)
Restarts, to be a Ping operation, the new refresh the page:

Or use the tools to be a port scan test:

The above is a brief intrusion detection system IDS build process under linux environment.
- Linux Getting Started tutorial: Experience VirtualBox Virtual Machine chapter (Linux)
- Learning UNIX good habits (Linux)
- Command filter MySQL slow query log (Database)
- Regular expressions in Perl (Programming)
- Install Ubuntu text editor KKEdit 0.2.10 (Linux)
- Nginx server load balancing dual-system availability (Server)
- Virtual Judge structures under Ubuntu 14.04 (Server)
- DNF Command Tutorial (Linux)
- Linux System Getting Started Learning: rename multiple files in Linux (Linux)
- iptraf: A Practical TCP / UDP network monitoring tools (Linux)
- Oracle Linux 5.5 (64bit) Install Oracle 11gR2 RAC detailed tutorial (Database)
- Linux installation beautify early experience (Linux)
- PULL operation mechanism parsing XML Comments (Programming)
- wget command Walkthrough (Linux)
- Java in several ways of using MongoDB (Programming)
- Linux environment installation of rvm and ruby (Linux)
- CentOS6 installation configuration rsh (Server)
- Python implementation restart the router (Programming)
- CentOS directory structure Explanation (Linux)
- Oracle to start to solve the error ORA-27102 (Database)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.