Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ IDS Intrusion Detection System built (Linux)     - Linux Getting Started Tutorial: Ubuntu laptop screen brightness adjustment (Linux)

- Install Visual Studio Code in Ubuntu (Linux)

- Linux installation Jetty deployment under RedHat5 8 (Linux)

- linux remote control software (Linux)

- OpenStack package problems and solutions under CentOS6 (Linux)

- Use OpenSSL carried BASE64 encoding and decoding (Linux)

- Linux variable learning experience (Linux)

- Linux command line ten magic usage (Linux)

- Linux / CentOS 7.0 installation and configuration under Tomcat 8.0 (Server)

- Share Practical Tutorial GitHub (Linux)

- Three details reflect the Unix system security (Linux)

- Dynamic programming Android (Programming)

- MySQL uses Federate engine mapping table to achieve operation of the local remote operation table (Database)

- Getting Started with Linux: Nginx Web Server How to Block Specific User Agents (UA) (Server)

- Android Studio Clear Project or Rebuild Project Error (Linux)

- Ora-00600 [fast hot Atkins soft _ that _ Oh, of course not _less_ profile] (Database)

- Tsung first test installation (Linux)

- Install Redis 2.6 5.5 32 position CentOS error resolved (Linux)

- Samhain: Powerful intrusion detection system under Linux (Linux)

- The first IOS Objective-C program (Programming)

  IDS Intrusion Detection System built (Linux)
  Add Date : 2018-11-21      
  Snort it is a multi-platform, intrusion detection system real-time traffic analysis. Snort is a libpcap-based packet sniffer and can be used as a lightweight network intrusion detection system.

snort has three operating modes:
1, sniffer
Sniffer mode: reads the data packets from the network as a continuous stream displayed on the terminal.
2, packet logger
Packet logger: the data packet is recorded onto the hard disk.
3, the network intrusion detection system.
Network Intrusion Detection: It is configurable (it will be relatively more complex).

working principle:
Because the data can capture packets on the network, but it can be distinguished from sniffer based on custom rules and make the appropriate treatment. The mechanism according to the following rules have five kinds of responses.
Activation (alarm and start another dynamic rule chain)
Dynamic (calls by other rules package)
Alert (alarm)
Pass (ignored)
Log (but no alarm recording network traffic)

Snort through TCP / IP network layer, data link layer 5 structure crawl network packets, when the need to capture card is set to promiscuous mode, according to different operating systems using libpcap or winpcap function captures packets from the network ; then the captured data packet to packet decoder to decode.

Snort running:
Mainly through the plug-in work together to make it powerful, so select the appropriate database at deployment, Web servers, graphics software and version is also very important.

Snort reason that he is a lightweight means that his function is still not perfect, and such other products as linkage could be improved; Snort plug-in to work each function, installation complexity, each plug-in software versions and other issues because sometimes influence program runs; Snort for all data traffic according to the rules of the match, and sometimes will produce a lot of false positives due process.

Intrusion Detection System: IDS

IDS protection is detected, IPS is protection;
SessionWall: CA company produced, graphical interface, you can monitor traffic and comprehensive program accordingly by an alarm and obstruction rules.
RealSecure: ISS RealSecure is a real-time monitoring software, which includes the console, a network engine and system agents three parts. RealSecure templates include security incident template, templates, and user-defined connection event event template.
IDS can essentially be divided into two categories: network-based IDS (NIDS) and host-based IDS (HIDS) both IDS.
Called HIDS (software) snort host-based (for not being detected by firewall intrusion). You need to be installed to be protected hosts (you can view traffic logs, user behavior and some files)
Network-based call NIDS (hardware) Digital H3C have (hardware), installation and switches needed to bind;

working principle:
IDS listening port :( collect its concerns packets
Compare feature: IDS traffic statistics extracted characteristic value, and the signature match;
Alarm: the higher the degree of match message to Liu that would be considered offensive, IDS will alarm.
(Information collection --- Analysis - Detecting whether the alarm)
Detection of host-based applications; only installed on important hosts above.
Network-based intrusion detection: will be deployed on a network device.

(Intermediate assembly for a PHP function to access a database, a database support for php optimization;)
(Snort IDS is a warning to view Web applications)
(Intrusion Detection System)
(Snort and database to the device)
(Intrusion detection rule base)

rpm -ivh snort-
Installation can be completed directly with the line;
In the terminal can execute instructions directly: snort -v
If the external network ping time, where there will be records show; (pause ctrl + Z)
Kill this process: pkill -9 snort
Then you can then check whether the use of jobs to be killed;
You can also use snort -vde (but not a MAC address)
Information recording: snort -vde l ./ & / dev / null & can be recorded,

Intrusion rule base application:
cd / etc / snort / rules / (in this folder)
Then import rules, because it is a compressed package, directly extract to / etc / snort / directory on it:
tar -zxvf snortrules-snapshot-2.8.tar.gz -C / etc / snort /
After importing the view to cd / setc / snort / rules / directory; there will be a lot of the rules.
(Old version of the software is relatively very little intrusion rules library resources will be significantly different from the old as much as possible to update)

Under part of the rule is the protocol:
Snort currently analyzes for suspicious packages ip protocol has four: TCP, UDP, ICMP, IP;
(Perhaps soon there will be the development of ARP, IGRP, GRE, OSPF, RIP, IPX)
If the detected files want to record data inside; so the intrusion detection system set up to install the software, or more:
mysql, apache, php, libpcap (linux network packet capture function package), adodb (the database can optimize), snort (main), base (basic analysis and security engine), - acid to code project basis, to provide web front end.
Because the installation of these things as much as possible is to use yum to install:
Edit the local yum:
vim /etc/yum.repos.d/rhel-debuginfo.repo
name = Red Haterprise Linux server
baseurl = file: /// mnt / cdrom /
enabled = 1

gpgcheck = 1
gpgkey = file: /// mnt / cdrom / RPM-GPG-KEY-RedHat-relase

Mount disc yum install:
mkdir / mnt / cdrom
mount / dev / cdrom / mnt / cdrom /
yum install:

Installation is complete open a variety of services, and then set chkconfig:

chkconfig httpd on
For mysql need to set a password (the default installation is a root user with no password)
mysqladmin-u root -p password '123'
Further added snort database and tables in the data:

(Since we expect the detected information into mysql database inside, into what the database, but also in further settings)
Connect to the database: mysql -u root -p

create database snort;
(New snort database)

use snort;
(Using the snort database)
show tables;
(Add in this table, each see a table, we must add the frame of a table; but here it can be directly imported to create the table are some of the fields and the like)

chkconfig mysql on
(Still using the chkconfig settings)

Then also want to snort detection protocol data is to be placed in a database, and therefore also install a stuff:
It is snort-mysql- package
(A device connected to the database snort)
vim /etc/snort/snort.conf

Or may be used to see if jobs are running;

Upgrade Installation pear
(Ie: PHP Extension and Application Library)
pear install --force PEAR-1.8.1 (system connected to the Internet, you can directly upgrade)
pear upgrade pear (then updated)
Then install some modules; (some modules graphical interface)

Install adodb
adodb514.zip (it is used to support a database for php optimization)
Extracting first: unzip adodb514.zip
Then it moves to the next / var / www / html / adodb directory.
mv adodb5 / var / www / html / adodb (easy to do can also change the name of)

base installation
tar -zxvf base-1.4.5.tar.gz -C / var / www / html /
To facilitate the operation may change my name: After direct access to physical directory
mv base-1.4.5 / base
And then re-enter this directory, you also need to copy some files.

Then there base_conf.php configuration files in / var / www / html / change inside;
Before you change permissions settings still need to make under the base directory: chmod o + w base /
That's it:

(In fact, this can be set directly into the page, and then set the form of this document; through direct physical access disposed in; but it may be some default settings log several times too high, so also you need to edit php.ini etc directory change my)
Tips such as this:

Then you need vim /etc/php.ini

Since this change, we also need to restart apache and then re-enter:
A total of five installation; language setting, adodb path:

Then set up a number of related database:

User interface management settings and password:

Then it enters the basic analysis and security engine :( create base AG)

Part 5 to: see some protocol detection.

(Of course, this is because the data did not run)
Restarts, to be a Ping operation, the new refresh the page:

Or use the tools to be a port scan test:

The above is a brief intrusion detection system IDS build process under linux environment.
- How to convert images, audio and video formats on Ubuntu (Linux)
- LogStash log analysis display system (Linux)
- Git Getting Started tutorial (Linux)
- Java learning problems encountered (Programming)
- Linux Network Programming - signal blocking and shielding (block, unblock) (Programming)
- MySQL various log summary (Database)
- How to install GIMP 2.8.16 in Ubuntu 16.04,15.10,14.04 (Linux)
- Drawing from the Android source code analysis View (Programming)
- How to use the internal network IP forwarding to connect to the Internet on Linux (Linux)
- MySQL completely uninstall and install Configuring Character Sets under Linux (Database)
- Increase ssh security service under Linux (Linux)
- Gentoo: startx problem appears Failed to load module (Linux)
- Smooth upgrade to OpenSSH 6.7 Procedure (Linux)
- Java integrated development environment common set of operations (Linux)
- How to remove the Linux memory Cache, Buffer and swap space (Linux)
- Install Linux Mint 17: 20 things to do (Linux)
- Questions about Linux compiler u-boot (Programming)
- The traffic monitoring system: cacti (Linux)
- C language to view various types of data size (Programming)
- The ORA-01113 error is handled with BBED without archiving (Database)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.