| |
Snort it is a multi-platform, intrusion detection system real-time traffic analysis. Snort is a libpcap-based packet sniffer and can be used as a lightweight network intrusion detection system.
snort has three operating modes:
1, sniffer
Sniffer mode: reads the data packets from the network as a continuous stream displayed on the terminal.
2, packet logger
Packet logger: the data packet is recorded onto the hard disk.
3, the network intrusion detection system.
Network Intrusion Detection: It is configurable (it will be relatively more complex).
working principle:
Because the data can capture packets on the network, but it can be distinguished from sniffer based on custom rules and make the appropriate treatment. The mechanism according to the following rules have five kinds of responses.
Activation (alarm and start another dynamic rule chain)
Dynamic (calls by other rules package)
Alert (alarm)
Pass (ignored)
Log (but no alarm recording network traffic)
Snort through TCP / IP network layer, data link layer 5 structure crawl network packets, when the need to capture card is set to promiscuous mode, according to different operating systems using libpcap or winpcap function captures packets from the network ; then the captured data packet to packet decoder to decode.
Snort running:
Mainly through the plug-in work together to make it powerful, so select the appropriate database at deployment, Web servers, graphics software and version is also very important.
insufficient:
Snort reason that he is a lightweight means that his function is still not perfect, and such other products as linkage could be improved; Snort plug-in to work each function, installation complexity, each plug-in software versions and other issues because sometimes influence program runs; Snort for all data traffic according to the rules of the match, and sometimes will produce a lot of false positives due process.
Intrusion Detection System: IDS
IPS: IPS
IDS protection is detected, IPS is protection;
SessionWall: CA company produced, graphical interface, you can monitor traffic and comprehensive program accordingly by an alarm and obstruction rules.
RealSecure: ISS RealSecure is a real-time monitoring software, which includes the console, a network engine and system agents three parts. RealSecure templates include security incident template, templates, and user-defined connection event event template.
IDS can essentially be divided into two categories: network-based IDS (NIDS) and host-based IDS (HIDS) both IDS.
Called HIDS (software) snort host-based (for not being detected by firewall intrusion). You need to be installed to be protected hosts (you can view traffic logs, user behavior and some files)
Network-based call NIDS (hardware) Digital H3C have (hardware), installation and switches needed to bind;
working principle:
IDS listening port :( collect its concerns packets
Compare feature: IDS traffic statistics extracted characteristic value, and the signature match;
Alarm: the higher the degree of match message to Liu that would be considered offensive, IDS will alarm.
(Information collection --- Analysis - Detecting whether the alarm)
Detection of host-based applications; only installed on important hosts above.
Network-based intrusion detection: will be deployed on a network device.
platform:
Linux5.4
Packages:
adodb514.zip
(Intermediate assembly for a PHP function to access a database, a database support for php optimization;)
base-1.4.5.tar.gz
(Snort IDS is a warning to view Web applications)
snort-2.8.0.1-1.RH5.i386.rpm
(Intrusion Detection System)
snort-mysql-2.8.0.1-1.RH5.i386.rpm
(Snort and database to the device)
snortrules-snapshot-2.8.tar.gz
(Intrusion detection rule base)
installation:
rpm -ivh snort-2.8.0.1-1.RH5.i386.rpm
Installation can be completed directly with the line;
In the terminal can execute instructions directly: snort -v
If the external network ping time, where there will be records show; (pause ctrl + Z)
Kill this process: pkill -9 snort
Then you can then check whether the use of jobs to be killed;
You can also use snort -vde (but not a MAC address)
Information recording: snort -vde l ./ & / dev / null & can be recorded,
Intrusion rule base application:
cd / etc / snort / rules / (in this folder)
Then import rules, because it is a compressed package, directly extract to / etc / snort / directory on it:
tar -zxvf snortrules-snapshot-2.8.tar.gz -C / etc / snort /
After importing the view to cd / setc / snort / rules / directory; there will be a lot of the rules.
(Old version of the software is relatively very little intrusion rules library resources will be significantly different from the old as much as possible to update)
Under part of the rule is the protocol:
Snort currently analyzes for suspicious packages ip protocol has four: TCP, UDP, ICMP, IP;
(Perhaps soon there will be the development of ARP, IGRP, GRE, OSPF, RIP, IPX)
If the detected files want to record data inside; so the intrusion detection system set up to install the software, or more:
mysql, apache, php, libpcap (linux network packet capture function package), adodb (the database can optimize), snort (main), base (basic analysis and security engine), - acid to code project basis, to provide web front end.
Because the installation of these things as much as possible is to use yum to install:
Edit the local yum:
vim /etc/yum.repos.d/rhel-debuginfo.repo
[Rhel-server]
name = Red Haterprise Linux server
baseurl = file: /// mnt / cdrom /
enabled = 1
gpgcheck = 1
gpgkey = file: /// mnt / cdrom / RPM-GPG-KEY-RedHat-relase
Mount disc yum install:
mkdir / mnt / cdrom
mount / dev / cdrom / mnt / cdrom /
yum install:
Installation is complete open a variety of services, and then set chkconfig:
chkconfig httpd on
For mysql need to set a password (the default installation is a root user with no password)
mysqladmin-u root -p password '123'
Further added snort database and tables in the data:
(Since we expect the detected information into mysql database inside, into what the database, but also in further settings)
Connect to the database: mysql -u root -p
create database snort;
(New snort database)
use snort;
(Using the snort database)
show tables;
(Add in this table, each see a table, we must add the frame of a table; but here it can be directly imported to create the table are some of the fields and the like)
chkconfig mysql on
(Still using the chkconfig settings)
Then also want to snort detection protocol data is to be placed in a database, and therefore also install a stuff:
It is snort-mysql-2.8.0.1-1.RH5.i386.rpm package
(A device connected to the database snort)
vim /etc/snort/snort.conf
Or may be used to see if jobs are running;
Upgrade Installation pear
(Ie: PHP Extension and Application Library)
pear install --force PEAR-1.8.1 (system connected to the Internet, you can directly upgrade)
pear upgrade pear (then updated)
Then install some modules; (some modules graphical interface)
Install adodb
adodb514.zip (it is used to support a database for php optimization)
Extracting first: unzip adodb514.zip
Then it moves to the next / var / www / html / adodb directory.
mv adodb5 / var / www / html / adodb (easy to do can also change the name of)
base installation
tar -zxvf base-1.4.5.tar.gz -C / var / www / html /
To facilitate the operation may change my name: After direct access to physical directory http://0.0.0.0/base
mv base-1.4.5 / base
And then re-enter this directory, you also need to copy some files.
Then there base_conf.php configuration files in / var / www / html / change inside;
Before you change permissions settings still need to make under the base directory: chmod o + w base /
That's it:
(In fact, this can be set directly into the page, and then set the form of this document; through direct physical access http://192.168.1.101/base/setup/index.php disposed in; but it may be some default settings log several times too high, so also you need to edit php.ini etc directory change my)
Tips such as this:
Then you need vim /etc/php.ini
Since this change, we also need to restart apache and then re-enter:
A total of five installation; language setting, adodb path:
Then set up a number of related database:
User interface management settings and password:
Then it enters the basic analysis and security engine :( create base AG)
Part 5 to: see some protocol detection.
(Of course, this is because the data did not run)
Restarts, to be a Ping operation, the new refresh the page:
Or use the tools to be a port scan test:
The above is a brief intrusion detection system IDS build process under linux environment. |
|
|
|