Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ IDS Intrusion Detection System built (Linux)     - Features and prevention methods elaborate network security grayware (Linux)

- How to build a container cluster (Server)

- Python Multithreaded Programming (Programming)

- CentOS 6.4 Telecom ADSL dial-up network configuration (Linux)

- Process safety monitoring and protection under the Linux operating system (Linux)

- Servlet life cycle code examples (Programming)

- Memcached source installation and configuration under CentOS 6.6 (Server)

- ORA-04031 Error Resolution (Database)

- Linux host dual LAN transceiver package ARP problem (Linux)

- Oracle 11g RAC manually playing GI PSU patch ( (Database)

- Under CentOS Linux automatic backup MySQL database daily (Database)

- Object Oriented Programming Java reflection (Programming)

- Some MySQL interview questions (Database)

- Ubuntu How to install and upgrade Linux Kernel 3.15 (Linux)

- CentOS 6.5 install Maven and Nexus warehouse agent (Server)

- The basic principle of pointers in C ++ (Programming)

- How to use the beta / unstable version of the software in Debian library (Linux)

- Easy to install CentOS 6.6 desktop environment (Linux)

- How to modify the SQL Server auto-increment value and the corresponding solution (Database)

- Doubly linked list basic operations (Linux)

  IDS Intrusion Detection System built (Linux)
  Add Date : 2018-11-21      
  Snort it is a multi-platform, intrusion detection system real-time traffic analysis. Snort is a libpcap-based packet sniffer and can be used as a lightweight network intrusion detection system.

snort has three operating modes:
1, sniffer
Sniffer mode: reads the data packets from the network as a continuous stream displayed on the terminal.
2, packet logger
Packet logger: the data packet is recorded onto the hard disk.
3, the network intrusion detection system.
Network Intrusion Detection: It is configurable (it will be relatively more complex).

working principle:
Because the data can capture packets on the network, but it can be distinguished from sniffer based on custom rules and make the appropriate treatment. The mechanism according to the following rules have five kinds of responses.
Activation (alarm and start another dynamic rule chain)
Dynamic (calls by other rules package)
Alert (alarm)
Pass (ignored)
Log (but no alarm recording network traffic)

Snort through TCP / IP network layer, data link layer 5 structure crawl network packets, when the need to capture card is set to promiscuous mode, according to different operating systems using libpcap or winpcap function captures packets from the network ; then the captured data packet to packet decoder to decode.

Snort running:
Mainly through the plug-in work together to make it powerful, so select the appropriate database at deployment, Web servers, graphics software and version is also very important.

Snort reason that he is a lightweight means that his function is still not perfect, and such other products as linkage could be improved; Snort plug-in to work each function, installation complexity, each plug-in software versions and other issues because sometimes influence program runs; Snort for all data traffic according to the rules of the match, and sometimes will produce a lot of false positives due process.

Intrusion Detection System: IDS

IDS protection is detected, IPS is protection;
SessionWall: CA company produced, graphical interface, you can monitor traffic and comprehensive program accordingly by an alarm and obstruction rules.
RealSecure: ISS RealSecure is a real-time monitoring software, which includes the console, a network engine and system agents three parts. RealSecure templates include security incident template, templates, and user-defined connection event event template.
IDS can essentially be divided into two categories: network-based IDS (NIDS) and host-based IDS (HIDS) both IDS.
Called HIDS (software) snort host-based (for not being detected by firewall intrusion). You need to be installed to be protected hosts (you can view traffic logs, user behavior and some files)
Network-based call NIDS (hardware) Digital H3C have (hardware), installation and switches needed to bind;

working principle:
IDS listening port :( collect its concerns packets
Compare feature: IDS traffic statistics extracted characteristic value, and the signature match;
Alarm: the higher the degree of match message to Liu that would be considered offensive, IDS will alarm.
(Information collection --- Analysis - Detecting whether the alarm)
Detection of host-based applications; only installed on important hosts above.
Network-based intrusion detection: will be deployed on a network device.

(Intermediate assembly for a PHP function to access a database, a database support for php optimization;)
(Snort IDS is a warning to view Web applications)
(Intrusion Detection System)
(Snort and database to the device)
(Intrusion detection rule base)

rpm -ivh snort-
Installation can be completed directly with the line;
In the terminal can execute instructions directly: snort -v
If the external network ping time, where there will be records show; (pause ctrl + Z)
Kill this process: pkill -9 snort
Then you can then check whether the use of jobs to be killed;
You can also use snort -vde (but not a MAC address)
Information recording: snort -vde l ./ & / dev / null & can be recorded,

Intrusion rule base application:
cd / etc / snort / rules / (in this folder)
Then import rules, because it is a compressed package, directly extract to / etc / snort / directory on it:
tar -zxvf snortrules-snapshot-2.8.tar.gz -C / etc / snort /
After importing the view to cd / setc / snort / rules / directory; there will be a lot of the rules.
(Old version of the software is relatively very little intrusion rules library resources will be significantly different from the old as much as possible to update)

Under part of the rule is the protocol:
Snort currently analyzes for suspicious packages ip protocol has four: TCP, UDP, ICMP, IP;
(Perhaps soon there will be the development of ARP, IGRP, GRE, OSPF, RIP, IPX)
If the detected files want to record data inside; so the intrusion detection system set up to install the software, or more:
mysql, apache, php, libpcap (linux network packet capture function package), adodb (the database can optimize), snort (main), base (basic analysis and security engine), - acid to code project basis, to provide web front end.
Because the installation of these things as much as possible is to use yum to install:
Edit the local yum:
vim /etc/yum.repos.d/rhel-debuginfo.repo
name = Red Haterprise Linux server
baseurl = file: /// mnt / cdrom /
enabled = 1

gpgcheck = 1
gpgkey = file: /// mnt / cdrom / RPM-GPG-KEY-RedHat-relase

Mount disc yum install:
mkdir / mnt / cdrom
mount / dev / cdrom / mnt / cdrom /
yum install:

Installation is complete open a variety of services, and then set chkconfig:

chkconfig httpd on
For mysql need to set a password (the default installation is a root user with no password)
mysqladmin-u root -p password '123'
Further added snort database and tables in the data:

(Since we expect the detected information into mysql database inside, into what the database, but also in further settings)
Connect to the database: mysql -u root -p

create database snort;
(New snort database)

use snort;
(Using the snort database)
show tables;
(Add in this table, each see a table, we must add the frame of a table; but here it can be directly imported to create the table are some of the fields and the like)

chkconfig mysql on
(Still using the chkconfig settings)

Then also want to snort detection protocol data is to be placed in a database, and therefore also install a stuff:
It is snort-mysql- package
(A device connected to the database snort)
vim /etc/snort/snort.conf

Or may be used to see if jobs are running;

Upgrade Installation pear
(Ie: PHP Extension and Application Library)
pear install --force PEAR-1.8.1 (system connected to the Internet, you can directly upgrade)
pear upgrade pear (then updated)
Then install some modules; (some modules graphical interface)

Install adodb
adodb514.zip (it is used to support a database for php optimization)
Extracting first: unzip adodb514.zip
Then it moves to the next / var / www / html / adodb directory.
mv adodb5 / var / www / html / adodb (easy to do can also change the name of)

base installation
tar -zxvf base-1.4.5.tar.gz -C / var / www / html /
To facilitate the operation may change my name: After direct access to physical directory
mv base-1.4.5 / base
And then re-enter this directory, you also need to copy some files.

Then there base_conf.php configuration files in / var / www / html / change inside;
Before you change permissions settings still need to make under the base directory: chmod o + w base /
That's it:

(In fact, this can be set directly into the page, and then set the form of this document; through direct physical access disposed in; but it may be some default settings log several times too high, so also you need to edit php.ini etc directory change my)
Tips such as this:

Then you need vim /etc/php.ini

Since this change, we also need to restart apache and then re-enter:
A total of five installation; language setting, adodb path:

Then set up a number of related database:

User interface management settings and password:

Then it enters the basic analysis and security engine :( create base AG)

Part 5 to: see some protocol detection.

(Of course, this is because the data did not run)
Restarts, to be a Ping operation, the new refresh the page:

Or use the tools to be a port scan test:

The above is a brief intrusion detection system IDS build process under linux environment.
- CentOS installation pycurl (Linux)
- Linux text processing tool of sed (Linux)
- Ubuntu will be written in a command file, executable file, source command (Linux)
- Sort search algorithm Java - application examples with recursive dichotomy (Programming)
- How do I switch from NetworkManager to systemd-network on Linux (Linux)
- Ubuntu GCC, G ++ and fortran Version Switch (Linux)
- Use install_updates upgrade GAMIT / GLOBK (Linux)
- Java exception handling mechanism (Programming)
- CentOS 7.1 install NTFS-3G (Linux)
- Oracle Database Performance Optimization of memory disk (Database)
- Ubuntu deployment Flask + UWSGI + Nginx Comments (Server)
- Upgrading to Debian 7.6 glibc 2.15 (Linux)
- ORA-00824: can not set sga_target due to existing problem-solving (Database)
- TOAD connect DB2 error SQL1460N solve (Database)
- Seven Steps to Help Google Chrome Speed - (Linux)
- Java programmers talk about those advanced knowledge and direction (Programming)
- Java precision four operations (Programming)
- Create, modify, delete users, user groups under linux (Linux)
- Oracle 11g can not export a variety of empty table solution (Database)
- Ubuntu in Vim editor display processing method Chinese garbled (Linux)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.