Using Snort 1.7
  Added: 11/10/2008   Published: 11/10/2008
westfox (westfoxcs@263.net), 06/08/2001

1. Overview
2. Installation (Linux) and configuration
3. Using Snort
4. Intrusion detection
5. Snort add-ons
6. References

1. Overview

Snort is an open-source network intrusion detection system. Its functions include:
1) Capturing data-link-layer packets with libpcap and decoding them through the protocol stack (TCP/IP).
2) Detecting intrusions with the misuse-detection model built into Snort, i.e. matching traffic in real time against a full rule base of known attack signatures. The rule set is comprehensive, covering buffer overflows, port scans, CGI attacks and so on, and is continually updated. If you attack with nmap, Trin00 or similar tools, Snort will very likely detect you. Snort also lets the user write and add rules of their own easily.
3) Logging in tcpdump binary format, in ASCII, or to a database (MySQL and PostgreSQL are supported), or even in XML.

2. Installation (Linux) and configuration

Taking Linux as the example platform, installation is very simple:
$ tar xzvf snort-1.7.tar.gz
$ cd snort-1.7
$ ./configure
$ make
After make finishes, the snort executable is produced in the current directory.

Snort's configuration file is snort.conf; configuring it takes four steps.

1) Set the network variables.
An IDS has to distinguish "inside" from "outside" the network. For example, my address in the subnet is 202.197.40.91, so the configuration is:
var HOME_NET 202.197.40.0/24      # the inside network
var EXTERNAL_NET any      # the outside network; note that the keyword any matches every address, including hosts in HOME_NET, so internal-to-internal traffic also counts as "external" with this setting
var DNS_SERVERS 202.197.32.12    # DNS server

2) Configure the preprocessors.
A preprocessor performs some "pre-processing" on each packet Snort captures, such as detecting undersized IP fragments, reassembling IP fragments, reassembling TCP streams and so on. Snort's preprocessors are implemented in the files named spp_*.c; for example, spp_defrag.c implements IP defragmentation. The user can set preprocessor parameters, for example:
preprocessor minfrag: 128
This treats any IP fragment smaller than 128 bytes as illegal (legitimate stacks do not normally produce such small fragments, so they usually indicate an attempt to evade the IDS or crash a host).

3) Configure the output plugins.
Snort's plugin architecture allows developers to extend its functionality. Output plugins are responsible for writing out alerts and logs: you can store logs as ASCII text files, save them to a MySQL database, or use the IAP protocol to forward them to an alert manager (see also SnortNet).
This is a MySQL example:
output database: log, mysql, user=westfox dbname=detector host=localhost password=t123 port=1234
The example above uses the MySQL RDBMS with a database named detector, user westfox, password t123, stored locally, with the MySQL server listening on port 1234. Because the database password sits in snort.conf in clear text, the file should be readable only by the account that runs Snort, and the database and its tables must already exist before Snort starts.
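The three configuration steps above collected into one snort.conf fragment, followed by two rules that use the variables, so the whole chain from variables to rule header is visible in one place. This is an added example, not the article's own configuration: the subnet and DNS server addresses are the article's; HTTP_SERVERS, the two rules, the portscan log path and the MySQL credentials are assumptions, and the MySQL port is 3306 (the server's default) rather than the article's 1234.

```conf
# snort.conf fragment (added example; HTTP_SERVERS, rules, paths and credentials are assumed)

# 1) Network variables
var HOME_NET 202.197.40.0/24
# "any" matches every address, including hosts inside HOME_NET, so traffic between
# two internal hosts also matches rules written against $EXTERNAL_NET.
var EXTERNAL_NET any
# Stricter alternative: only addresses outside HOME_NET are treated as external.
# var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS 202.197.32.12
var HTTP_SERVERS 202.197.40.91        # assumed: the one web server on the subnet

# 2) Preprocessors
# Flag IP fragments smaller than 128 bytes as illegal.
preprocessor minfrag: 128
# Alert when one source touches 4 or more ports on HOME_NET within 3 seconds;
# scan details go to the named file (path assumed).
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log

# 3) Output plugins
# One-line alerts to a text file (relative to the log directory given with -l).
output alert_fast: alert.ids
# Full packet logs to MySQL; the detector database and its tables must exist first,
# and this file must be readable only by the account running Snort.
output database: log, mysql, user=westfox dbname=detector host=localhost password=t123 port=3306

# Rules (illustrative): $EXTERNAL_NET, $HOME_NET and $HTTP_SERVERS expand in the header.
# Any new connection (SYN only) from outside to a telnet port inside.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET connection attempt from outside"; flags:S;)
# Request for the classic phf CGI on the web server, matched case-insensitively.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase;)
```

With `var EXTERNAL_NET any`, a telnet SYN from 202.197.40.5 to 202.197.40.91 fires the first rule as well; swapping in the commented `!$HOME_NET` line suppresses that and leaves only connections that really originate outside the subnet.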
