基于Snort的入侵检测应用系统设计与实施
|
摘要
近几年来,随着互联网技术的日益普及,电子商务,金融和商务,金融和政府正面临着遭受黑客、病毒的困扰。而且,随着系统的功能越复杂,遭到侵扰的可能性就越大。因此,不可忽视的网络安全问题也随之摆在我们面前,如何保证电子商务,金融和政府网络系统不被攻击和破坏,已经成为当前网络管理的重要任务。
而随着信息安全技术的进一步发展,各种安全解决方案,如防火墙技术、防黑客技术、加密技术以及对整个系统不安全因素的扫描、检测和警报、防治等等相继涌现和发展,其中以以入侵检测为代表的动态安全技术,则能够主动检测网络的易受攻击点和安全漏洞,并且通常能够先于人工探测到危险行为,入侵检测能够发现危险攻击的特征,进而探测出攻击行为发出警报,同时采取保护措施。入侵检测技术是继“防火墙”、“数据加密”等传统安全保护措施后,新一代的安全保障技术。
本文详细分析和研究了基于误用的开源入侵检测系统Snort,对它的工作原理、体系结构以及规则库进行了深入的剖析,发现了Snort系统在高速网络上检测性能的不足和缺点,并提出了利用规则优化技术和改进的多模式匹配算法来提升Snort性能。本文还根据中山市教育信息网络中心机房的实际需求,阐述了入侵检测系统的设计理念,在此基础上形成了一个基于Snort的入侵检测应用系统一体化设计实施方案,详细描述了系统的引擎设计,规则库设计,流量分析以及控制台设计等具体问题,对于需要使用入侵检测来提高系统安全的有关单位具有一定的参考和借鉴意义。
In the last few years, the intelligence that breadth take to connect into the technique is increasingly universal, and the residence is with the new hot point that the small area of residence will become people to consume. Therefore, can't the safe problem of family that neglect also immediately put in our in front, and how to guarantee the family network the system not quilt attack with break, and have already become the important mission that manage of current family network.
As information security technology for the further development of security solutions, such as firewall technology, anti-hacking technology, encryption technology, and the entire system factors of insecurity scanning, detection and alarm, control and so on have emerged and developed, with Intrusion Detection for a representative of the dynamic security technology, it can take the initiative to detect vulnerable point and the network security loopholes, and often can be detected before artificial risky behavior, intrusion detection can be found dangerous attack characteristics, thereby detect attacks issued alarm, while taking protective measures. Intrusion detection technology is the "firewall", "data encryption", and other traditional security protection measures, a new generation of security technology.
In this paper, detailed analysis and research based on the misuse of the open source Snort Intrusion Detection System, its working principle, the rules of architecture and conducted in-depth analysis, and found Snort system in the high-speed network detection performance deficiencies and shortcomings, and by optimizing the use of technology and improvement of the rules of multi-pattern matching algorithm to improve performance of Snort. In this paper, Zhongshan City, also in accordance with the Education Information Network Center Room actual demand, expounded Intrusion Detection System design concepts, based on this based on the formation of a Snort Intrusion Detection System Application Design implementation of the integration program, the system described in detail the design of the engine , rules for design, analysis and console design flow specific issues, such as the need to increase the use of intrusion detection system security-related units have some reference and learn.
而随着信息安全技术的进一步发展,各种安全解决方案,如防火墙技术、防黑客技术、加密技术以及对整个系统不安全因素的扫描、检测和警报、防治等等相继涌现和发展,其中以以入侵检测为代表的动态安全技术,则能够主动检测网络的易受攻击点和安全漏洞,并且通常能够先于人工探测到危险行为,入侵检测能够发现危险攻击的特征,进而探测出攻击行为发出警报,同时采取保护措施。入侵检测技术是继“防火墙”、“数据加密”等传统安全保护措施后,新一代的安全保障技术。
本文详细分析和研究了基于误用的开源入侵检测系统Snort,对它的工作原理、体系结构以及规则库进行了深入的剖析,发现了Snort系统在高速网络上检测性能的不足和缺点,并提出了利用规则优化技术和改进的多模式匹配算法来提升Snort性能。本文还根据中山市教育信息网络中心机房的实际需求,阐述了入侵检测系统的设计理念,在此基础上形成了一个基于Snort的入侵检测应用系统一体化设计实施方案,详细描述了系统的引擎设计,规则库设计,流量分析以及控制台设计等具体问题,对于需要使用入侵检测来提高系统安全的有关单位具有一定的参考和借鉴意义。
In the last few years, the intelligence that breadth take to connect into the technique is increasingly universal, and the residence is with the new hot point that the small area of residence will become people to consume. Therefore, can't the safe problem of family that neglect also immediately put in our in front, and how to guarantee the family network the system not quilt attack with break, and have already become the important mission that manage of current family network.
As information security technology for the further development of security solutions, such as firewall technology, anti-hacking technology, encryption technology, and the entire system factors of insecurity scanning, detection and alarm, control and so on have emerged and developed, with Intrusion Detection for a representative of the dynamic security technology, it can take the initiative to detect vulnerable point and the network security loopholes, and often can be detected before artificial risky behavior, intrusion detection can be found dangerous attack characteristics, thereby detect attacks issued alarm, while taking protective measures. Intrusion detection technology is the "firewall", "data encryption", and other traditional security protection measures, a new generation of security technology.
In this paper, detailed analysis and research based on the misuse of the open source Snort Intrusion Detection System, its working principle, the rules of architecture and conducted in-depth analysis, and found Snort system in the high-speed network detection performance deficiencies and shortcomings, and by optimizing the use of technology and improvement of the rules of multi-pattern matching algorithm to improve performance of Snort. In this paper, Zhongshan City, also in accordance with the Education Information Network Center Room actual demand, expounded Intrusion Detection System design concepts, based on this based on the formation of a Snort Intrusion Detection System Application Design implementation of the integration program, the system described in detail the design of the engine , rules for design, analysis and console design flow specific issues, such as the need to increase the use of intrusion detection system security-related units have some reference and learn.
引文
[1]宋劲松.Snort2.0入侵检测.北京:国防工业出版社,2004.1,12-17
[2]吴溥峰,孙默许诚.Snort入侵检测实用解决方案.北京:机械工业出版社,2005.1,23-25
[3]陈金柱,李逸波等.Snort入侵检测系统规则集的优化.中国信息安全组织,2004.3,11-13
[4] MareNorton,DanielRoelker.SNORT2.0RULEOPTIMIZER,Soureefire.Ine2003.2,153-157
[5] Nitesh Dhanjani.Linux与Unix安全手册.北京:清华大学出版社,2004.7,163-171
[6] RobFliCkenger.LinuxServerHaeks.北京:清华大学出版社,2004.5,132-135
[7] MartinRoeseh.Snort一LightweightIntrusionDeteetionforNetworkS,2002.4,45-52
[8] Soureefire,ine.SnortUsersManual2.3.2,Soureefire,ine,2005.4,32-36
[9]朱奋起,陈宇,李雪莹等.基于数据分流实现高速网入侵检测的研究与实践.成都:计算机应用研究杂志社,2004.5,149-151
[10]杨孔雨,王秀峰.计算机智能及免疫理论在入侵检测的应用研究.成都:计算机应用研究杂志社,2004.5,152-154
[11]李健,张国印,顾国昌等.网络扫描技术实现及其在网络安全中的应用.成都:计算机应用研究杂志社,2004.2,101-105
[12]杨小平,苏静.基于协议分析的入侵检测技术研究.成都:计算机应用研究杂志社,2004.2,108-110
[13]孟宪福.基于CORBA代理防火墙研究与实现.成都:计算机应用研究杂志社,2004.3,225-227
[14]鲁云平,陈蜀宇,姚雪梅.免疫原理在入侵检测技术中的研究.成都:计算机应用研究杂志社,2004.3,228-229
[15]杨奕.基于入侵诱骗技术的网络安全研究与实现.成都:计算机应用研究杂志社,2004.3,230-232
[16]李钟华,李伟华,刘尊.大规模网络入侵预警隔离体系研究.成都:计算机应用研究杂志社,2004.12,100-101
[17]褚永刚,吕慧勤,杨义先等.大规模分布式入侵检测系统的体系结构模型.成都:计算机应用研究杂志社,2004.12,105-106
[18]侍伟敏,杨义先,杨亚飞等.大规模分布式IDS中安全部件间互动的API设计.成都:计算机应用研究杂志社,2004.12,107-108
[19]朱良根,张玉清,雷振甲.DOS攻击及其防范.成都:计算机应用研究杂志社,2004.7,82-84
[20]胡笑蕾,胡华平,宋世杰.数据挖掘算法在入侵检测系统中的应用.成都:计算机应用研究杂志社,2004.7,88-90
[21]谢洁锐,刘财兴,肖德琴等.具有入侵功能检测功能的防火墙设计.成都:计算机应用研究杂志社,2004.7,91-92
[22]郑挺,胡华平.入侵检测系统报警信息融合模型的设计与实现.成都:计算机应用研究杂志社,2004.7,95-98
[23]马欣,张玉清,顾新等.自动入侵响应技术研究.成都:计算机应用研究2004.4,91-94
[24]曾志强,杨向荣,沈钧毅.模糊数据挖掘和遗传算法在入侵检测中的应用.成都:计算机应用研究杂志社,2004.4,95-97
[25]李玉娟,李传林.一种新的基于Agent的入侵检测系统模型.成都:计算机应用研究杂志社,2004.4,104-105
[26]朱建明,马建峰.基于多代理的入侵检测数据收集模型.成都:计算机应用研究杂志社, 2004.1,103-104
[27]胡敏,潘雪梅,平玲娣.基于数据挖掘的实时入侵检测技术的研究.成都:计算机应用研究杂志社,2004.1,105-108
[28]丁剑,齐竞艳,吕志军等.一种基于概率的实时扫描检测方法.成都:计算机应用研究杂志社,2004.1,109-111
[29]徐辉,潘爱民.一种增强的Linux系统安全审计机制.成都:计算机应用研究杂志社,2004.11,150-153
[30]瞿钮,武舒凡,胡建武.防火墙包过滤技术发展研究.成都:计算机应用研究杂志社,2004.9,144-146
[31]马传龙,邓亚军.Honeynets及其最新技术.成都:计算机应用研究杂志社,2004.7,11-13
[32]孙淑华,马恒太,张楠等.后门植入、隐藏与检测技术研究.成都:计算机应用研究杂志社,2004.7,78-81
[33]汪静,王能.入侵检测系统设计方案的改进.成都:计算机应用研究杂志社,2004.7,208-210
[34]于洪奎,王成耀,王继龙.基于WMI工技术的无代理主机入侵检测系统模型设计.成都:计算机应用研究杂志社,2004.12,284-285
[35]杜彦辉,马锐,刘玉树.分布式拒绝服务攻击的形式化描述.成都:计算机应用研究杂志社,2004.3,214-216
[36]徐鸣涛,陆松年,杨树堂.IP返回跟踪DoS攻击的三种数据包标记算法.成都:计算机应用研究杂志社,2004.3,235-236
[37]徐鸣涛,陆松年,杨树堂.五种IP返回跟踪拒绝服务攻击方法的比较.成都:计算机应用研究杂志社,2004.3,237-238
[38]唐海娜,李俊.网络性能检测技术综述.成都:计算机应用研究杂志社,2004.8,10-13
[39]卜宏,郭晓芳,赵静凯.分布式环境下的访问控制.成都:计算机应用研究杂志社,2004.8,89-91
[40]赵新辉,李祥.捕获网络数据包的方法.成都:计算机应用研究杂志社,2004.8,242-243
[41]彭蔓蔓,喻飞,李仁发.一种基于网络处理器的入侵检测系统.成都:计算机应用研究杂志社,2004.4,115-117
[42]臧文科,刘希玉,胡明峰.一种基于标志的用户权限控制模型.成都:计算机应用研究杂志社,2004.4,124-126
[43]蔡文强.基于Windows2000登陆脚本关键策略的实现方法.成都:计算机应用研究杂志社, 2004.4,230-232
[44]万国根,秦志光,刘锦德.网络内容安全分析及审计技术研究.成都:计算机应用研究杂志社,2004.4,117-118
[45] Scott C.Sanchez, CISSP.IDS Zone Theory Diagram,2000,23
[2]吴溥峰,孙默许诚.Snort入侵检测实用解决方案.北京:机械工业出版社,2005.1,23-25
[3]陈金柱,李逸波等.Snort入侵检测系统规则集的优化.中国信息安全组织,2004.3,11-13
[4] MareNorton,DanielRoelker.SNORT2.0RULEOPTIMIZER,Soureefire.Ine2003.2,153-157
[5] Nitesh Dhanjani.Linux与Unix安全手册.北京:清华大学出版社,2004.7,163-171
[6] RobFliCkenger.LinuxServerHaeks.北京:清华大学出版社,2004.5,132-135
[7] MartinRoeseh.Snort一LightweightIntrusionDeteetionforNetworkS,2002.4,45-52
[8] Soureefire,ine.SnortUsersManual2.3.2,Soureefire,ine,2005.4,32-36
[9]朱奋起,陈宇,李雪莹等.基于数据分流实现高速网入侵检测的研究与实践.成都:计算机应用研究杂志社,2004.5,149-151
[10]杨孔雨,王秀峰.计算机智能及免疫理论在入侵检测的应用研究.成都:计算机应用研究杂志社,2004.5,152-154
[11]李健,张国印,顾国昌等.网络扫描技术实现及其在网络安全中的应用.成都:计算机应用研究杂志社,2004.2,101-105
[12]杨小平,苏静.基于协议分析的入侵检测技术研究.成都:计算机应用研究杂志社,2004.2,108-110
[13]孟宪福.基于CORBA代理防火墙研究与实现.成都:计算机应用研究杂志社,2004.3,225-227
[14]鲁云平,陈蜀宇,姚雪梅.免疫原理在入侵检测技术中的研究.成都:计算机应用研究杂志社,2004.3,228-229
[15]杨奕.基于入侵诱骗技术的网络安全研究与实现.成都:计算机应用研究杂志社,2004.3,230-232
[16]李钟华,李伟华,刘尊.大规模网络入侵预警隔离体系研究.成都:计算机应用研究杂志社,2004.12,100-101
[17]褚永刚,吕慧勤,杨义先等.大规模分布式入侵检测系统的体系结构模型.成都:计算机应用研究杂志社,2004.12,105-106
[18]侍伟敏,杨义先,杨亚飞等.大规模分布式IDS中安全部件间互动的API设计.成都:计算机应用研究杂志社,2004.12,107-108
[19]朱良根,张玉清,雷振甲.DOS攻击及其防范.成都:计算机应用研究杂志社,2004.7,82-84
[20]胡笑蕾,胡华平,宋世杰.数据挖掘算法在入侵检测系统中的应用.成都:计算机应用研究杂志社,2004.7,88-90
[21]谢洁锐,刘财兴,肖德琴等.具有入侵功能检测功能的防火墙设计.成都:计算机应用研究杂志社,2004.7,91-92
[22]郑挺,胡华平.入侵检测系统报警信息融合模型的设计与实现.成都:计算机应用研究杂志社,2004.7,95-98
[23]马欣,张玉清,顾新等.自动入侵响应技术研究.成都:计算机应用研究2004.4,91-94
[24]曾志强,杨向荣,沈钧毅.模糊数据挖掘和遗传算法在入侵检测中的应用.成都:计算机应用研究杂志社,2004.4,95-97
[25]李玉娟,李传林.一种新的基于Agent的入侵检测系统模型.成都:计算机应用研究杂志社,2004.4,104-105
[26]朱建明,马建峰.基于多代理的入侵检测数据收集模型.成都:计算机应用研究杂志社, 2004.1,103-104
[27]胡敏,潘雪梅,平玲娣.基于数据挖掘的实时入侵检测技术的研究.成都:计算机应用研究杂志社,2004.1,105-108
[28]丁剑,齐竞艳,吕志军等.一种基于概率的实时扫描检测方法.成都:计算机应用研究杂志社,2004.1,109-111
[29]徐辉,潘爱民.一种增强的Linux系统安全审计机制.成都:计算机应用研究杂志社,2004.11,150-153
[30]瞿钮,武舒凡,胡建武.防火墙包过滤技术发展研究.成都:计算机应用研究杂志社,2004.9,144-146
[31]马传龙,邓亚军.Honeynets及其最新技术.成都:计算机应用研究杂志社,2004.7,11-13
[32]孙淑华,马恒太,张楠等.后门植入、隐藏与检测技术研究.成都:计算机应用研究杂志社,2004.7,78-81
[33]汪静,王能.入侵检测系统设计方案的改进.成都:计算机应用研究杂志社,2004.7,208-210
[34]于洪奎,王成耀,王继龙.基于WMI工技术的无代理主机入侵检测系统模型设计.成都:计算机应用研究杂志社,2004.12,284-285
[35]杜彦辉,马锐,刘玉树.分布式拒绝服务攻击的形式化描述.成都:计算机应用研究杂志社,2004.3,214-216
[36]徐鸣涛,陆松年,杨树堂.IP返回跟踪DoS攻击的三种数据包标记算法.成都:计算机应用研究杂志社,2004.3,235-236
[37]徐鸣涛,陆松年,杨树堂.五种IP返回跟踪拒绝服务攻击方法的比较.成都:计算机应用研究杂志社,2004.3,237-238
[38]唐海娜,李俊.网络性能检测技术综述.成都:计算机应用研究杂志社,2004.8,10-13
[39]卜宏,郭晓芳,赵静凯.分布式环境下的访问控制.成都:计算机应用研究杂志社,2004.8,89-91
[40]赵新辉,李祥.捕获网络数据包的方法.成都:计算机应用研究杂志社,2004.8,242-243
[41]彭蔓蔓,喻飞,李仁发.一种基于网络处理器的入侵检测系统.成都:计算机应用研究杂志社,2004.4,115-117
[42]臧文科,刘希玉,胡明峰.一种基于标志的用户权限控制模型.成都:计算机应用研究杂志社,2004.4,124-126
[43]蔡文强.基于Windows2000登陆脚本关键策略的实现方法.成都:计算机应用研究杂志社, 2004.4,230-232
[44]万国根,秦志光,刘锦德.网络内容安全分析及审计技术研究.成都:计算机应用研究杂志社,2004.4,117-118
[45] Scott C.Sanchez, CISSP.IDS Zone Theory Diagram,2000,23