Unit 6: Snort, 6.1 Snort Components

mac, 2022-06-30

>> Snort consists of many components. First, a packet decoder, which determines the protocols used in the frame, like Ethernet at layer two, IP at layer three, and TCP at layer four. The decoder saves this information with the upper layer data, like DNS, DHCP, FTP, SSH, HTTP, SSL/TLS, and its size, but doesn't try to decode it at all at this point. The decoder also looks for errors, or anomalies, in the fields of these headers. If Snort is running in inline IPS mode, rules configured in the snort.conf configuration file can even cause packets to be dropped, because they're malicious or malformed. For example, if the Ethernet type field indicates an IPv4 packet is encapsulated inside the frame, but the size of the captured IP header is less than the 20 byte minimum length for an IPv4 header, Snort will generate an alert and move the packet out of the decoding phase.

The second component consists of multiple preprocessors, which arrange and modify packets before being sent to the detection engine for analysis. Some preprocessors detect some basic anomalies by defragmenting packets that hackers fragmented for deception purposes. They could also perform HTTP URL decoding, if hackers used hexadecimal characters in the URL for deception purposes. Preprocessors are specialized. Some can detect and log port scanning activities, while others can detect anomalies in ARP frames to identify ARP spoofing. A preprocessor can arrange a string so that it is detectable by the IDS. A string of scripts/bad hacker can be arranged many different ways! The preprocessor won't be fooled, and will rearrange small variations made by hackers to escape detection.

The third component, the detection engine, is, in fact, the heart and soul of Snort. It analyzes all packets for indications of intrusion using certain predefined rules. Rules can be applied to all protocols at all layers! The packet at layer three, the segment or datagram at layer four, and the payload inside the layer four header. Unlike ACL behavior, if a packet doesn't meet a predefined rule, it's ignored. In the first version of Snort, like ACLs, the first rule to match was used, which would log the packet and generate an alert. The packet wasn't put up against other Snort rules. Snort version 2 changed that behavior. Now all rules are put up against the packet before generating an alert and log entry. If Snort is running as an IPS, the packet can be dropped as well. After checking all rules, if there are multiple matches, the highest priority rule is used. There are some factors that could influence how the time-critical detection engine behaves, including the number of rules, the power of the machine on which Snort is running, the speed of the internal bus used in the Snort machine, and the load on the network.

The fourth component, the logging and alerting system, will hear from the detection engine about an intrusion and generate a log entry and alert for the network engineers.

The fifth component, output modules or plug-ins, control the type of output produced by the logging and alerting system. Options include generating log reports, logging alert reports in a file, sending SNMP (Simple Network Management Protocol) traps, logging to a MySQL database, sending a message to a syslog server, generating XML (Extensible Markup Language) output, modifying configurations on routers and firewalls, and sending SMB (Server Message Block) messages to Windows machines.
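As an added illustration (my own code, not part of the lecture or of Snort itself), here is a toy Python model of two of the stages described above: a decoder that reads the Ethernet type field and enforces the 20 byte IPv4 header minimum, and a Snort 2 style detection engine that evaluates every rule and keeps the highest-priority match instead of stopping at the first one. The frames, rule names and priorities are constructed sample data and assumptions, not Snort's own.

```python
import struct

# Constructed constants: EtherType for IPv4 and the minimum IPv4 header size.
ETHERTYPE_IPV4 = 0x0800
IPV4_MIN_HDR = 20

def decode(frame: bytes) -> dict:
    """Packet decoder: identify L2/L3/L4 fields and flag header anomalies."""
    pkt = {"alerts": []}
    if len(frame) < 14:
        pkt["alerts"].append("truncated Ethernet frame")
        return pkt
    pkt["ethertype"] = struct.unpack("!H", frame[12:14])[0]
    if pkt["ethertype"] != ETHERTYPE_IPV4:
        return pkt                          # not IPv4: no IPv4 checks to run
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0   # IHL field counts 32-bit words
    if len(ip) < IPV4_MIN_HDR or ihl < IPV4_MIN_HDR:
        pkt["alerts"].append("IPv4 header shorter than the 20 byte minimum")
        return pkt                          # alert and leave the decoding phase
    pkt["proto"] = ip[9]                    # 6 = TCP, 17 = UDP
    pkt["dst_port"] = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0] if len(ip) >= ihl + 4 else None
    return pkt

# Constructed rules: (priority, name, predicate); a larger number wins.
RULES = [
    (1, "any IPv4 packet", lambda p: p.get("ethertype") == ETHERTYPE_IPV4),
    (2, "TCP to port 23 (telnet)", lambda p: p.get("proto") == 6 and p.get("dst_port") == 23),
]

def detect(pkt: dict):
    """Snort 2 style: test every rule, then report the highest-priority match."""
    matches = [(prio, name) for prio, name, test in RULES if test(pkt)]
    return max(matches)[1] if matches else None

def inspect(frame: bytes):
    """Run decoder then detection; a decoder alert ends processing early."""
    pkt = decode(frame)
    if pkt["alerts"]:
        return "decoder", pkt["alerts"][0]
    hit = detect(pkt)
    return ("rule", hit) if hit else (None, None)

def ipv4_frame(ihl_words: int, proto: int, dst_port: int) -> bytes:
    """Build a constructed Ethernet + IPv4 + L4-ports frame (no checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytes([(4 << 4) | ihl_words, 0]) + struct.pack("!HHHBBHII", 40, 0, 0, 64, proto, 0, 0x0A000001, 0x0A000002)
    ip += b"\x00" * max(0, ihl_words * 4 - 20)   # pad when IHL > 5 (IP options)
    return eth + ip + struct.pack("!HH", 40000, dst_port)
```

A frame with IHL set to 4 (16 bytes) never reaches the rules, while a frame to TCP port 23 matches both rules and the higher-priority one is reported.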

Reposted from: https://www.cnblogs.com/sec875/articles/10028728.html
