After stateless packet filter firewalls, like ACLs, weed out undesirable traffic going into a network, there will still be malicious packets inside. First off, firewalls are just a single part of a more complex defense in depth architecture. Malicious packets can, and will, regularly evade firewalls. Secondly, malicious traffic that originates from inside the network is never checked by a network-based firewall which sits on the perimeter of the network, because the malicious traffic is already inside the network! IDSs, Intrusion Detection Systems, and IPSs, Intrusion Prevention Systems, help mitigate these two issues.

An IDS is out of band, and simply gets copies of network traffic. It can be a system getting copies of traffic to inspect through port mirroring, where a switch is configured to send all traffic to the IDS. Instead of port mirroring, done at the switch, a network tap, which is a hardware device that provides a way to access the data flowing across a network, can be used.

An IPS is inline, so original traffic must pass through the IPS, and it could potentially bring that traffic down, causing a denial of service, unlike the out-of-band IDS. Furthermore, since the IDS is out of band, it doesn't add latency. An IPS adds some latency since it is inline with the traffic that has to go through it. An IPS can stop malicious traffic as soon as it sees it, though, whereas an IDS can't. Both an IDS and an IPS, however, could automatically notify other devices, like firewalls, to block certain traffic earlier based on observed packets. IDSs and IPSs could each be network-based or host-based. IDSs and IPSs both require more logic and learning than firewalls. They have to make decisions about where certain lines were crossed, and then take appropriate actions.

One of the most popular IDSs used today is Snort, which could be used as either an IDS or an IPS. Snort is supported on many hardware platforms and operating systems, including Windows, Mac, Linux, and Unix. In this unit, we'll take a look at how Snort works, how to configure rules, and how to test them.

Snort's website describes the software as an open source network intrusion prevention system capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. In fact, in 2009, Snort, upon entering InfoWorld's Open Source Hall of Fame, was described as one of the greatest pieces of open source software of all time!
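To make the IDS-versus-IPS distinction and Snort's content/flag matching concrete, here is an added teaching example (not from this unit and not Snort's own code): a tiny evaluator for a subset of Snort 2 rule syntax that runs two constructed rules against constructed packets, once as an out-of-band sensor that can only alert and once inline where a `drop` rule actually blocks. Only `msg`, `content`, `nocase`, `flags` and `sid` are understood; everything else about the rules and packets is an assumption of this example.

```python
import re

# Subset of Snort 2 rule syntax: header, msg, content, nocase, flags, sid. Constructed for
# illustration only; this is not Snort's detection engine and ignores all other options.
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    action, proto, dport, opts = HEADER.match(text.strip()).groups()
    rule = {"action": action, "proto": proto, "dport": dport, "contents": [], "flags": None}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule["contents"].append([val.encode(), False])
        elif key == "nocase":                     # modifier applies to the preceding content
            rule["contents"][-1][1] = True
        elif key in ("msg", "flags", "sid"):
            rule[key] = int(val) if key == "sid" else val
    return rule

def matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != pkt["dport"]:
        return False
    if rule["flags"] is not None:                 # a plain flags: option is an exact match
        want = set() if rule["flags"] == "0" else set(rule["flags"])
        if set(pkt["flags"]) != want:
            return False
    for needle, nocase in rule["contents"]:
        hay = pkt["payload"]
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

def inspect(rules, pkt, inline=False):
    """Out of band (inline=False) the sensor can only alert; inline it may also drop."""
    hits = [r for r in rules if matches(r, pkt)]
    verdict = "drop" if inline and any(r["action"] == "drop" for r in hits) else "pass"
    return verdict, [r["sid"] for r in hits]

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> $HOME_NET 80 (msg:"CGI probe"; content:"/cgi-bin/"; nocase; sid:1000001; rev:1;)',
    'drop tcp any any -> $HOME_NET any (msg:"NULL scan"; flags:0; sid:1000002; rev:1;)',
)]
# Constructed sample packets (not real captures): a request touching /cgi-bin/ and a
# TCP segment with no flags set, the signature of a NULL stealth scan.
CGI_PROBE = {"proto": "tcp", "dport": 80, "flags": "PA", "payload": b"GET /CGI-BIN/test.cgi HTTP/1.0\r\n"}
NULL_SCAN = {"proto": "tcp", "dport": 22, "flags": "", "payload": b""}
```

`inspect(RULES, NULL_SCAN)` reports sid 1000002 but still returns `pass`, exactly the limitation of an out-of-band IDS; the same call with `inline=True` returns `drop`.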
Reposted from: https://www.cnblogs.com/sec875/articles/10028723.html
Related resources: Snort_2_8_6_Installer.exe