网络攻击与防范5-入侵检测.ppt

* The Snort Detection Engine performs the following functions: Rule Parsing – rules are loaded into internal data structures (memory) and guide packet inspection Signature Detection – attack signatures are constructed by parsing Snort rules. Rules are divided into 2 sections: Rule Header – which contains information that governs whether or not the signature is applied (e.g. protocol/port information, IP data, etc.) Rule Option – containing the attack signature, priority level, and attack details (documentation) Rules are applied in accordance with rule priorities established by the Snort administrator – rule priorities govern the order in which rules are loaded into memory. Each packet is tested against increasingly specific signatures until there is a match (or the packet passes inspection). Unlike preprocessing, packets are not run against all signatures – the Detection Engine refines the signatures applied to the packet through a testing process to try to achieve the closest signature match. If the packet passes all the tests that are deemed applicable (descending down into a certain rule tree data structure), it is not exhaustively tested against other signatures that might yield a possible match. * * Queso scan, a tool similar to NMAP, /infocus/1225 * Output plug-ins are used to generate intrusion data in various formats for distribution to files, databases, or other resources (network/application resources). Multiple output plug-ins can be invoked for different functions. Key output plug-ins include: Alert_fast – generates abbreviated alerts to a one line file. Optimized for fast performance. Alert_full – creates a directory for each IP that generates an alert and dumps decoded packet data to the directory. Alert_smb – sends SMB messages to Windows hosts. Alert_unixsock – establishes a UNIX domain socket and sends alerts to it. External applications or processes can listen on this socket for alert data. Log_tcpdump – logs packets to the tcpdump file for