The Experiment Application Research On The Distributed Intrusion Detection System Based On Snort

Posted on: 2008-12-13
Degree: Master
Type: Thesis
Country: China
Candidate: G Lu
Full Text: PDF
GTID: 2178360218962720
Subject: Computer application technology
Abstract/Summary:
This thesis analyzes the network intrusion detection system Snort against the background of network attack techniques, studies it in attack-and-defence experiments, and investigates how Snort should be deployed to meet the demands of a real network environment. Snort detects suspicious or malicious traffic by rule matching. It supports a plugin architecture (preprocessors and detection plugins), and its rule language describes network attacks well; together these give Snort good extensibility. The main content of this thesis concerns that plugin architecture and the Snort rule language.

Firstly, Snort is analyzed in detail: its architecture, the overall flow of intrusion detection, protocol parsing, rule parsing and rule matching. A Snort-based distributed intrusion detection system (DIDS) is then designed, implemented and deployed on an experimental LAN. A deployment scheme for Snort is presented and its intrusion detection capability is analyzed.

Secondly, the theory of network attacks and the writing of Snort rules are studied. General principles for writing Snort rules are set out from three points of view: the description of operating system vulnerabilities, the network behaviour produced by an attack, and the detection policy of the experimental LAN. The attack theory of the Microsoft Distributed Transaction Coordinator (MSDTC) remote exploit, of the Bdoor Trojan, and of intrusion over port 3389 (the Windows Remote Desktop port) is analyzed. From the traffic of these three attacks, intrusion signatures are extracted and expressed as Snort rules, which are added to the Snort rule library. Experimental analysis shows that the new rules are valid and precise.

Lastly, an FTP preprocessor for protocol parsing and command interpretation is designed and implemented to detect anomalous FTP traffic, and it is tested experimentally. The preprocessor detects FTP password brute-force attacks, the attack against the IIS FTP remote exploit, and the remote overflow attack that uses the MDTM command.

The conclusion is that it is important to understand the architecture and mechanism of Snort intrusion detection in detail, to configure Snort according to the environment in which it is deployed, and to extend its detection capability by designing Snort rules and preprocessors according to the type of attack.
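The following is an added illustration of what an FTP preprocessor of the kind described above does; it is not the thesis author's code, and the thresholds (five failed logins, 256-byte MDTM argument), client addresses and the control-channel session it replays are all constructed assumptions. It parses FTP control-channel lines into commands and numeric replies, counts 530 "login incorrect" replies per client to flag password brute forcing, and flags an MDTM command whose argument is longer than a benign timestamp could be, which is the shape of the MDTM overflow.

```python
"""Minimal FTP control-channel preprocessor (added example, not from the thesis)."""
import re
from collections import defaultdict

FAILED_LOGIN_THRESHOLD = 5   # assumed: alert once a client has received this many 530 replies
MDTM_MAX_ARG = 256           # assumed: longest MDTM argument treated as benign

# FTP commands: 3-4 letter verb, optional argument; replies: 3-digit code then space or '-'.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")
REPLY_RE = re.compile(r"^(\d{3})[ -]")


def parse_line(line):
    """Classify one control line as ('cmd', VERB, arg) or ('reply', code, text).

    Returns None for lines that are not well-formed FTP, so the caller can
    treat protocol violations as their own anomaly."""
    line = line.rstrip("\r\n")
    m = CMD_RE.match(line)
    if m:
        return ("cmd", m.group(1).upper(), m.group(2) or "")
    m = REPLY_RE.match(line)
    if m:
        return ("reply", int(m.group(1)), line[4:])
    return None


class FtpPreprocessor:
    """Tracks per-client login failures and inspects command arguments."""

    def __init__(self, fail_threshold=FAILED_LOGIN_THRESHOLD, mdtm_max=MDTM_MAX_ARG):
        self.fail_threshold = fail_threshold
        self.mdtm_max = mdtm_max
        self.failed = defaultdict(int)   # client address -> consecutive 530 replies
        self.alerts = []                 # (client address, message)

    def feed(self, client, line, from_client):
        """Process one control-channel line; from_client marks direction."""
        parsed = parse_line(line)
        if parsed is None:
            self.alerts.append((client, "FTP: unparseable control line"))
            return
        kind, a, b = parsed
        if from_client and kind == "cmd":
            # Overflow check: MDTM normally carries a 14-digit timestamp or a file path.
            if a == "MDTM" and len(b) > self.mdtm_max:
                self.alerts.append((client, f"FTP: oversize MDTM argument ({len(b)} bytes)"))
        elif not from_client and kind == "reply":
            if a == 530:   # "Not logged in": password rejected
                self.failed[client] += 1
                if self.failed[client] == self.fail_threshold:
                    self.alerts.append((client, f"FTP: {self.fail_threshold} failed logins"))
            elif a == 230:  # successful login resets the brute-force counter
                self.failed[client] = 0


def run_sample():
    """Replay a constructed control-channel exchange (not captured traffic); return alerts."""
    pp = FtpPreprocessor()
    session = []
    # Benign client: one clean login, must produce no alert.
    session += [("10.0.0.6", False, "220 FTP server ready"),
                ("10.0.0.6", True, "USER alice"),
                ("10.0.0.6", False, "331 Password required"),
                ("10.0.0.6", True, "PASS correct-horse"),
                ("10.0.0.6", False, "230 User logged in")]
    # Hostile client: five wrong passwords, then an oversize MDTM argument.
    for i in range(5):
        session += [("10.0.0.5", True, "USER admin"),
                    ("10.0.0.5", False, "331 Password required"),
                    ("10.0.0.5", True, f"PASS guess{i}"),
                    ("10.0.0.5", False, "530 Login incorrect.")]
    session.append(("10.0.0.5", True, "MDTM " + "A" * 300))
    for client, from_client, line in session:
        pp.feed(client, line, from_client)
    return pp.alerts


if __name__ == "__main__":
    for client, msg in run_sample():
        print(client, msg)
```

A real preprocessor keys its state on the TCP flow rather than on a client address string, and would also normalise the MDTM argument before measuring it; the point here is the split between protocol parsing (parse_line) and the per-command and per-reply policy that produces alerts.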
Keywords/Search Tags:Snort, Rule matching, Preprocessor, Distributed, Protocol parsing