Wednesday, October 6, 2010

Building IDS rules (1)



For an IDS to catch intrusions effectively, it must have a strong signature database, just as a police department must have a sound database of known offenders. However, the signature databases shipped with IDS products are usually fairly rigid, while intrusions keep "changing faces", so the IDS often meets them as strangers. Administrators therefore need to learn how to create signature patterns that match their actual needs and change that situation. This article introduces the concept of intrusion signatures, their main types, and how to create them, in the hope of helping readers master a way of dealing with these "face-changing" attacks as soon as possible.

1. Basic concepts of signatures

An IDS signature is the information used to recognize a particular pattern in network traffic. Signatures fall into several kinds; the following are some typical cases and how each is recognized:

Connection attempts from a reserved IP address: easily identified by checking the source address in the IP header.

Packets with an illegal combination of TCP flags: identified by comparing the flags set in the TCP header against the known legal and illegal flag combinations.

Email carrying a specific virus: identified by comparing the subject of each email against the subject the virus uses, or by searching the message for a specific name.

Buffer overflow attempts in the DNS query payload: identified by parsing the DNS fields and checking the length of each field; another method is to search the payload for the code sequences of exploit shellcode.

DoS attacks that issue the same command to a POP3 server thousands of times: identified by tracking how many times a command has been sent and raising an alarm when a preset limit is exceeded.

File access attacks that use the FTP server's file and directory commands without logging in: identified by a stateful signature that monitors whether the FTP login dialog has succeeded and treats commands issued before authentication as intrusion attempts.

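The signature kinds listed above, from a bare header check to connection-state tracking, are illustrated here by a small signature engine; it is an added example, not code from the original article. It runs over constructed sample packets (decoded into dicts, not a real capture), the reserved-address list is a deliberately partial one for a sensor on an external link, and the POP3 threshold is set low so the sample triggers.

```python
import ipaddress
from collections import defaultdict
# Partial reserved/private range list (assumption: the sensor watches an external link,
# where such source addresses should never appear). Not a complete bogon list.
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
POP3_LIMIT = 3                     # constructed low threshold so the sample triggers
pop3_counts = defaultdict(int)     # (flow, command) -> times seen
ftp_logged_in = defaultdict(bool)  # flow -> has the server's "230" login reply been seen?

def flow_key(pkt):  # direction-independent connection id: the sorted pair of endpoints
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

def check_packet(pkt):
    """Apply every signature to one decoded packet; return the alert names raised."""
    alerts = []
    src = ipaddress.ip_address(pkt["src"])
    if any(src in net for net in RESERVED_NETS):      # 1. header-only: reserved source
        alerts.append("reserved-src-ip")
    flags = pkt["flags"]                                # 2. header-only: illegal flag set
    if ("SYN" in flags and "FIN" in flags) or not flags:
        alerts.append("illegal-tcp-flags")
    cmd = pkt["payload"].split(" ")[0].strip().upper()
    if pkt["dport"] == 110 and cmd:                     # 3. stateful count of one POP3 command
        key = (flow_key(pkt), cmd)
        pop3_counts[key] += 1
        if pop3_counts[key] > POP3_LIMIT:
            alerts.append("pop3-command-flood")
    if pkt["sport"] == 21 and pkt["payload"].startswith("230"):  # 4. FTP login state
        ftp_logged_in[flow_key(pkt)] = True
    elif pkt["dport"] == 21 and cmd in {"RETR", "STOR", "LIST", "CWD"}:
        if not ftp_logged_in[flow_key(pkt)]:            # file command before authentication
            alerts.append("ftp-command-before-login")
    return alerts

def run(packets):  # reset state, feed all packets through, return (index, alert) pairs
    pop3_counts.clear(); ftp_logged_in.clear()
    return [(i, a) for i, p in enumerate(packets) for a in check_packet(p)]

def pkt(src, sport, dst, dport, flags, payload=""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags), "payload": payload}

# Constructed sample traffic (not a real capture) exercising each signature once.
SAMPLE = ([pkt("10.0.0.5", 40000, "192.0.2.10", 80, ["SYN"]),
           pkt("203.0.113.7", 40001, "192.0.2.10", 80, ["SYN", "FIN"])]
          + [pkt("203.0.113.8", 40002, "192.0.2.11", 110, ["ACK", "PSH"], "NOOP\r\n")] * 4
          + [pkt("203.0.113.9", 40003, "192.0.2.12", 21, ["ACK", "PSH"], "RETR secret.txt\r\n"),
             pkt("192.0.2.12", 21, "203.0.113.9", 40003, ["ACK", "PSH"], "230 Login successful.\r\n"),
             pkt("203.0.113.9", 40003, "192.0.2.12", 21, ["ACK", "PSH"], "RETR secret.txt\r\n")])
```

`run(SAMPLE)` raises one alert per signature: the fourth NOOP crosses the POP3 limit, the first RETR arrives before the 230 reply, and the RETR after login is silent.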

As the cases above show, signatures cover a wide range: from a simple header field value, through highly complex connection-state tracking, to extended protocol analysis. Just as one falling leaf tells of autumn, this article starts with the simplest signatures and discusses in detail how they work and how they are developed and customized.

Note also that signature support differs from one IDS product to another. For example, some network IDS products allow very little customization of existing signatures or writing of new ones, while others allow wide-ranging customization or even arbitrary signatures; some IDS products can only inspect headers, or only test a payload value, while others can match on any data anywhere in any packet.

2. What are signatures for?

The answer seems obvious: a signature is the pattern by which suspicious packet contents are detected, the "wanted poster" of the bad element. So why does this important part of an IDS need to be customized or written at all? Simply put: you may often see familiar traffic wandering across the network that the IDS ignores, either because its signature database is out of date or because the traffic is not, in itself, attack data. Your curiosity rises, you want the IDS to raise an alarm on this suspicious data and capture it, to see where it comes from and what it is doing. The only way is to customize some of the existing signatures in the database or to write new ones.

The granularity of customized or newly written signatures can be coarse or fine, depending entirely on actual need: either just determine whether abnormal behaviour has occurred without being sure of the specific attack name, saving resources and time, or determine the specific attack method or vulnerability exploitation pattern in order to gain more information. I feel the former suits managers, while those who need specifics use the latter; combine the micro and the macro, and the enemy should not even think of strolling in!
