200622115475135

Category: Network programming
Development tool: Visual C++
File size: 2196KB
Downloads: 46
Upload date: 2007-02-03 15:05:23
Uploader: madman
Description: This is a network detection system; friends who are interested in network security can use it to learn from, and I hope we can all make progress together.

File list:
247709\200622115475135\网络入侵检测系统\AUTHORS (269, 2000-10-29)
247709\200622115475135\网络入侵检测系统\backdoor-lib (3124, 2000-11-20)
247709\200622115475135\网络入侵检测系统\BUGS (1005, 2001-01-18)
247709\200622115475135\网络入侵检测系统\ChangeLog (30111, 2001-01-18)
247709\200622115475135\网络入侵检测系统\configure (109328, 2001-01-30)
247709\200622115475135\网络入侵检测系统\COPYING (18329, 2000-10-29)
247709\200622115475135\网络入侵检测系统\contrib\create_mysql (6631, 2000-08-30)
247709\200622115475135\网络入侵检测系统\contrib\create_oracle (5357, 2001-01-03)
247709\200622115475135\网络入侵检测系统\contrib\create_postgresql (5318, 2000-08-30)
247709\200622115475135\网络入侵检测系统\CREDITS (6830, 2001-01-02)
247709\200622115475135\网络入侵检测系统\ddos-lib (3881, 2000-11-20)
247709\200622115475135\网络入侵检测系统\finger-lib (1236, 2000-11-20)
247709\200622115475135\网络入侵检测系统\ftp-lib (2298, 2000-11-20)
247709\200622115475135\网络入侵检测系统\INSTALL (13064, 2001-01-02)
247709\200622115475135\网络入侵检测系统\install-sh (5834, 2000-10-29)
247709\200622115475135\网络入侵检测系统\LICENSE (18329, 2001-01-02)
247709\200622115475135\网络入侵检测系统\WIN32-Prj\Makefile (35252, 2001-01-19)
247709\200622115475135\网络入侵检测系统\misc-lib (6232, 2000-11-20)
247709\200622115475135\网络入侵检测系统\missing (6462, 2000-10-29)
247709\200622115475135\网络入侵检测系统\mkinstalldirs (773, 2000-10-29)
247709\200622115475135\网络入侵检测系统\netbios-lib (1255, 2000-11-20)
247709\200622115475135\网络入侵检测系统\NEWS (19380, 2001-01-02)
247709\200622115475135\网络入侵检测系统\overflow-lib (10156, 2000-11-20)
247709\200622115475135\网络入侵检测系统\ping-lib (3386, 2000-11-20)
247709\200622115475135\网络入侵检测系统\rpc-lib (3299, 2000-11-20)
247709\200622115475135\网络入侵检测系统\scan-lib (7158, 2000-11-20)
247709\200622115475135\网络入侵检测系统\smtp-lib (2284, 2000-11-20)
247709\200622115475135\网络入侵检测系统\contrib\snortlog (1682, 2000-08-07)
247709\200622115475135\网络入侵检测系统\telnet-lib (1180, 2000-11-20)
247709\200622115475135\网络入侵检测系统\USAGE (11621, 2000-12-30)
247709\200622115475135\网络入侵检测系统\web-lib (7364, 2000-10-29)
247709\200622115475135\网络入侵检测系统\webcf-lib (3951, 2000-11-20)
247709\200622115475135\网络入侵检测系统\webcgi-lib (10000, 2000-11-20)
247709\200622115475135\网络入侵检测系统\webfp-lib (3960, 2000-11-20)
247709\200622115475135\网络入侵检测系统\webiis-lib (8025, 2000-11-20)
247709\200622115475135\网络入侵检测系统\webmisc-lib (9371, 2000-11-20)
247709\200622115475135\网络入侵检测系统\WIN32_Changelog (324, 2001-02-01)
247709\200622115475135\网络入侵检测系统\contrib\ACID-0.9.5b9.tar.gz (48550, 2000-11-08)
... ...

Snort Version 1.7 by Martin Roesch (roesch@clark.net)

Distribution Site:
    http://www.snort.org
    http://snort.sourceforge.net

Alternate Sites:
    US:
        http://www.technotronic.com
        http://packetstorm.securify.com
        http://snort.whitehats.com
    Europe:
        http://gd.tuwien.ac.at/infosys/security/snort
        ftp://gd.tuwien.ac.at/infosys/security/snort
        http://www.centus.com/snort/security.html
    South America:
        http://snort.safenetworks.com
    Australia:
        ftp://the.wiretapped.net/pub/security/network-intrusion-detection/snort

Distributed with:
    Trinux
    SuSE Linux
    Debian Linux
    NetBSD
    Conectiva Linux
    Others?

******************************************************************************
COPYRIGHT

Copyright (C) 19***, 1999, 2000, 2001 Martin Roesch

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

Some of this code has been taken from tcpdump, which was developed by the Network Research Group at Lawrence Berkeley National Lab, and is copyrighted by the University of California Regents.

******************************************************************************
DESCRIPTION

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching in order to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, user specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Snort has three primary functional modes. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system. Snort logs packets in either tcpdump(1) binary format or in Snort's decoded ASCII format to a hierarchical set of directories that are named based on the IP address of the remote host.

Plugins allow the detection and reporting subsystems to be extended. Available plugins include database or XML logging, small fragment detection, portscan detection, HTTP URI normalization, IP defragmentation, TCP stream reassembly and statistical anomaly detection.

******************************************************************************
[*][USAGE]

Command line:

    snort -[options]

Options:

    -A   Set mode to full, fast or none. Full mode does normal "classic Snort"-style alerts to the alert file. Fast mode just writes the timestamp, message, IPs, and ports to the file. None turns off alerting. There is experimental support for UnixSock alerts that allow alerting to a separate process. Use the "unsock" argument to activate this feature.
    -a   Display ARP packets.
    -b   Log packets in tcpdump format. All packets are logged in their native binary state to a tcpdump formatted log file called "snort.log". This option results in much faster operation of the program since it doesn't have to spend time in the packet binary->text converters. Snort can keep up pretty well with 100Mbps networks in "-b" mode.
    -c   Use configuration file . This is the rules file which tells the system what to log, alert on, or pass!
    -C   Dump the ASCII characters in packet payloads only, no hexdump.
    -d   Dump the application layer data.
    -D   Run Snort in daemon mode. Alerts are sent to /var/log/snort/alert unless otherwise specified.
    -e   Display/log the layer 2 packet header data.
    -F   Read BPF filters from file . Handy for those of you running Snort as a SHADOW replacement or with a love of super complex BPF filters.
    -g   Run Snort as group ID after initialization. This switch allows Snort to drop root privileges after its initialization phase has completed as a security measure.
    -h   Set the "home network" to , which is a class C IP address something like 192.168.1.0 or whatever. If you use this switch, traffic coming from external networks will be formatted with the directional arrow of the packet dump pointing right for incoming external traffic, and left for outgoing internal traffic. Kind of silly, but it looks nice.
    -i   Sniff on network interface .
    -I   Add the interface name to alert printouts (first interface only).
    -l   Log packets to directory . Sets up a hierarchical directory structure with the log directory as the base starting directory, and the IP address of the remote peer generating traffic as the directory which packets from that address are stored in. If you do not use the -l switch, the default logging directory is /var/log/snort.
    -L   Set the binary output file's filename to .
    -M   Send WinPopup messages to the list of workstations contained in the file. This option requires Samba to be resident and in the path of the machine running Snort. The workstation file is simple: each line of the file contains the SMB name of the box to send the message to (no \\'s needed).
    -n   Exit after processing packets.
    -N   Turn off logging. Alerts still function normally.
    -o   Change the order in which the rules are applied to packets. Instead of being applied in the standard Alert->Pass->Log order, this will apply them in Pass->Alert->Log order, allowing people to avoid having to make huge BPF command line arguments to filter their alert rules.
    -O   Obfuscate the IP addresses when in ASCII packet dump mode. This switch changes the IP addresses that get printed to the screen/log file to "xxx.xxx.xxx.xxx". If the homenet address switch is set (-h), only addresses on the homenet will be obfuscated while non-homenet IPs will be left visible. Perfect for posting to your favorite security mailing list!
    -p   Turn off promiscuous mode sniffing. Useful for places where that can screw up your host severely.
    -q   Quiet. Don't show banner and status report.
    -r   Read the tcpdump-generated file . This will cause Snort to read and process the file fed to it. This is useful if, for instance, you've got a bunch of Shadow files that you want to process for content, or even if you've got a bunch of reassembled packet fragments which have been written into a tcpdump formatted file.
    -s   Log alert messages to the syslog. On linux boxen, they will appear in /var/log/secure, /var/log/messages on many other platforms. You can change the logging facility by using the syslog output plugin, at which point the -s switch is unneeded.
    -S   Set variable name "n" to value "v". This is useful for setting the value of a defined variable name in a Snort rules file to a command line specified value. For instance, if you define a HOME_NET variable name inside of a Snort rules file, you can set this value from its predefined value at the command line.
    -t   Changes Snort's root directory to after initialization. Please note that all log/alert filenames are relative to the chroot directory, if chroot is used.
    -u   Change the UID Snort runs under to after initialization.
    -v   Be verbose. Prints packets out to the console. There is one big problem with verbose mode: it's still kind of slow. If you are doing IDS work with Snort, don't use the -v switch, you WILL drop packets (not many, but some).
    -V   Show the version number and exit.
    -x   Show an annoying little message whenever you see an annoying IPX packet.
    -X   Dump the raw packet data starting at the link layer.
    -?   Show the usage summary and exit.

[*][FILTERS]:

The "filters" are standard BPF style filters as seen in tcpdump. Look at the man page for snort for docs on how to use it properly. In general, you can give it a host, net or protocol to filter on and some logical statements to tie it together and get the specific traffic you're interested in. For example:

    [zeus ~]# ./snort -h 192.168.1.0/24 -d -v host 192.168.1.1

records the traffic to and from host 192.168.1.1.

    [zeus ~]# ./snort -h 192.168.1.0/24 -d -v net 192.168.1 and not host 192.168.1.1

records all traffic on the 192.168.1.0/24 class C subnet, but not traffic to/from 192.168.1.1.

Notice that the command line data specified after the "-h" switch is formatted differently from the BPF commands provided at the end of the command line. Sorry for the confusion, but I like the CIDR notation and I'm not rewriting libpcap to make it consistent! Anyway, you get the picture. Mail me if you have trouble with it.

You can use the -F switch to read your BPF filters in from a file.

[*][RULES]:

-------------------------------------------------------------------------
NOTE: The "official" rules document these days is available at:
      http://www.snort.org/snort_rules.html
-------------------------------------------------------------------------

[*][RUN MODES]

Snort has three primary run-time modes: sniffer, packet logger, and network intrusion detection.

Sniffer Mode:

When in this mode, Snort reads and decodes all packets from the network and dumps them to the stdout. To put Snort into straight sniffing mode, use the "-v" verbose switch. This will dump the packet headers only. You can see the headers + the packet payloads by specifying the "-v" and "-d" switch. To print a dump of the raw bytes in the entire packet, specify the "-X" switch. If you specify the "-X" switch, the -d switch is overridden. You can filter the traffic that shows up in this mode by using BPF filters.

Packet Logger Mode:

This mode logs the packets to the disk in their decoded ASCII format. This mode is activated merely by specifying a directory to log packets to with the "-l" switch. This will log packets into the specified logging directory in a hierarchy of directories based upon the IP addresses of the packets on the wire. To log the packets in terms of the network being monitored (i.e. the directories created under the logging directory are the IP addresses of the remote/non-home hosts) use the "-h" switch. To log the packets in their raw binary format to the disk, use the "-b" switch. Logging the packets in this format will allow them to be run through other tools like Ethereal, tcpdump, etc. Packet logger mode can be mixed with sniffer mode switches with no ill effects; however, logging performance may be impacted by the slowness of the terminal.

Intrusion Detection Mode:

Snort enters IDS mode when a configuration file is specified with the "-c" switch. Output formats, rules, preprocessor configuration, etc are all specified in the configuration file. Logger mode is essentially disabled when in IDS mode, but that's ok because you specify which packets you want to log when in IDS mode. See the rule document (above) for how to write your own rules.

When an alert rule goes off the alert data is logged to the alerting mechanism (by default a file called "alert" in the logging directory) in addition to being logged to the logging mechanism. The default logging directory is /var/log/snort, which can be changed using the "-l" switch. You can use something like "rt" or just "tail -f" it to give a running display of system alerts. Alerts can also be sent to syslog (and monitored with something like swatch), or they can be sent out as WinPopup messages with smbclient. Check out the "INSTALL" file for information on enabling the SMB alerting option. There are a variety of other alerting and logging mechanisms available; check out the snort.conf file for information on enabling them.

Note that the system requires the use of the "-l" flag to redirect rules based logging to a specific directory. If you don't specify a place for it to go, it defaults to /var/log/snort.

******************************************************************************
/* $Id: README,v 1.13 2001/01/28 05:34:54 roesch Exp $ */
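The interplay of the "-h" home network with the "-l" per-host log directories and the "-O" address obfuscation described in the README above, as an added illustration (not Snort's own code, which the bundle contains in C). The packets are constructed; the left/right placement of hosts on the header line and the handling of packets with both ends inside (or both outside) the home net are assumptions of this illustration.

```python
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    """Constructed packet summary: the fields shown in a decoded-ASCII header."""
    src: str
    sport: int
    dst: str
    dport: int


OBFUSCATED = "xxx.xxx.xxx.xxx"  # what -O prints in place of a hidden address


def in_home_net(addr: str, home_net: str) -> bool:
    """True if addr lies inside the -h home network (CIDR, e.g. 192.168.1.0/24)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(home_net, strict=False)


def describe(pkt: Packet, home_net: str, obfuscate: bool = False) -> dict:
    """Apply the README's -h / -l / -O rules to one packet.

    Returns the directional arrow, the directory a -l run would file the
    packet under (the remote, non-home peer) and the header line as displayed.
    """
    src_home = in_home_net(pkt.src, home_net)
    dst_home = in_home_net(pkt.dst, home_net)

    if dst_home and not src_home:      # incoming external traffic: arrow points right
        arrow, left, right = "->", (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    elif src_home and not dst_home:    # outgoing internal traffic: arrow points left
        arrow, left, right = "<-", (pkt.dst, pkt.dport), (pkt.src, pkt.sport)
    else:                              # assumption: no remote/home distinction, keep src -> dst
        arrow, left, right = "->", (pkt.src, pkt.sport), (pkt.dst, pkt.dport)

    def show(addr: str) -> str:
        # -O together with -h: only home-net addresses are hidden, remote IPs stay visible
        return OBFUSCATED if obfuscate and in_home_net(addr, home_net) else addr

    header = f"{show(left[0])}:{left[1]} {arrow} {show(right[0])}:{right[1]}"
    # -l with -h: the per-host directory is named after the remote peer (left side here)
    return {"arrow": arrow, "log_dir": left[0], "header": header}


if __name__ == "__main__":
    home = "192.168.1.0/24"
    for p in (Packet("10.0.0.5", 4321, "192.168.1.7", 80),
              Packet("192.168.1.7", 5555, "10.0.0.5", 25)):
        print(describe(p, home), describe(p, home, obfuscate=True)["header"])
```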
