Detailed introduction to building an IDS on Windows 2003


Administrators running Windows 2003 will sooner or later have to deal with a technology called IDS. In some situations it is very useful, and the techniques behind it are not at all mysterious. This article follows the trail step by step through a simple, entry-level IDS framework. Judging by market share and by how easy it is to get started, a NIDS is the most appropriate choice for a deployment example. The entire intrusion detection process is run on a pure Windows platform. Due to space limitations, the discussion is qualitative rather than exhaustive.

Prerequisites

IDS: Intrusion Detection System, a combination of software and hardware that collects information from the network and its systems and analyzes it to detect intrusions.

Two organizations are working on the standardization of IDS: the Intrusion Detection Working Group (IDWG), which belongs to the body that sets Internet standards, and the Common Intrusion Detection Framework (CIDF).

IDS classification: Network IDS (network based), Host-based IDS (host based), Hybrid IDS (a mixture of the two), Console IDS, File Integrity Checkers, and Honeypots.

Event Generation System

The general model of an Intrusion Detection System (IDS) is explained here according to CIDF. The simplest intrusion detection component that still contains all the essential elements is shown in the figure. In the CIDF specification, the data that an IDS needs to analyze is referred to collectively as an Event. An Event may be a data packet on the network, or information obtained in other ways, such as from the system log.

Without a data flow (that is, without collected data), an IDS is a tree without roots: completely useless.

As the foundation of an IDS, the event generation system plays a major role: it collects all the events that have been defined and then passes them on to the other components. In a Windows environment, the current basic practice is to use WinPcap and WinDump.

As you know, Linux and Unix platforms are widely used for event generation and event analysis systems. On Unix and Linux, Libpcap is the must-have library for capturing network packets from the kernel; the Windows platform has a similar tool, and that tool is WinPcap.

WinPcap is a free, Windows-based network interface API. It switches the network card into promiscuous mode and then loops over the packets captured from the network. The technique is simple to implement, portable, and independent of the network card, but its efficiency is not high, so it is suited to networks of 100 Mbps and below.

The corresponding Windows-based network sniffing tool is WinDump, the Windows port of Tcpdump from the Linux/Unix platform. This software must run on top of the WinPcap interface (some people therefore call WinPcap the data sniffing driver). WinDump displays the headers of the packets that match a given rule. With it you can track down network problems, monitor the state of the network, and to some extent keep an effective watch on secure and insecure behaviour coming from the network.

Both programs are available for free on the Internet, and readers can also find usage tutorials for them there.

The following is a brief introduction to the steps for setting up event detection and collection.

1. Assemble the software and hardware. Depending on how busy the network is, decide whether an ordinary compatible PC or a dedicated, higher-performance server is needed. If you install an NT-kernel Windows operating system, Windows Server 2003 Enterprise Edition is recommended; if that is not possible, Windows 2000 Advanced Server can be used. NTFS is the recommended partition format.

2. Divide the server's disk space sensibly and effectively: the installed programs and the stored data logs are best placed in different partitions.

3. Simple installation of WinPcap. First install its driver: download the WinPcap auto-installer (Driver+DLLs) from its homepage or a mirror site and install it directly.

Note: If you are developing against WinPcap, you will also need to download the Developer's pack.

WinPcap consists of three modules. The first module, NPF (Netgroup Packet Filter), is a VxD (Virtual Device Driver) file; its job is to filter the packets and pass them, intact, to the user-mode modules. The second module, packet.dll, provides a common low-level interface to the Win32 platform. The third module, wpcap.dll, is built on top of packet.dll; it does not depend on the operating system and provides the high-level, abstract library functions that make programming more convenient and straightforward. Detailed usage instructions are available on all the major websites. Making good use of WinPcap requires solid C programming skills.

4. Set up WinDump. After installation, run it from the Windows command prompt; the user can then view the state of the network, which will not be described further here.
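The step that comes after capture, as an added example that is not code from the article or from the WinPcap project: the analyzer that receives raw frames from NPF must decode the Ethernet/IPv4 header before any rule can be matched, checking every length field first, because truncated or malformed frames are exactly the kind of input a sensor sees. The struct and function names and the sample frame are hypothetical and constructed for this example; the rule mirrors a WinDump-style capture filter such as "tcp dst port 80".

```c
#include <stdint.h>
#include <string.h>

/* Decoded fields of one Ethernet/IPv4 frame as delivered by NPF (hypothetical struct). */
struct event_hdr {
    uint8_t  src_ip[4], dst_ip[4];
    uint8_t  proto;                 /* IP protocol: 6 = TCP, 17 = UDP */
    uint16_t src_port, dst_port;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Parse one raw frame: returns 1 with *ev filled, or 0 if truncated or not IPv4 over TCP/UDP. */
int parse_frame(const uint8_t *f, size_t len, struct event_hdr *ev)
{
    if (len < 14 + 20) return 0;                  /* Ethernet header + minimal IPv4 header */
    if (be16(f + 12) != 0x0800) return 0;         /* EtherType must be IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;      /* IP header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20) return 0;  /* version and sane header length */
    if (len < 14 + ihl + 4) return 0;             /* need both port fields present */
    ev->proto = ip[9];
    if (ev->proto != 6 && ev->proto != 17) return 0;
    memcpy(ev->src_ip, ip + 12, 4);
    memcpy(ev->dst_ip, ip + 16, 4);
    ev->src_port = be16(ip + ihl);
    ev->dst_port = be16(ip + ihl + 2);
    return 1;
}

/* The simplest possible rule, equivalent to the capture filter "tcp dst port N". */
int matches_tcp_dst_port(const struct event_hdr *ev, uint16_t port)
{
    return ev->proto == 6 && ev->dst_port == port;
}

/* Constructed sample: TCP SYN 10.0.0.5:40000 -> 10.0.0.9:80; checksums left zero. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,          /* IPv4 */
    10,0,0,5, 10,0,0,9,                                                      /* src, dst */
    0x9c,0x40, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0   /* TCP */
};

/* Run the sample through the parser and the rule: 1 means an event is reported. */
int sample_matches_http(void)
{
    struct event_hdr ev;
    return parse_frame(sample_frame, sizeof sample_frame, &ev) && matches_tcp_dst_port(&ev, 80);
}
```

A real sensor would call parse_frame from the WinPcap capture callback instead of on a constant array; the length checks are what keep a short or malformed frame from reading past the buffer.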

As long as there are no software compatibility, installation or configuration problems, event detection and collection is now in place.

Copyright © Windows knowledge All Rights Reserved