
Analysis of Linux firewall proxy functions: using a firewall to make your Linux more powerful

Time: 2023-05-03 19:33:27 Views: 190495 Author: 2543

NIDS and firewall linkage


This article is contributed by a785842883


Experimental principle

Iptables

Snortsam

First, Guardian can be used to link Snort and iptables. Guardian is an active firewall built on Snort and iptables that runs in the background. It analyzes Snort's alarm log, the alert file (default path /var/log/snort/), and, according to certain criteria, automatically adds malicious IP addresses to the iptables INPUT chain so that their datagrams are discarded. When Guardian exits, it deletes the rules it previously inserted into the iptables INPUT chain.

Second, the SnortSam plug-in can be used to link Snort and iptables. SnortSam is an intrusion prevention plug-in for Snort. It works by adding new responses to Snort rules; once such a rule is triggered, the firewall or router is changed. This change usually blocks or prohibits traffic from or to a particular IP address for a period of time. SnortSam works with Checkpoint Firewall-1 firewalls, Cisco PIX firewalls, and iptables firewalls.

SnortSam has two basic components: the plug-in and the agent. This structure lets firewall rules or ACLs expire after a predefined period of time. The agent is responsible for modifying routers and firewalls, and can create and remove firewall rules. It has a timer function that allows it to terminate a rule at a preset time. Other intrusion prevention applications can permanently modify firewalls and routers, which is obviously not ideal.

This structure also allows a single sensor to interact with many different firewalls and routers. If you have a sensor that protects a large environment with many firewalls, the sensor can control each firewall based on the rules that are triggered. The plug-in is a standard Snort output plug-in that sends instructions to an agent when a rule fires. Thes
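The block-then-expire behaviour described above, as an added Python example (not code from Guardian or SnortSam): it reads source addresses from constructed alert lines in Snort's fast alert format and returns the iptables commands to insert and later delete, without running them. The `TimedBlocker` class, its `never_block` allowlist and the 300-second lifetime are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample lines in Snort's "fast" alert format (not from the page).
SAMPLE_ALERTS = """\
05/03-19:30:01.120001  [**] [1:1000001:1] Constructed SSH probe [**] [Priority: 2] {TCP} 203.0.113.7:44321 -> 192.0.2.10:22
05/03-19:30:02.450912  [**] [1:1000002:1] Constructed ICMP sweep [**] [Priority: 3] {ICMP} 198.51.100.23 -> 192.0.2.10
05/03-19:30:03.000000  [**] [1:1000001:1] Constructed SSH probe [**] [Priority: 2] {TCP} 192.0.2.1:50000 -> 192.0.2.10:22
"""

# The source address follows the {PROTO} tag; the port is absent for ICMP.
SRC_RE = re.compile(r"\{\w+\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->")

def alert_sources(text):
    """Yield the validated source IPv4 address of each alert in the log text."""
    for m in SRC_RE.finditer(text):
        try:
            yield str(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue  # never hand unvalidated log text to a firewall command

class TimedBlocker:
    """Tracks INPUT-chain DROP rules and expires them after `ttl` seconds."""
    def __init__(self, ttl, never_block=()):
        self.ttl = ttl
        self.never_block = set(never_block)  # hypothetical allowlist (gateway, DNS)
        self.expiry = {}                     # ip -> time at which the rule is removed

    def block(self, ip, now):
        if ip in self.never_block:
            return None
        is_new = ip not in self.expiry
        self.expiry[ip] = now + self.ttl     # repeat alerts extend the block
        return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"] if is_new else None

    def expire(self, now):
        done = sorted(ip for ip, t in self.expiry.items() if t <= now)
        for ip in done:
            del self.expiry[ip]
        return [["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"] for ip in done]

def run_demo():
    blocker = TimedBlocker(ttl=300, never_block={"192.0.2.1"})
    added = [c for ip in alert_sources(SAMPLE_ALERTS) if (c := blocker.block(ip, now=0))]
    return added, blocker.expire(now=300)

if __name__ == "__main__":
    print(run_demo())
```

The allowlisted address 192.0.2.1 triggers an alert in the sample but produces no rule, which is the case that matters when alerts can be provoked with spoofed source addresses.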
