NIDS and firewall linkage on Linux: NIDS and Firewall Linkage (foreign English-language material).doc

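This article examines in detail the linkage mechanism between a NIDS (network intrusion detection system) and a firewall, including the implementation principle of Guardian, an active firewall based on Snort and iptables, how the SnortSam plug-in synchronizes responses with different firewalls, and the functions of its components, such as the plug-in and the agent. It focuses on the process of analyzing Snort alert logs and automatically adding rules for malicious IPs.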


NIDS and Firewall Linkage (foreign English-language material)


This document was contributed by a785842883.


Experimental principle

(Figure: fwsam, Snort, Guardian, iptables, SnortSam)

1. Guardian: linking Snort and iptables

Guardian is a proactive firewall based on Snort and iptables that runs in the background. It analyzes the Snort alert log file (default path /var/log/snort) and, according to certain criteria, automatically adds malicious IP addresses to the iptables INPUT chain so that their datagrams are discarded. When Guardian exits, it deletes the rules it previously inserted into the iptables INPUT chain.

2. SnortSam: linking Snort and iptables

SnortSam is an intrusion prevention plug-in for Snort. It works by adding a new response to Snort rules, which makes the firewall or router change when a rule is triggered. This change usually blocks traffic from or to a particular IP address for a period of time. SnortSam works with the Checkpoint Firewall-1 firewall, the Cisco PIX firewall, and the iptables firewall.

SnortSam has two basic components: the plug-in and the agent. This structure allows firewall rules or ACLs to expire after a predefined period of time. The agent is responsible for modifying the router and firewall, and can establish and remove firewall rules. It has a timing function that allows it to terminate a rule at a preset time. Other intrusion prevention applications can permanently modify firewalls and routers, which is clearly not ideal. This structure also allows a single sensor to interact with many different firewalls and routers. If one sensor is used to protect an environment with many firewalls, the sensor can control each firewall based on the rules that are triggered. The plug-in is a standard Snort output plug-in that sends instructions to the agent when rules are triggered. These i
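The behaviour described above, sketched as an added example (not code from Guardian, SnortSam or the original document): it parses Snort fast-format alert lines, counts alerts per source address, and plans a DROP rule in the iptables INPUT chain together with its removal time. The sample log lines, the alert threshold, the allowlist and the 300-second lifetime are assumptions made for illustration; the commands are built but not executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Snort "fast" alert format; documentation address ranges only.
SAMPLE_ALERTS = """\
03/14-10:02:11.120001 [**] [1:1000001:1] Constructed alert A [**] [Priority: 2] {TCP} 203.0.113.7:40112 -> 192.0.2.10:22
03/14-10:02:12.480310 [**] [1:1000001:1] Constructed alert A [**] [Priority: 2] {TCP} 203.0.113.7:40113 -> 192.0.2.10:22
03/14-10:02:13.000200 [**] [1:1000002:1] Constructed alert B [**] [Priority: 3] {UDP} 198.51.100.23:5353 -> 192.0.2.10:53
03/14-10:02:14.771000 [**] [1:1000001:1] Constructed alert A [**] [Priority: 2] {TCP} 192.0.2.1:51000 -> 192.0.2.10:22
03/14-10:02:15.000000 [**] [1:1000001:1] Constructed alert A [**] [Priority: 2] {TCP} 192.0.2.1:51001 -> 192.0.2.10:22
malformed line without addresses
"""

# "{PROTO} src[:port] ->" ; the port is absent for protocols such as ICMP.
ALERT_RE = re.compile(r"\{\w+\}\s+([\d.]+)(?::\d+)?\s+->")

def alert_sources(log_text):
    """Return the source IPv4 address of every parsable alert line."""
    sources = []
    for line in log_text.splitlines():
        match = ALERT_RE.search(line)
        if match:
            try:
                sources.append(ipaddress.IPv4Address(match.group(1)))
            except ValueError:
                pass  # digits and dots that do not form an address; skip
    return sources

def plan_blocks(log_text, threshold=2, allowlist=("192.0.2.0/24",), ttl=300, now=0):
    """Map each offending IP to its add/remove iptables argv and expiry time."""
    protected = [ipaddress.ip_network(net) for net in allowlist]
    plan = {}
    for ip, hits in Counter(alert_sources(log_text)).items():
        # Alert sources can be spoofed, so protected networks are never blocked
        # (allowlist is an assumption of this example).
        if hits < threshold or any(ip in net for net in protected):
            continue
        rule = ["INPUT", "-s", str(ip), "-j", "DROP"]
        plan[str(ip)] = {
            "add": ["iptables", "-I", *rule],     # drop datagrams from this source
            "remove": ["iptables", "-D", *rule],  # run at expiry or when exiting
            "expires_at": now + ttl,              # timed block, as with the agent
        }
    return plan

if __name__ == "__main__":
    for ip, entry in plan_blocks(SAMPLE_ALERTS).items():
        print(ip, " ".join(entry["add"]), "until", entry["expires_at"])
```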
