[Open source project three] Open-source IDS (intrusion detection system) - Snort
When it comes to Snort, anyone working in network security will know it well, and some may even have built products on top of it. Snort is an open-source network intrusion detection system. It was written by Martin Roesch and is maintained and extended by a sizeable group of programmers around the world. It runs on a wide range of operating systems and hardware platforms, for example Red Hat Linux, Debian Linux, HP-UX, Solaris (both x86 and SPARC), NetBSD/OpenBSD and Mac OS, and its source code is released under the GNU GPL.

Compared with expensive commercial systems, Snort has clear advantages: it is small, easy to install and easy to configure, while in functionality it is no worse and in flexibility it is on a par with them. Beyond being a network IDS, Snort also works as a packet analyzer (sniffer) and as a packet logger.

Snort is rule-based: it matches rules against packet contents to detect a variety of intrusions and probes, for example buffer overflows, stealth port scans, CGI attacks and SMB probes. It is built on libpcap, which gives it a portable mechanism for capturing and filtering packets. Configuration of the whole program, parsing of the rules and initialization of the data structures are all completed before the system starts analysing and inspecting packets, so that the processing time spent on each packet is kept to a minimum and the best run-time performance is obtained. The architecture emphasises performance, simplicity and flexibility, and can be divided into three subsystems: the packet decoder, the detection engine, and the logging/alerting subsystem, all of which sit on top of libpcap. Because of that, if you are already familiar with WinPcap, porting or modifying Snort should not cost you much effort.

In recent years domestic (Chinese) intrusion detection systems have also come to market, and their performance and features are acceptable, but a large share of them borrow heavily from others' work, and Snort is the first thing they study. A few days ago I came across a book devoted to intrusion detection that covered Snort at length, with annotations and explanations of Snort's source code.
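To make the three-subsystem picture above concrete, here is an added example of my own (not Snort's code, and not from the book): a toy rule-driven detector in Python with the same division of labour, a packet decoder, a detection engine, and a logger/alerter. It understands only a small subset of Snort's rule syntax (the action/protocol/port header, plus msg, content with |hex| segments, and sid), parses the rules once before any packet is examined, and runs over Ethernet/IPv4/TCP frames that are constructed inline, so it needs no network access. The rule contents and addresses are made up for the demonstration.

```python
"""Added example, not Snort's code: a toy IDS with the three subsystems the
text describes (packet decoder, rule-based detection engine, logger/alerter).
Rules use a small subset of Snort rule syntax; all input is constructed inline."""
import re
import socket
import struct
from collections import namedtuple

Rule = namedtuple("Rule", "action proto dport msg content sid")
Packet = namedtuple("Packet", "proto src dst sport dport payload")

# Simplified Snort rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log)\s+(?P<proto>tcp|udp)\s+\S+\s+\S+\s+->\s+\S+\s+"
    r"(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_content(text):
    """Snort-style content: literal text with |hex bytes| segments."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(text.split("|")))

def parse_rule(line):
    """Rule parser; runs once at startup, before any packet is looked at."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line}")
    opts = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            k, _, v = opt.partition(":")
            opts[k.strip()] = v.strip().strip('"')
    return Rule(m.group("action"), m.group("proto"), m.group("dport"),
                opts.get("msg", ""), parse_content(opts["content"]),
                int(opts["sid"]))

def decode(frame):
    """Packet decoder: Ethernet -> IPv4 -> TCP/UDP; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if ip[9] == 6 and len(l4) >= 20:       # TCP: data offset lives in byte 12
        sport, dport = struct.unpack("!HH", l4[:4])
        return Packet("tcp", src, dst, sport, dport, l4[(l4[12] >> 4) * 4:])
    if ip[9] == 17 and len(l4) >= 8:       # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        return Packet("udp", src, dst, sport, dport, l4[8:])
    return None

def detect(rules, pkt):
    """Detection engine: a rule fires when header fields and content match."""
    return [r for r in rules
            if r.proto == pkt.proto
            and (r.dport == "any" or int(r.dport) == pkt.dport)
            and r.content in pkt.payload]

def alert_line(rule, pkt):
    """Logger/alerter: one text line per hit, loosely modelled on Snort's."""
    return (f"[**] [1:{rule.sid}:0] {rule.msg} [**] "
            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")

def tcp_frame(src, dst, sport, dport, payload):
    """Constructed test input: Ethernet/IPv4/TCP frame, checksums left zero."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def run(rule_lines, frames):
    """Parse rules up front, then decode -> detect -> alert for each frame."""
    rules = [parse_rule(line) for line in rule_lines]
    out = []
    for pkt in filter(None, map(decode, frames)):
        out.extend(alert_line(r, pkt) for r in detect(rules, pkt))
    return out

# Constructed sample rules and traffic (made up for this example).
RULES = [
    'alert tcp any any -> any 80 (msg:"CGI phf probe"; content:"/cgi-bin/phf"; sid:1000001;)',
    'alert tcp any any -> any any (msg:"NOP sled"; content:"|90 90 90 90|"; sid:1000002;)',
]
FRAMES = [
    tcp_frame("10.0.0.5", "10.0.0.1", 4321, 80, b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.1", 4322, 8080, b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    tcp_frame("10.0.0.9", "10.0.0.1", 5555, 143, b"A" * 8 + b"\x90" * 4 + b"\xcc"),
]

if __name__ == "__main__":
    for line in run(RULES, FRAMES):
        print(line)
```

Running it prints two alerts: the phf request to port 80 trips the first rule, the same request to port 8080 trips nothing because the rule header restricts the port, and the four-byte NOP run on port 143 trips the second rule. The point is the shape, not the rules: everything expensive (parsing, compiling the content patterns) happens in parse_rule before the first frame, and the per-packet path is only decode, compare, log, which is the design the text attributes to Snort.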
References:
1. Snort official website
2. Tang Zhengjun, "Design and Implementation of Network Intrusion Detection System", Electronics Industry Press, Beijing, April 2002