论文标题:基于Snort的入侵检测系统的研究与改进
The Research and Improvement of Intrusion Detection Based on Snort
论文作者
论文导师 陈常嘉,论文学位 硕士,论文专业 通信与信息系统
论文单位 北京交通大学,点击次数 141,论文页数 57页File Size4130K
2007-12-01论文网 http://www.lw23.com/lunwen_193642537/
IDS;; Snort;; Netfilter;; Iptables;; Dynamic;; Fragment Packet;; Packet Overlap;; Fragment Reassembly;; Partial fragment reassembly
入侵检测系统作为一种能够自动、实时地保障网络信息安全的动态安全设备,构成对防火墙一类的静态安全设备的必要补充,已经越来越受到人们的重视。但是入侵检测系统单一的入侵检测功能已经不能满足人们的需要,和其它安全产品相结合已经成为入侵检测系统的一个发展趋势。 本文就是在这一背景下,在分析入侵检测系统结构和Snort的源代码的基础上,将Snort入侵检测系统和Linux系统下的Netfilter/iptables防火墙相结合,设计并实现了一个联动的安全系统。该联动安全系统在Snort检测到攻击以后,通过向iptables下发规则的方式来阻断攻击源,因此其具备一定的网络防御能力,能对网络入侵做出实时的响应,在一定程度上增强了其对网络的保护能力。为了验证该联动安全系统的有效性,本文在对BT数据流分析的基础上,利用该联动安全系统设计了一个成功限制BT下载的试验。 本文还对Snort的分片重组的流程进行了深入的分析,并重点研究了对重叠报文的处理。分析了不同操作系统对重叠报文的处理得不一致性,得出结论:入侵检测系统应该根据被保护系统的目标主机的操作系统的类型来选择处理重叠报文的重组方式。然后将Nmap端口扫描工具和Fragroute分片攻击工具相结合,设计了一个端口扫描攻击的实验,以证明该处理方法的必要性和有效性。 最后针对Snort分片报文处理流程的两个不足:(1)对于分片报文重组模块所占用的内存的大小无法预测,并且内存的额外开销较大;(2)延误Snort进行其它处理流程的的时间,提出了一个部分分片重组的方案。该方案改变传统的分片重组处理流程:等所有的分片都到达之后再对报文进行完整的重组,然后再对重组后的完整报文进行规则检测等其它处理流程。而是每到一个分片就和前面已经缓存的分片报文进行重组,随即将重组后的部分报文送入规则检测引擎检测,一旦规则匹配成功就可以中止后续的分片报文重组。这样可以提高Snort检测的实时性并且提高其内存的使用效率。
As a dynamic security equipment, Intrusion detection system (IDS) can safeguard information security automatically and real-time. It is a supplement to the static security equipment such as firewall, so more attention has been paid. But the single intrusion detection function of the IDS has not been satisfied, and the integration of IDS and others secure products has become a developed trend. In this paper, it designed a dynamic secure system, based on the analysis of intrusion system and the snort"s source code. This dynamic secure system had network prevention ability and it can respond as soon as the detection of intrusion. An experiment was designed in order to make sure the system"s availability. It can successfully restrict the download with BT. In this paper, it also did a deep research on the process of the snort fragment reassembly. It gets a conclusion that the different OS has a different fragment reassembly policy. So the IDS should process this diversity, and it should choose different reassembly policy based on the target address of the message. Then we design another experiment with the port scan tool "nmap" and fragment intrusion tool "fragroute". It can prove the availability of the paper"s conclusion. At last, this paper proposes a fragment reassembly method. It need not wait reassembly until all the fragments come. If a fragment comes, it would be merged into the packet saved in the packet-buffer, and then it was sent for detection. With this process, it has two advantages. The one is that the buffer size can be smaller than all fragment was store in the buffer and the buffer can be a constant size. The other is that it can detect the malicious code more efficiently.
|
