NIDS与防火墙联动(国外英文资料)

NIDS与防火墙联动(国外英文资料)

In this paper, by a785842883 contribution

Doc documents may have a poor browsing experience at the WAP end. It is recommended that you choose TXT, or download the source file to the native view.

The experimental principle

Fwsam - snort

The Guardian

The Iptables

Snortsam

One, the Guardian implementation of snort and iptables in the Guardian is a proactive firewall based on snort and iptables, running in the background. Guardian analysis snort alert alarm log file (default path/var/log/snort), according to a certain judgment automatically adding some malicious IP iptables input chain, will be discarded the datagram. When the guardian exits, it deletes the rules previously inserted into the iptables input chain. Second, snort and iptables interlocking snortsam with snortsam plugin is the intrusion prevention plug-in for snort. It works by adding a new response to the snort rule, which makes the firewall or router change when the rules are touched. This change usually blocks or forbids traffic from or to a particular IP address for a period of time. SnortSam works with the Checkpoint Firewall - 1 Firewall, the Cisco PIX Firewall, and the iptables Firewall. SnortSam has two basic components: plug-ins and agents. This structure can allow firewall rules or ACL termination after a predefined period of time. The agent is responsible for modifying the router and firewall and can establish and remove firewall rules. It has a timing function that allows it to terminate a rule at the preset time. Other intrusion prevention applications can permanently modify firewalls and routers, which is clearly not ideal. This structure allows a single sensor to interact with many different firewalls and routers. If you have a sensor is used to protect many environment a firewall, the sensor can control rules based on triggered each fire wall. The plug-in is a standard snort output plug-in that is used to send instructions to the agent when the rules are triggered. These i