libnids 入侵检测

Posted 2023-04-21

有人知道如何使用Libnids进行简单的linux环境下实现入侵检测的功能？？？
比如端口扫描，死亡之ping，等简单的检测，应该如何实现？有没有这方面的专门的论坛或是介绍Libnids开发的详细文章？？？

参考技术A 一个基于Libnids入侵检测程序~有人成功测试过吗~

#include "stdio.h"
#include "string.h"
#include "nids.h"
/*检测扫描用的的扫描信息数据结构*/
struct scan

u_int addr; /*地址*/
unsigned short port; /*端口号*/
u_char flags; /*标记*/
;
/*下面是检测扫描时用到的扫描主机数据结构*/
struct host

struct host* next; /*下一个主机结点*/
struct host* prev; /*前一个主机结点*/
u_int addr; /*地址*/
int modtime; /*时间*/
int n_packets; /*个数*/
struct scan* packets; /*扫描信息*/
;
/*下面是IP协议首部和数据结构*/
struct ip_header

#if defined(WORDS_BIGENDIAN)
unsigned ing ip_v : 4,
ip_hl : 4;
#else
unsigned int ip_hl : 4,
ip_v : 4;
#endif
unsigned int ip_tos;
unsigned char ip_len;
unsigned char ip_id;
unsigned char ip_off;
unsigned int ip_ttl;
unsigned int ip_p;
unsigned char ip_csum;
struct in_addr ip_src;
struct in_addr ip_dst;
;
/*下面是TCP协议首部的数据结构*/
struct tcp_header

unsigned char th_sport; /*源端口号*/
unsigned char th_dport; /*目的端口号*/
unsigned short th_seq; /*序列号*/
unsigned short th_ack; /*确认号*/
#ifdef WORDS_BIGENDIAN
unsigned int th_off : 4, /*数据偏移*/
th_x2 : 4; /*保留*/
#else
unsigned int th_x2 : 4, /*保留*/
th_off : 4; /*数据偏移*/
#endif
unsigned int th_flags;
unsigned char th_win; /*窗口大小*/
unsigned char th_sum; /*校验和*/
unsigned char th_urp; /*紧急指针*/
;
char *nids_warnings[] = "Murphy - you never should see this message !";

/*下面是检测扫描攻击和异常数据包的函数*/
static void my_nids_syslog(int type, int errnum, struct ip_header *iph, void *data)

static int scan_number = 0;
char source_ip[20];
char destination_ip[20];
char string_content[1024];
struct host* host_information;
unsigned char flagsand = 255,flagsor = 0;
int i;
char content[1024];
printf("ff");
switch (type) /*检测类型*/

case NIDS_WARN_IP:
if (errnum !=NIDS_WARN_IP_HDR)

strcpy(source_ip, inet_ntoa(*((struct in_addr *) &(iph->ip_src.s_addr))));
strcpy(destination_ip, inet_ntoa(*((struct in_addr *) &(iph->ip_dst.s_addr))));
printf("%s,packet(apparently from %s to %s\n", nids_warnings[errnum],source_ip, destination_ip);

else

printf("%s\n", nids_warnings[errnum]);
break;

case NIDS_WARN_TCP:
strcpy(source_ip, inet_ntoa(*((struct in_addr *) &(iph->ip_src.s_addr))));
strcpy(destination_ip, inet_ntoa(*((struct in_addr *) &(iph->ip_dst.s_addr))));
if (errnum != NIDS_WARN_TCP_HDR)

printf("%s,from %s:%hi to %s:%hi\n", nids_warnings[errnum], source_ip, ntohs(((struct tcp_header *) data)->th_sport), destination_ip, ntohs(((struct tcp_header *) data)->th_dport));

else

printf("%s,from %s to %s\n", nids_warnings[errnum], source_ip, destination_ip);

break;
case NIDS_WARN_SCAN:
scan_number++;
sprintf(string_content, "------------- %d -------------\n", scan_number);
printf("%s", string_content);
printf("----- 发现扫描攻击 -----\n");
host_information = (struct host *) data;
sprintf(string_content, "扫描者的IP地址为:\n");
printf("%s", string_content);
sprintf(string_content, "%s\n", inet_ntoa(*((struct in_addr *) &(host_information->addr))));
printf("%s", string_content);
sprintf(string_content, "被扫描者的IP地址和端口号为:\n");
printf("%s", string_content);
sprintf(string_content, "");
for(i = 0; i < host_information->n_packets; i++)

strcat(string_content, inet_ntoa(*((struct in_addr *) &(host_information->packets.addr))));
sprintf(string_content + strlen(string_content), ":%hi\n", host_information->packets.port);
flagsand &= host_information->packets.flags;
flagsor |= host_information->packets.flags;

printf("%s", string_content);
sprintf(string_content, "");
if (flagsand == flagsor)

i = flagsand;
switch (flagsand)

case 2:
strcat(string_content, "扫描类型为: SYN\n");
break;
case 0:
strcat(string_content, "扫描类型为: NULL\n");
break;
case 1:
strcat(string_content, "扫描类型为: FIN\n");
break;
default:
sprintf(string_content + strlen(string_content), "标志=0x%x\n", i);


else

strcat(string_content, "标志异常\n");

printf("%s", string_content);
break;
default:
sprintf(content, "未知");
printf("%s", string_content);
break;


/*主函数*/
void main()

struct nids_prm nids_params;
nids_params.syslog = my_nids_syslog; /*注册检测攻击的函数*/
nids_params.pcap_filter = "ip";
if (!nids_init()) /*Libnids初始化*/

printf("出现错误: %s\n", nids_errbuf);
exit(1);

nids_run(); /*进入循环捕获数据包的状态*/

snort入侵检测技术

参考技术A #snort -v【开启snort的嗅探功能】

在win10上ping 192.168.67.130

在Ubuntu上抓取到数据包

ctrl+C退出：自动统计数据

root@bt:~# cd /etc/snort

root@bt:/etc/snort# ls

classification.config  reference.config  snort.conf        unicode.map

community-sid-msg.map  rules            snort.debian.conf

gen-msg.map            sid-msg.map      threshold.conf

root@bt:/etc/snort# snort -c snort.conf

打开snort的安装目录下，查看文件夹下的文件，打开snort.conf

拖到最下面发现有error------复制如图的内容

编辑文档进行改错：# vi /etc/snort/rules/community-smtp.rules

按insert进入编辑模式--------把第13行的！去掉------按ESC----:wq-----保存

再root@bt:/etc/snort# snort -c snort.conf，拖到最下面直到没有错误为止，有错误就重复上述内容

在xp上运行nmap 对bt5进行扫描

Snort输出统计信息

进入日志文件目录/var/log/snort

输入vi alert查看报警信息

报警信息