An intrusion detection system (IDS) is a network security device whose main function is to conduct real-time monitoring of network transmissions. An intrusion detection system (IDS) is a network security device whose main function is to conduct real-time monitoring of network transmissions. and send alerts or take proactive response measures when suspicious transmissions are detected. Compared with other network security devices, the main feature of IDS is its proactive security protection technology. It does not span multiple physical network segments and usually only listens to one port. It does not need to forward any traffic. It only needs to passively and silently collect the packets of concern on the network.
In terms of specific implementation, IDS first extracts the collected traffic statistical feature values, and uses the built-in intrusion knowledge base to intelligently analyze and compare these traffic features. If a certain packet flow matches the preset threshold high, the packet will be considered as a possible attack behavior. At this time, the IDS will issue an alarm or carry out a limited counterattack based on the corresponding configuration.
IDS implementation principle and function
IDS implementation principle:
- Network traffic analysis: IDS monitors data traffic on the network and analyzes the content, source, destination and other information of data packets to look for abnormal signs. - Feature detection: IDS uses specific rules or feature signatures to detect known attack patterns or malicious behaviors. These rules can be implemented based on digital signatures, statistics, behavioral analysis and other technologies. - Anomaly detection: IDS can also model normal system and network activities and then detect anomalies that are significantly different from normal behavior.
IDS function:
- Attack detection: IDS can detect various types of attacks such as network scanning, denial of service attacks, malware spreading, etc. - Malicious behavior analysis: IDS can detect malicious activities within the system, such as illegal access, abnormal login behavior, etc. - Post-event audit: IDS records abnormal events and attack behaviors to facilitate post-event audit and security investigation.
In general, the role of IDS is to help organizations monitor and protect their networks and systems, detect potential security issues in a timely manner, and take appropriate measures to deal with them. IDS is usually used in conjunction with other security solutions such as firewalls and intrusion prevention systems (IPS) to form a comprehensive security protection system.
IDS and iptables working together
iptables is a tool used to configure and manage firewall rules in Linux systems, while an intrusion detection system (IDS) is used to monitor network attacks and respond accordingly. When using iptables, it can be used in conjunction with an IDS to improve the security and protection capabilities of the system.
Here are some examples of using iptables with IDS:
- Enable iptables logs: iptables can record firewall log information, including rejected connections, abnormal traffic, etc. Sending these log information to the IDS can help the IDS detect and analyze attack behavior. In the iptables rules, use the LOG target to log information, and then use the syslog
Or send logs to IDS by other means. - Define custom iptables rules: Use iptables to define custom rules to filter and block specific attack behaviors or abnormal traffic. These rules can be integrated with an IDS to automatically apply the appropriate rules when an attack is detected.
- Interaction with IDS: iptables and IDS can be interoperated to achieve automated defense and response. For example, when an IDS detects an attack, it can trigger
Automatic application of iptables rules to quickly block attack traffic or isolate attackers. Similarly, IDS can also be notified when an iptables rule triggers
for further analysis and processing. - Administration and Maintenance: Using iptables and IDS
In the process, these tools need to be managed and maintained regularly. For example, update the rule base, check log files, fix configuration errors, etc. Ensure regular security audits and vulnerability scans to ensure system security.
In summary, iptables and IDS are important components of Linux system security. By properly configuring and managing these tools, the system’s protection capabilities can be enhanced and the response speed to attacks can be improved.
Detecting abnormal behavior and code implementation in the network
-
Intrusion detection systems (IDS) can detect abnormal behavior in the network by injecting into the server during the TCP three-way handshake. Specifically, when the client initiates a TCP connection request to the server, IDS can insert its own IP address and port number in the middle to communicate with the server. In this way, IDS can intercept and analyze all data packets during the TCP connection to detect whether there are malicious attacks or abnormal behaviors.
During the TCP three-way handshake, the client first sends a SYN packet to the server, indicating a request to establish a connection. After receiving the SYN packet, the server will reply with a SYN-ACK packet to indicate its agreement to establish the connection. Finally, the client replies with an ACK packet to confirm the establishment of the connection. During this process, IDS can intercept and analyze these data packets to detect whether there are malicious attacks or abnormal behaviors.
iptables -A OUTPUT -p tcp --sport 80 --tcp-flags RST RST -j DROP
The purpose of this command is to add a rule to the iptables firewall rules that blocks all TCP connection requests from the local host (source IP address) whose destination port is 80 and has the RST flag. When these conditions are met, the rule drops these connection requests.
...
#define DATA "HTTP/1.1 200 OK\r\
Content-Type: text/plain\r\
Content-Length: 21\r\
\r\
you have been hacked!"
...
pcap_t* open_pcap_socket(char* device, const char* bpfstr)
{<!-- -->
char errbuf[PCAP_ERRBUF_SIZE];
pcap_t* pd;
uint32_t srcip, netmask;
struct bpf_program bpf;
// If no network interface (device) is specified, get the first one
if (!*device & amp; & amp; !(device = pcap_lookupdev(errbuf)))
{<!-- -->
printf("pcap_lookupdev(): %s\
", errbuf);
return NULL;
}
// Open the device for real-time capture instead of reading the packet capture file
if ((pd = pcap_open_live(device, BUFSIZ, 1, 0, errbuf)) == NULL)
{<!-- -->
printf("pcap_open_live(): %s\
", errbuf);
return NULL;
}
// Get the source IP address and network mask of the network device
if (pcap_lookupnet(device, & amp;srcip, & amp;netmask, errbuf) < 0)
{<!-- -->
printf("pcap_lookupnet: %s\
", errbuf);
return NULL;
}
if (pcap_compile(pd, & amp;bpf, (char*)bpfstr, 0, netmask))
{<!-- -->
printf("pcap_compile(): %s\
", pcap_geterr(pd));
return NULL;
}
//Assign the packet filter to the given libpcap socket
if (pcap_setfilter(pd, & amp;bpf) < 0)
{<!-- -->
printf("pcap_setfilter(): %s\
", pcap_geterr(pd));
return NULL;
}
return pd;
}
void capture_loop(pcap_t* pd, int packets, pcap_handler func)
{<!-- -->
int linktype;
// Determine the data link layer type.
if ((linktype = pcap_datalink(pd)) < 0)
{<!-- -->
printf("pcap_datalink(): %s\
", pcap_geterr(pd));
return;
}
//Set the data link layer header size
switch(linktype)
{<!-- -->
case DLT_NULL:
linkhdrlen = 4;
break;
case DLT_EN10MB:
linkhdrlen = 14;
break;
case DLT_SLIP:
case DLT_PPP:
linkhdrlen = 24;
break;
default:
printf("Unsupported datalink (%d)\
", linktype);
return;
}
// Start capturing packets
if (pcap_loop(pd, packets, func, 0) < 0)
printf("pcap_loop failed: %s\
", pcap_geterr(pd));
}
...
void parse_packet(u_char *user, struct pcap_pkthdr *packethdr,
u_char *packetptr)
{<!-- -->
...
// Skip the data link layer header and get the IP header fields
packetptr + = linkhdrlen;
iphdr = (struct ip*)packetptr;
strcpy(srcip, inet_ntoa(iphdr->ip_src));
strcpy(dstip, inet_ntoa(iphdr->ip_dst));
sprintf(iphdrInfo, "ID:%d TOS:0x%x, TTL:%d IpLen:%d DgLen:%d",
ntohs(iphdr->ip_id), iphdr->ip_tos, iphdr->ip_ttl,
4*iphdr->ip_hl, ntohs(iphdr->ip_len));
packetptr + = 4*iphdr->ip_hl;
if (iphdr->ip_p == IPPROTO_TCP )
{<!-- -->
tcphdr = (struct tcphdr*)packetptr;
addr_in.sin_family = AF_INET;
addr_in.sin_port = tcphdr->source;
addr_in.sin_addr.s_addr = iphdr->ip_src.s_addr;
if (debug_output)
{<!-- -->
printf("[*] TCP %s:%d -> %s:%d\t", srcip, ntohs(tcphdr->source), dstip, ntohs(tcphdr->dest));
printf( "%c%c%c%c%c%c Seq: 0x%x Ack: 0x%x Win: 0x%x TcpLen: %d\
",
(tcphdr->urg ? 'U' : '*'), (tcphdr->ack ? 'A' : '*'),
(tcphdr->psh ? 'P' : '*'), (tcphdr->rst ? 'R' : '*'),
(tcphdr->syn ? 'S' : '*'), (tcphdr->fin ? 'F' : '*'),
ntohl(tcphdr->seq), ntohl(tcphdr->ack_seq), ntohs(tcphdr->window), 4*tcphdr->doff
);
}
sender_port = ntohs(tcphdr->source);
seq_number = rand();
memset(synack_packet, 0, sizeof(synack_packet));
memset(pshack_packet, 0, sizeof(pshack_packet));
memset(finack_packet, 0, sizeof(finack_packet));
memset(ack_packet, 0, sizeof(ack_packet));
// Preparing SYN-ACK packet
ipHdr = (struct iphdr *) synack_packet;
tcpHdr = (struct tcphdr *) (synack_packet + sizeof(struct iphdr));
ipHdr->ihl = 5;
ipHdr->version = 4;
ipHdr->tos = 0;
ipHdr->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
ipHdr->id = htons(rand());
ipHdr->frag_off = 0x00;
ipHdr->ttl = 0xFF;
ipHdr->protocol = IPPROTO_TCP;
ipHdr->check = 0;
ipHdr->saddr = iphdr->ip_dst.s_addr;
ipHdr->daddr = iphdr->ip_src.s_addr;
ipHdr->check = csum((unsigned short *) synack_packet, ipHdr->tot_len);
tcpHdr->source = tcphdr->dest;
tcpHdr->dest = tcphdr->source;
tcpHdr->seq = htonl(seq_number);
seq_number + = 1; // Increment sequence number
tcpHdr->ack_seq = htonl(ntohl(tcphdr->seq) + 1);
tcpHdr->doff = 5;
tcpHdr->res1 = 0;
tcpHdr->cwr = 0;
tcpHdr->ece = 0;
tcpHdr->urg = 0;
tcpHdr->ack = 1;
tcpHdr->psh = 0;
tcpHdr->rst = 0;
tcpHdr->syn = 1;
tcpHdr->fin = 0;
tcpHdr->window = htons(15500);
tcpHdr->check = 0;
tcpHdr->urg_ptr = 0;
tcpHdr->check = tcp_checksum(tcpHdr, sizeof(struct tcphdr), iphdr->ip_dst.s_addr, iphdr->ip_src.s_addr);
// Prepare DATA packet
memcpy(pshack_packet, synack_packet, sizeof(struct iphdr) + sizeof(struct tcphdr));
ipHdr = (struct iphdr *) pshack_packet;
tcpHdr = (struct tcphdr *) (pshack_packet + sizeof(struct iphdr));
data = (char *) (pshack_packet + sizeof(struct iphdr) + sizeof(struct tcphdr));
strcpy(data, DATA);
ipHdr->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr) + strlen(data);
tcpHdr->seq = htonl(seq_number);
seq_number + = strlen(data);// Increment seq number
tcpHdr->syn = 0;
tcpHdr->psh = 1;
tcpHdr->check = 0x0;
tcpHdr->check = tcp_checksum(tcpHdr, sizeof(struct tcphdr) + strlen(data), iphdr->ip_dst.s_addr, iphdr->ip_src.s_addr);
// Prepare FIN packet
memcpy(finack_packet, pshack_packet, sizeof(struct iphdr) + sizeof(struct tcphdr) + strlen(data));
ipHdr = (struct iphdr *) finack_packet;
tcpHdr = (struct tcphdr *) (finack_packet + sizeof(struct iphdr));
tcpHdr->seq = htonl(seq_number);
seq_number + = 1; // Increment seq number
ipHdr->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
tcpHdr->fin = 1;
tcpHdr->psh = 0;
tcpHdr->check = 0x0;
tcpHdr->check = tcp_checksum(tcpHdr, sizeof(struct tcphdr), iphdr->ip_dst.s_addr, iphdr->ip_src.s_addr);
// Preparing ACK packet
memcpy(ack_packet, synack_packet, sizeof(struct iphdr) + sizeof(struct tcphdr));
ipHdr = (struct iphdr *) ack_packet;
tcpHdr = (struct tcphdr *) (ack_packet + sizeof(struct iphdr));
tcpHdr->seq = tcphdr->ack_seq;
tcpHdr->ack_seq = htonl(ntohl(tcphdr->seq) + 1);
if (strlen((char*) tcphdr + 4*tcphdr->doff) > 0)
tcpHdr->ack_seq = htonl(ntohl(tcpHdr->ack_seq) - 1 + strlen((char*) tcphdr + 4*tcphdr->doff));
ipHdr->tot_len = sizeof(struct iphdr) + sizeof(struct tcphdr);
tcpHdr->ack = 1;
tcpHdr->psh = 0;
tcpHdr->rst = 0;
tcpHdr->syn = 0;
tcpHdr->fin = 0;
tcpHdr->check = 0x0;
tcpHdr->check = tcp_checksum(tcpHdr, sizeof(struct tcphdr), iphdr->ip_dst.s_addr, iphdr->ip_src.s_addr);
if (tcphdr->syn & amp; & amp; !tcphdr->ack )
{<!-- -->
...
ipHdr = (struct iphdr *) pshack_packet;
if((bytes = sendto(sock, pshack_packet, ipHdr->tot_len, 0, (struct sockaddr *) & amp;addr_in, sizeof(addr_in))) < 0)
perror("Error on sendto()");
else {<!-- -->
printf("\t[ + ] [%s:%d] Sending HTTP response data\
", srcip, ntohs(tcphdr->source));
}
ipHdr = (struct iphdr *) finack_packet;
if((bytes = sendto(sock, finack_packet, ipHdr->tot_len, 0, (struct sockaddr *) & amp;addr_in, sizeof(addr_in))) < 0)
perror("Error on sendto()");
else {<!-- -->
printf("\t[ + ] [%s:%d] Closing connection. Sending FIN-ACK\
", srcip, ntohs(tcphdr->source));
}
}
else if (tcphdr->ack & amp; & amp; (tcphdr->psh || tcphdr->fin) & amp; & amp; send_ack)
{<!-- -->
ipHdr = (struct iphdr *) ack_packet;
if((bytes = sendto(sock, ack_packet, ipHdr->tot_len, 0, (struct sockaddr *) & amp;addr_in, sizeof(addr_in))) < 0)
perror("Error on sendto()");
else
printf("[ + ] ACKing to [%s:%d]\
", srcip, ntohs(tcphdr->source));
}
}
...
}
int main(int argc, char **argv)
{<!-- -->
...
sprintf(help, "usage: %s -i <interface> -p <port: 1..65535> [-d] [-a]\
\t-d\tenable debug output\
\t-a\tsend ACK packet to every incoming data packet\
\
", argv[0]);
if((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {<!-- -->
perror("Error while creating socket");
exit(-1);
}
if(setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *) & amp;one, sizeof(one)) < 0) {<!-- -->
perror("Error while setting socket options");
exit(-1);
}
while ((c = getopt (argc, argv, "hadi:p:")) != -1)
{<!-- -->
switch (c)
{<!-- -->
case 'i':
strcpy(interface, optarg);
break;
case 'p':
strcpy(port, optarg);
break;
case 'd':
debug_output = 1;
break;
case 'a':
send_ack = 1;
break;
case 'h':
default:
printf("%s", help);
exit(0);
break;
}
}
if (atoi(port) < 1 || atoi(port) > 65535 || interface[0] == 0x0)
{<!-- -->
printf("%s", help);
exit(0);
}
strcat(bpfstr, "tcp and dst port ");
strcat(bpfstr, port);
if ((pd = open_pcap_socket(interface, bpfstr)))
{<!-- -->
capture_loop(pd, 0, (pcap_handler)parse_packet);
}
...
}
running result:
If you need the complete source code, please add the WeChat number (c17865354792 strong>)
Packet capture effect:
IDS (Intrusion Detection System) Bypass Tips
IDS (Intrusion Detection System) bypass techniques refer to technical means that use various methods to circumvent or deceive the intrusion detection system. IDS is a network security device used to monitor and detect intrusions in the network. It can identify possible attack behaviors based on defined rules and provide corresponding alerts. However, attackers may try to bypass IDS to hide their activities and avoid the risk of detection.
Here are some possible IDS bypass tricks:
-
Bypass based on traffic characteristics: Attackers can use characteristics of specific protocols or transmission methods to avoid IDS detection. For example, attackers can use sharding or tunneling techniques to segment or hide attack traffic so that it is not easily detected by an IDS.
-
Encryption and covert communications: Attackers can use encrypted communications or covert channels to hide their attack traffic. This prevents IDS from detecting and analyzing the transmitted content.
-
Flaw-based attacks: Attackers can exploit vulnerabilities or flaws in the IDS itself to bypass its detection mechanism. For example, an attacker may discover that the rules of an IDS are incomplete or misconfigured, allowing them to perform an attack without being detected.
-
Spoofing: An attacker may try to trick an IDS to avoid detection. For example, an attacker can send specially crafted packets to simulate legitimate traffic, making it impossible for an IDS to detect malicious behavior.
The purpose of these bypass techniques is to make the attacker’s behavior invisible, allowing them to successfully carry out the attack without being detected or blocked. The key to combating these bypass techniques is to continuously update and improve IDS detection rules and technologies, as well as strengthen the overall ability of network security defenses.
Summary
An intrusion detection system (IDS) is a network security tool used to detect and identify network attacks. IDS can monitor network traffic, detect various attack behaviors, and issue alerts or take corresponding defensive measures.
Welcome to follow WeChat official account【Programmer Coding】