An introduction to libnids

2020-09-15 19:20  宋海宾

1. Introduction

    Libnids is a programming interface built for developing network intrusion detection systems; it uses libpcap for packet capture. On top of capture, libnids reassembles IP fragments and TCP streams, so the application layer does not have to deal with fragmentation, retransmission and out-of-order segments itself. Its reassembly is modelled on the Linux 2.0.x IP stack, so it reassembles traffic the way a host running that stack would, which is what makes it reliable as an NIDS front end. Libnids also has a very practical extra: TCP port-scan detection and detection of anomalous packets.

    GitHub repository:

    https://github.com/MITRECND/libnids

   There are many articles about libnids online, so I will not give a detailed introduction here. The libnids source package also ships several example programs that cover the usage of its main APIs, and because the library is open source you can read the source directly to see what is going on. What I mainly want to cover are a few situations to watch out for when using libnids.

  1) Installing libnids on Windows

      Before libnids can be installed you need WinPcap and libnet. WinPcap (libpcap on Linux) is a packet-capture development library; libnet is a library for constructing and injecting raw network packets (libcurl, which is sometimes mentioned alongside these, is a URL/HTTP transfer library and does not construct raw packets). Incidentally, many powerful open-source tools have names starting with lib; learning to use them can greatly reduce development effort. The installation steps for WinPcap and libnet are described in references [2][3]. The libnids source tree includes a Visual Studio project, which can be built and installed directly.

  2) A few pitfalls in libnids

     (1) struct tuple4 holds the IP addresses and ports of both ends of a connection. Note that "source" and "destination" here may not mean what you expect. They have nothing to do with whether a given packet is flowing from client to server or from server to client; they are fixed by who initiated the connection. Put plainly, if A sends data to B, A is not necessarily the source and B is not necessarily the destination. A is the source (saddr/source) and B the destination (daddr/dest) only when the connection was initiated by A.

     (2) When the nids_state of a tcp_stream is NIDS_JUST_EST, you must set client.collect and server.collect to a non-zero value (the libnids examples simply increment them, e.g. a_tcp->client.collect++). Otherwise nothing is delivered to you in the NIDS_DATA state: the data is dropped.

     (3) Usage of void nids_discard(struct tcp_stream *a_tcp, int num): by default, whatever is in the half_stream buffer when your callback returns is discarded. nids_discard tells libnids to discard only the first num bytes of the data buffered in a_tcp and to keep the remainder, which is handed back to you, prepended to the new data, on the next callback. So if you expect a unit of n bytes but have only received m < n bytes so far, call nids_discard(a_tcp, 0): libnids keeps everything buffered and you can process the whole unit once the rest arrives. In general, pass the number of bytes you have actually consumed.
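As an added example (not code from this post or from the libnids project), the C program below models pitfalls (2) and (3) end to end: a callback that sets collect at NIDS_JUST_EST, frames a two-byte length-prefixed record protocol out of whatever is buffered, and calls nids_discard() with only the bytes it consumed, so a record split across segments survives. The struct tcp_stream / half_stream stand-ins, the fixed BUFSZ buffer, the deliver() loop and the record format are constructed for this example; the field names collect, data, offset, count and count_new, the callback signature and the nids_discard() contract follow the libnids API, but in real code you include <nids.h>, register the callback with nids_register_tcp() after nids_init(), and let libnids own the stream structures.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the parts of the libnids API the pitfalls above
 * refer to.  Field names mirror libnids, but the structs, the fixed buffer
 * and deliver() are ours so that the example runs without nids.h.
 */
#define BUFSZ 256

struct half_stream {
    int  collect;      /* pitfall (2): must be non-zero or data is never delivered */
    char data[BUFSZ];  /* bytes retained for the callback (libnids: char *data) */
    int  offset;       /* stream offset of data[0] */
    int  count;        /* bytes of this half seen so far */
    int  count_new;    /* bytes added since the previous callback */
};

struct tcp_stream {
    int nids_state;
    struct half_stream client;  /* data *for* the client, i.e. sent by the server */
    struct half_stream server;  /* data for the server, i.e. sent by the client */
    int discard_req;            /* set by nids_discard(); -1 = not called */
};

enum { NIDS_JUST_EST = 1, NIDS_DATA = 2 };

/* nids_discard() stand-in: remember how many bytes to drop once the callback returns. */
static void nids_discard(struct tcp_stream *a_tcp, int num)
{
    a_tcp->discard_req = num;
}

static int  g_use_discard = 1;   /* toggled by run_demo() to show the failure mode */
static int  g_records = 0;
static char g_last_record[BUFSZ];

/* Application callback: frames records of the form <2-byte big-endian len><payload>. */
static void tcp_callback(struct tcp_stream *a_tcp, void **param)
{
    (void)param;
    if (a_tcp->nids_state == NIDS_JUST_EST) {
        a_tcp->client.collect++;   /* pitfall (2): ask for both directions */
        a_tcp->server.collect++;
        return;
    }
    if (a_tcp->nids_state != NIDS_DATA)
        return;

    struct half_stream *hlf = a_tcp->client.count_new ? &a_tcp->client : &a_tcp->server;
    int avail = hlf->count - hlf->offset;   /* retained bytes + new bytes */
    int used = 0;
    while (avail - used >= 2) {
        unsigned char *p = (unsigned char *)hlf->data + used;
        int len = (p[0] << 8) | p[1];
        if (avail - used < 2 + len)
            break;                          /* partial record: keep it for next time */
        g_records++;
        snprintf(g_last_record, sizeof g_last_record, "%.*s", len, (char *)p + 2);
        used += 2 + len;
    }
    /* pitfall (3): discard only the consumed prefix.  Without this call the
       whole buffer, partial record included, is dropped when we return. */
    if (g_use_discard)
        nids_discard(a_tcp, used);
}

/* Stand-in for the libnids delivery loop: append a segment, run the callback,
   then apply the discard semantics.  Constructed; libnids does this internally. */
static void deliver(struct tcp_stream *a_tcp, struct half_stream *hlf, const char *seg, int n)
{
    int buffered = hlf->count - hlf->offset;
    if (!hlf->collect || buffered + n > BUFSZ)
        return;                             /* nobody collecting: data is dropped */
    memcpy(hlf->data + buffered, seg, n);
    hlf->count += n;
    hlf->count_new = n;
    a_tcp->nids_state = NIDS_DATA;
    a_tcp->discard_req = -1;
    tcp_callback(a_tcp, NULL);
    buffered += n;
    int drop = a_tcp->discard_req < 0 ? buffered : a_tcp->discard_req;
    memmove(hlf->data, hlf->data + drop, buffered - drop);
    hlf->offset += drop;
    hlf->count_new = 0;
}

/* Runs one constructed client->server exchange of two records, "hello" and
   "libnids", split across three segments so both records straddle a boundary.
   Returns the number of complete records the callback assembled. */
int run_demo(int set_collect, int use_discard)
{
    static const char wire[] = "\x00\x05hello\x00\x07libnids";   /* constructed bytes */
    struct tcp_stream s;
    memset(&s, 0, sizeof s);
    g_use_discard = use_discard;
    g_records = 0;
    g_last_record[0] = '\0';

    s.nids_state = NIDS_JUST_EST;
    if (set_collect)
        tcp_callback(&s, NULL);   /* the NIDS_JUST_EST notification libnids would send */

    deliver(&s, &s.server, wire, 3);        /* len + 'h'       : partial record 1 */
    deliver(&s, &s.server, wire + 3, 6);    /* "ello" + len    : completes record 1 */
    deliver(&s, &s.server, wire + 9, 7);    /* "libnids"       : completes record 2 */
    return g_records;
}

int main(void)
{
    printf("collect+discard: %d records, last=\"%s\"\n", run_demo(1, 1), g_last_record);
    printf("no nids_discard: %d records\n", run_demo(1, 0));
    printf("collect unset:   %d records\n", run_demo(0, 1));
    return 0;
}
```

With collect set and nids_discard() called, both records are recovered; leaving out nids_discard() loses the split bytes and the framing never resynchronises, and leaving collect at zero means the NIDS_DATA branch never runs at all.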


The README from the libnids-1.25 source package is reproduced below:

====================
    libnids-1.25
====================

1. What is libnids ?
------------------------

	Libnids is a library that provides a functionality of one of NIDS 
(Network Intrusion Detection System) components, namely E-component. It means 
that libnids code watches all local network traffic, cooks received datagrams 
a bit (quite a bit ;)), and provides convenient information on them to 
analyzing modules of NIDS. Libnids performs:
a) assembly of TCP segments into TCP streams
b) IP defragmentation
c) TCP port scan detection 
More technical info can be found in the MISC file.
	So, if you intend to develop a custom NIDS, you don't have to build
low-level network code. If you decide to use libnids, you have got
E-component ready - you can focus on implementing other parts of NIDS.

2. Why is libnids valuable ?
----------------------------

	In January 1998, Thomas H. Ptacek and Timothy N. Newsham published an
excellent paper entitled "Eluding Network Intrusion Detection". It's a
must-read for all security concerned people, available from
http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
In this paper one can find descriptions of a variety of attacks against NIDS.
During libnids development a lot of effort was made to make libnids immune
to these attacks. During tests libnids performed TCP assembly and IP 
defragmentation in exactly the same way as Linux 2.0.36 hosts
(targets of test packets). For details, see file TESTS; here let's just 
mention two things:
a) libnids passed all tests implemented in fragrouter by Dug Song (see 
   http://www.anzen.com/research/nidsbench/ ). In fact, fragrouter's tests were
   fairly simple when compared with other, custom ones.
b) libnids IP defragmenting module contains slightly modified Linux 2.0.36 
   kernel source files ip_fragment.c and ip_options.c. It means that libnids IP
   defragmentation is as reliable as the one implemented in Linux 2.0.36.
Libnids is easy to use and highly configurable - see API file for details.

3. On what platform does it run ?
---------------------------------

Currently libnids will compile on Linux, Solaris, any *BSD. WIN32 port is
available at http://www.datanerds.net/~mike/libnids.html, but currently only
obsoleted versions are present there; newer ports may appear at
http://www.checksum.org (in "downloads" section).

4. Who is allowed to use it ?
-----------------------------

Libnids is licensed under GPL. See the file COPYING for details.

5. Contact info ?
-----------------

The primary libnids site is 
http://libnids.sourceforge.net/
Please send bug reports, comments, or questions about this software to
<nergal@7bulls.com>.

  

 

5. References:

[1] http://libnids.sourceforge.net/

[2] http://blog.hfq.me/windows-libnet.html

[3] http://hi.baidu.com/kuangxiangjie/blog/item/19e2c23f7505a7ca7c1e7160.html/cmtid/735b4a609ee549cf8db10dac

[4] http://blog.csdn.net/kl222/article/details/6248827

[5] http://www.linuxnote.org/libnids-api-chinese-version.html