9.3. Network-based IDS
Network-based intrusion detection systems operate differently from host-based IDSes. A network-based IDS scans network packets at the router or host level, audits the packet information, and logs any suspicious packets to a special log file with extended detail. It then compares these suspicious packets against its own database of known network attack signatures and assigns a severity level to each packet. If the severity level is high enough, a warning email or pager message is sent to security team members so they can investigate the nature of the anomaly.
		
Network-based IDSes have become popular as the Internet grows in size and traffic. IDSes that can scan large volumes of network activity and reliably tag suspect transmissions are well received within the security industry. Because of the inherent insecurity of the TCP/IP protocols, it has become imperative to develop scanners, sniffers, and other network auditing and detection tools to prevent security breaches caused by malicious network activity such as:
		
- IP spoofing
- denial-of-service attacks
- ARP cache poisoning
- DNS name corruption
- man-in-the-middle attacks
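As an added illustration of the pipeline this section describes (capture every packet, match it against a signature database, assign a severity, alert above a threshold), the following Python is example code written for this page, not code from the Red Hat guide or from any real IDS; the packet records, severity scale and SYN limit are constructed assumptions, and the two signatures cover ARP cache poisoning and a SYN-based denial of service from the list above.

```python
from collections import Counter

# Constructed sample packet records (not real capture data), already decoded into fields.
# The third record rebinds the gateway IP to a new MAC; the tail is a burst of SYNs from one source.
SAMPLE_PACKETS = [
    {"proto": "arp", "op": "reply", "ip": "10.0.0.1", "mac": "aa:aa:aa:aa:aa:01"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.2", "flags": "S"},
    {"proto": "arp", "op": "reply", "ip": "10.0.0.1", "mac": "de:ad:be:ef:00:01"},
] + [{"proto": "tcp", "src": "198.51.100.9", "dst": "10.0.0.2", "flags": "S"} for _ in range(60)]

SEVERITIES = {"low": 1, "medium": 2, "high": 3}  # severity scale (assumed)
ALERT_THRESHOLD = SEVERITIES["medium"]           # notify the team at medium or above (assumed)
SYN_LIMIT = 50                                   # SYNs from one source before it is a flood (assumed)


class SignatureEngine:
    def __init__(self):
        self.arp_table = {}          # ip -> first MAC seen for it
        self.syn_counts = Counter()  # src ip -> SYN packets seen
        self.signatures = [self.sig_arp_poison, self.sig_syn_flood]

    def sig_arp_poison(self, pkt):
        """ARP reply that rebinds an already-known IP to a different MAC."""
        if pkt.get("proto") != "arp" or pkt.get("op") != "reply":
            return None
        known = self.arp_table.setdefault(pkt["ip"], pkt["mac"])
        if known != pkt["mac"]:
            return ("ARP cache poisoning: %s moved %s -> %s" % (pkt["ip"], known, pkt["mac"]), "high")
        return None

    def sig_syn_flood(self, pkt):
        """Too many SYNs from one source; fires once, when the limit is crossed."""
        if pkt.get("proto") != "tcp" or pkt.get("flags") != "S":
            return None
        self.syn_counts[pkt["src"]] += 1
        if self.syn_counts[pkt["src"]] == SYN_LIMIT + 1:
            return ("Possible SYN flood from %s" % pkt["src"], "medium")
        return None

    def inspect(self, pkt):
        # Run every signature over one packet; return the (message, severity) hits.
        return [hit for hit in (sig(pkt) for sig in self.signatures) if hit is not None]


def run_ids(packets, threshold=ALERT_THRESHOLD):
    """Feed packets through the engine; return (severity, message) alerts at or above threshold."""
    engine, alerts = SignatureEngine(), []
    for pkt in packets:
        for msg, sev in engine.inspect(pkt):
            if SEVERITIES[sev] >= threshold:
                alerts.append((sev, msg))
    return alerts
```

Raising the threshold to "high" keeps the ARP alert and drops the SYN-flood alert, which is how the severity step turns a noisy signature database into a manageable notification stream.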
Most network-based IDSes require that the host system network device be set to promiscuous mode, which allows the device to capture every packet passed on the network. Promiscuous mode can be set through the ifconfig command, such as the following:

    ifconfig eth0 promisc

Running ifconfig with no options reveals that eth0 is now in promiscuous (PROMISC) mode.
		
Using a tool such as tcpdump (included with Red Hat Enterprise Linux), we can see the large amounts of traffic flowing throughout a network:

Notice that packets that were not intended for our machine (pinky.example.com) are still being scanned and logged by tcpdump.
		9.3.1. Snort
While tcpdump is a useful auditing tool, it is not considered a true IDS because it does not analyze and flag packets for anomalies. Instead, tcpdump prints all packet information to the screen or to a log file without any analysis. A proper IDS analyzes the packets, tags potentially malicious packet transmissions, and stores them in a formatted log.
			
Snort is an IDS designed to be comprehensive and accurate in logging malicious network activity and notifying administrators when potential breaches occur. Snort uses the standard libpcap library and tcpdump as a packet logging backend.
			
				The most prized feature of Snort, in addition to its functionality, is its flexible attack signature subsystem. Snort has a constantly updated database of attacks that can be added to and updated via the Internet. Users can create signatures based on new network attacks and submit them to the Snort signature mailing lists (located at http://www.snort.org/lists.html) so that all Snort users can benefit. This community ethic of sharing has developed Snort into one of the most up-to-date and robust network-based IDSes available.
			
Note
					Snort is not included with Red Hat Enterprise Linux and is not supported. It has been included in this document as a reference to users who may be interested in evaluating it.
				
				For more information about using Snort, refer to the official website at http://www.snort.org/.