This paper examines the weaknesses of intrusion detection systems in order to understand the practices attackers use against them. The promise usually sounds like this: once a network intrusion detection system is installed, it analyses your traffic for attacks as they appear online, and you can use its built-in countermeasure function to "hunt" the intruder or block the attack on the spot; you can also pair it with a firewall so that it rewrites the firewall rules for you dynamically and refuses every follow-up connection from the attacking IP. This "beautiful future" may be the usual marketing line of a number of IDS vendors, and it is indeed what most businesses or organizations have in mind when they set up their own intrusion detection system. Intrusion detection systems can offer very good surveillance and intrusion detection capability and can genuinely help a business or organization improve its security. But just as thieves keep up with every "update" in lock design, evasion techniques against network intrusion detection systems have kept "upgrading" alongside the systems themselves, and attackers have by now developed fairly complete methods for getting past them. The rest of this paper looks at the weaknesses of intrusion detection systems and at the ways attackers exploit them.
First, design flaws in the identification method
1. Most network intrusion detection systems take the approach of comparing traffic against known attack methods, watching for a particular string to appear on the wire. For example, the phf CGI program shipped with early versions of the Apache web server was one of the tools attackers commonly used to read the system password file (/etc/password) on a server, or to execute arbitrary code on it. When an attacker uses this tool, the URL request almost always contains a string similar to "GET /cgi-bin/phf?...". Many intrusion detection systems therefore simply check every URL request for the string "/cgi-bin/phf" to decide whether a phf attack is taking place.
2. Although this inspection approach is used by a wide variety of intrusion detection systems, the way each system performs the comparison differs because their designs differ. Some intrusion detection systems can only do a simple string comparison, while others reconstruct the TCP session and inspect it in detail; the first design favours performance, the second favours detection ability. To avoid being discovered by the intrusion detection system during an attack, an attacker may adopt evasion practices that hide the intent of the request. For example, the attacker can encode the characters of the URL as %xx hexadecimal values, so that "cgi-bin" becomes "%63%67%69%2d%62%69%6e"; a simple string comparison ignores the meaning of this encoded string. An attacker can also exploit the way directory structure is written to hide the real intent: in a path, "./" stands for the current directory and "../" for the parent directory, so the web server resolves requests such as "/cgi-bin/././phf", "//cgi-bin//phf" and "/cgi-bin/blah/../phf?" all to "/cgi-bin/phf", while a simple intrusion detection system only checks whether the request contains the literal string "/cgi-bin/phf" and never discovers what these requests actually represent.
3. A whole request within one TCP session can also be cut into many small packets that each carry only a few characters. If the network intrusion detection system does not reconstruct the entire TCP session, it only sees individual packets containing something like "GET", "/cg", "i", "-bin", "/phf"; because it merely checks each packet on its own for a string resembling an attack, it never obtains the reassembled result. Related evasion methods include IP fragment overlap, TCP segment overlap deception and other more complex techniques.
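The following example is added here to make the three points above concrete; it is illustrative code written for this article, not the code of any IDS product. It contrasts a naive substring match on the raw request with a match performed after the same normalization a web server applies (percent-decoding, then resolving "./", "../" and "//"), and a per-packet check with a check on the reassembled TCP session. The request lines and segments are constructed samples mirroring the variants discussed in the text.

```python
"""Added example (not from the article or any IDS product): why a signature
check must see what the web server sees.

All requests and segments below are constructed samples.
"""
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/phf"  # the string the article's example IDS looks for


def request_path(raw_request: str) -> str:
    """Pull the path out of a request line such as 'GET /x?y HTTP/1.0',
    dropping the query string."""
    parts = raw_request.split()
    target = parts[1] if len(parts) > 1 else raw_request
    return target.split("?", 1)[0]


def normalize_path(path: str) -> str:
    """Interpret the path the way the server will: percent-decode it, then
    resolve '.', '..' and empty ('//') path elements."""
    decoded = unquote(path)            # '%63%67%69%2d%62%69%6e' -> 'cgi-bin'
    resolved = []
    for element in decoded.split("/"):
        if element in ("", "."):       # '//' and './' add nothing
            continue
        if element == "..":            # '../' steps back to the parent
            if resolved:
                resolved.pop()
            continue
        resolved.append(element)
    return "/" + "/".join(resolved)


def naive_match(raw_request: str) -> bool:
    """Simple string comparison on the raw request, as a basic IDS does."""
    return SIGNATURE in raw_request


def normalized_match(raw_request: str) -> bool:
    """Comparison after normalization, as a more careful IDS does."""
    return SIGNATURE in normalize_path(request_path(raw_request))


def per_packet_match(segments) -> bool:
    """Inspect each TCP segment on its own, without reassembly."""
    return any(naive_match(segment) for segment in segments)


def session_match(segments) -> bool:
    """Reassemble the in-order segments of one TCP session, then inspect."""
    return normalized_match("".join(segments))


# Constructed samples: the disguised variants discussed in the article
DISGUISED_REQUESTS = [
    "GET /%63%67%69%2d%62%69%6e/phf?a=b HTTP/1.0",
    "GET /cgi-bin/././phf?a=b HTTP/1.0",
    "GET //cgi-bin//phf?a=b HTTP/1.0",
    "GET /cgi-bin/blah/../phf?a=b HTTP/1.0",
]
# Constructed sample: one request split into tiny TCP segments
SEGMENTS = ["GET ", "/cg", "i", "-bin", "/phf", "?a=b HTTP/1.0"]


def compare_all():
    """Return (naive hits, normalized hits) over the disguised requests."""
    naive_hits = sum(naive_match(r) for r in DISGUISED_REQUESTS)
    normalized_hits = sum(normalized_match(r) for r in DISGUISED_REQUESTS)
    return naive_hits, normalized_hits


if __name__ == "__main__":
    print("naive / normalized hits:", compare_all())
    print("per-packet:", per_packet_match(SEGMENTS),
          "session:", session_match(SEGMENTS))
```

The naive check misses all four disguised requests and every individual segment, while the normalized check on the reassembled stream catches them. Real servers have further decoding quirks (double encoding, for instance), so a production normalizer has to mirror the exact behaviour of the server it protects, and the session reassembly also has to resolve overlapping fragments and segments the same way that server's TCP/IP stack does.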
Second, flaws in "hunting" and in resetting the security policy
So-called "hunting" means setting a trap on the server: a port is deliberately left open and the detection system watches it closely 24 hours a day, so that when an attacker tries to break in through that port, the detection system can block the attempt in time. The "hunting" function of a network intrusion detection system and its ability to re-adjust the firewall security policy do block an attack immediately, but the blocking action itself only applies to the TCP session in question; to restrict the attacker completely, the system must rely on the feature that rewrites the firewall policy, and that feature can have other adverse effects. First, the real-time blocking action lets the attacker discover that an IDS exists, and an attacker who knows this will usually look for ways to evade the IDS or move on to attacking the IDS itself. Second, if the firewall policy reset is not done properly, it becomes a denial-of-service tool in the attacker's hands: where the network intrusion detection system is not carefully designed and does not check what it is reacting to, an attacker can masquerade as other, normal source IP addresses while carrying out the attack, and an IDS that rashly restricts those source IPs will lock out the legitimate users who own them. Whether it is the design of the identification method or the so-called "hunting" and firewall policy-reset functions, each has advantages and disadvantages. Learning more about how an intrusion detection system identifies attacks, and how that identification can be tuned, helps improve the accuracy of its operation. As for the "hunting" and firewall policy-reset functions and tools, the benefits and the corresponding losses should be carefully evaluated so that the network intrusion detection system can perform its functions effectively.
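To show what "checking properly" before an automatic block can look like, here is an added example of a guarded block policy; it is illustrative code written for this article, not the logic of any IDS or firewall product, and the safeguards it applies (an allow-list of protected networks, acting only on sources that completed the TCP three-way handshake, a cap and a time-to-live on live blocks) are design assumptions of the example. The alerts and the IP addresses are constructed samples from the documentation address ranges.

```python
"""Added example (not from the article or any product): a guarded
automatic-block policy for IDS-driven firewall updates.

The safeguards below are this example's own assumptions, chosen to address
the spoofing-driven denial of service the article describes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Alert:
    src_ip: str
    signature: str
    handshake_complete: bool  # True when the IDS saw the full three-way handshake


class BlockPolicy:
    """Decides whether an IDS alert may become a firewall block rule."""

    def __init__(self, protected_networks, ttl_seconds=600, max_blocks=100):
        self.protected = [ip_network(n) for n in protected_networks]
        self.ttl = ttl_seconds
        self.max_blocks = max_blocks
        self.blocks = {}  # src_ip -> expiry timestamp

    def _is_protected(self, src_ip: str) -> bool:
        addr = ip_address(src_ip)
        return any(addr in net for net in self.protected)

    def expire(self, now: float) -> None:
        """Drop block rules whose time-to-live has passed."""
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}

    def active_blocks(self, now: float):
        self.expire(now)
        return sorted(self.blocks)

    def consider(self, alert: Alert, now: float) -> str:
        """Return the decision taken for one alert."""
        self.expire(now)
        # Never block our own servers, gateways or other allow-listed ranges,
        # whatever source address an attacker puts on the packets.
        if self._is_protected(alert.src_ip):
            return "skipped:protected-source"
        # A blindly spoofed source address cannot complete the handshake, so
        # acting only on established sessions removes the easy way to get
        # legitimate users' addresses blocked.
        if not alert.handshake_complete:
            return "skipped:unverified-source"
        if alert.src_ip in self.blocks:
            self.blocks[alert.src_ip] = now + self.ttl  # refresh the rule
            return "refreshed"
        # Bound the rule table so it cannot be filled up indefinitely.
        if len(self.blocks) >= self.max_blocks:
            return "skipped:block-cap-reached"
        self.blocks[alert.src_ip] = now + self.ttl
        return "blocked"


# Constructed sample alerts (documentation address ranges)
SAMPLE_ALERTS = [
    Alert("203.0.113.5", "/cgi-bin/phf", True),
    Alert("192.0.2.10", "/cgi-bin/phf", True),      # inside the protected net
    Alert("198.51.100.7", "/cgi-bin/phf", False),  # no handshake: may be spoofed
]


def run_sample(now: float = 1000.0):
    """Apply the policy to the sample alerts; return the decisions, the
    blocks active right away, and the blocks active after the TTL passed."""
    policy = BlockPolicy(["192.0.2.0/24"], ttl_seconds=600)
    decisions = [policy.consider(a, now) for a in SAMPLE_ALERTS]
    active_now = policy.active_blocks(now)
    active_later = policy.active_blocks(now + 601)
    return decisions, active_now, active_later


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Only the alert from a verified, non-protected source produces a rule, and that rule disappears after its time-to-live, so a burst of alerts with forged source addresses cannot turn the IDS into a tool for locking out legitimate users. The handshake check is a check on off-path spoofing only; an attacker who can see the traffic, or who has compromised a host inside the network, can still complete sessions, so the allow-list, cap and expiry remain necessary.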