1. Introduction
Libnids is a programming interface built for developing network intrusion detection; it uses libpcap for packet capture. Libnids also provides TCP/IP stream reassembly, which spares the application layer from having to deal with fragmentation, retransmission and similar cases itself. Its data handling is modelled on the Linux 2.0.x IP stack, which makes it very stable and reliable. Libnids has one more very practical feature: TCP port-scan detection and detection of anomalous packets.
GitHub location:
https://github.com/MITRECND/libnids
There are plenty of articles about libnids online, so I will not go into detail here. The libnids source package also ships with several examples that cover the usage of its main APIs, and since it is open source you can look straight into the source to see what is going on. What I mainly want to cover are a few things to watch out for when using libnids.
1) Installing libnids on Windows
Before installing libnids you need to install WinPcap and libnet. WinPcap (libpcap on Linux) is a dedicated packet-capture development tool; libnet is a dedicated tool for constructing and sending network packets (libcurl has similar functionality). Incidentally, many powerful open-source tools have names beginning with lib; learning to use them can greatly reduce development effort. The specific installation steps for WinPcap and libnet can be found in references [2][3]. The libnids source tree includes a VS project directly, which can be used to compile and install it.
2) A few pitfalls in libnids
(1) The struct tuple4 structure stores the IP addresses and ports of both ends of a connection. Note that the source and destination here may not be what you expect. They have nothing to do with whether, in a given exchange, the client is sending data to the server or the server to the client; which end is the source and which is the destination is decided by who initiated the connection. Put simply, if A sends data to B, A is not necessarily the source and B is not necessarily the destination. Only when the connection was initiated by A is A the source and B the destination.
(2) When nids_state in tcp_stream is NIDS_JUST_EST, you must set client.collect and server.collect to non-zero values; only then will data be received and processed when the state is NIDS_DATA. Otherwise all data is dropped.
(3) Usage of void nids_discard(struct tcp_stream *a_tcp, int num): if the data you expect to process is n bytes long but the total length of the packets received so far is m, where m < n, you can set the second parameter to 0, telling libnids not to process this data for now but to buffer it and process it together with new data when that arrives. Simply put, the function drops num bytes (the second parameter) from the data buffered in a_tcp (the first parameter); whatever remains is kept for the next round of processing.
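Pitfalls (2) and (3) above in one worked example. This is an added illustration, not code from the libnids project or from this post: because it has to run without libnids installed, it uses a constructed mock of tcp_stream/half_stream (field and state names follow nids.h, but the real structs carry many more members) and a deliver() helper that stands in for libnids' own buffering and its post-callback discard rule (no nids_discard call means all count_new bytes are dropped). The callback parses a hypothetical length-prefixed record format whose bytes arrive split across three constructed segments: run_example(1, 1) is the correct usage, run_example(1, 0) shows the partial record being lost when nids_discard is never called, and run_example(0, 1) shows that nothing is delivered at all when collect is left at zero.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mock of the libnids structures this example touches.  Names follow
 * nids.h (NIDS_JUST_EST = 1, NIDS_DATA = 2, NIDS_CLOSE = 3); real structs have more. */
enum { NIDS_JUST_EST = 1, NIDS_DATA, NIDS_CLOSE };

struct half_stream {
    int collect;     /* must be set non-zero in NIDS_JUST_EST, else this side is never buffered */
    char *data;      /* bytes currently buffered; data[0] sits at stream offset `offset` */
    int count;       /* total bytes delivered since the connection was established */
    int offset;      /* stream offset of data[0]; buffered length is count - offset */
    int count_new;   /* bytes appended in the current delivery */
};

struct tcp_stream {
    int nids_state;
    struct half_stream client, server;  /* server = bytes sent by the connection's initiator */
};

/* Knobs selecting the pitfall to demonstrate; both 1 is the correct usage. */
static int g_set_collect = 1, g_use_discard = 1;
/* Bytes the callback asked to drop; -1 = nids_discard not called, so count_new is dropped. */
static int g_discard;

/* Same contract as nids_discard(): drop the first `num` buffered bytes, keep the rest. */
static void discard(struct tcp_stream *a_tcp, int num) { (void)a_tcp; g_discard = num; }

/* Hypothetical application framing: a 1-byte length followed by that many payload bytes. */
#define MAX_RECORDS 16
static char g_records[MAX_RECORDS][256];
static int g_nrecords;

/* Shape of a libnids TCP callback: void f(struct tcp_stream *, void **). */
static void tcp_callback(struct tcp_stream *a_tcp, void **param)
{
    (void)param;
    if (a_tcp->nids_state == NIDS_JUST_EST) {
        if (g_set_collect) {                       /* pitfall (2) */
            a_tcp->client.collect++;
            a_tcp->server.collect++;
        }
        return;
    }
    if (a_tcp->nids_state != NIDS_DATA) return;    /* NIDS_CLOSE and friends: nothing to parse */

    struct half_stream *hlf = &a_tcp->server;
    int avail = hlf->count - hlf->offset;          /* old unconsumed bytes plus count_new */
    int consumed = 0;
    while (avail - consumed >= 1 && g_nrecords < MAX_RECORDS) {
        int len = (unsigned char)hlf->data[consumed];
        if (avail - consumed < 1 + len) break;     /* partial record (m < n): wait for more */
        memcpy(g_records[g_nrecords], hlf->data + consumed + 1, len);
        g_records[g_nrecords][len] = '\0';
        g_nrecords++;
        consumed += 1 + len;
    }
    if (g_use_discard) discard(a_tcp, consumed);   /* pitfall (3): 0 keeps the whole tail */
}

/* Stand-in for libnids delivering segment bytes on the initiator->server side. */
static void deliver(struct tcp_stream *a_tcp, const char *bytes, int n)
{
    struct half_stream *hlf = &a_tcp->server;
    if (!hlf->collect) return;                     /* libnids never buffers an uncollected side */
    int buffered = hlf->count - hlf->offset;
    hlf->data = realloc(hlf->data, buffered + n);
    memcpy(hlf->data + buffered, bytes, n);
    hlf->count += n;
    hlf->count_new = n;
    a_tcp->nids_state = NIDS_DATA;
    g_discard = -1;
    tcp_callback(a_tcp, NULL);
    int drop = g_discard < 0 ? hlf->count_new : g_discard;
    memmove(hlf->data, hlf->data + drop, buffered + n - drop);
    hlf->offset += drop;
}

/* One constructed connection whose request bytes arrive in three segments;
 * returns how many complete records the callback extracted. */
int run_example(int set_collect, int use_discard)
{
    g_set_collect = set_collect; g_use_discard = use_discard; g_nrecords = 0;
    struct tcp_stream s; memset(&s, 0, sizeof s);
    s.nids_state = NIDS_JUST_EST;
    tcp_callback(&s, NULL);
    deliver(&s, "\x03" "ab", 3);       /* record 1 starts, still incomplete */
    deliver(&s, "c" "\x02" "x", 3);    /* completes "abc", record 2 starts */
    deliver(&s, "y", 1);               /* completes "xy" */
    free(s.server.data);
    return g_nrecords;
}

const char *record_at(int i) { return g_records[i]; }

int main(void)
{
    printf("correct usage: %d records\n", run_example(1, 1));
    printf("no nids_discard: %d records\n", run_example(1, 0));
    printf("collect left at 0: %d records\n", run_example(0, 1));
    return 0;
}
```

With the real library the callback is registered with nids_register_tcp() after nids_init(), and the framing loop above is the part worth keeping: always parse from hlf->data over the full count - offset range rather than just the count_new bytes, and pass the number of bytes actually consumed to nids_discard so a record split across segments survives to the next delivery.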
==================== libnids-1.25 ====================

1. What is libnids ?
------------------------

Libnids is a library that provides a functionality of one of NIDS (Network Intrusion Detection System) components, namely E-component. It means that libnids code watches all local network traffic, cooks received datagrams a bit (quite a bit ;)), and provides convenient information on them to analyzing modules of NIDS. Libnids performs:

a) assembly of TCP segments into TCP streams
b) IP defragmentation
c) TCP port scan detection

More technical info can be found in MISC file. So, if you intend to develop a custom NIDS, you don't have to build low-level network code. If you decide to use libnids, you have got E-component ready - you can focus on implementing other parts of NIDS.

2. Why is libnids valuable ?
----------------------------

On January 98, Thomas H. Ptacek and Timothy N. Newsham published an excellent paper entitled "Eluding Network Intrusion Detection". It's a must-read for all security concerned people, available from
http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html
In this paper one can find description of variety of attack against NIDS. During libnids development a lot of effort was made to make libnids immune to these attacks. During tests libnids performed TCP assembly and IP defragmentation in exactly the same way as Linux 2.0.36 hosts (targets of test packets). For details, see file TESTS; here let's just mention two things:

a) libnids passed all tests implemented in fragrouter by Dug Song (see http://www.anzen.com/research/nidsbench/ ). In fact, fragrouter's tests were fairly simple when compared with other, custom ones.
b) libnids IP defragmenting module contains slightly modified Linux 2.0.36 kernel source files ip_fragment.c and ip_options.c. It means that libnids IP defragmentation is as reliable as one implemented in Linux 2.0.36.

Libnids is easy to use and highly configurable - see API file for details.

3. On what platform does it run ?
---------------------------------

Currently libnids will compile on Linux, Solaris, any *BSD. WIN32 port is available at http://www.datanerds.net/~mike/libnids.html, but currently only obsoleted versions are present there; newer ports may appear at http://www.checksum.org (in "downloads" section).

4. Who is allowed to use it ?
-----------------------------

Libnids is licensed under GPL. See the file COPYING for details.

5. Contact info ?
-----------------

The primary libnids site is http://libnids.sourceforge.net/
Please send bug reports, comments, or questions about this software to <nergal@7bulls.com>.
5. References:
1. http://libnids.sourceforge.net/
2. http://blog.hfq.me/windows-libnet.html