Shulou(Shulou.com)06/01 Report--

The Defense system (Intrusion Prevention System) is an effective complement to antivirus software and firewalls. IPS can monitor the abnormal information in the network, and can immediately interrupt, block and alarm the abnormal network behavior of the internal and external network.

In WFilter NGF, we have integrated a snort-based defense system, which can achieve the following three functions:

Protect the web server, file server and mail server of the intranet.

Detect intranet terminals for * * and malware.

Detect the abnormal network behavior of the intranet terminal.

In this article, I will briefly introduce how to achieve these three functions.

1. Protect the server of the intranet

In the internal local area network of enterprises, there are various services such as ERP, CRM, OA and other Web servers, file servers, mail servers and so on. Some services are published to the Internet and are easy to be used. In the "* Detection" of WSG, enable the options of "system vulnerability * *" and "Server vulnerability * *" to effectively detect * on the server. As shown below:

For public network * *, you can set "log and block IP for 10 minutes". In this way, once a public network * * is detected, the connection of the ip will be banned immediately, thus preventing its subsequent * * behavior. For private network * *, log and alarm events can be recorded for subsequent verification.

two。 Detect * * and malware in intranet terminals

The spread of viruses and software leads to a large number of poison machines and mining machines in the local area network. For network management personnel, it is absolutely not an easy task to investigate and kill these poison machines and mining machines. From a technical point of view, these programs will have certain network characteristics, so the detection can be located through these network features. Network management technicians can locate the terminal through * detection, and then go to the terminal for processing. As shown in the figure:

3. Detect abnormal network behavior of intranet terminals

This feature is generally used for custom detection scripts to detect some personalized content. For example, you need to detect events in which the private network accesses a certain IP. You can add custom rules, as shown in the following figure:

Custom rule format: alert tcp $HOME_NET any-> 120.55.165.132 22 (msg: "SSH attempt"; sid:1000003; rev:1;)

Any port (any) of the local (HOME_NET) to port 22 of tcp 120.55.165.132 will trigger a * detection event named "SSH attempt".

To sum up, the function of "* defense" is very powerful, and the good use of this module can effectively protect the security of the intranet and detect the toxic machines and mining machines in the intranet. If you can write your own policies, you can also achieve more powerful detection capabilities.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.