
High-efficiency Analysis Of Syslog And Anomaly Detection

Posted on: 2008-07-03
Degree: Master
Type: Thesis
Country: China
Candidate: C H Xie
Full Text: PDF
GTID: 2178360212474897
Subject: Software engineering
Abstract/Summary:
Intrusion detection systems, as an effective way of preventing network attacks, have gradually become a hot research topic. The firewall, as a traditional network security method, is a mature technology. A firewall's log file contains a great deal of useful information and is excellent material for audit, but analysis of firewall logs today still focuses mainly on traffic statistics.

By analyzing the log file recorded by a packet-filtering firewall, we implement a near-real-time network intrusion detection system based on the firewall's log information. The system has four main modules: a data collection module, a syslog analysis module, an intrusion detection module, and a user interface module. The data collection module transfers the log file from the firewall to the log-processing workstation. In the intrusion detection module, by analyzing many intrusion examples, we extract intrusion signatures and build an intrusion rule database containing the signatures of some commonly used intrusion methods. The user interface module provides the user-facing interface, through which the system reports analysis results to the user. We implement detection of several commonly used intrusion methods and store the alert information in a log file for the administrator to query and analyze.

The results show that the system is highly efficient at syslog analysis and suitable for real-time use. Because there are many log formats and attack patterns, this thesis focuses on analyzing logs that comply with RFC 3164; the system is designed to be compatible with other log formats and attack patterns as well.
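The pipeline the abstract describes (parse RFC 3164 syslog lines from a packet-filtering firewall, match them against a small signature rule set, emit alerts for the administrator) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not the thesis's own code and the thesis does not publish its rule database. The firewall message body (`DROP SRC=... DST=... DPT=...` key/value fields after the syslog tag) is an assumed format, the two signatures (a port scan and repeated drops against one port) and their thresholds are illustrative choices, the year is supplied by the caller because RFC 3164 timestamps carry none, and all sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# RFC 3164 framing: <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG
# PRI = facility * 8 + severity; TIMESTAMP is "Mmm dd hh:mm:ss" (space-padded day, no year).
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]{1,32})(?:\[\d+\])?:\s*"
    r"(?P<msg>.*)$"
)
# Assumed firewall message body: a verdict word followed by KEY=VALUE fields.
_KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: datetime
    host: str
    tag: str
    fields: Dict[str, str]


def parse_rfc3164(line: str, year: int = 2008) -> Optional[SyslogEvent]:
    """Parse one RFC 3164 line; return None for lines that do not conform."""
    m = _RFC3164.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)  # year assumed
    fields = dict(_KV.findall(m["msg"]))
    verdict = m["msg"].split(" ", 1)[0]
    if "=" not in verdict:  # leading token without '=' is the verdict (DROP/ACCEPT)
        fields["ACTION"] = verdict
    return SyslogEvent(pri // 8, pri % 8, ts, m["host"], m["tag"], fields)


@dataclass
class Alert:
    rule: str
    src: str
    timestamp: datetime
    detail: str


class SignatureDetector:
    """Two illustrative signatures over dropped packets, tracked per source in a sliding window.

    port_scan:     one source is dropped on >= scan_ports distinct destination ports within `window`.
    repeated_drop: one source is dropped >= repeat_hits times on the same DST:DPT within `window`.
    """

    def __init__(self, window: int = 60, scan_ports: int = 5, repeat_hits: int = 10):
        self.window = timedelta(seconds=window)
        self.scan_ports = scan_ports
        self.repeat_hits = repeat_hits
        self._ports = defaultdict(deque)  # src -> deque[(timestamp, dpt)]
        self._hits = defaultdict(deque)   # (src, dst, dpt) -> deque[timestamp]

    def _prune(self, dq: deque, now: datetime, key=lambda x: x) -> None:
        while dq and now - key(dq[0]) > self.window:  # drop entries older than the window
            dq.popleft()

    def feed(self, ev: SyslogEvent) -> List[Alert]:
        alerts: List[Alert] = []
        f = ev.fields
        if f.get("ACTION") != "DROP" or "SRC" not in f or "DPT" not in f:
            return alerts
        src, dst, dpt = f["SRC"], f.get("DST", "?"), f["DPT"]

        pq = self._ports[src]
        pq.append((ev.timestamp, dpt))
        self._prune(pq, ev.timestamp, key=lambda x: x[0])
        distinct = {p for _, p in pq}
        if len(distinct) >= self.scan_ports:
            alerts.append(Alert("port_scan", src, ev.timestamp,
                                f"{len(distinct)} ports on {dst}: {sorted(distinct, key=int)}"))
            pq.clear()  # alert once per burst, not on every further packet

        hq = self._hits[(src, dst, dpt)]
        hq.append(ev.timestamp)
        self._prune(hq, ev.timestamp)
        if len(hq) >= self.repeat_hits:
            alerts.append(Alert("repeated_drop", src, ev.timestamp, f"{len(hq)} drops to {dst}:{dpt}"))
            hq.clear()
        return alerts


def analyze(lines: Iterable[str], detector: Optional[SignatureDetector] = None) -> Tuple[List[Alert], int]:
    """Run every line through the parser and detector; return (alerts, lines that were not RFC 3164)."""
    detector = detector or SignatureDetector()
    alerts, skipped = [], 0
    for line in lines:
        ev = parse_rfc3164(line)
        if ev is None:
            skipped += 1
            continue
        alerts.extend(detector.feed(ev))
    return alerts, skipped


def _line(ts: str, action: str, src: str, dst: str, dpt: int) -> str:
    # Constructed sample line in the assumed firewall format (PRI 134 = local0.info).
    return f"<134>{ts} fw01 kernel: {action} SRC={src} DST={dst} PROTO=TCP SPT=40000 DPT={dpt}"


# Constructed sample log: a 5-port probe, 10 drops on one port, one accepted packet, one malformed line.
SAMPLE_LINES = (
    [_line(f"Mar  3 10:15:0{i}", "DROP", "203.0.113.5", "192.0.2.10", p) for i, p in enumerate((21, 22, 23, 25, 80))]
    + [_line(f"Mar  3 10:16:{10 + i:02d}", "DROP", "198.51.100.7", "192.0.2.10", 22) for i in range(10)]
    + [_line("Mar  3 10:17:00", "ACCEPT", "192.0.2.20", "192.0.2.10", 443),
       "Mar  3 10:17:01 fw01 kernel: DROP SRC=203.0.113.9 DPT=23"]  # no <PRI>: not RFC 3164, skipped
)

if __name__ == "__main__":
    found, bad = analyze(SAMPLE_LINES)
    for a in found:  # in the thesis this is what would be written to the alert log for the administrator
        print(f"{a.timestamp:%b %d %H:%M:%S} {a.rule} src={a.src} {a.detail}")
    print(f"{bad} non-RFC3164 line(s) skipped")
```

Parsing is deliberately strict: a line that lacks the `<PRI>` header or carries an out-of-range PRI is counted as skipped rather than guessed at, which is the sensible choice when the thesis's stated scope is RFC 3164 input only. Clearing a source's window once a signature fires keeps one burst from producing one alert per packet, the usual source of noise in log-based detection.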
Keywords/Search Tags:Syslog, Firewall, Intrusion Detection