**2.3.2 Log record module**

The log record module records and audits when each event happened, together with the corresponding information on subjects and objects, so that sufficient detail is available for later in-depth analysis of security events.

The log record module collects the logs of the intrusion prevention module, saves them on the log server, and provides the analysis data for the security policy specified by the central control module. The collected logs comprise the intrusion detection log generated by Snort\_inline and the firewall log produced by the IPtables configuration.

Snort\_inline generates the corresponding log entry according to the rule action (alert, log, drop or reject). The default directory of the log files is "/var/log/snort".

The Netfilter firewall log is obtained with the LOG target of IPtables. To use the LOG target, the ipt\_LOG module must be loaded first:

"/sbin/modprobe ipt\_LOG"

For instance, every packet traversing the FORWARD chain may be logged as follows:

"# iptables -A FORWARD -j LOG"

The LOG target records detailed packet information such as the IP header and other useful fields. IPtables log entries are written by default to "/var/log/messages" by the "syslogd" daemon.
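As an added example (not code from the chapter or from DXIPS), the following Python parses the syslog lines that the Netfilter LOG target produces, in the form they appear in "/var/log/messages", and summarises them the way a log server might before handing analysis data to the central control module. The sample lines, the host name and the "DXIPS-FWD" log prefix are constructed for the example; the field names (IN, OUT, SRC, DST, PROTO, SPT, DPT and the bare DF/SYN flag tokens) are the ones the LOG target actually writes.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages content: three Netfilter LOG lines
# (host name, prefix and addresses are made up) plus one unrelated sshd line.
SAMPLE_LOG = """\
Mar  3 10:15:22 dxips-node1 kernel: DXIPS-FWD: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54321 DF PROTO=TCP SPT=40512 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:23 dxips-node1 kernel: DXIPS-FWD: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54322 DF PROTO=TCP SPT=40513 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:24 dxips-node1 kernel: DXIPS-FWD: IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 10:15:25 dxips-node1 sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2
"""

# syslog timestamp, host, "kernel:", optional printk timestamp, optional
# --log-prefix text, then the key=value body that always starts with IN=
NF_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?"
    r"(?:(?P<prefix>[^=]*?): )?"
    r"(?P<body>IN=.*)$"
)


def parse_netfilter_line(line):
    """Return a dict for one Netfilter LOG line, or None for unrelated syslog lines."""
    m = NF_LINE.match(line)
    if not m:
        return None
    rec = {"time": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("body").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # ICMP echo lines carry ID= twice (IP header ID, then ICMP ID);
            # keep the first occurrence, which is the IP header field.
            rec.setdefault(key, value)
        else:
            rec["flags"].add(tok)  # DF, SYN, ACK, ... appear as bare tokens
    return rec


def parse_netfilter_log(text):
    """Parse a whole syslog extract, silently skipping non-Netfilter lines."""
    return [r for r in (parse_netfilter_line(l) for l in text.splitlines()) if r]


def syn_sources(records, threshold=2):
    """Sources with at least `threshold` logged TCP SYN (not SYN/ACK) packets:
    the kind of summary the log server hands to the central control module."""
    counts = Counter(r["SRC"] for r in records
                     if r.get("PROTO") == "TCP"
                     and "SYN" in r["flags"] and "ACK" not in r["flags"])
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_netfilter_log(SAMPLE_LOG)
    print(len(recs), "firewall records; SYN sources:", syn_sources(recs))
```

In a real deployment the rule shown in the text would usually carry a "--log-prefix" so that the firewall lines can be told apart from other kernel messages; the parser above treats the prefix as optional, so it accepts both forms.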

Intrusion Detection and Prevention in High Speed Network 61

There are three ways for the log server to collect the intrusion detection log of Snort\_inline and the firewall log of Netfilter configured by IPtables:

### **All the nodes of the intrusion prevention module interact directly with the log server**

This is done by writing log records directly into the log database, using the Snort\_inline output plugin and the LOG target of IPtables. The drawback of this approach is increased system overhead, because the intrusion prevention module must execute log operations in addition to performing intrusion detection and prevention. It also compromises the extensibility of the whole system, since log recording is implemented in duplicate at every node.

### **The log server fetches the logs saved on every intrusion prevention node at regular intervals**

Although this approach reduces the overhead of the intrusion prevention module, it compromises the real-time performance of the whole system. The log server does not receive log information in time, so the central control module cannot monitor the protected network in real time.

### **Specialized log collection daemons**

These daemons receive and dispatch the logs of the various intrusion prevention nodes and save them to the log server in the distributed network environment. Compared with the preceding two approaches, this one shortens handling time, reduces system overhead, and provides better extensibility.

The general communication protocol is derived from the standard TCP/IP protocol with further encapsulation; it is an application layer protocol.

Fig. 4. Customized protocol unit (fields: Header | Payload)

The customized protocol header is composed of version, type and total length. The type field specifies the kind of message (control message, log message or acknowledgement message) according to the function it serves; at the same time, the type field determines the format of the data carried in the payload.

Fig. 5. Format of customized protocol header (fields: Version | Type | Total length)

The format of the payload field varies according to the type field. The format of a sample log message is as follows:

Fig. 6. Format of payload field of a sample log message (fields: Node ID | Log level | Log time | Message length | Message content)

The customized communication protocol gives better extensibility for functions added later or for new communication needs. It also supports encryption for secure and reliable communication.

**2.4 Deployment of DXIPS**

DXIPS provides flexible deployment strategies and good extensibility. It can be conveniently deployed in a distributed network environment to match various security prevention needs, and presents comprehensive protection.

**2.4.1 Border prevention deployment**

With the rapid development of the Internet, a great deal of business relies on Internet applications. However, because of the openness of the Internet, an intranet's entrance to the Internet faces various security threats such as worms, computer viruses, spyware and DDoS attacks.

To minimize external network security risks, the intrusion prevention module may sit at the entrance to the Internet, examine traffic, and block malicious or suspect code in real time, as shown in figure 7.
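The following Python is an added example, not DXIPS code, that ties together the customized protocol unit (header of version, type and total length; log payload of node ID, log level, log time, message length and message content) and the receiving side of the specialized log collection daemon. The chapter gives only the field order, so the field widths, the type codes (1 control, 2 log, 3 acknowledgement), the acknowledgement payload and the sample log contents are assumptions made here; the daemon is shown as a pure function over a byte stream so that it runs offline, and it demonstrates the two checks a collector needs when it trusts nothing on the wire: a unit whose total length has not fully arrived is held back, and a payload whose declared message length disagrees with the bytes present is rejected.

```python
import struct

# Assumed field widths for this example: the chapter gives only the field
# order of the header (Fig. 5) and of a log payload (Fig. 6), not widths.
HEADER = struct.Struct("!BBH")       # version (1), type (1), total length (2)
LOG_FIXED = struct.Struct("!HBIH")   # node ID (2), log level (1), log time (4), message length (2)
VERSION = 1
TYPE_CONTROL, TYPE_LOG, TYPE_ACK = 1, 2, 3   # type codes are an assumption
MAX_UNIT = 0xFFFF                            # total length is a 16-bit field here


def build_unit(msg_type, payload):
    """Prepend the customized header to a payload (the unit of Fig. 4)."""
    total = HEADER.size + len(payload)
    if total > MAX_UNIT:
        raise ValueError("unit exceeds the 16-bit total length field")
    return HEADER.pack(VERSION, msg_type, total) + payload


def build_log_message(node_id, level, log_time, content):
    """Encode one log message payload (Fig. 6) inside a protocol unit."""
    body = content.encode("utf-8")
    return build_unit(TYPE_LOG, LOG_FIXED.pack(node_id, level, log_time, len(body)) + body)


def build_ack(node_id):
    """Acknowledgement unit; its payload here is just the node ID being acknowledged (assumed)."""
    return build_unit(TYPE_ACK, struct.pack("!H", node_id))


def parse_log_payload(payload):
    """Decode a log payload, checking the declared message length against the bytes present."""
    if len(payload) < LOG_FIXED.size:
        raise ValueError("log payload shorter than its fixed fields")
    node_id, level, log_time, msg_len = LOG_FIXED.unpack_from(payload)
    content = payload[LOG_FIXED.size:]
    if len(content) != msg_len:
        raise ValueError("message length does not match payload")
    return {"node_id": node_id, "level": level, "time": log_time,
            "content": content.decode("utf-8")}


def split_units(stream):
    """Cut a TCP byte stream into complete units; returns (units, unconsumed tail).

    A unit whose total length has not fully arrived stays in the tail so the
    caller can append the next read; a header claiming an impossible length
    is rejected instead of being trusted."""
    units, off = [], 0
    while len(stream) - off >= HEADER.size:
        version, msg_type, total = HEADER.unpack_from(stream, off)
        if version != VERSION:
            raise ValueError("unsupported protocol version %d" % version)
        if total < HEADER.size:
            raise ValueError("total length smaller than header")
        if len(stream) - off < total:
            break                      # incomplete unit: wait for more bytes
        units.append((msg_type, stream[off + HEADER.size:off + total]))
        off += total
    return units, stream[off:]


def collect(stream, log_store):
    """One step of the log collection daemon: store decoded log messages and
    return (acknowledgements to send back, leftover bytes to keep buffered)."""
    units, rest = split_units(stream)
    acks = []
    for msg_type, payload in units:
        if msg_type == TYPE_LOG:
            record = parse_log_payload(payload)
            log_store.append(record)          # a real daemon writes to the log server
            acks.append(build_ack(record["node_id"]))
        # control messages would be routed to the central control module; not modelled here
    return acks, rest


if __name__ == "__main__":
    store = []
    wire = (build_log_message(7, 3, 1300000000, "Snort_inline: drop rule matched")
            + build_log_message(9, 1, 1300000005, "iptables: FORWARD LOG SRC=198.51.100.7"))
    acks, rest = collect(wire, store)
    print(len(store), "log records,", len(acks), "acks,", len(rest), "bytes buffered")
```

The encryption the text mentions for secure and reliable communication is not part of this example; in practice the whole unit would be carried inside an encrypted and authenticated transport so that the length and type fields themselves cannot be tampered with in transit.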
