Suricata | Open Source IDS / IPS / NSM engine
Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine.
and owned by a community run non-profit foundation, the Open Information Security Foundation (). Suricata is developed by the OISF and its .
Top 3 Reasons You Should Try Suricata:
1. Highly Scalable
Suricata is multi threaded. This means you can run one instance and it will balance the load of processing across every processor on a sensor Suricata is configured to use. This allows commodity hardware to achieve 10 gigabit speeds on real life traffic without sacrificing ruleset coverage.
2. Protocol Identification
The most common protocols are automatically recognized by Suricata as the stream starts, thus allowing rule writers to write a rule to the protocol, not to the port expected. This makes Suricata a Malware Command and Control Channel hunter like no other. Off port HTTP CnC channels, which normally slide right by most IDS systems, are child’s play for Suricata! Furthermore, thanks to dedicated keywords you can match on protocol fields which range from http URI to a SSL certificate identifier.
3. File Identification, MD5 Checksums, and File Extraction
Suricata can identify thousands of file types while crossing your network! Not only can you identify it, but should you decide you want to look at it further you can tag it for extraction and the file will be written to disk with a meta data file describing the capture situation and flow. The file’s MD5 checksum is calculated on the fly, so if you have a list of md5 hashes you want to keep in your network, or want to keep out, Suricata can find it.
Suricata has many more , and we hope you give it a run. It’s free, it’s fast, and it’s going to be here long term!
TRAINING SESSIONS
November 2, 2015 & Regular Admission: $1500.00
Development
Follow Suricata News via Email
Enter your email address to follow this blog and receive notifications of new posts by email.IDS Categories_百度百科
IDS Categories
本词条缺少信息栏，补充相关内容使词条更完整，还能快速升级，赶紧来吧！
IDS是英文“Intrusion Detection Systems”的缩写，中文意思是“”。Categories为1.分类2.类别3.分类 范畴的意思。 IDS可分十种。分别是IDS分类1－Application IDS；IDS分类2－Consoles IDS；IDS分类3－File Integrity Checkers；IDS分类4－Honeypots；IDS分类5－Host-based IDS；IDS分类6－Hybrid IDS；IDS分类7－Network IDS；IDS分类8－Network Node IDS；IDS分类9－Personal Firewall；IDS分类10－Target-Based IDS。
IDS分类1－Application IDS
Application IDS（应用程序IDS）为一些特殊的应用程序发现入侵信号，这些应用程序通常是指那些比较易受攻击的应用程序，如Web服务器、数据库等。有许多原本着眼于操作系统的基于的IDS，虽然在默认状态下并不针对应用程序，但也可以经过训练，应用于应用程序。例如，KSE（一个基于的 IDS）可以告诉我们在事件日志中正在进行的一切，包括事件日志报告中有关应用程序的输出内容。应用程序IDS的一个例子是Entercept的Web Server Edition.
IDS分类2－Consoles IDS
Consoles IDS（控制台IDS）：为了使IDS适用于协同环境，分布式IDS代理需要向中心控制台报告信息。现在的许多中心控制台还可以接收其它来源的数据，如其它产商的IDS、、等。将这些信息综合在一起就可以呈现出一幅更完整的攻击图景。有些控制台还将它们自己的攻击特征添加到代理级别的控制台，并提供远程管理功能。这种IDS产品有Intellitactics Network Security Monitor和Open Esecurity Platform.
IDS分类3－File Integrity Checkers
File Integrity Checkers（文件完整性检查器）：当一个系统受到攻击者的威胁时，它经常会改变某些关键文件来提供持续的访问和预防检测。通过为关键文件附加信息摘要（加密的杂乱信号），就可以定时地检查文件，查看它们是否被改变，这样就在某种程度上提供了保证。一旦检测到了这样一个变化，完整性检查器就会发出一个警报。而且，当一个系统已经受到攻击后，系统管理员也可以使用同样的方法来确定系统受到危害的程度。以前的文件检查器在事件发生好久之后才能将出来，是“事后诸葛亮”，最近出现的许多产品能在文件被访问的同时就进行检查，可以看做是实时IDS产品了。该类产品有和Intact。
IDS分类4－Honeypots
Honeypots（蜜罐）：关于蜜罐，前面已经介绍过。蜜罐的例子包括Mantrap和Sting。
IDS分类5－Host-based IDS
Host-based IDS（基于的IDS）：这类IDS对多种来源的系统和事件进行监控，发现可疑活动。基于主机的IDS也叫做主机IDS，最适合于检测那些可以信赖的内部人员的误用以及已经避开了传统的检测方法而渗透到网络中的活动。除了完成类似事件阅读器的功能，主机IDS还对“事件/日志/时间”进行签名分析。许多产品中还包含了启发式功能。因为主机IDS几乎是实时工作的，系统的错误就可以很快地检测出来，技术人员和安全人士都非常喜欢它。现在，基于的IDS就是指基于服务器/工作站主机的所有类型的。该类产品包括Kane Secure Enterprise和Dragon Squire。
IDS分类6－Hybrid IDS
Hybrid IDS（混合IDS）：现代交换网络的结构给操作带来了一些问题。首先，默认状态下的交换网络不允许网卡以混杂模式工作，这使传统网络IDS的安装非常困难。其次，很高的意味着很多信息包都会被NIDS所丢弃。Hybrid IDS（混合IDS）正是解决这些问题的一个方案，它将IDS提升了一个层次，组合了IDS和Host IDS（主机IDS）。虽然这种解决方案覆盖面极大，但同时要考虑到由此引起的巨大数据量和费用。许多网络只为非常关键的服务器保留混合IDS。有些产商把完成一种以上任务的IDS都叫做Hybrid IDS，实际上这只是为了广告的效应。混合IDS产品有CentraxICE和RealSecure Server Sensor。
IDS分类7－Network IDS
Network IDS（NIDS，网络IDS）：NIDS对所有流经监测代理的量进行监控，对可疑的异常活动和包含攻击特征的活动作出反应。NIDS原本就是带有IDS过滤器的混合，但是近来它们变得更加智能化，可以破译协议并维护状态。NIDS存在基于应用程序的产品，只需要安装到主机上就可应用。NIDS对每个进行攻击特征的分析，但是在网络高负载下，还是要丢弃些信息包。网络IDS的产品有SecureNetPro和Snort。
IDS分类8－Network Node IDS
Network Node IDS（NNIDS，IDS）：有些网络IDS在高速下是不可靠的，装载之后它们会丢弃很高比例的网络信息包，而且交换网络经常会妨碍网络IDS 看到混合传送的信息包。NNIDS将NIDS的功能委托给单独的主机，从而缓解了高速和交换的问题。虽然NNIDS与功能相似，但它们之间还有区别。对于被归类为NNIDS的，应该对企图的连接做分析。例如，不像在许多上发现的“试图连接到端口xxx”，一个NNIDS会对任何的都做特征分析。另外，NNIDS还会将主机接收到的事件发送到一个中心控制台。NNIDS产品有BlackICE Agent和Tiny CMDS。
IDS分类9－Personal Firewall
Personal Firewall（）：个人防火墙安装在单独的系统中，防止不受欢迎的连接，无论是进来的还是出去的，从而保护。注意不要将它与NNIDS混淆。有ZoneAlarm和Sybergen。
IDS分类10－Target-Based IDS
Target-Based IDS（基于目标的IDS）：这是不明确的IDS术语中的一个，对不同的人有不同的意义。可能的一个定义是文件完整性检查器，而另一个定义则是网络 IDS，后者所寻找的只是对那些由于易受攻击而受到保护的网络所进行的攻击特征。后面这个定义的目的是为了提高IDS的速度，因为它不搜寻那些不必要的攻击。ansys14导入license提示the FLEXlm ID in the license file does not match any supported FLEXlm IDs.._百度知道
提问者采纳
我以前也遇到过，把安装的删除了重新安装，重新生成license，再导入，注意物理网卡要一致
提问者评价
有一次电脑死机强制关机，然后重启之后还原了一下，问题就阴错阳差的解决了。不过还是要谢谢你。
其他类似问题
为您推荐：
flexlm的相关知识
等待您来回答
下载知道APP
随时随地咨询
出门在外也不愁Application User Model IDs (AppUserModelIDs) (Windows)
Expand the table of content
Application User Model IDs (AppUserModelIDs)
Application User Model IDs (AppUserModelIDs) are used extensively by the taskbar in Windows 7 and later systems to associate processes, files, and windows with a particular application. In some cases, it is sufficient to rely on the internal AppUserModelID assigned to a process by the system. However, an application that owns multiple processes or an application that is running in a host process might need to explicitly identify itself so that it can group its otherwise disparate windows under a single taskbar button and control the contents of that application's Jump List.
Application-Defined and System-Defined AppUserModelIDs
Some applications do not declare an explicit AppUserModelID. They are optional. In that case, the system uses a series of heuristics to assign an internal AppUserModelID. However, there is a performance benefit in avoiding those calculations and an explicit AppUserModelID is the only way to guarantee an exact user experience. Therefore, it is strongly recommended that an explicit ID be set. Applications cannot retrieve a system-assigned AppUserModelID.
If an application uses an explicit AppUserModelID, it must also assign the same AppUserModelID to all running windows or processes, shortcuts, and file associations. It must also use that AppUserModelID when customizing its Jump List through , and in any calls to .
If applications do not have an explicit AppUserModelID, they must call , , and
methods as well as
from within the application. If those methods are called from another process, such as an installer or uninstaller, the system cannot generate the correct AppUserModelID and those calls will have no effect.
The following items describe common scenarios that require an explicit AppUserModelID. They also point out cases where multiple explicit AppUserModelIDs should be used.
A single executable file with a UI with multiple modes that appear to the user as separate applications should assign different AppUserModelIDs to each mode. For instance, a portion of an application that users see as an independent experience that they can pin to and launch from the taskbar separately from the rest of the application should have its own AppUserModelID, separate from the main experience.
Multiple shortcuts with different arguments that all lead to what the user sees as the same application should use one AppUserModelID for all of the shortcuts. For example, Windows Internet Explorer has different shortcuts for different modes (such as launching without add-ons) but they should all appear to the user as a single Internet Explorer instance.
An executable that acts as a host process and runs target content as an application must , after which it can assign different AppUserModelIDs to each perceived experience that it hosts. Alternately, the host process can allow the hosted program to set its AppUserModelIDs. In either case, the host process must keep a record of the source of the AppUserModelIDs, either itself or the hosted application. In this case, there is no primary user experience of the host process without the target content. Examples are Windows Remote Applications Integrated Locally (RAIL) applications, the Java Runtime, RunDLL32.exe, or DLLHost.exe.
In the case of existing hosted applications, the system attempts to identify individual experiences, but new applications should use explicit AppUserModelIDs to guarantee the intended user experience.
Cooperative or chained processes that to the user are part of the same application should have the same AppUserModelID applied to each process. Examples include games with a launcher process (chained) and Microsoft Windows Media Player, which has a first-run/setup experience running in one process and the main application running in another process (cooperative).
A Shell namespace extension that acts as a separate application for more than browsing and managing content in Windows Explorer should assign an AppUserModelID in its folder properties. An example is the Control Panel.
In a virtualization environment such as a deployment framework, the virtualization environment should assign different AppUserModelIDs to each application that it manages. In these cases, an application launcher uses an intermediary process to set up the environment and then hands off the operation to a different process to run the application. Note that this causes the system to be unable to relate the running target process back to the shortcut because the shortcut points to the intermediary process.
If any application has multiple windows, shortcuts, or processes, that application's assigned AppUserModelID should also be applied to each of those pieces by the virtualization environment.
An example of this situation is the ClickOnce framework, which properly assigns AppUserModelIDs on behalf of the applications that it manages. As in all such environments, applications deployed and managed by ClickOnce should not assign explicit AppUserModelIDs themselves, because doing so will conflict with the AppUserModelIDs assigned by ClickOnce and lead to unexpected results.
How to Form an Application-Defined AppUserModelID
An application must provide its AppUserModelID in the following form. It can have no more than 128 characters and cannot contain spaces. Each section should be camel-cased.
CompanyName.ProductName.SubProduct.VersionInformation
CompanyName and ProductName should always be used, while the SubProduct and VersionInformation portions are optional and depend on the application's requirements. SubProduct allows a main application that consists of several subapplications to provide a separate taskbar button for each subapplication and its associated windows. VersionInformation allows two versions of an application to coexist while being seen as discrete entities. If an application is not intended to be used in that way, the VersionInformation should be omitted so that an upgraded version can use the same AppUserModelID as the version that it replaced.
Where to Assign an AppUserModelID
When an application uses one or more explicit AppUserModelIDs, it should apply those AppUserModelIDs in the following locations and situations:
property of the application's shortcut file. A shortcut (as an , CLSID_ShellLink, or a .lnk file) supports properties through
and other property-setting mechanisms used throughout the Shell. This allows the taskbar to identify the proper shortcut to pin and ensures that windows belonging to the process are appropriately associated with that taskbar button.
property should be applied to a shortcut when that shortcut is created. When using the Microsoft Windows Installer (MSI) to install the application, the
table allows the AppUserModelID to be applied to the shortcut when it is created during installation.
As a property of any of the application's running windows. This can be set in one of two ways:
If different windows owned by one process require different AppUserModelIDs to control taskbar grouping, use ) to retrieve the window's property store and set the AppUserModelID as a window property.
If all windows in the process use the same AppUserModelID, set the AppUserModelID on the process though . An application must call SetCurrentProcessExplicitAppUserModelID to set its AppUserModelID during an application's initial startup routine before the application presents any UI, makes any manipulation of its Jump Lists, or makes (or causes the system to make) any call to .
A window-level AppUserModelID overrides a process-level AppUserModelID.
When an application sets an explicit AppUserModelID at the window level, the application can provide the specifics of its relaunch command for its taskbar button. To supply that information, the following properties are used:
If a shortcut exists to launch the application, an application should apply the AppUserModelID as a property of the shortcut instead of using the relaunch properties. In that case, the command line, icon, and text of the shortcut are used to supply the same information as the relaunch properties.
A window-level explicit AppUserModelID can also use the
property to specify that it should not be available for pinning or relaunching.
In a call to customize or update (), retrieve (), or clear () the application's Jump List.
In file association registration (through its ) if the application uses the system's automatically generated Recent or Frequent destination lists. This association information is referenced by . This information is also used when adding
destinations to custom Jump Lists through .
In any call the application makes directly to . If the application depends on the common file dialog to make calls to SHAddToRecentDocs on its behalf, those calls can deduce the explicit AppUserModelID only if the AppUserModelID is set for the entire process. If the application sets AppUserModelIDs on its windows instead of on the process, the application must make all calls to SHAddToRecentDocs itself, with its explicit AppUserModelID, as well as preventing the common file dialog from making its own calls. This must be done any time an item is opened, to ensure the Recent or Frequent sections of the application's Jump List are accurate.
The following items describe common scenarios and where to apply explicit AppUserModelIDs in those scenarios.
When a single process contains multiple applications, use
to retrieve the window's property store and set the AppUserModelID as a window property.
When an application uses multiple processes, apply the AppUserModelID to each process. Whether you use the same AppUserModelID on each process depends on whether you want each process to appear as part of the main application or as individual entities.
To separate certain windows from a set in the same process, use the window's property store to apply a single AppUserModelID to those windows you want to separate, and then apply a different AppUserModelID to the process. Any window in that process that was not explicitly labeled with the window-level AppUserModelID inherits the AppUserModelID of the process.
If a file type is associated with an application, assign the AppUserModelID in the file type's
registration. If a single executable file is launched in different modes that appear to the user as distinct applications, a separate AppUserModelID is required for each mode. In that case, there must be multiple ProgID registrations for the file type, each with a different AppUserModelID.
When there are multiple shortcut locations from which a user can launch an application (in the Start menu, on the desktop, or elsewhere) retrieve the shortcut's property store to apply a single AppUserModelID to all of the shortcuts as shortcut properties.
When an explicit call is made to
by an application, use the AppUserModelID in the call. When the common file dialog is used to open or save files, SHAddToRecentDocs is called by the dialog on behalf of the application. That call can infer the explicit AppUserModelID from the process. However, if an explicit AppUserModelID is applied as a window property, the common file dialog cannot determine the correct AppUserModelID. In that case, the application itself must explicitly call SHAddToRecentDocs and provide it with the correct AppUserModelID. Additionally, the application must prevent the common file dialog from calling SHAddToRecentDocs on its behalf by setting the FOS_DONTADDTORECENT flag in the GetOptions method of
Registering an Application as a Host Process
An application can set the IsHostApp registry entry to cause that executable's process to be considered a host process by the taskbar. This affects its grouping and default Jump List entries.
The following example shows the required registry entry. Note that the entry is
its presence is all that is required. It is a REG_NULL value.
HKEY_CLASSES_ROOT
Applications
example.exe
If either the process itself or the shortcut file used to launch the process has an explicit AppUserModelID, then the host process list is ignored and the application is treated as a normal application by the taskbar. The application's running windows are grouped together under a single taskbar button and the application can be pinned to the taskbar.
If only the running process' executable name is known, without an explicit AppUserModelID, and that executable is in the host process list, then each instance of the process is treated as a separate entity for taskbar grouping. The taskbar button associated with any specific instance of the process does not display a pin/unpin option or a launch icon for a new instance of the process. The process is also not eligible for inclusion in the Start menu's Most Frequently Used (MFU) list. However, if the process was launched through a shortcut that contains launch arguments (usually the target content to host as the "application"), the system can determine identity and the application can be pinned and relaunched.
Exclusion Lists for Taskbar Pinning and Recent/Frequent Lists
Applications, processes, and windows can choose to make themselves unavailable for pinning to the taskbar or for inclusion in the Start menu's MFU list. There are three mechanisms to accomplish this:
Add the NoStartPage entry to the application's registration as shown here:
HKEY_CLASSES_ROOT
Applications
Example.exe
NoStartPage
The data associated with the NoStartPage entry is ignored. Only the presence of the entry is required. Therefore, the ideal type for NoStartPage is REG_NONE.
Note that any use of an explicit AppUserModelID overrides the NoStartPage entry. If an explicit AppUserModelID is applied to a shortcut, process, or window, it becomes pinnable and eligible for the Start menu MFU list.
property on windows and shortcuts. This property must be set on a window before the
Add an explicit AppUserModelID as a value under the following registry subkey as shown here:
HKEY_LOCAL_MACHINE
CurrentVersion
FileAssociation
NoStartPageAppUserModelIDs
AppUserModelID1
AppUserModelID2
AppUserModelID3
Each entry is a REG_NULL value with the name of the AppUserModelID. Any AppUserModelID found in this list is not pinnable and not eligible for inclusion in the Start menu MFU list.
Be aware that certain executable files as well as shortcuts that contain certain strings in their name are automatically excluded from pinning and inclusion in the MFU list.
This automatic exclusion can be overridden by applying an explicit AppUserModelID.
If any of the following strings, regardless of case, are included in the shortcut name, the program is not pinnable and is not displayed in the most frequently used list:
Documentation
Read First
What's New
The following list of programs are not pinnable and are excluded from the most frequently used list.
Applaunch.exe
Control.exe
Dllhost.exe
Guestmodemsg.exe
Install.exe
Isuninst.exe
Lnkstub.exe
Msiexec.exe
Msoobe.exe
Rundll32.exe
St5unst.exe
Unwise.exe
Unwise32.exe
Werfault.exe
Winhlp32.exe
Wlrmdr.exe
The preceding lists are stored in the following registry values.
These lists should not be modified by applications. Use one of the exclusion list methods listed previously for the same experience.
HKEY_LOCAL_MACHINE
CurrentVersion
FileAssociation
AddRemoveApps
AddRemoveNames
Related topics
Was this page helpful?
Your feedback about this content is important.Let us know what you think.
Additional feedback?
1500 characters remaining
Thank you!
We appreciate your feedback.
Related developer sites
Downloads and tools
Essentials}