March 13th, 2004, 10:41 PM
Need Help in My Project
I'm developing a graduation Project "Network Based Intrusion Detection System
using Signature Analysis"
I've already finished some phases
1. Packet Capture
2. Packet Decoding
3. And i'm working now in the detection Engine
I really need some information about different Attacks
(using any protocol ) and the corresponding packet format
for this attack,I thought you might help me, or at least
show me where i can find help.
i hope i'm not annoying you , but my graduation project have
to be handed over the next month ,and i still have a lot of
work to do.
March 15th, 2004, 06:07 AM
you can run snort on a machine and attack using automated tools ( such as sara or something ) and can see how the attack you just launched looks like and see what the signiture is.
Ben Franklin said it best. \"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.\"
March 15th, 2004, 01:32 PM
To expand on what easeZE said, read the Snort docs at www.snort.org and then go through the rulesets. They will give you a really good idea of how pattern matching works in the best IDS out there. Then start writing rules for yourself. Silly rules are fine. For example, to catch yourself sending email you could write
alert tcp 22.214.171.124 any -> any 25 (msg: "Me sending EMail"; Flags: S; classtype: bad-unknown;)
The "Flags: S" only alerts on the initial connection attempts otherwise you get an alert for every packet sent during the transaction. Leave the "flags" keyword out to see it for yourself.
Then you could move on to more complex rules that only pick up on certain content in the email so you could send 10 emails with only one containing the word "Dog". The rule alerst when you sent an email with the word dog in it but not on the others.
alert tcp 126.96.36.199 any -> any 25 (msg: "Me EMailing Dog"; content: "dog"; classtype: bad-unknown;)
Note that the "flags" has been removed from this rule because there would be none of the email message in the initial SYN packet. If you left it in the rule would never alert because SYN packets are not supposed to carry any data. You could go further and use the "Flags" keyword to specify ACK/PSH which is the type of packet that one would expect to find the word 'dog' in your email. However, at this point, the benefit is questionable. You need to balance processor time against accuracy. By the time snort has already determined the source, destination and ports in a rule such as this then there isn't much point in using the "flags" keyword to further narrow the packet search any more since the vast majority of packets in an email transaction are of an ACK/PSH nature. The processing time to check each packet to eliminate just the few that aren't ACK/PSH, IMO, doesn't warrant just searching for the content in every packet.
So you can see that you don't really have to concentrate merely on attacks, (looking through the rulesets will show you pattern matching for them), but you can certainly get your feet nice and wet by simply playing with the keywords.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
March 15th, 2004, 02:49 PM
Rigth now im working in something similar.....i think we can help each other.....mail me
firstname.lastname@example.org place antionline o subject please......
we work in the dark - we give what we have - we do what what we can - our doubt`s our passion - our passion our task - the rest....- is the madness of art.