Creating an IDS

**JJX** · April 2nd, 2005, 03:01 AM

Me and a friend think to create a small IDS (university's exercise).

We will start with some tcp/ip books. But atm we are searching for some info about ids. Anyone know any good references (books) on howto create an ids? (not configuring snort)

Your forum is really nice ,very usefull

thx
[i hope this is the correct forum and not "IDS & Scanner Discussions"]

**ghostmachine** · April 2nd, 2005, 05:39 AM

Originally posted here by JJX
Me and a friend think to create a small IDS (university's exercise).

We will start with some tcp/ip books. But atm we are searching for some info about ids. Anyone know any good references (books) on howto create an ids? (not configuring snort)

Your forum is really nice ,very usefull
thx
[i hope this is the correct forum and not "IDS & Scanner Discussions"]

you can check out the RFCs for TCP/IP. Then you can download SNORT and study the C source codes...you might learn a thing or two

**JJX** · April 2nd, 2005, 10:15 AM

Yep, we will give a glance to snort but we are looking for a book with IDS basic stuff..

**ghostmachine** · April 2nd, 2005, 12:01 PM

Originally posted here by JJX
Yep, we will give a glance to snort but we are looking for a book with IDS basic stuff..

well, i thought you are going to create an IDS. If you want to know basic stuffs on IDS, there are a lot on the net..but if you want to know how an IDS is created, then get SNORT and see it's src...

***thehorse13*** · April 2nd, 2005, 12:10 PM

Would you like the world's fastest and cheapest IDS?

1) Throw a box in your DMZ.
2) Add firewall ACLs that don't allow internal hosts to hit it.
3) Add firewall ACLs that don't allow external hosts to hit it.
4) Now, add *any* program you like that can see port scan activity. There are hundreds that I can think of other than snort that are free. Hell, you can even use a sniffer for this if you're really hard up.

Done.

Now, when Mr. leet haxor breaks into one of your other hosts in the DMZ, what do you think the first thing he will do if he doesn't have knowledge of your network layout? Yep. Scan for other targets. In doing so he has just announced to you that he has compromised your network and you get to reel him in. Many a dead haxor hang on my shelf using this simple yet effective technique.

--TH13

**JJX** · April 2nd, 2005, 01:18 PM

We want to implement a simple c++/java IDS.
C++ will do the packet sniffing , and according to some rules will detect attempts (real or false).
atm is just an idea ...

***i2c*** · April 2nd, 2005, 09:19 PM

Check out python, you might be able to knock smething up quickly in that as a working prototype - have a look at this -

http://www.antionline.com/showthrea...threadid=249001

its a tut on how to make a honeypot but im sure you could twist how it works and create a simple IDS??

i2c

accidentally posted this else where this morning when I was in a rush, not sure how much help it will actually be...

check this to - http://www.antionline.com/showthread...hreadid=266442

***zencoder*** · April 2nd, 2005, 09:28 PM

Decent tutorial on building a Fedora Core 3 system, installing MySQL, Snort, BASE, et. al. to build a solid IDS. His site looks like ****, but the PDF has some good info for the begginer to build an IDS, so it's worth a look.

**JJX** · April 4th, 2005, 12:27 AM

ok, thx for the links

thx all

***SirDice*** · April 4th, 2005, 11:48 AM

Originally posted here by JJX
We will start with some tcp/ip books. But atm we are searching for some info about ids. Anyone know any good references (books) on howto create an ids? (not configuring snort)

I can highly recommend TCP/IP Illustrated, Volume 1 and Network Intrusion Detection, 3rd edition.

Thread: Creating an IDS

Thread Tools

Display

Creating an IDS

Re: Creating an IDS

Re: Creating an IDS

Posting Permissions