Intrusion Detection System

Thread: Intrusion Detection System

  #1 Junior Member (Join Date: Feb 2005, Posts: 24)

    Intrusion Detection System

    Hi All,

    I plan to develop an intrusion detection system for educational purposes and asked for a start in the general programming section. After understanding what an IDS is, I would love to ask some questions related to how to go on programming it. (I am confused whether to start a new thread or not.)

    First things first,
    I would love to build a Network Based IDS first, and if time is left I will definitely love to add a System Integrity Verifier (SIV).
    So I will keep my discussion to a NIDS only.

    The broad steps which I need to take (according to my understanding) are:

    1. PACKET SNIFFER:
    It logs all the inward and outward traffic.

    2. ANOMALY DETECTION ON BASIS OF SIGNATURE:
    I don't know how this can be done, so please help.

    3. TAKING ACTION:
    * This could either be reporting to the admin
    * or blocking the access.

    Now some questions (I know there are some great guys here):

    ## The above mentioned design doesn't look perfect; could you please suggest something.

    ## I have not begun coding, so if you suggest any good advice I will change my approach.

    ## The choice of programming language: should I stick to C, or go toward a scripting language like Perl, PHP etc...? What are useful libraries like libcp, or how can tcpdump be used?

    ## It would be so nice of you guys if you can suggest details related to the steps, esp. the 1st and 2nd one.
    Give some insight on how the things are done in reality.

    ## Point to some code that could be helpful.

    I would be happy if I could detect port scan attacks and DDoS attacks at this instant of time.

    P.S.: I am new to programming related to networking,
    and the present aim of my IDS is to understand the basic concepts and, by God's grace, if it turns out to be a nice one then it's great.

    P.P.S.: I am new to this forum so I am yet to explore it fully.

  #2 |ceWriterguy (Join Date: Aug 2004, Posts: 1,608)
    Sounds like you're trying to re-invent the wheel with a few cool twists - Let me throw this into the fire and see how it cooks up:

    I submit that you can't do a realtime intrusion detection system because:

    The key to breaking into a system is making it think you're legitimately there. What would you look for that wouldn't show everyone logged to your net as a threat?

    Feel free to fry this at will folks, it was just a random thought - if we can overcome that one little obstacle, perhaps it's doable.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  #3 IKnowNot, Senior Member (Join Date: Jan 2003, Posts: 792)
    To davinci:
    1st, you could have continued this in the old thread as it wasn't that old, has the same basic topic, and people wouldn't have to search for it to see the post and responses here.

    2nd, I am not a programmer so I can't really help you, but
    "what are useful libraries like libcp or how can tcpdump be used."
    did you mean libpcap (note here that it is being maintained by the people at tcpdump) or, for MS Win machines, WinPcap????

    To |3lack|ce:

    Excuse me please if I take this out of order a bit.
    "What would you look for that wouldn't show everyone logged to your net as a threat?"
    Everyone logged on your net is a threat!

    "I submit that you can't do a realtime intrusion detection system because:"
    Before getting into the technical debate you are looking for, I think it important to examine the philosophical area so we know what your idea of "realtime" is.
    Is it a system that logs intrusion attempts as they occur, to be examined months later only after an admin realizes the box was rooted?
    Or does it need to flash a big red screen and sound bells and whistles at 11:00 P.M. on Friday when no one will be around to see it until Tuesday? (holiday weekend ... they love holiday weekends)

    Just looking for a baseline here .....

    Remember, I didn't name these things, so don't blame me. I don't believe a true IDS exists. No matter what happens, you need an experienced person to look at and evaluate the results to determine if there is an actual intrusion or attempted intrusion. Maybe they should have called them "Possible Intrusion of System Security Indicators" (PISSI)?

    Back to
    "What would you look for that wouldn't show everyone logged to your net as a threat?"
    how about
    SCAN nmap XMAS for a start?
    or
    MS-SQL Worm propagation attempt
    ICMP PING CyberKit 2.2 Windows
    ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited

    hope this gets things moving a bit !
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
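The three steps davinci lists in the first post (sniff, match against signatures, act) and the rule names IKnowNot quotes above (for example "SCAN nmap XMAS") are easier to reason about with a small working detector in front of you. The block below is an added example, not code from either poster; it replaces the libpcap sniffer with a constructed list of packet records and applies two defender-side rules: an exact-match signature for the XMAS flag combination (FIN+PSH+URG, which no legitimate TCP handshake sets) and a threshold rule for a port scan (too many distinct destination ports from one source to one host inside a sliding time window). Field names, thresholds and the sample addresses are assumptions for illustration.

```python
"""Toy signature + threshold detector for a NIDS (added example).

The packets are constructed records, not live libpcap captures; the field
names, thresholds and addresses below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits at their positions in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    ts: float     # capture timestamp in seconds
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination TCP port
    flags: int    # TCP flag bits


def is_xmas(pkt: Packet) -> bool:
    """Signature rule: FIN+PSH+URG set and neither SYN nor ACK.

    A normal connection never carries this combination, so the rule is a cheap
    exact match that produces very few false positives."""
    lit = FIN | PSH | URG
    return (pkt.flags & lit) == lit and not (pkt.flags & (SYN | ACK))


class PortScanDetector:
    """Threshold rule: a source touching more than `max_ports` distinct ports on
    one host within `window` seconds is reported once per (src, dst) pair."""

    def __init__(self, max_ports: int = 10, window: float = 5.0):
        self.max_ports = max_ports
        self.window = window
        self._seen = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
        self._alerted = set()            # pairs already reported

    def observe(self, pkt: Packet):
        key = (pkt.src, pkt.dst)
        hist = self._seen[key]
        hist.append((pkt.ts, pkt.dport))
        # keep only entries still inside the sliding window
        hist = [(t, p) for t, p in hist if pkt.ts - t <= self.window]
        self._seen[key] = hist
        distinct = {p for _, p in hist}
        if len(distinct) > self.max_ports and key not in self._alerted:
            self._alerted.add(key)
            return f"PORTSCAN {pkt.src} -> {pkt.dst} ({len(distinct)} ports in {self.window}s)"
        return None


def run_sensor(packets):
    """Step 1 (sniffer) is the packet list, step 2 applies the rules and step 3
    (action) is reduced to returning alert lines for the admin."""
    scans = PortScanDetector()
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if is_xmas(pkt):
            alerts.append(f"SCAN XMAS {pkt.src} -> {pkt.dst}:{pkt.dport}")
        hit = scans.observe(pkt)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample traffic: a legitimate web session, one XMAS probe and a
# sweep of 15 ports from a single source within two seconds.
SAMPLE = (
    [Packet(0.0 + i, "10.0.0.5", "10.0.0.10", 80, SYN if i == 0 else ACK) for i in range(3)]
    + [Packet(1.5, "192.0.2.7", "10.0.0.10", 22, FIN | PSH | URG)]
    + [Packet(10.0 + i * 0.1, "192.0.2.9", "10.0.0.10", 20 + i, SYN) for i in range(15)]
)

if __name__ == "__main__":
    for line in run_sensor(SAMPLE):
        print(line)
```

The legitimate session never trips either rule, the single XMAS packet fires the signature immediately, and the sweep is reported exactly once, when the eleventh distinct port is seen. Replacing `SAMPLE` with records decoded from a pcap is the only change needed to run this over real traffic.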

  #4 Junior Member (Join Date: Feb 2005, Posts: 24)
    Thanx for replying, IKnowNot & |3lack|ce.

    IKnowNot,

    I am sorry for that. I thought that was in the general programming section and it would suit better in Security Programming, and I am sorry for that.

    That was libpcap only, and I am sorry for my bad typing.

    The debate about whether an IDS can detect all intrusions, or whether a network based IDS is better or a host based IDS, can continue till eternity, but I am hoping to get some conclusion reached.

    This philosophical debate can go on, but shifting to programming,
    which programming language is suited best? The answer which came to mind instantly is C.
    But surfing here and there, I ought to think of other options like Perl, PHP and Python.

    A mixture of C and Perl or PHP is possible, I think. So besides the previous question, could anyone also shed light on the pros and cons of using one?


    P.S.: Lately it struck my mind to build an IDS which is an integration of existing IDS like Snort for NIDS or Tripwire for SIV, but I think it will become even more cumbersome to handle and will make my project more complex, as it's not easy to debug someone else's code. Please correct me if I am wrong.

    Thanx to all

  #5 |ceWriterguy (Join Date: Aug 2004, Posts: 1,608)
    "Before getting into the technical debate you are looking for I think it important to examine the philosophical area so we know what your idea of "realtime" is."
    Realtime - 'right now' time - to the millisecond or faster depending on the system for which this ids is designed.

    "Everyone logged on your net is a threat!"
    You hit the nail on the head but still missed the point - let me clarify a bit....

    Your user account is logged to the net, right? Are you a threat to it? From the ids standpoint under your parameters you are. How do you 'teach' the IDS to ignore your account, and whatever other legitimate users on your net at the same time, but still look for others? Remember again the key to a successful net crack is to appear legitimate...

    To answer my own question I can think of one possibility but even that one's exploitable - make a user defined 'exceptions' set - just as exist on good firewalls - let the admin dictate exactly what traffic is permitted to/from that exception and when. (Joe User works from 9am to 5pm mon thru fri and does strictly bookkeeping - so he's allowed to access only the bookkeeping software and data files during those hours. If he wants to work late on something he has to go talk to Gore, the netadmin from hell, to get 'extra permission time')
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!
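The "exceptions set" |3lack|ce describes (Joe User, bookkeeping only, 9 to 5 Monday to Friday, with the admin able to hand out extra permission time) is a small policy engine, and it is worth seeing how the pieces fit. The block below is an added example and not the poster's code: it keeps one access rule per user with an allowed resource set and a weekly time window, keeps temporary grants with an expiry, and evaluates a single access event to either "allow" or an alert reason. The user, resource names and dates are constructed for illustration; the alert strings are assumptions.

```python
"""Admin-defined access exceptions with time windows (added example).

Constructed users, resources and dates; the alert reasons are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class AccessRule:
    user: str
    resources: frozenset   # resources the user may reach at all
    days: frozenset        # permitted weekdays, Monday == 0
    start: time            # window start (inclusive)
    end: time              # window end (exclusive)


@dataclass(frozen=True)
class ExtraPermission:
    user: str
    resource: str
    not_after: datetime    # the admin's 'extra permission time' ends here


@dataclass
class ExceptionPolicy:
    rules: dict = field(default_factory=dict)    # user -> AccessRule
    grants: list = field(default_factory=list)   # active ExtraPermission entries

    def add_rule(self, rule: AccessRule):
        self.rules[rule.user] = rule

    def grant(self, extra: ExtraPermission):
        self.grants.append(extra)

    def evaluate(self, user: str, resource: str, when: datetime) -> str:
        """Return 'allow' or an 'alert: ...' reason for one access event.

        Every branch that is not an explicit allow is an alert: the point of an
        exceptions set is that anything outside it is reported, not ignored."""
        rule = self.rules.get(user)
        if rule is None:
            return "alert: unknown user"
        # temporary grants are checked first so sanctioned late work is quiet
        for g in self.grants:
            if g.user == user and g.resource == resource and when <= g.not_after:
                return "allow"
        if resource not in rule.resources:
            return "alert: resource not permitted"
        in_window = when.weekday() in rule.days and rule.start <= when.time() < rule.end
        if not in_window:
            return "alert: outside permitted hours"
        return "allow"


def build_demo_policy() -> ExceptionPolicy:
    """Joe does bookkeeping 09:00-17:00 Mon-Fri and got one evening extension."""
    policy = ExceptionPolicy()
    policy.add_rule(AccessRule(
        user="joe",
        resources=frozenset({"bookkeeping-app", "ledger-files"}),
        days=frozenset(range(5)),
        start=time(9, 0),
        end=time(17, 0),
    ))
    # extension granted by the admin for Friday evening 2005-02-11 until 21:00
    policy.grant(ExtraPermission("joe", "ledger-files", datetime(2005, 2, 11, 21, 0)))
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    for event in [("joe", "bookkeeping-app", datetime(2005, 2, 9, 10, 30)),
                  ("joe", "bookkeeping-app", datetime(2005, 2, 9, 20, 0)),
                  ("joe", "ledger-files", datetime(2005, 2, 11, 20, 0)),
                  ("joe", "payroll-db", datetime(2005, 2, 9, 10, 0)),
                  ("mallory", "ledger-files", datetime(2005, 2, 9, 10, 0))]:
        print(event, "->", p.evaluate(*event))
```

The ordering matters: grants are consulted before the weekly window so that the approved late session does not page anyone, while the same user on the same files the next morning (a Saturday, after the grant has lapsed) is reported again. This is also where the thread's "realtime" question lands in practice: the decision is instant, but what the alert string triggers is up to whoever runs the collector.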

  #6 zencoder, AO Senior Cow-beller, Moderator (Join Date: Dec 2004, Location: Mountain standard tribe., Posts: 1,177)
    Originally posted here by |3lack|ce
    Realtime - 'right now' time - to the millisecond or faster depending on the system for which this ids is designed.
    Agreed. Real time is right now, as in the system is notifying me on my screen of a problem as it is occurring. If I am a dumbshit CISO and don't have a full time 'round the clock security staff receiving the events/alerts, or at least a system calling the SecAdmin on his blackberry at all hours of the night, I should not be able to claim "real time".

    Real time is more of an industry buzz word used to make re-worked existing solutions sound new, shiny, and exciting. What real time means is you have someone sitting there with their hands wrapped around the power cables to your backbone router(s), waiting for a reason to pull the plug. The illusion of some 'Counter-Hacker' resplendent in his white hat, multiple terminals (VT100 baby, screw this GUI stuff) and keyboards at the ready, prepared to write code, issue config changes, and actively subvert an intruder's attempts to compromise your network in a dance of keyboard clacks and caffeine ingestion, this is a thing of Hollywood, not the Real World™. Don't believe me? Go watch Swordfish. Fun movie. Complete bullshit, but fun if you can ignore that.

    "Everyone logged on your net is a threat!"
    "You hit the nail on the head but still missed the point - let me clarify a bit...."
    I don't think he hit it on the head for this discussion... I agree with the statement in a humorous/ironic sense, but the point of IDS is to determine good intent from bad. That statement indicates all users, all activity, all traffic is potentially bad. While this can be considered true from a certain perspective, it doesn't really further this discussion now, does it?
    Sorry, not trying to pick on you IKnowNot, just a point I wanted to make. I agree, users are the biggest threat (since they are humans).


    <snip>...he has to go talk to Gore, the netadmin from hell, to get 'extra permission time')
    I thought he was BOFH? Did he get promoted? W00H00!
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  #7 |ceWriterguy (Join Date: Aug 2004, Posts: 1,608)
    Ok, Knownot wants programming discussion, Zen wants to let his security staff (himself) sleep - so we get this:

    RealTime definitions subroutine for the Real World IF:

    If we're in normal working hours;
    andif someone's within earshot;
    then it's NOW;

    elif we're after business hours;
    orif everyone's too lazy to answer the alarm in a timely fashion;
    then it's logged;
    endif;
    endif;
    rem Easy fix :ž

    For Gore the Bastard SysAdmin from Michigan, see my PM since it's off topic
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  #8 thehorse13, Master-Jedi-Pimps0r & Moderator (Join Date: Dec 2002, Location: Washington D.C. area, Posts: 2,884)
    Why are you going through all this trouble? Would you like a free IDS solution? Place a box of your liking, even if it's a 486, and place it in your DMZ. Disallow internal traffic from hitting it, disallow external traffic from hitting it. Throw any open source tool on there (snort with bleeding rules enabled, whatever) a simple sniffer will be just as effective. Then let it pass log data to your internal collector or monitor.

    Now, when a box other than this one gets pwn3d in your DMZ, unless the attacker has intimate knowledge of your environment, what do you think the first thing he/she is going to do? Yes, port scan or probe hosts in the DMZ. Congrats. The attacker just informed you that he has broken into your DMZ.

    This method is extremely effective and free. If you'd like to pay 60k for it, please continue to pan the IDS market. One thing is for sure, you don't need to develop one.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  #9 zencoder, AO Senior Cow-beller, Moderator (Join Date: Dec 2004, Location: Mountain standard tribe., Posts: 1,177)
    Originally posted here by |3lack|ce
    Ok, Knownot wants programming discussion, Zen wants to let his security staff (himself) sleep - so we get this:

    RealTime definitions subroutine for the Real World IF:

    If we're in normal working hours;
    andif someone's within earshot;
    then it's NOW;

    elif we're after business hours;
    orif everyone's too lazy to answer the alarm in a timely fashion;
    then it's logged;
    endif;
    endif;
    rem Easy fix :ž
    LMAO! Nice. Actually, I was making a side comment on the fact that agrees with the intent of IKnowNot's original statement. If you buy the safest car in the world, but get drunk and drive without a seatbelt, you're still f$cked. Same thing with IDS and alerting systems. Many companies have IDS in place more to meet regulations and dictums from their governments and shareholders than any actual, invested, serious concern for their network integrity. They want the integrity, but don't want to do what it takes. IDS offers a solution to the business and pseudo-ethical concerns.

    And my apologies to davinci and IKnowNot, for taking this thread WAY, WAY off the intended path. I'll shut up now.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  #10 IKnowNot, Senior Member (Join Date: Jan 2003, Posts: 792)
    "Sorry, not trying to pick on you IKnowNot, just a point I wanted to make."
    My post was intended to stimulate discussion.
    "And my apologies to davinci and IKnowNot, for taking this thread WAY, WAY off the intended path."
    Is it really? Before you bake a cake you not only need the recipe, ingredients, have the oven, etc. but have to have a basic idea what you want it to look like and what environment it will be used in (a cake for a bachelor party may not be appropriate for a 5th birthday party, etc.)
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
