DOS Intrusion Detection System

  1. #1
    Junior Member
    Join Date
    Aug 2003
    Posts
    11

    DOS Intrusion Detection System

    I think I had posted on here ages ago asking how to create an Intrusion Detection System just using DOS commands in a batch file. Well, I actually wrote this a while back and figured I should post it. It's not meant as a serious security tool, mainly just a learning experience for the curious newb (aka me).

    The basic concept is to leave the program running at night, at a time when you are not using the computer, to check for differences in connections. The code is pretty self-explanatory.

    @ECHO OFF
    CLS
    ECHO Written by Blithendell.
    ECHO http://www.antionline.com/
    ECHO.
    ECHO Your current connections..
    NETSTAT
    ECHO.
    ECHO Check C:\NIGHTWATCHLOG.TXT to see if any intrusion attempts occurred.
    PAUSE
    REM Record the baseline: the connections present when the watch starts.
    ECHO Original connections..>C:\NIGHTWATCHLOG.TXT
    NETSTAT>>C:\NIGHTWATCHLOG.TXT
    ECHO.>>C:\NIGHTWATCHLOG.TXT
    DATE /T>>C:\NIGHTWATCHLOG.TXT
    TIME /T>>C:\NIGHTWATCHLOG.TXT
    REM NETLOG1.TXT is the baseline snapshot every later snapshot is compared against.
    NETSTAT>C:\NETLOG1.TXT
    ECHO.
    ECHO.
    ECHO.
    ECHO Currently scanning for intruders..
    :MAIN
    REM Take a fresh snapshot and compare it byte for byte with the baseline.
    REM There is no delay, so NETSTAT runs again as soon as FC finishes, and
    REM FC's output is appended to FILELOG.TXT on every pass.
    NETSTAT>C:\NETLOG2.TXT
    FC C:\NETLOG1.TXT C:\NETLOG2.TXT>>C:\FILELOG.TXT
    REM FC sets ERRORLEVEL 1 when the files differ; IF ERRORLEVEL 1 is also true
    REM for higher values, e.g. when FC cannot open one of the files.
    IF ERRORLEVEL 1 GOTO :ALERT
    GOTO :MAIN
    :ALERT
    REM Any difference between the snapshots is treated as an intrusion: log the
    REM current connections with a timestamp, clean up, and shut the machine down.
    ECHO.>>C:\NIGHTWATCHLOG.TXT
    ECHO Intrusion attempt detected!>>C:\NIGHTWATCHLOG.TXT
    ECHO Compare the above and below entries to identify the intruder.>>C:\NIGHTWATCHLOG.TXT
    NETSTAT>>C:\NIGHTWATCHLOG.TXT
    ECHO.>>C:\NIGHTWATCHLOG.TXT
    DATE /T>>C:\NIGHTWATCHLOG.TXT
    TIME /T>>C:\NIGHTWATCHLOG.TXT
    DEL C:\FILELOG.TXT
    DEL C:\NETLOG1.TXT
    DEL C:\NETLOG2.TXT
    REM Power off after a 10 second countdown.
    SHUTDOWN -s -t 10

    Everything Turns Grey!

  2. #2
    @ŞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,689
    Or... you could merely check your audit logs for the same information...

    The idea of a script calling netstat repeatedly seems like somewhat of an unnecessary resource drain.
    Real security doesn't come with an installer.

  3. #3
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,324
    As d0pp has mentioned, the audit policy which is defined in the security policy would be a better indication. You can audit logon/logoff, policy changes, object access/failures, etc. The default log size should be increased so as not to overwrite events too quickly. If you really want, dump those to a syslog server for archival/analysis.

    You'd be better off logging connections at the firewall and dumping them to a syslog server. You can do this with most home routers. I say dump to a syslog as there is no place on the router to store the logs and using a large buffer to store the logs uses valuable resources.

    I log inbound/outbound connections on my gateway/firewall to a syslog server. I also log successful connections to my workstations using the Windows firewall.

    Many other host based firewalls also log all this stuff... I just prefer to log to a secured syslog server because you know the logs can't be modified. Even if they flood the logs on the host, the info will still be on the syslog server.

    It's fun to play around with batch files to learn, but the problem you are going to run into is either the attacker will modify the batch file, replace the binaries you're using with patched ones, kill the process, etc. I know you just did it for fun and for learning, which is fine... I just wouldn't put too much faith in it.

    All of the above would be ok for a home setup. When you get into a corporate/enterprise level... everything changes.
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    I agree with phish, but you do get 12 points for originality/creativity.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    I want to present a perspective. I know that the batch file is just for fun but just for the sake of a point that could cause false alerts:

    Sometimes we see a page which has dynamic content placed on it. Usually that thing is either a live report like scores for a game or an advertisement. Sometimes the advertisements are loaded into the page from different websites (maybe the server to which the page is connected does that at regular time intervals in response to some signal from Java code).

    I think that if a person sleeps away while the scanner is running, it will end up with some nice number of intrusion alerts.

    I know that the batch file is not a full-fledged security scanning system, but I just wanted to present one aspect from a learner's (my) side.

    Thanks to all.
    Last edited by jockey0109; April 15th, 2007 at 03:03 AM.
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein
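The batch file in post #1 compares raw NETSTAT listings byte for byte with FC, so the connection churn jockey0109 describes in post #5 (a page reloading ads or live scores on a fresh ephemeral port) trips the alert just like a genuinely new connection would. As an added example that is not code from the original thread, here is the same baseline-versus-now comparison in Python, done on parsed connection tuples instead of raw text so that port churn is ignored and known remote hosts can be excluded; the two snapshots are constructed, and the 49152 threshold assumes the Windows dynamic port range.

```python
import re

# Constructed sample snapshots (not from the original post), shaped like the
# default Windows NETSTAT listing the batch file captures.  Between them a
# browser re-opened HTTPS on a new ephemeral port (harmless churn) and a new
# inbound SMB session from 10.0.0.77 appeared (the kind of thing to report).
BASELINE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:3389      192.168.1.20:50122     ESTABLISHED
  TCP    192.168.1.10:49152     93.184.216.34:443      ESTABLISHED
"""
NOW = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:3389      192.168.1.20:50122     ESTABLISHED
  TCP    192.168.1.10:49153     93.184.216.34:443      ESTABLISHED
  TCP    192.168.1.10:445       10.0.0.77:41002        ESTABLISHED
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
EPHEMERAL_START = 49152  # assumed start of the Windows dynamic (client) port range

def connection_key(proto, local, foreign, state):
    """Normalise one NETSTAT line so that port churn is not a 'change':
    the remote port is dropped and an ephemeral local port becomes '*'."""
    lhost, _, lport = local.rpartition(":")    # also fine for '[::1]:135'
    rhost, _, _ = foreign.rpartition(":")      # '*:*' -> host '*'
    if lport.isdigit() and int(lport) >= EPHEMERAL_START:
        lport = "*"
    return (proto, f"{lhost}:{lport}", rhost, state or "")

def parse_netstat(text):
    """Set of normalised connection keys found in a NETSTAT listing."""
    keys = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # header lines such as 'Proto  Local Address ...' do not match
            keys.add(connection_key(*m.groups()))
    return keys

def new_connections(baseline_text, current_text, ignore_hosts=()):
    """Keys present now but absent from the baseline, minus remote hosts the
    operator chose to ignore (e.g. the ad server a page keeps polling)."""
    added = parse_netstat(current_text) - parse_netstat(baseline_text)
    return sorted(k for k in added if k[2] not in ignore_hosts)

if __name__ == "__main__":
    for key in new_connections(BASELINE, NOW):
        print("New connection:", key)   # only the 10.0.0.77 SMB session
```

On a live box the two strings would come from `netstat` output captured at the start of the watch and again after a sleep, rather than running back to back as the batch loop does.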
