Thread: DOS Intrusion Detection System

  1. #1
    Junior Member
    Join Date
    Aug 2003

    DOS Intrusion Detection System

    I think I had posted on here ages ago asking how to create an Intrusion Detection System just using DOS commands in a batch file. Well, I actually wrote this a while back and figured I should post it. It's not meant as a serious security tool, mainly just a learning experience for the curious newb (aka me).

    The basic concept is to leave the program running at night, at a time when you are not using the computer, to check for differences in connections. The code is pretty self-explanatory.

    ECHO Written by Blithendell.
    ECHO http://www.antionline.com/
    ECHO Your current connections..
    ECHO Check C:\NIGHTWATCHLOG.TXT to see if any intrusion attempts occurred.
    REM Start a fresh log file (single > overwrites any old log)
    ECHO Original connections..>C:\NIGHTWATCHLOG.TXT
    ECHO Currently scanning for intruders..
    REM Append (>>) the alert to the log so the baseline entries above it are kept
    ECHO Intrusion attempt detected!>>C:\NIGHTWATCHLOG.TXT
    ECHO Compare the above and below entries to identify the intruder.>>C:\NIGHTWATCHLOG.TXT
    REM Remove the temporary snapshot files
    DEL C:\FILELOG.txt
    DEL C:\NETLOG1.txt
    DEL C:\NETLOG2.txt
    REM Shut the machine down after a 10 second delay
    SHUTDOWN -s -t 10
    Everything Turns Grey!

  2. #2
    @ŞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r
    Join Date
    May 2003
    St. Petersburg, FL
    Or... you could merely check your audit logs for the same information...

    The idea of a script calling netstat repeatedly seems like somewhat of an unnecessary resource drain.
    Real security doesn't come with an installer.

  3. #3
    AO übergeek phishphreek
    Join Date
    Jan 2002
    As d0pp has mentioned, the audit policy which is defined in the security policy would be a better indication. You can audit logon/logoff, policy changes, object access/failures, etc. The default log size should be increased so as not to overwrite events too quickly. If you really want, dump those to a syslog server for archival/analysis.

    You'd be better off logging connections at the firewall and dumping them to a syslog server. You can do this with most home routers. I say dump to a syslog as there is no place on the router to store the logs and using a large buffer to store the logs uses valuable resources.

    I log inbound/outbound connections on my gateway/firewall to a syslog server. I also log successful connections to my workstations using the Windows firewall.

    Many other host based firewalls also log all this stuff... I just prefer to log to a secured syslog server because you know the logs can't be modified. Even if they flood the logs on the host, the info will still be on the syslog server.

    It's fun to play around with batch files to learn, but the problem you are going to run into is either the attacker will modify the batch file, replace the binaries you're using with patched ones, kill the process, etc. I know you just did it for fun and for learning, which is fine... I just wouldn't put too much faith in it.

    All of the above would be ok for a home setup. When you get into a corporate/enterprise level... everything changes.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    I agree with phish but you do get 12 points for originality/creativity
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Aug 2006
    I want to present a perspective. I know that the batch file is just for fun but just for the sake of a point that could cause false alerts:

    Sometimes we see a page which has dynamic content placed on it. Usually that thing is either a live report like scores for a game or an advertisement. Sometimes the advertisements are loaded into the page from different websites (maybe the server to which the page is connected does that at regular time intervals in response to some signal from java code).

    I think that if a person sleeps away while the scanner is running, it will end up in some nice number of intrusion alerts.

    I know that the batch file is not a full fledged security scanning system, but I just wanted to present one aspect from a learner's (my) side.

    Thanks to all.
    Last edited by jockey0109; April 15th, 2007 at 03:03 AM.
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein
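The baseline-then-compare idea from post #1, together with the false-alert problem raised in post #5, as an added example that is not part of the thread or anyone's posted batch file. The two netstat-style snapshots and the allow-list entry are constructed; the comparison is done on the remote endpoint rather than the whole line, because a page that reloads its ads or scores reconnects to the same server on a fresh local port and a raw line diff would flag every such reconnect.

```python
# Constructed snapshots mimicking "netstat -n" output (not real captures)
BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1052      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1060      198.51.100.7:443       ESTABLISHED
"""
LATER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1052      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1071      198.51.100.7:443       ESTABLISHED
  TCP    192.168.1.10:1075      203.0.113.9:80         ESTABLISHED
  TCP    192.168.1.10:1080      192.0.2.44:9001        ESTABLISHED
"""
# Hypothetical allow-list: a rotating ad server that was not connected when the
# baseline was taken and would otherwise trip the alert post #5 describes.
ALLOWED_REMOTE = {"203.0.113.9:80"}

def parse_connections(text):
    """Return a set of (proto, local, remote, state) tuples from netstat -n text."""
    conns = set()
    for line in text.splitlines():
        parts = line.split()
        # Header and blank lines do not have four fields starting with TCP
        if len(parts) == 4 and parts[0] == "TCP":
            conns.add(tuple(parts))
    return conns

def new_connections(baseline_text, current_text, allowed=ALLOWED_REMOTE):
    """Connections present now, absent from the baseline, not on the allow-list."""
    base = parse_connections(baseline_text)
    cur = parse_connections(current_text)
    # Treat any remote endpoint already seen at baseline time as known, so a
    # reconnect on a new ephemeral local port is not reported as an intrusion.
    known_remote = {c[2] for c in base} | set(allowed)
    return sorted(c for c in cur - base if c[2] not in known_remote)

if __name__ == "__main__":
    for conn in new_connections(BASELINE, LATER):
        print("Unknown connection:", " ".join(conn))
```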
