-
April 4th, 2007, 10:23 PM
#1
DOS Intrusion Detection System
I think I had posted on here ages ago asking how to create an Intrusion Detection System just using DOS commands in a batch file. Well, I actually wrote this a while back and figured I should post it. It's not meant as a serious security tool, mainly just a learning experience for the curious newb (aka me).
The basic concept is to leave the program running at night, at a time when you are not using the computer, to check for differences in connections. The code is pretty self-explanatory.
@ECHO OFF
CLS
ECHO Written by Blithendell.
ECHO http://www.antionline.com/
ECHO.
ECHO Your current connections..
NETSTAT
ECHO.
ECHO Check C:\NIGHTWATCHLOG.TXT to see if any intrusion attempts occurred.
PAUSE
REM Record the baseline: the connection table as it looked when the watch started.
ECHO Original connections..>C:\NIGHTWATCHLOG.TXT
NETSTAT>>C:\NIGHTWATCHLOG.TXT
ECHO.>>C:\NIGHTWATCHLOG.TXT
DATE /T>>C:\NIGHTWATCHLOG.TXT
TIME /T>>C:\NIGHTWATCHLOG.TXT
NETSTAT>C:\NETLOG1.TXT
ECHO.
ECHO.
ECHO.
ECHO Currently scanning for intruders..
:MAIN
REM Wait about five seconds between samples so the loop does not spin flat out.
REM (TIMEOUT is not available on XP, so a ping to localhost is used as the delay.)
PING -n 6 127.0.0.1>NUL
NETSTAT>C:\NETLOG2.TXT
REM FC sets errorlevel 0 when the files match and 1 when they differ.
REM Overwrite FILELOG.TXT on each pass instead of appending, so it cannot grow without bound.
FC C:\NETLOG1.TXT C:\NETLOG2.TXT>C:\FILELOG.TXT
IF ERRORLEVEL 1 GOTO :ALERT
GOTO :MAIN
:ALERT
ECHO.>>C:\NIGHTWATCHLOG.TXT
ECHO Intrusion attempt detected!>>C:\NIGHTWATCHLOG.TXT
ECHO Compare the above and below entries to identify the intruder.>>C:\NIGHTWATCHLOG.TXT
NETSTAT>>C:\NIGHTWATCHLOG.TXT
ECHO.>>C:\NIGHTWATCHLOG.TXT
DATE /T>>C:\NIGHTWATCHLOG.TXT
TIME /T>>C:\NIGHTWATCHLOG.TXT
DEL C:\FILELOG.TXT
DEL C:\NETLOG1.TXT
DEL C:\NETLOG2.TXT
SHUTDOWN -s -t 10
-
April 5th, 2007, 03:49 AM
#2
Or... you could merely check your audit logs for the same information...
The idea of a script calling netstat repeatedly seems like somewhat of an unnecessary resource drain.
Real security doesn't come with an installer.
-
April 5th, 2007, 01:51 PM
#3
As d0pp has mentioned, the audit policy which is defined in the security policy would be a better indication. You can audit logon/log off, policy changes, object access/failures, etc. The default log size should be increased as to not overwrite events too quickly. If you really want, dump those to a syslog server for archival/analysis.
You'd be better off logging connections at the firewall and dumping them to a syslog server. You can do this with most home routers. I say dump to a syslog as there is no place on the router to store the logs and using a large buffer to store the logs uses valuable resources.
I log inbound/outbound connections on my gateway/firewall to a syslog server. I also log successful connections to my workstations using the Windows firewall.
Many other host based firewalls also log all this stuff... I just prefer to log to a secured syslog server because you know the logs can't be modified. Even if they flood the logs on the host, the info will still be on the syslog server.
It's fun to play around with batch files to learn, but the problem you are going to run into is either the attacker will modify the batch file, replace the binaries you're using with patched ones, kill the process, etc. I know you just did it for fun and for learning, which is fine... I just wouldn't put too much faith in it.
All of the above would be ok for a home setup. When you get into a corporate/enterprise level... everything changes.
Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
April 5th, 2007, 04:14 PM
#4
I agree with phish but you do get 12 points for originality/creativity
Oliver's Law:
Experience is something you don't get until just after you need it.
-
April 15th, 2007, 03:00 AM
#5
I want to present a perspective. I know that the batch file is just for fun but just for the sake of a point that could cause false alerts:
Sometimes we see a page which has dynamic content placed on it. Usually that is either a live report, like scores for a game, or an advertisement. Sometimes the advertisements are loaded into the page from different websites (maybe the server to which the page is connected does that at regular intervals in response to some signal from Java code).
I think that if a person falls asleep while the scanner is running, it will end up with a nice number of intrusion alerts.
I know that the batch file is not a full-fledged security scanning system, but I just wanted to present one aspect from a learner's (my) side.
Thanks to all.
Last edited by jockey0109; April 15th, 2007 at 03:03 AM.
"Everything should be made as simple as possible, but not simpler."
- Albert Einstein
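The batch file in post #1 compares two raw netstat dumps with FC, so any textual change at all counts as an intrusion, which is exactly why the advert-refresh scenario in post #5 produces a night's worth of false alerts. The following is an added example, written for this page and not code from either poster, that does the same baseline-and-diff idea on parsed connection records instead of text: it ignores line reordering and TIME_WAIT churn, files new connections into outbound (we dialled out), inbound (a remote host connected to a port we were already listening on) and new listener, and only alerts on the last two. The two netstat tables are constructed for the demo in Windows `netstat -an` layout, not real captures, and the addresses and ports in them are made up; the listener/inbound/outbound split is a heuristic chosen here, not anything the thread specifies.

```python
"""Baseline-and-diff connection watch, done on parsed records instead of raw text.

Added example, not code from the thread. The netstat output below is
constructed for the demo (Windows 'netstat -an' layout, not a real capture).
"""
from typing import Dict, List, NamedTuple, Set


class Conn(NamedTuple):
    proto: str   # "TCP" or "UDP"
    local: str   # "ip:port"
    remote: str  # "ip:port", or "*:*" for UDP
    state: str   # "LISTENING", "ESTABLISHED", "TIME_WAIT", ...; "" for UDP


def parse_netstat(text: str) -> Set[Conn]:
    """Turn 'netstat -an' text into a set of connection records.

    Working on a set means a reordering of lines, which FC would flag,
    is not a difference at all.
    """
    conns = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        state = parts[3] if len(parts) > 3 else ""
        conns.add(Conn(parts[0], parts[1], parts[2], state))
    return conns


def port_of(addr: str) -> int:
    """'0.0.0.0:135' -> 135, '[::]:135' -> 135, '*:*' -> -1."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else -1


def classify(baseline: Set[Conn], current: Set[Conn]) -> Dict[str, List[Conn]]:
    """Split the records that appeared since the baseline into three buckets.

    Only 'new_listener' and 'inbound' are worth waking anyone up for; an
    'outbound' connection is the machine dialling out (browser, updater,
    an advert refreshing on an open page), which is what a raw text
    comparison keeps tripping over.
    """
    listening_ports = {port_of(c.local) for c in baseline if c.state == "LISTENING"}
    report: Dict[str, List[Conn]] = {"new_listener": [], "inbound": [], "outbound": []}
    for conn in sorted(current - baseline):
        if conn.state == "LISTENING":
            report["new_listener"].append(conn)
        elif conn.state == "ESTABLISHED" and port_of(conn.local) in listening_ports:
            report["inbound"].append(conn)   # someone connected to a service we expose
        elif conn.state in ("ESTABLISHED", "SYN_SENT"):
            report["outbound"].append(conn)  # we initiated it
        # TIME_WAIT / CLOSE_WAIT / FIN_WAIT churn is ignored entirely
    return report


def alerts(baseline: Set[Conn], current: Set[Conn]) -> List[Conn]:
    """The records that should actually raise an alert."""
    report = classify(baseline, current)
    return report["new_listener"] + report["inbound"]


def raw_differs(baseline_text: str, current_text: str) -> bool:
    """What the batch file's FC step effectively tests: any textual change at all."""
    return baseline_text.strip() != current_text.strip()


# Constructed sample: the table at the start of the watch ...
BASELINE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1054      72.14.207.99:80        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# ... and one sample later. An advert reloaded (new outbound connection to a
# web server, the old one sits in TIME_WAIT), but a new listener has also
# appeared and a LAN host has connected to the file-sharing port. All
# addresses and ports are made up for the demo.
CURRENT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.77:3312      ESTABLISHED
  TCP    192.168.1.10:1054      72.14.207.99:80        TIME_WAIT
  TCP    192.168.1.10:1061      209.85.129.99:80       ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    base, now = parse_netstat(BASELINE), parse_netstat(CURRENT)
    print("raw text changed:", raw_differs(BASELINE, CURRENT))
    for bucket, conns in classify(base, now).items():
        for c in conns:
            print(f"{bucket:13} {c.proto} {c.local} -> {c.remote} {c.state}")
    print("alerts:", len(alerts(base, now)))
```

On the sample, the raw comparison reports a change (as FC would), while the record-level check files the advert fetch as harmless outbound and raises exactly two alerts: the new listener on 4444 and the LAN host on 445. Post #3's caveat still stands in full: this runs on the host being watched, so an attacker who is already on the box can stop it or feed it a doctored netstat, and it is no substitute for audit logging shipped off-host.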