Intrusion Detection Questions
Results 1 to 4 of 4

Thread: Intrusion Detection Questions

  1. #1
    Junior Member
    Join Date
    Apr 2008
    Posts
    3

    Unhappy Intrusion Detection Questions

    Hi all,

    I am planning to write an intrusion detection system as part of a university project. As soon as I started thinking about it I realised that I will need to be running a service at the IP layer, below TCP or UDP. I need this because I need to be able to examine all incoming packets and check out what ports they're on their way to etc.

    My problem is, all my network coding experience is with TCP and UDP, and whats worse is that its in Java, which I fear is way too high lvl for what Im trying to do.

    Does anyone know how I get my code to run at this level? I assume I'll have to disable the windows IP level service and replace it with my own, which will be much the same (forwarding incoming packets to their TCP/UDP ports) but will also log and alert the user if it recognises any potentially malicious connections.

    PS Its not too late for me to change my ideas as I have until the end of summer to decide on my project. So let me know if what im undertaking is beyond a lone coder.

    Thanks for reading

  2. #2
    Not at all... you should be fine without having to do anything with the IP stack of your operating system. Check into the docs on the classes you plan to import into your java code - all of the access you need to the packets should be available. While it's been some time since I coded in Java, I'm sure there's plenty of classes that will let you identify the IP addresses and source/destination ports. (sorry, if I had more time I'd search around for some classes for you, but I'm on my lunch break!)

    On another note, I hope the project is really just a proof of concept. An IDS or IPS would have to be expected to inspect and process packets at a very high rate (even if you're only inspecting the headers), and Java isn't know for its speed.

    Good luck - post your code out here when you're done!

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hello _Lynks_, and welcome to AO.

    It is not my subject, but might I suggest that you consider an intrusion prevention system?

    OK you need the detection bit, and you might consider the option to turn the prevention module on/off, so as to facilitate "honeypots"?

    Cheers

  4. #4
    Junior Member
    Join Date
    Apr 2008
    Posts
    3
    Quote Originally Posted by InfiniteL00p
    Not at all... you should be fine without having to do anything with the IP stack of your operating system. Check into the docs on the classes you plan to import into your java code - all of the access you need to the packets should be available. While it's been some time since I coded in Java, I'm sure there's plenty of classes that will let you identify the IP addresses and source/destination ports. (sorry, if I had more time I'd search around for some classes for you, but I'm on my lunch break!)
    Thanks for the quick reply, all the information is greatly appreciated. This has given me a boost of confidence.

    Quote Originally Posted by InfiniteL00p
    On another note, I hope the project is really just a proof of concept. An IDS or IPS would have to be expected to inspect and process packets at a very high rate (even if you're only inspecting the headers), and Java isn't know for its speed.
    Well, ish. The primary goal is to prove the technical aspects, while I do have to give a 10 minute presentation infront of a lot of people so it would be nice if it worked to an extent. Thanks for the advice either way.

    Quote Originally Posted by InfiniteL00p
    Good luck - post your code out here when you're done!
    Sure


    Quote Originally Posted by nihil
    It is not my subject, but might I suggest that you consider an intrusion prevention system?
    I had planned to augment the interface with prevention controls, but I thought I'd leave the final decision to the admin (eg, message pops up in the notification area saying that someone is port scanning you, and options pop up eg block ip, or even something like 'spoof os fingerprint' hehe)


    Anyway, thanks again for the replies and information. I'll do a bunch of reading and hunt down some java classes then post again here.

Similar Threads

  1. TOP Intrusion Detection Systems Questions Answered
    By adiveno in forum IDS & Scanner Discussions
    Replies: 1
    Last Post: May 2nd, 2006, 09:47 PM
  2. Asking smart questions
    By pwaring in forum Other Tutorials Forum
    Replies: 60
    Last Post: October 22nd, 2004, 10:15 PM
  3. A look into IDS/Snort Whole thing by QoD
    By qod in forum The Security Tutorials Forum
    Replies: 6
    Last Post: February 27th, 2004, 03:03 AM
  4. Tcp/ip
    By gore in forum Newbie Security Questions
    Replies: 11
    Last Post: December 29th, 2003, 08:01 AM
  5. Introduction to IDS
    By micael in forum IDS & Scanner Discussions
    Replies: 3
    Last Post: February 23rd, 2002, 10:05 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •