Intrusion Detection

shrka

Disciple
I want to develop an "Intrusion Detection System" specifically for Windows systems as my final year project in my Bachelor's degree.
Currently my skill set includes:
Programming in C,
Java,
Basics of OS,
DBMS,
Computer Networks,
Server-side programming (JSP & Servlets)

I am seeking guidance from the administrators and other site members, whoever is interested and has knowledge of these systems, exploits etc.

What knowledge and programming skills should I have in order to build an IDS?
All views and ideas are invited and will be consequential in my approach.
 
I would say it's better to develop an IDS in a language like Perl or C. I am more into exploit coding but I think I will go with this with you. PM me your Messenger ID and we could work this out.

Also the best way is to develop a plugin-based architecture, because you can't hope to deal with each and every aspect of an IDS. Maybe we can do a bit with port scan detection for a start and then work ahead. But I would bet only on a plugin-based architecture or a rule-based IDS. Snort is a rule-based IDS.
 
Why don't you look at the code of Snort? See if you can do something like that for Windows. But I don't know what sort of interfaces you are going to need to hook into to be able to take over the network ports.
 
^^ Great idea, but it is already a great tool. It can function as a port scanner, vulnerability checker, and IDS.

I am thinking of something with a web interface, with a MySQL etc. backend. This way at least we won't need to go for platform dependency. I have been reading up on all this for some time, and would definitely like to help. But since my skill set and your skill set are different, we would have to work it out. Give me some days and I will present a model here.
 
A successful IDS is really tough to make and time consuming; if you have time, plunge in. Though I don't have much coding skill, I really would love to get into this project and help you with the possible ways. ;)

Add me on MSN, we'll talk tonight.
 
Guys, he is doing his final year project, which means

1. Little time

2. Guidance is allowed. But we can't help (read: code and design) for him!

And you cannot achieve platform independence in this domain, unless you somehow write it in Java - and I doubt that the necessary facilities are available for that in the runtime.
 
^^ I agree, but what the heck. He will be in this project from start to end so he will already know everything. And come on, most engineering students get their projects made from outside and even college people make no issues. And at least this guy is willing to work. Why not? Let's give it a try.

I say there are 2 ways:

1: We code from the bottom up and try to add functionalities; coding will be tough, but I vote for this.

2: We configure Snort with Apache and MySQL so that it can be administered remotely. But this would be easy and there is no point in making it the final year project.

Better we meet on MSN and do some serious thinking. I can code in Perl and C (but better in Perl). So I say we meet on MSN, read up a bit and then again decide what to do. Perl will be better because of its excellent built-in pattern matching. But platform independence will be better achieved through Ruby or C. What do you say, guys?

Gmail ID: josh.anu

Or I will create an MSN ID and post it. Also shrka, if you could tell us the project deadline etc. it would be more helpful.
 
I didn't get it. How do you integrate an IDS with Metasploit? Or for what need? You can think of incorporating Nessus or any good vulnerability scanner with Metasploit to get a product of Canvas standard.

This is worth thinking of, but IDS and vulnerability detection/exploitation are 2 different things from 2 different perspectives.
 
See, basically what I have read and know from my experience of running servers is that IDS is a behaviour-based science. Nothing is totally concrete other than preliminary reports of scans, ping sweeps or DDoS. Also an IDS can be defeated by keeping your behaviour low enough that the IDS assumes it to be normal.

But to keep out script kiddies or newbies, Snort can be used with MySQL etc. and a firewall to generate configs on the go.

Testing an IDS is pretty simple with Nessus also. Using Metasploit against an IDS will not necessarily lead to detection until you do something to step on the rule set itself. Connecting to an open port and running an exploit will not, or should not, trigger the IDS.

But since I am nobody concrete on this, I am willing to code an IDS in Perl just to get a better understanding.
 
This is going to get really bad. Perl is mostly out, I think. How to get to listen on ports which are already bound to daemon processes? Maybe we will have to use some TCP/IP lib for Linux. Hmmm, will search and keep this updated.
 
^^ Yup, I keep forgetting that. What I suggest is that you download Snort and get a bit comfortable with it. Also if you have 2 rigs then install Snort and run it in IDS mode, and use the second rig with Nessus, or for starters scan with Nmap and check the response etc.

Also we can start with WinPcap, as said above. It's an open source library for Windows, and all major Windows ports of excellent tools like Nmap and even Snort use it. But since this is a project we have to answer a very strong question: why redo a concept that is already implemented (Snort)? You may have to face this question in your viva also.

I suggest we try out Ruby and try to add a GUI interface or something extra. Ruby is well supported on Windows and even Metasploit is coded in Ruby now (especially for Windows). Even I don't know Ruby, but if we have time we should go for it.

All suggestions open.
 
OK, for starters we will have to code a sniffer. This will sniff all packets knocking on the Ethernet port. Then we will have to strip the packets into different components like source/destination IP, source/destination port, other flags etc. Then we will compare them with a select set of rules. Also we can ping the source IP as soon as we get substantial packets to check for spoofing.

But first code a sniffer.
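The pipeline this post describes (sniff frames, split them into source/destination IP, ports and flags, compare against rules) together with the port scan detection and rule-based design floated earlier in the thread, as an added example in Ruby, the language suggested above. This is not code from the thread, from Snort or from any project mentioned here. It assumes constructed Ethernet/IPv4/TCP frames in place of a live WinPcap capture (the capture loop and the spoofing ping are left out), and the rule fields, the scan threshold of 10 distinct ports within 5 seconds, and every function and class name are the example's own choices.

```ruby
# Added example, not code from this thread or from Snort: decode raw
# Ethernet/IPv4/TCP frames into fields and run them through a small rule
# table plus a stateful port-scan detector. Frames are constructed inline
# in place of a WinPcap/pcap capture; all names and thresholds are the
# example's own assumptions.

ETH_TYPE_IPV4 = 0x0800
PROTO_TCP     = 6
TCP_SYN       = 0x02
TCP_ACK       = 0x10

Packet = Struct.new(:src_ip, :dst_ip, :src_port, :dst_port, :flags, :payload)

# Split one raw frame (binary String) into a Packet, or nil if it is not IPv4/TCP.
def decode_frame(frame)
  return nil if frame.bytesize < 14
  return nil unless frame.byteslice(12, 2).unpack1('n') == ETH_TYPE_IPV4
  ip = frame.byteslice(14..-1)
  return nil if ip.bytesize < 20
  vhl, _tos, total_len, _id, _frag, _ttl, proto, _csum = ip.unpack('CCnnnCCn')
  ihl = (vhl & 0x0f) * 4                      # IP header length in bytes
  return nil unless (vhl >> 4) == 4 && ihl >= 20 && proto == PROTO_TCP
  src_ip = ip.byteslice(12, 4).unpack('C4').join('.')
  dst_ip = ip.byteslice(16, 4).unpack('C4').join('.')
  tcp = ip.byteslice(ihl, total_len - ihl)
  return nil if tcp.nil? || tcp.bytesize < 20
  src_port, dst_port, _seq, _ack, off_flags = tcp.unpack('nnNNn')
  data_off = (off_flags >> 12) * 4            # TCP header length in bytes
  payload  = tcp.byteslice(data_off..-1) || ''
  Packet.new(src_ip, dst_ip, src_port, dst_port, off_flags & 0x1ff, payload)
end

# A Snort-style rule: every non-nil field must match; :content is a payload regex.
Rule = Struct.new(:name, :dst_port, :flags, :content)
RULES = [
  Rule.new('telnet connection attempt', 23, TCP_SYN, nil),
  Rule.new('path traversal in HTTP request', 80, nil, %r{/etc/passwd}),
]

def match_rules(pkt, rules = RULES)
  rules.select do |r|
    (r.dst_port.nil? || r.dst_port == pkt.dst_port) &&
      (r.flags.nil? || (pkt.flags & r.flags) == r.flags) &&
      (r.content.nil? || pkt.payload.match?(r.content))
  end.map(&:name)
end

# Stateful rule: a source that sends bare SYNs to >= threshold distinct ports
# within the window is reported once, after which its state is reset.
class PortScanDetector
  def initialize(threshold: 10, window: 5.0)
    @threshold, @window = threshold, window
    @seen = Hash.new { |h, k| h[k] = [] }     # src_ip => [[time, dst_port], ...]
  end

  def observe(pkt, now)
    return nil unless (pkt.flags & (TCP_SYN | TCP_ACK)) == TCP_SYN
    list = @seen[pkt.src_ip]
    list << [now, pkt.dst_port]
    list.reject! { |t, _| now - t > @window }
    ports = list.map(&:last).uniq
    return nil if ports.size < @threshold
    @seen.delete(pkt.src_ip)
    "port scan from #{pkt.src_ip}: #{ports.size} ports in #{@window}s"
  end
end

# Build a frame with zeroed MACs and checksums (enough for decoding, not for sending).
def build_frame(src_ip, dst_ip, src_port, dst_port, flags, payload = '')
  tcp = [src_port, dst_port, 1, 0, (5 << 12) | flags, 8192, 0, 0].pack('nnNNnnnn') + payload.b
  ip  = [0x45, 0, 20 + tcp.bytesize, 1, 0, 64, PROTO_TCP, 0].pack('CCnnnCCn') +
        [src_ip, dst_ip].map { |a| a.split('.').map(&:to_i).pack('C4') }.join.b
  ("\x00" * 12).b + [ETH_TYPE_IPV4].pack('n') + ip + tcp
end

# Run (timestamp, frame) pairs through the decoder and both rule engines.
def analyse(captures)
  scanner = PortScanDetector.new
  captures.each_with_object([]) do |(t, frame), alerts|
    pkt = decode_frame(frame)
    next unless pkt
    match_rules(pkt).each do |name|
      alerts << "#{name} #{pkt.src_ip}:#{pkt.src_port} -> #{pkt.dst_ip}:#{pkt.dst_port}"
    end
    scan = scanner.observe(pkt, t)
    alerts << scan if scan
  end
end

# Constructed sample traffic: a benign web request, a telnet SYN, a traversal
# attempt against the web server, and a burst of SYNs to 12 different ports.
def sample_captures
  caps = [
    [0.0, build_frame('10.0.0.5', '10.0.0.1', 40000, 80, TCP_SYN)],
    [0.1, build_frame('10.0.0.5', '10.0.0.1', 40000, 80, TCP_ACK, "GET / HTTP/1.0\r\n")],
    [1.0, build_frame('10.0.0.7', '10.0.0.1', 40001, 23, TCP_SYN)],
    [2.0, build_frame('10.0.0.7', '10.0.0.1', 40002, 80, TCP_ACK, "GET /../../etc/passwd HTTP/1.0\r\n")],
  ]
  12.times { |i| caps << [3.0 + i * 0.1, build_frame('10.0.0.9', '10.0.0.1', 50000 + i, 1 + i, TCP_SYN)] }
  caps
end

analyse(sample_captures).each { |a| puts "ALERT: #{a}" } if $PROGRAM_NAME == __FILE__
```

Running the file prints three alerts: the telnet SYN, the traversal request, and one port scan report when the tenth distinct port is hit. In a real deployment `build_frame` and `sample_captures` would be replaced by a capture callback handing each raw frame plus its timestamp to `decode_frame`; the two rule engines stay as they are, which is the separation a plugin-based design needs, with stateless rules in a table and stateful ones as objects that keep their own per-source memory.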
 