Snort mailing list archives
Net::Pcap port and distributed NIDS
From: "Flowers, Jay" <Jay_Flowers () CHCSII COM>
Date: Fri, 4 Jan 2002 16:56:56 -0500
First: Wayne Rogers (mostly him) and I have almost completed a port of the *nix Perl module Net::Pcap. We would like to post it on CPAN, but need some testing first. If any of you could use this module and would be willing to help test it, please send me or Wayne (wayne_rogers () chcsii com) an email.

Second: We are porting Net::Pcap to Windows to make a distributed NIDS that will work on both Win32 and *nix platforms. If anyone would like to participate, small or large, please send me an email.

The general plan so far: write the client and server app in Perl and then use something like Perl2Exe to make an executable out of the scripts.

The four major things that I don't see in the other open source NIDSs:
- Not distributed; one machine is scanning all the network traffic
- If it is distributed, it doesn't run on Win32
- They do not take any actions other than logging or notification
- They do not address DHCP spoofing or ARP attacks

The last one amazes me the most. I have already found several solutions to the DHCP spoofing and ARP attacks. I have not decided which are the best yet; I need to test which are the most robust.

Most of the work as far as rules to pass the traffic through has already been done in Snort. I was thinking that the best thing to do would be to store several sets of rules on the server, then configure the server to apply the appropriate set of rules to each client app. The client app would report to the server any activity that matched its rules. Then the server can take action(s) based on its rules. For instance, if a client reported to the server that it received an ARP spoof attack, the server could do several things at this point. It would of course log this and email the administrator, but it could also: log all of the compromised client's current connections to the external net, order one of the clients on that segment to send a crafted ARP packet to correct the ARP spoof, shut down the compromised client, shut down the port of the switch that the client is connected to, or just kill all its connections to the external net, or ... I am not sure yet which are the best actions to include in the app.

I could go on and on about this, but that is not for this mailing list. If you are interested please give me a shout.

Thanks for listening to me ramble,

Jay Flowers
Integic Health Care
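As an added example (not code from the post or from the Net::Pcap port it describes), here is the kind of per-frame check the client side could run on each frame a Net::Pcap callback hands it: it parses an Ethernet/ARP frame, keeps an IP-to-MAC binding table, and returns an alert when an IP address is claimed by a different MAC than before, which is the symptom of ARP spoofing the post wants the NIDS to address. The frames, addresses and the alert text format are constructed for the example; only the alert is returned, so what the server does with it is left to its own rules.

```perl
# Added example, not part of the original post: per-frame ARP binding check
# a client could run inside its Net::Pcap callback. Keeps IP -> MAC bindings
# seen in ARP and returns an alert when an IP is claimed by a different MAC.
use strict;
use warnings;

my %binding;   # sender IP (dotted quad) -> sender MAC (aa:bb:cc:dd:ee:ff)

# Parse an Ethernet II frame carrying ARP over IPv4; undef for anything else.
sub parse_arp {
    my ($frame) = @_;
    return if length($frame) < 42;
    my ($type) = unpack('x6 x6 n', $frame);          # skip dst/src MAC
    return unless $type == 0x0806;                    # EtherType ARP
    my ($hlen, $plen, $op, $sha, $spa)
        = unpack('x2 x2 C C n H12 a4', substr($frame, 14, 28));
    return unless $hlen == 6 && $plen == 4;           # Ethernet / IPv4 only
    return {
        op  => $op,                                   # 1 request, 2 reply
        sha => join(':', $sha =~ /(..)/g),            # sender MAC
        spa => join('.', unpack('C4', $spa)),         # sender IP
    };
}

# Check one frame; returns the alert text the client would report to the
# server (report format is assumed), or undef when the binding is unchanged.
sub check_frame {
    my ($frame) = @_;
    my $arp = parse_arp($frame) or return;
    my ($ip, $mac) = ($arp->{spa}, $arp->{sha});
    my $old = $binding{$ip};
    $binding{$ip} = $mac;
    return unless defined $old && $old ne $mac;
    return "ARP binding change: $ip was $old, now $mac (op $arp->{op})";
}

# Constructed frames (not captured traffic): an ARP reply from $sha/$spa to
# 10.0.0.2, sent to the broadcast MAC the way a gratuitous reply would be.
sub build_arp_reply {
    my ($sha, $spa) = @_;
    my $spa_bin = pack('C4', split /\./, $spa);
    return pack('H12 H12 n', 'ffffffffffff', $sha, 0x0806)
         . pack('n n C C n', 1, 0x0800, 6, 4, 2)
         . pack('H12', $sha) . $spa_bin . pack('H12 C4', '000000000000', 10, 0, 0, 2);
}

# Legitimate reply for 10.0.0.1, then the same IP claimed by another MAC.
for my $f (build_arp_reply('001122334455', '10.0.0.1'),
           build_arp_reply('deadbeef0001', '10.0.0.1')) {
    my $alert = check_frame($f);
    print "$alert\n" if defined $alert;
}
```

Only the second frame produces an alert; a real client would feed the frames from its Net::Pcap loop into check_frame and forward the returned text to the server.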