IDS mailing list archives

Re: couple IDS development questions


From: "Sebastien Tricaud" <stricaud () inl fr>
Date: Wed, 17 Oct 2007 11:13:25 +0200 (CEST)

Hi

Hello,


Recently I'm working on a new IDS project.
As a matter of fact, at the moment I'm stuck at a point where I'm supposed
to decide a few very important things:

1) Which language? C/C++ with its
already implemented projects (Snort, ModSecurity), Java with its
multiplatform option?

It really depends on what you want to do. C can be very dangerous for such
a component since it can expose your software to common problems. However,
if you need CPU performance, real-time, etc., C is a good choice.
To get started though, I would recommend using a higher-level
language such as Python to build a prototype, and then rewriting it
depending on what you need.

All those languages are well supported on various platforms anyway.



2) Should I just take a project and try to build a new one on top of it?
Snort, for example? Has anybody done that before? Any suggestions?

Some NIDS projects used Snort as a base and then got included as official
Snort preprocessors.

Again, it depends on the time you have to work on this, and what kind
of IDS you are developing.

However, if you need to understand the basics, starting from scratch is a
good thing to do. After that, if you want to develop a NIDS, don't bother
with stuff like cross-platform packet reassembly since the work has been
done in frag3; just use it and improve the Snort project.


3) How is a network IDS analyzing network activity when almost every
packet nowadays is encrypted?

Because almost every packet is *not* encrypted.

If you have a VPN, don't put your NIDS in the middle of the tunnel (or
give it the keys, but I would not recommend that). Simply put your NIDS at
endpoints.

In the case of weak encryption, some NIDS can decrypt it on the fly (e.g. Back
Orifice).



4) I'm thinking about encrypting IDS messages/alert packets as well.
What cipher should I use?

Blowfish! :)

I would recommend you to use Prelude IDS (www.prelude-ids.org) for alert
stuff; it is a good framework that assures you security, alert backup,
etc.

You can develop using libprelude in C, Perl or Python.

See: https://trac.prelude-ids.org/wiki/DevelopingSensorQuickly



I don't want to "go in a wrong direction" from the start, so please help ;]


I guess this is the purpose of this list too :)

Happy hacking!
Sebastien.
