Snort mailing list archives

Net::Pcap port and distributed NIDS


From: "Flowers, Jay" <Jay_Flowers () CHCSII COM>
Date: Fri, 4 Jan 2002 16:56:56 -0500

First:
Wayne Rogers (mostly him) and I have almost completed a port of the *nix
Perl module Net::Pcap.  We would like to post it on CPAN, but need some
testing first.  If any of you could use this module and would be willing to
help test it, please send me or Wayne (wayne_rogers () chcsii com) an email.
 
Second:
We are porting Net::Pcap to Windows to make a distributed NIDS that will work
on both Win32 and *nix platforms.  If anyone would like to participate, small
or large, please send me an email.
 
The general plan so far:
Write the client and server app in Perl and then use something like Perl2Exe
to make an executable out of the scripts.
 
The four major things that I don't see in the other open source NIDSs:
1. Not distributed; one machine is scanning all the network traffic.
2. If it is distributed, it doesn't run on Win32.
3. They do not take any actions other than logging or notification.
4. They do not address DHCP spoofing or ARP attacks.
 
The last one amazes me the most.  I have already found several solutions to
the DHCP spoofing and ARP attacks.  I have not decided which are the best
yet; I need to test which are the most robust.
 
Most of the work as far as rules to pass the traffic through has already
been done in Snort.  I was thinking that the best thing to do would be to
store several sets of rules on the server, then configure the server to
apply the appropriate set of rules to each client app.  The client app would
report to the server any activity that matched its rules.  Then the server
can take action(s) based on its rules.  For instance, if a client reported
to the server that it received an ARP spoof attack, the server could do
several things at this point.  It would of course log this and email the
administrator, but it could also: log all of the compromised client's current
connections to the external net, order one of the clients on that segment to
send a crafted ARP packet to correct the ARP spoof, shut down the compromised
client, shut down the port of the switch that the client is connected to, or
just kill all its connections to the external net, or ...  I am not sure yet
which are the best actions to include in the app.
 
I could go on and on about this, but that is not for this mailing list.  If
you are interested, please give me a shout.
 
Thanks for listening to me ramble
 
Jay Flowers

Jay Flowers
Integic Health Care
