
Building an IDS

Implement a network intrusion detection system

monitor network traffic
detect known network patterns

requirement
    should be linux (or other unix like OS)
    interface for accepting new patterns
    show detection result
    C/C++/Java

Test cases (requirement)
    IP header
    TOS, length, fragment offset, TTL, protocol, source/destination address
    TCP header
    source/destination port, seq number, ACK number, flags
    And payload
        string patterns - e.g., “I am an attacker”
    you should consider the “*” - don’t care
        e.g.,
        source IP:143.248.111.14, destination IP: 143.248.111.13
        others: *
    performance/correctness
    can your program detect all patterns?

 

Test environment
    Linux
        e.g., ubuntu (free)
    no machine? — virtual box, it is free
        https://www.virtualbox.org/
    Turn in
        source codes - compressed
        report (max 5-pages)
        how to install your program
        how to run your program
        simple description of your program
        and some more (any note, comment, …) ??
        demonstrate your program to TAs
    Hint?
        libpcap

====================================================================================

To avoid confusion about assignment #1, we are giving details of the INPUT interface, RULE syntax, and OUTPUT format. Please keep them in mind.

1. OVERVIEW

We will evaluate your assignment as follows:

     1) We prepare IDS rules in plain text.

     2) Your IDS parses the IDS rules. (Do not insert a rule manually)

     3) Transmit a set of packets to your IDS.

     4) Check whether your IDS properly detects the packets that match the IDS rules.

 

2. Input Interface  

Your IDS must accept rules in plain text, given as a command-line parameter or through a similar input interface.

Your IDS parses multiple rules in a single rule file. In other words, a rule file can have multiple rules.

For example,

     ./Your_IDS ids_rule.txt

     or similar interfaces

     ./Your_IDS

     IDS > ids_rule.txt

 

3. Rule Syntax

Follow the Snort IDS rule format (the examples below do not fully match the Snort rule format described in the Snort user manual; please CHECK whether your syntax matches the Snort user manual). You don't need to parse all of the elements described in the Snort documentation. However, your IDS must be able to parse all of the fields in the IP header, TCP header and HTTP header, including the payload
-> the fields described in the network security lecture-4 presentation material. In other words, your IDS parses the IP header (TOS, length, fragment offset, TTL, protocol, source/destination address), TCP header (source/destination port, seq number, ACK number, flags) and payload (string patterns) without "don't care". In addition to this limitation, you don't need to implement handling of range formats (e.g., port number 1-300).

Here are the examples (please ignore the additional HTTP protocol):

     alert udp any 53 -> any any (msg:"From dns server to client";)
     alert udp any any -> any 53 (msg:"From client to dns server";)
     alert http any any -> any any (msg:"DAUM!"; http_request:"GET"; content:"daum";) 
     alert http any any -> any 80 (msg:"NAVER!"; http_request:"PUT"; content:"naver";)
     alert http any 80 -> any any (msg:"GOOGLE!"; http_request:"POST"; content:"google";)
     alert tcp any any -> any any (msg:"SYN packet"; SYN:1;)
     alert tcp any any -> any any (msg:"window size is 0"; win:0;)
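As an added example (not part of the assignment material or the student's program), here is a minimal C++ parser for the rule header and the `msg`, `content`, `SYN` and `win` options used above, plus a matcher that treats `any` or `*` as don't-care. The `Packet` struct, the `option()` helper and the field names are my own assumptions; `http_request` and port ranges such as `1-300` are deliberately not handled, matching the announcement.

```cpp
#include <sstream>
#include <string>

struct Packet {                  // what an IDS has already decoded from one captured packet
    std::string proto, src, dst; // "tcp"/"udp" and dotted-quad addresses
    int sport = 0, dport = 0; bool syn = false; unsigned win = 0;
    std::string payload;
};

struct Rule {
    std::string proto, src, dst, msg, content;
    int sport = -1, dport = -1;  // -1 encodes "any" (don't care)
    int syn = -1; long win = -1; // -1 = unconstrained, otherwise the required value
};

// "any" (or "*") is a don't-care; anything else must be a concrete port number.
static int parsePort(const std::string& s) { return (s == "any" || s == "*") ? -1 : std::stoi(s); }

// Value of `key:` in the option body, surrounding quotes stripped; "" if the key is absent.
static std::string option(const std::string& body, const std::string& key) {
    size_t p = body.find(key + ":");
    if (p == std::string::npos) return "";
    size_t b = p + key.size() + 1, e = body.find(';', b);
    std::string v = body.substr(b, e == std::string::npos ? e : e - b);
    if (v.size() >= 2 && v.front() == '"' && v.back() == '"') v = v.substr(1, v.size() - 2);
    return v;
}

// Header is "action proto src sport -> dst dport", then "(option; option; ...)".
Rule parseRule(const std::string& line) {
    Rule r; size_t lp = line.find('(');
    std::istringstream head(line.substr(0, lp));
    std::string body = lp == std::string::npos ? "" : line.substr(lp + 1);
    std::string action, arrow, sp, dp;
    head >> action >> r.proto >> r.src >> sp >> arrow >> r.dst >> dp;
    r.sport = parsePort(sp); r.dport = parsePort(dp);
    r.msg = option(body, "msg"); r.content = option(body, "content");
    if (!option(body, "SYN").empty()) r.syn = std::stoi(option(body, "SYN"));
    if (!option(body, "win").empty()) r.win = std::stol(option(body, "win"));
    return r;
}

static bool addrOk(const std::string& want, const std::string& got) { return want == "any" || want == "*" || want == got; }

// Every constrained field must agree; don't-care fields are skipped.
bool matches(const Rule& r, const Packet& p) {
    if (r.proto != p.proto || !addrOk(r.src, p.src) || !addrOk(r.dst, p.dst)) return false;
    if ((r.sport != -1 && r.sport != p.sport) || (r.dport != -1 && r.dport != p.dport)) return false;
    if (r.syn != -1 && (r.syn == 1) != p.syn) return false;
    if (r.win != -1 && r.win != (long)p.win) return false;
    return r.content.empty() || p.payload.find(r.content) != std::string::npos;
}
```

Reading a rule file is then one `parseRule` call per non-empty line, and each captured packet is checked against every parsed rule.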

4. Output format

The IDS must display all of the fields of a matched packet, including the payload.

The output format is below:

     IP header
          Version: xx
          Header Length: xx
          Service Type: xx

     TCP header
          Source Port: xx
          Destination Port: xx

The order of the displayed fields must be the same as in the protocol specification (e.g., if you display the TCP header, your IDS displays Source Port, Destination Port, …).

While showing all of the packet information, the IDS must highlight the matched fields in yellow.
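An added example, not from the assignment or the student's jnetpcap program: decoding the IPv4 and TCP headers from raw bytes and rendering them in specification order, with the fields a rule matched wrapped in ANSI yellow. The `IpTcp` struct, `render()` and the sample packet bytes are constructed for this illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

struct IpTcp {                                  // decoded fields, kept in specification order
    unsigned version, ihl, tos, length, id, flags, fragOff, ttl, proto; std::string src, dst;
    unsigned sport, dport, tcpFlags, win; uint32_t seq, ack;
};

static unsigned be16(const uint8_t* p) { return (unsigned)p[0] << 8 | p[1]; }
static uint32_t be32(const uint8_t* p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }
static std::string dotted(const uint8_t* p) {
    return std::to_string(p[0]) + "." + std::to_string(p[1]) + "." + std::to_string(p[2]) + "." + std::to_string(p[3]);
}

// Decode IPv4 + TCP from the start of an IP datagram; false if truncated or not IPv4/TCP.
bool decode(const uint8_t* b, size_t len, IpTcp& h) {
    if (len < 20) return false;
    h.version = b[0] >> 4; h.ihl = (b[0] & 0x0f) * 4;          // IHL counts 32-bit words
    if (h.version != 4 || h.ihl < 20 || len < h.ihl + 20) return false;
    h.tos = b[1]; h.length = be16(b + 2); h.id = be16(b + 4);
    h.flags = b[6] >> 5; h.fragOff = be16(b + 6) & 0x1fff;     // 3 flag bits, 13 offset bits
    h.ttl = b[8]; h.proto = b[9]; h.src = dotted(b + 12); h.dst = dotted(b + 16);
    if (h.proto != 6) return false;                            // 6 = TCP
    const uint8_t* t = b + h.ihl;
    h.sport = be16(t); h.dport = be16(t + 2); h.seq = be32(t + 4); h.ack = be32(t + 8);
    h.tcpFlags = t[13]; h.win = be16(t + 14);
    return true;
}

// "Name: value" lines in specification order; names listed in `hits` are wrapped in ANSI yellow.
std::vector<std::string> render(const IpTcp& h, const std::vector<std::string>& hits) {
    std::vector<std::pair<std::string, std::string>> f = {
        {"Version", std::to_string(h.version)}, {"Header Length", std::to_string(h.ihl)}, {"Service Type", std::to_string(h.tos)},
        {"Total Length", std::to_string(h.length)}, {"Identification", std::to_string(h.id)}, {"Flags", std::to_string(h.flags)},
        {"Fragment Offset", std::to_string(h.fragOff)}, {"TTL", std::to_string(h.ttl)}, {"Protocol", std::to_string(h.proto)},
        {"Source Address", h.src}, {"Destination Address", h.dst}, {"Source Port", std::to_string(h.sport)},
        {"Destination Port", std::to_string(h.dport)}, {"Sequence Number", std::to_string(h.seq)},
        {"Acknowledgment Number", std::to_string(h.ack)}, {"TCP Flags", std::to_string(h.tcpFlags)}, {"Window", std::to_string(h.win)}};
    std::vector<std::string> out;
    for (auto& kv : f) {                                       // highlight only the fields a rule matched
        std::string s = kv.first + ": " + kv.second;
        out.push_back(std::find(hits.begin(), hits.end(), kv.first) != hits.end() ? "\033[33m" + s + "\033[0m" : s);
    }
    return out;
}

// Constructed sample, not a capture: 143.248.111.14:40000 -> 143.248.111.13:80, SYN, seq 1, window 29200.
const uint8_t SAMPLE[40] = {
    0x45,0x00,0x00,0x28, 0x1a,0x2b,0x40,0x00, 0x40,0x06,0x00,0x00, 0x8f,0xf8,0x6f,0x0e, 0x8f,0xf8,0x6f,0x0d,
    0x9c,0x40,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x02,0x72,0x10, 0x00,0x00,0x00,0x00};
```

With libpcap the same `decode()` runs on the captured bytes after the 14-byte Ethernet header; the `\033[33m` / `\033[0m` escapes give the yellow highlight on a terminal.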

================================================================================

1. How to install your program

Decompress the archive and run the program as described in 2.(2) below.

2. How to run your program

(1) The files included in the archive are as follows

➀ p1/src/assign: program source code

➁ p1/bin/assignment.jar: jar file for running the program

➂ p1/lib: jnetpcap library (libjnetpcap.so) required to run the program

(2) How to run the program

In a terminal, run assignment.jar in p1/bin/ with root privileges (sudo)

➀ Change to the p1/bin/ directory, then -> sudo java -Djava.library.path=(path to the p1/lib folder) -jar assignment.jar

➁ example: sudo java -Djava.library.path=/home/p1/lib -jar assignment.jar

3. Description of the program

The program is divided into the following three areas.

[Figure 1] First screen after starting the program

(1) LoadRule area:

Loads pre-prepared snort rules. (The following sample rules were used.)

[Figure 2] Sample rules used

(2) Start area:

➀ To scan packets, the current network interface list is shown, and the appropriate number is chosen and entered in the console.

[Figure 3] State after entering the network interface number

➁ Packets matching the rules are scanned and printed.

[Figure 4] Output of the reason the alert was raised and the scanned contents

(3) Stop area:

Stops scanning and returns to NIC selection. (To exit the program, click the x button.)


[Figure 5] When stop is selected

