#1 naveed.pasha, 12-23-2007, 08:16 AM
Doing final year project based upon an intrusion detection system (IDS) - Need Help!

Hi all!

I've started a little late doing my final year university project, but I know what I want to do so it's probably better than a few of the other students out there!

I do enjoy reading and studying about the wide variety of topics that are encompassed by network and computer security. I want to develop an Intrusion Detection System, possibly making it platform independent into a network intrusion detection system (NIDS). I've been doing quite a bit of research and there is a wide selection of functions I could include and could not include. Anyhow, I've come here to ask for assistance in actually planning the programming or how to go about it, and for suggestions on which functions I should or shouldn't include. By the way, the primary aim for this final year project is to develop an IDS of some sort and display it functioning, possibly with some configurable characteristics, maybe using some sort of penetration testing tool or developing one myself along with the IDS to test it working.

In doing all of this I also hope to gain a greater insight into network and computer security...
All suggestions and ideas are welcome; anything to point me in the right direction is much appreciated!

Kind Thanks

#2 lasthell, 12-24-2007, 01:46 AM

Hi Naveed,

Do you want to actually design and build an IDS system, or use an existing IDS system and add some features and GUI stuff? Snort is an already available open-source IDS system. It covers fragmentation and timings and is based on signature matching, with a rich set of signatures.
If you want to design your own IDS you'll need a proxy application to receive data from clients and forward it to the server, and a signature matching engine to match vulnerability signatures against the TCP payload. Depending on the result of the matching you can let the connection continue or drop it by sending reset packets to the client and server.

Thanks,
lasthell

#3 naveed.pasha, 12-25-2007, 06:39 AM

Hi Lasthell,

Firstly I'd like to thank you for the great info you've provided me with. I'm not sure which option to go for: either design and build, or modify an existing one such as Snort. I've looked through the information on the Snort website and it does seem rather complicated. I think after all the planning and writing and research and what not, I'll probably have a period of 3 weeks to program the actual IDS - so what would you recommend for this kind of time frame? Additionally, what proxy application and signature matching engine would you recommend?

Thanks again!

#4 lasthell, 12-25-2007, 07:21 AM

Naveed, if you want to go with a very simplistic approach, this can be done.

1) The Linux utility "netsed" can be used to match patterns on packet data. This utility works just like sed, just instead of files it works on packet data.

2) Make a collection of some limited software vulnerability signatures in one file, and match these signatures against the TCP payload of a specific port using netsed.

3) You can get any application-specific (telnet, ftp, etc.) vulnerability information on the net and develop signatures for the same (you can download them too).

4) You have to differentiate signatures according to their protocols, which in turn can be identified using port numbers.

5) So using netsed you'll be matching signatures only specific to that application with packets coming in on that application's standard port.

6) You can log information using simple bash commands when a pattern matches.

Run your IDS script/application as a daemon on the server machine and you are through.
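
The port-keyed signature matching outlined in steps 2 to 6 of the post above, as an added example that is not part of the original thread and does not use netsed. The signatures, addresses and the `PortSignatureMatcher` name are constructed for illustration; a short per-connection tail is kept so that a pattern split across two TCP segments still matches.

```python
import re
from collections import defaultdict

# Constructed, illustrative signatures grouped by destination port (steps 2-5).
SIGNATURES = {
    21: [("ftp-long-user", re.compile(rb"USER [^\r\n]{64,}")),
         ("ftp-site-exec", re.compile(rb"SITE EXEC", re.I))],
    80: [("http-dir-traversal", re.compile(rb"GET [^\r\n ]*\.\./"))],
}
TAIL = 128  # bytes of earlier payload kept per connection for split patterns

# Constructed sample traffic: (source, destination, destination port, payload).
SEGMENTS = [
    ("192.0.2.5:40000", "192.0.2.9", 21, b"USER anonymous\r\n"),
    ("192.0.2.7:40001", "192.0.2.9", 21, b"SITE EX"),          # pattern split...
    ("192.0.2.7:40001", "192.0.2.9", 21, b"EC test\r\n"),      # ...over two segments
    ("192.0.2.8:40002", "192.0.2.9", 80, b"GET /docs/../../private.txt HTTP/1.0\r\n"),
    ("192.0.2.8:40003", "192.0.2.9", 8080, b"GET /../x HTTP/1.0\r\n"),  # no rules
]

class PortSignatureMatcher:
    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.buffers = defaultdict(bytes)  # connection -> recent payload bytes
        self.fired = defaultdict(set)      # connection -> signatures already logged
        self.alerts = []                   # stands in for the log file of step 6

    def feed(self, src, dst, dport, payload):
        """Inspect one TCP segment's payload and return the alerts it raised."""
        rules = self.signatures.get(dport)
        if not rules:                      # step 4: protocol identified by port
            return []
        conn = (src, dst, dport)
        data = self.buffers[conn] + payload
        new = []
        for name, pattern in rules:
            if name not in self.fired[conn] and pattern.search(data):
                self.fired[conn].add(name)
                new.append(f"ALERT {name} {src} -> {dst}:{dport}")
        self.buffers[conn] = data[-TAIL:]
        self.alerts.extend(new)
        return new

def run(segments=SEGMENTS):
    matcher = PortSignatureMatcher()
    for segment in segments:
        matcher.feed(*segment)
    return matcher.alerts
```

Segments are assumed to arrive in order; real TCP reassembly is out of scope here.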

#5 naveed.pasha, 12-27-2007, 04:46 PM

Hi Lasthell,

Thanks again - I find your advice invaluable!
I've been pondering the thought of possibly pushing harder to get a better mark for this project and maybe turning this IDS into an Intrusion Prevention System (IPS). After reading a few articles on the net it seems to me that this is the current thing, or more recent than IDSs. I would like to know your opinion on this and thoughts on how to adapt the information you've already given me on how to go about developing the product (a simplistic version of course), that's if you recommend going down this avenue?

Kind Regards.

P.S. I've also got hold of a copy of Intrusion Prevention Fundamentals by Earl Carter and Jonathan Hogue; this seems like a very relevant book. Is there anything else you would recommend?

#6 isthikar, 05-18-2008, 02:29 AM

Hi Naveed,

I too am presently searching for a topic like this... Did you finalize your project, and how was it? I too am going to the networking side, so can you help me out by saying whether your topic works well, so I can propose it too?

But I read it was outdated; if so, I will have a problem with approval. Do you have any topics?

Please reply soon.

#7 olaolu143, 07-07-2008, 06:15 PM

Hello Naveed,

How is your project going?

I am also doing a project based on intrusion detection, but I really want mine to be host based and focus on detecting masquerade attacks.

I found this on the ACM website: "A web-based system for intrusion detection"

You will need to google it, because CodeCall will not let me post a message with links as this is my first post.

It may be helpful.