Programming Assignment #7: Intrusion Detection System

1. Introduction

An Intrusion Detection System (IDS) looks for known attacks. A simple type of IDS looks for attack signatures. This assignment will require you to detect some known attacks and log them.

2. Details

Use libpcap if you are programming in a Linux/Unix type of environment, or WinPcap if you are programming in a Microsoft Windows environment. They can natively be used with C/C++ and have bindings to Java as well. For Linux/Unix users, the libpcap library can be downloaded from www.tcpdump.org. For Windows users, the WinPcap library can be downloaded from winpcap.polito.it. Whether you use libpcap or WinPcap, read the tutorial from the respective website. Also, read and understand the examples that come with the source code. For ease of programming, only worry about IPv4. You get 50% extra credit if you also handle IPv6.

3. Network Integrity (45%)

You will only have a single program for this assignment. It must be named ids on Linux/Unix platforms, or ids.exe on Windows platforms. You will only need to worry about monitoring TCP traffic. Modern IDS programs check for a variety of things; you will be asked to check for only three significant signatures of attack.
4. Intrusion Notification (10%)

When an attack signature is identified, it should log the suspicion to a file named ids.txt, including: the type of intrusion that was detected, where it was from, and what time it occurred. It should then completely block the offending IP using your code from your previously created firewall program. The file should be in this format:

YYYYMMDD-HH:MM.SS

The following is an example of what an ids.txt file might look like.

20071107-11:37.31 192.168.0.102 Port Scan

5. User Interface (20%)

Your program will have a menu that must look and behave like the following:
1. Start IDS

5.1 Start IDS

Start monitoring all traffic, and begin analyzing for the criteria specified in the sections below. If activation works, respond "IDS Started!", else respond "Error! Unable to start IDS!", with a descriptive error message.

Example: Start the IDS, which should give positive feedback

$ ./ids

Example: If there is an error

$ ./ids

5.2 Stop IDS

Stop monitoring traffic, and clear all lists of blocked users and firewall rules. If deactivation works, respond "IDS Stopped!", else respond "Error! Unable to stop IDS!", with a descriptive error message.

Example: Stop the IDS, which should give positive feedback

1. Start IDS

Example: If there is an error

$ ./ids

5.3 View Current Traffic

Simply start dumping all sniffed traffic to the console for 10 seconds. Use the standard pcap way of presenting the data.

5.4 View Block List

List all IP addresses that are currently blocked and the reason for being blocked.

Example: Below are the three possible reasons for being blocked.

1. Start IDS

The output should be in this format: <User#>-<SIP> - <Reason>

5.5 View Current Firewall Rules

Print the rules in the order they were entered. Make sure to number them, so the user can tell which rule they want to delete if needed.

Example:

1. Start IDS

The output should be in the following format: <Rule#>-<SIP>/<SMask>:<SPort> <DIP>/<DMask>:<DPort> <Protocol> <Action>

5.6 Unblock User

Have the user enter the number that corresponds to the IP address from the View Block List command, then unblock this user. This means you must keep track of which firewall rule belongs to which blocked user. If unblocking works, respond "User Unblocked!", else respond "Error! Unable to unblock user!", with a descriptive error message.

Example: Unblock the 2nd user

1. Start IDS

Verify that the user is no longer blocked

1. Start IDS

Now print the firewall rules to check that the corresponding rule is gone

1. Start IDS

If you try to unblock the 3rd user you should get an error

1. Start IDS

5.7 Quit

Stop all firewall and packet monitoring processes and exit gracefully.

6. Testing Your Application (15%)

Along with your assignment, include a document test.txt that includes the resulting firewall rules, and the output from ids.txt, from running the following commands on your computer:

Example: Tests for an OS fingerprinting attack
hping2 localhost -SAF

Example: Tests for a buffer overflow; nop.txt should be a text file containing "NOPNOPNOPNOPNOP"

hping2 localhost -E nop.txt

hping2 localhost -p +5200

If done correctly, your test.txt file would look like the following:
1-192.168.0.101/255.255.255.0:0 0.0.0.0/0.0.0.0:0 0 1

Please note that this example should work, even though the packets are getting blocked by the firewall, because pcap reads the packets straight from the device before the OS gets them. This allows you to test your program without the need of another computer on the network.

7. Required Document (5%)

In addition to your source code and your output, you are required to submit a memo to your instructor that is flawlessly written: no spelling errors, no grammatical errors, etc. If the document is deemed unprofessional, e.g. it has a significant number of grammatical or spelling errors, then it will be assigned a grade of zero. If you're not sure about the format for a memo, then just search for "memo format" on Google. Your memo should state clearly the status of the assignment. Is it done or not? Does it meet all of the requirements? If anything is missing, then state clearly what is missing from your work. Failure to give a status for the assignment will result in a grade of zero for the entire assignment. Providing a status that's false or significantly misleading will also result in a zero for the entire assignment. Make sure your document is well-written, succinct, and easy to read. If you encountered problems with the assignment, then provide a detailed description of those problems and the solution(s) you found.

8. Assignment Submission (5%)

You are required to submit your work online, using Blackboard. Late work will be accepted; however, it is subject to late penalties as described in the syllabus. For the electronic submission, here are the requirements:
$Id: programmingAssignment-7.html,v 1.2 2007/10/28 17:34:46 virgil Exp $
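The three hping2 tests in section 6 each exercise one signature: -SAF sets SYN, ACK and FIN together, -E nop.txt sends a payload of repeated "NOP", and -p +5200 walks destination ports. The C classifier below is an added example, not part of the assignment or any reference solution; it parses raw IPv4/TCP bytes directly (no libpcap dependency, so the link-layer header is assumed to be stripped already), the port-scan threshold and the two reason names other than "Port Scan" are assumptions, and build_tcp constructs sample packets for offline testing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Signature codes. The assignment's exact criteria are not on this page; these heuristics are assumptions matched to its hping2 tests. */
enum { SIG_NONE = 0, SIG_OS_FINGERPRINT = 1, SIG_BUFFER_OVERFLOW = 2, SIG_PORT_SCAN = 3 };
#define SCAN_THRESHOLD 5          /* distinct destination ports from one source (assumed value) */
static uint32_t scan_src;         /* single-source tracker; a real IDS keys this per source address */
static uint16_t scan_ports[SCAN_THRESHOLD];
static int scan_count;

/* Classify one IPv4+TCP packet (link-layer header already stripped by the caller). */
int classify_tcp(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return SIG_NONE;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (pkt[9] != 6 || len < ihl + 20) return SIG_NONE;    /* IP protocol 6 = TCP */
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff) return SIG_NONE;
    /* FIN, SYN and ACK set together (hping2 -SAF) never occurs in a legitimate session. */
    if ((tcp[13] & 0x13) == 0x13) return SIG_OS_FINGERPRINT;
    /* A run of "NOP" in the payload is the sled pattern nop.txt carries (hping2 -E nop.txt). */
    for (size_t i = 0, plen = len - ihl - doff; i + 9 <= plen; i++)
        if (memcmp(tcp + doff + i, "NOPNOPNOP", 9) == 0) return SIG_BUFFER_OVERFLOW;
    /* Many distinct destination ports from one source (hping2 -p +5200 increments the port). */
    uint32_t src; memcpy(&src, pkt + 12, 4);
    uint16_t dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    if (src != scan_src) { scan_src = src; scan_count = 0; }
    for (int i = 0; i < scan_count; i++) if (scan_ports[i] == dport) return SIG_NONE;
    if (scan_count < SCAN_THRESHOLD) scan_ports[scan_count++] = dport;
    return scan_count >= SCAN_THRESHOLD ? SIG_PORT_SCAN : SIG_NONE;
}

/* One ids.txt line, YYYYMMDD-HH:MM.SS <source IP> <reason>, matching the assignment's example; reason names other than "Port Scan" are assumed. */
int format_log_line(char *out, size_t n, time_t when, const uint8_t *pkt, int sig) {
    static const char *reason[] = { "None", "OS Fingerprint", "Buffer Overflow", "Port Scan" };
    char ts[32];
    strftime(ts, sizeof ts, "%Y%m%d-%H:%M.%S", gmtime(&when));   /* UTC keeps the output repeatable */
    return snprintf(out, n, "%s %d.%d.%d.%d %s", ts, pkt[12], pkt[13], pkt[14], pkt[15], reason[sig]);
}

/* Constructed test input: minimal IPv4/TCP packet from 192.168.0.102 to 127.0.0.1, checksums left zero; buf needs 40 + strlen(payload) bytes. */
size_t build_tcp(uint8_t *buf, uint16_t dport, uint8_t flags, const char *payload) {
    memset(buf, 0, 40); buf[0] = 0x45; buf[9] = 6;                  /* IHL 5, protocol TCP */
    memcpy(buf + 12, "\xc0\xa8\x00\x66", 4); memcpy(buf + 16, "\x7f\x00\x00\x01", 4);
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport; buf[32] = 0x50; buf[33] = flags;
    memcpy(buf + 40, payload, strlen(payload));
    return 40 + strlen(payload);
}
```

In a real ids program the classifier runs inside the pcap callback after skipping the link-layer header, and a positive result triggers both the ids.txt write and the firewall block rule.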