ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5 Commits
1 Branch
133 KiB
Tree: d67dbc36c9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd67dbc36c9'
${ noResults }
Poor-Mans-IDS/README.md

README.md 6.2 KiB
Raw Normal View History

Prepare for first PUSH to the 'Shack * Add README.md * Reorder Makefile * Remove remarks that don't have any baring outside of here. * Add INI based conig file for defining local networks and ignores. * Break out data classes into their own module (needed for config). * Break out string utilities into their own module. * Remove "us" & "ignore" definitions from source.
3 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162 
  1. Poor Man's IDS

  2. ==============

  3. 

  4. ### (Yes Women can use it too)

  5. 

  6. The goal of this project is to keep an eye on the requests going in

  7. and out of my network onto the Internet (iNet). This is made

  8. necessary for two reasons:

  9. 

  10. 1. By looking for unusual activity I can get a heads up about

  11.    unwanted software or even "spy hardware" on my systems, ie.

  12.    "Detect Intrusions".

  13. 

  14. 2. Almost all software now days, especially those created by gigabuck

  15.    giants, makes requests out onto the iNet that I did not ask for

  16.    and don't want happening. But even Mozilla makes network traffic I

  17.    didn't ask for and don't want.

  18. 

  19. So this tool is my way of "watching the watchers". This is not a

  20. plug-n-play tool that _magically_ grants the user a "suit of

  21. invulnerability". But it is a tool for those looking for more insight

  22. into their iNet traffic either due to security concerns or curiosity.

  23. 

  24. This software is in the very early stages. Right now it just combines

  25. data from logs from a couple of different software packages. I've

  26. already setup many blocks for traffic I don't want happening, like

  27. g00gle Analytics, some ad servers, ...

  28. 

  29. For the curious I'll post my current block lists in this repository

  30. from time to time. But be **WARNED** that its likely to break your

  31. iNet experience if you use them. I'm a cyber-rebel at heart and tend

  32. to take an "if its doing something I don't want, I have no use for

  33. it" approach. Meaning I'd rather not use a site / program if it

  34. violates my concerns, rather than just "go with the flow". And I will

  35. likely discover I'm breaking stuff I actually want, like: I realized

  36. I've broken my ability to post comments on

  37. [HaD](https://hackaday.com/), but I was curious about what "Server X"

  38. did.

  39. 

  40. So! If you're not "faint of heart" come join me on my adventure in

  41. iNet security exploration.

  42. 

  43. 

  44. 

  45. Phase 1 - General Setup & Operation

  46. -----------------------------------

  47. 

  48. In general I feel its necessary to have a **real-world** idea of what

  49. you're dealing with before diving in and writing software to deal

  50. with what you _think_ your dealing with. So the basic plan is simple:

  51. 

  52. 1. Setup my network routing devices, which are running Linux, to log

  53.   DNS queries and network connections. Specifically, anything that is

  54.   a _new_ unrelated packet gets logged.

  55. 

  56. 2. Collect the logs on a machine, with backups on alternate machines.

  57. 

  58. 3. Run the logs through a filter to combine the DNS query data with

  59.    the packet data.

  60. 

  61. 4. Analyze results to determine phase 2 needs.

  62. 

  63. In this phase I'm jumping the gun a bit, but cyber-thugs are actively

  64. beating on all of our doors, even as I'm getting my stuff together

  65. and there are certain kinds of traffic I know I want to put an end

  66. to. In that light I've already spotted interesting servers I'm

  67. blocking. And I've beefed up my firewall to my mail server with more

  68. permanent blocks from obvious MTA bashers.

  69. 

  70. In this phase I'm using the most excellent

  71. "[dnsmasq](https://thekelleys.org.uk/dnsmasq/doc.html)" to log the

  72. queries **and** block host names I don't want being accessed. I do

  73. this by assigning the bogus address "127.0.0.255" to the names in my

  74. server's "hosts" file, which is used by "dnsmasq" to answer DNS

  75. queries. That address is a **valid** "localhost" address, so will

  76. **immediately** fail requests unless you put a http(s) server. And

  77. I'm sure you can imagine those possibilities.

  78. 

  79. The other source of information and block capabilities is "iptables"

  80. / "ip6tables". I added rules to log "new" packets. The parsing

  81. software is what this repository is about right now.

  82. 

  83. 

  84. 

  85. Note on routers

  86. ---------------

  87. 

  88. I'm using Netgear appliances for WiFi and the first tier firewall

  89. connected to my iNet connection. Since a lot of modern ISP connection

  90. devices provide their own idea of security I have to turn off their

  91. firewall stuff and configure them in a transparent bridging

  92. configuration.

  93. 

  94. I use Netgear because they actively provide tool chains for select

  95. models of their equipment and encourage people to load their own

  96. software mods on them. Have a look at

  97. [My Open Router](https://www.myopenrouter.com/). On my devices I

  98. have settled on [Shibby's Tomato](https://tomato.groov.pl/). Its very

  99. compact, extremely flexible and seems to have everything I've needed

  100. when I've needed it. As an example my dnsmasq & iptables setup for my

  101. gateway router required no changes to the firmware. I just put some

  102. of the lesser used config pages to use.

  103. 

  104. 

  105. 

  106. The future

  107. ----------

  108. 

  109. The goal is an active alert system. This system should provide

  110. immediate feedback on unknown connections allowing the user to either

  111. grant or deny access and maintain the appropriate block lists.

  112. 

  113. But as "reality" exposes itself things are likely to change.

  114. 

  115. 

  116. 

  117. The CODE

  118. --------

  119. 

  120. I'm using C++ to write this. I'm targeting C++98 at this time.

  121. Although I think C++11 defines the minimum viable version of C++

  122. there are places that its still not available, which is most likely

  123. to happen with oddball tool chains like those provided by Netgear.

  124. But even my RaspberryPI 2B doesn't support it. Well... maybe with an

  125. OS upgrade... I'm hoping to support a very wide Linux platform

  126. coverage.

  127. 

  128. I'm doing all of my development with Linux. It may be possible to do

  129. something similar, maybe with very little modification, on BSD based

  130. platforms. I don't have them and therefor won't be personally working

  131. on it. But, unless it makes things really ugly, I'm not opposed to

  132. contributions on that front.

  133. 

  134. 

  135. 

  136. Installation & use

  137. ------------------

  138. 

  139. This is still **VERY** crude and incomplete.

  140. 

  141. 1. Configure the source: the basic setup is hardcoded in the source.

  142.    I'm just testing right now. ;-) There are three lines near the

  143.    bottom of "iptraffic.cpp" to be concerned with:

  144. 

  145.     * `#define PATH "/srv/backups/iptraffic"`: this is the base path

  146.       to the work directory. Its prepended to other paths, read on.

  147. 

  148.     * `ifstream log(PATH "/test.log");`: defines the log file to

  149.       process.

  150. 

  151.     * `ofstream out(PATH "/processed.log");`: the file with the

  152.       combined data that's written out.

  153. 

  154.     * `config.load(PATH "/iptraffic.conf");`: Path to a configuration

  155.       file that lists networks to consider as "us" and connections to

  156.       ignore, basically the set that is considered "OK".

  157. 

  158. 2. Type "make" to compile. Hopefully it compiles for you.

  159. 

  160. 3. Run "iptraffic".

  161. 

  162. 4. Check the output.