The Poor Man's (or Woman's) Intrusion Detection System
Jon Foster d67dbc36c9 Proper CLI interface for iptraffic 2 years ago
README.md

Poor Man’s IDS

(Yes Women can use it too)

The goal of this project is to keep an eye on the requests going in and out of my network onto the Internet (iNet). This is made necessary for two reasons:

  1. By looking for unusual activity I can get a heads-up about unwanted software or even “spy hardware” on my systems, i.e. “detect intrusions”.

  2. Almost all software nowadays, especially that created by gigabuck giants, makes requests out onto the iNet that I did not ask for and don’t want happening. Even Mozilla makes network traffic I didn’t ask for and don’t want.

So this tool is my way of “watching the watchers”. This is not a plug-n-play tool that magically grants the user a “suit of invulnerability”. But it is a tool for those looking for more insight into their iNet traffic either due to security concerns or curiosity.

This software is in the very early stages. Right now it just combines data from the logs of a couple of different software packages. I’ve already set up many blocks for traffic I don’t want happening, like g00gle Analytics, some ad servers, ...

For the curious I’ll post my current block lists in this repository from time to time. But be WARNED that they are likely to break your iNet experience if you use them. I’m a cyber-rebel at heart and tend to take an “if it’s doing something I don’t want, I have no use for it” approach. Meaning I’d rather not use a site / program if it violates my concerns, rather than just “go with the flow”. And I will likely discover I’m breaking stuff I actually want, like: I realized I’ve broken my ability to post comments on HaD, but I was curious about what “Server X” did.

So! If you’re not “faint of heart” come join me on my adventure in iNet security exploration.

Phase 1 - General Setup & Operation

In general I feel it’s necessary to have a real-world idea of what you’re dealing with before diving in and writing software to deal with what you think you’re dealing with. So the basic plan is simple:

  1. Set up my network routing devices, which are running Linux, to log DNS queries and network connections. Specifically, anything that is a new unrelated packet gets logged.

  2. Collect the logs on a machine, with backups on alternate machines.

  3. Run the logs through a filter to combine the DNS query data with the packet data.

  4. Analyze results to determine phase 2 needs.

In this phase I’m jumping the gun a bit, but cyber-thugs are actively beating on all of our doors, even as I’m getting my stuff together and there are certain kinds of traffic I know I want to put an end to. In that light I’ve already spotted interesting servers I’m blocking. And I’ve beefed up my firewall to my mail server with more permanent blocks from obvious MTA bashers.

In this phase I’m using the most excellent “dnsmasq” to log the queries and block host names I don’t want being accessed. I do this by assigning the bogus address “127.0.0.255” to the names in my server’s “hosts” file, which “dnsmasq” uses to answer DNS queries. That address is a valid “localhost” address, so requests to it fail immediately unless you put an HTTP(S) server there. And I’m sure you can imagine those possibilities.

The other source of information and block capabilities is “iptables” / “ip6tables”. I added rules to log “new” packets. The parsing software is what this repository is about right now.
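As an added example (not the project’s own code), here is a small Python combiner for phase 1 step 3: it reads dnsmasq answer lines and iptables LOG lines for new packets, maps each remote IP back to the names that resolved to it, tags each connection as inbound or outbound against a list of “us” networks, and flags connections on an ignore list. The log lines, the “us” network and the ignore list are constructed stand-ins; the “NEW:” log prefix and the config shape are assumptions, not the project’s iptraffic.conf format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the shapes dnsmasq (log-queries) and an
# iptables LOG target produce; not taken from the project's real logs.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw dnsmasq[512]: query[A] www.example.com from 192.168.1.10
Mar  3 10:00:01 gw dnsmasq[512]: reply www.example.com is 93.184.216.34
Mar  3 10:00:02 gw kernel: NEW: IN=br0 OUT=vlan2 SRC=192.168.1.10 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Mar  3 10:00:05 gw dnsmasq[512]: query[A] tracker.example.net from 192.168.1.10
Mar  3 10:00:05 gw dnsmasq[512]: /etc/hosts tracker.example.net is 127.0.0.255
Mar  3 10:00:09 gw kernel: NEW: IN=vlan2 OUT=br0 SRC=198.51.100.7 DST=192.168.1.5 LEN=40 PROTO=TCP SPT=40000 DPT=25 SYN
"""

# Assumed stand-in for iptraffic.conf: networks that are "us" and
# (remote IP, destination port) pairs considered OK.
US_NETS = [ipaddress.ip_network("192.168.1.0/24")]
IGNORE = {("93.184.216.34", "443")}

# dnsmasq answer lines: upstream replies, cache hits and hosts-file answers.
DNS_RE = re.compile(r"dnsmasq\[\d+\]: (?:reply|cached|/etc/hosts) (\S+) is (\S+)")
# iptables LOG line: SRC/DST always present, SPT/DPT only for TCP/UDP.
PKT_RE = re.compile(r"kernel: .*?SRC=(\S+) DST=(\S+) .*?PROTO=(\S+)(?: SPT=\d+ DPT=(\d+))?")

def is_us(ip):
    return any(ipaddress.ip_address(ip) in net for net in US_NETS)

def combine(log_text):
    """Join DNS answers with new-connection packet lines into records."""
    names = defaultdict(set)  # IP -> hostnames that resolved to it so far
    records = []
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m:
            names[m.group(2)].add(m.group(1))
            continue
        m = PKT_RE.search(line)
        if not m:
            continue  # query lines and unrelated syslog noise
        src, dst, proto, dport = m.groups()
        direction = "out" if is_us(src) and not is_us(dst) else "in"
        remote = dst if direction == "out" else src
        records.append({"dir": direction, "src": src, "dst": dst,
                        "proto": proto, "dport": dport,
                        "names": sorted(names.get(remote, ())),
                        "ok": (remote, dport) in IGNORE})
    return records
```

Names are only known for connections made after the matching DNS answer was logged, so the log order from the router matters; a blocked name shows up only as a hosts-file answer with 127.0.0.255 and never as a packet record.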

Note on routers

I’m using Netgear appliances for WiFi and the first tier firewall connected to my iNet connection. Since a lot of modern ISP connection devices provide their own idea of security I have to turn off their firewall stuff and configure them in a transparent bridging configuration.

I use Netgear because they actively provide tool chains for select models of their equipment and encourage people to load their own software mods on them. Have a look at My Open Router. On my devices I have settled on Shibby’s Tomato. It’s very compact, extremely flexible and seems to have everything I’ve needed when I’ve needed it. As an example, my dnsmasq & iptables setup for my gateway router required no changes to the firmware. I just put some of the lesser used config pages to use.

The future

The goal is an active alert system. This system should provide immediate feedback on unknown connections allowing the user to either grant or deny access and maintain the appropriate block lists.

But as “reality” exposes itself things are likely to change.

The CODE

I’m using C++ to write this. I’m targeting C++98 at this time. Although I think C++11 defines the minimum viable version of C++, there are places where it’s still not available, which is most likely to happen with oddball tool chains like those provided by Netgear. But even my RaspberryPI 2B doesn’t support it. Well... maybe with an OS upgrade... I’m hoping to support very wide Linux platform coverage.

I’m doing all of my development with Linux. It may be possible to do something similar, maybe with very little modification, on BSD based platforms. I don’t have them and therefore won’t be personally working on it. But, unless it makes things really ugly, I’m not opposed to contributions on that front.

Installation & use

This is still VERY crude and incomplete.

  1. Configure the source: the basic setup is hardcoded in the source. I’m just testing right now. ;-) There are three lines near the bottom of “iptraffic.cpp” to be concerned with:

    • #define PATH "/srv/backups/iptraffic": this is the base path to the work directory. It’s prepended to the other paths, read on.

    • ifstream log(PATH "/test.log");: defines the log file to process.

    • ofstream out(PATH "/processed.log");: the file with the combined data that’s written out.

    • config.load(PATH "/iptraffic.conf");: Path to a configuration file that lists networks to consider as “us” and connections to ignore, basically the set that is considered “OK”.

  2. Type “make” to compile. Hopefully it compiles for you.

  3. Run “iptraffic”.

  4. Check the output.