5 Home
Jon Foster edited this page 3 months ago

Welcome to the Poor Man’s IDS Wiki!

Introduction

There are a few different classes of “Intrusion Detection Systems” (IDS). Since the bulk of malware or corporation sponsored leaks require communicating across the Internet I’m starting with a central network traffic monitor based approach.

This approach can be used on a single computer, which is simpler, or for a whole network. At the exit to the internet I want to collect data about connections getting made, associate them with DNS requests and provide tools to classify in one of three different ways and respond accordingly:

  1. Accept the traffic
  2. Block the traffic
  3. Unknown traffic make a decision

By marking remote systems as acceptable or unacceptable I can whittle down the traffic I want to watch into the “unkown” category. The “accept” traffic becomes a filter on the data reports. The “blocked” traffic is physically blocked and shouldn’t happen again. The “unknown” is then presented to the IDS operator for review in one way or another.

WARN: _What I’m doing here is not an install and forget sort of solution. There are commercial products out there that will attempt to protect you to some extent, without any need to understand what is really happening. What I’m building up here are tools for the truly paranoid and curious.

You can’t trust code that you did not totally create yourself. Especially code from companies that employ people like me.
-- Ken Thompson (creator of UNIX) @ ‘83 Turing Award

I think its important to note that pre-packaged solutions will be setup to mark traffic in whatever manner is suitable to the manufacturer and while they might provide some control its not completely under your control. This can be bad and good. But my paranoia level has raised such that I, personally, can’t trust big money making entites. Especially when it looks like this solution is sooo much simpler.

Its also of importantance to understand that one of the biggest threats facing the average user is malware injected into legitimate websites, often by getting them to load content from sources that are not part of the site’s domain. I’ve already been surprised by the vast number of external sources pulled into common sites. Since those code sources are not under the site owner’s control its possible they can become a poisoned well. Although its not like the site itself can’t get hacked, but often times that means they pull in more foreign scripts with the poisoned payload which would fall into the “unknown” category above and alert the operator.

This solution is likely to grow in scope as time progresses. My initial aim is to do as little coding as possible and use as much off the shelf software as possible. Patching those packages if needed. Thank G-D for Open Source!

Now onto the spy tools...

Table of Contents

Phase 1 - Network Setup
Phase-1 - Netgear Router Setup