First page

master
Jon Foster 2 years ago
commit
ed9c45726c
3 changed files with 23 additions and 0 deletions
  1. +23 -0  Home.md
  2. BIN     imgs/tomato-dnsmasq.png
  3. BIN     imgs/tomato-syslog.png

+23 -0  Home.md

@@ -0,0 +1,23 @@
Welcome to the Poor-Mans-IDS Wiki!
==================================

There are a few different classes of "Intrusion Detection Systems" (IDS). Since the bulk of malware or corporation sponsored leaks require communicating across the Internet I'm starting with a central network traffic monitor based approach.

This approach can be used on a single computer, which is simpler, or for a whole network. At the exit to the internet I want to collect data about connections getting made, associate them with DNS requests and provide tools to classify in one of three different ways and respond accordingly:

1. Accept the traffic
2. Block the traffic
3. Unknown traffic make a decision

By marking remote systems as acceptable or unacceptable I can whittle down the traffic I want to watch into the "unkown" category. The "accept" traffic becomes a filter on the data reports. The "blocked" traffic is physically blocked and _shouldn't_ happen again. The "unknown" is then presented to the IDS operator for review in one way or another.

***WARN:*** _What I'm doing here is not an install and forget sort of solution. There are commercial products out there that will attempt to protect you to some extent, without any need to understand what is really happening. What I'm building up here are tools for the truly paranoid and curious.

> You can't trust code that you did not totally create yourself. Especially code from companies that employ people like me.
> -- Ken Thompson (creator of UNIX) @ '83 Turing Award

I think its important to note that pre-packaged solutions will be setup to mark traffic in whatever manner is suitable to the manufacturer and while they might provide some control its not **your** total control. This can be bad and good. But my paranoia level has raised such I, personally, can't trust big money making entites. Especially when it looks like the solution is sooo much simpler.

Its also of importantance to understand that one of the **biggest** threats facing the average user is malware injected into legitimate websites, often by getting them to load content from sources that are not part of the site's domain. I've already been surprised by the vast number of external sources pulled into common sites. Since those code sources are not under the site owner's control its possible they can become a _poisoned well_. Although its not like the site itself can't get hacked, but often times that means they pull in more _foreign_ scripts with the poisoned payload which would fall into the "unknown" category above and alert the operator.

This solution is likely to grow in scope as time progresses. My initial aim is to do as little coding as possible and use as much _off the shelf_ software as possible. Patching those packages is likely to happen.
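Review bot: the accept/block/unknown scheme never says what key the accept and block lists are matched on, and that decides how the whole system behaves. The page says it will "collect data about connections getting made, associate them with DNS requests", so a classification could be keyed on the remote IP, on the resolved hostname, or on the DNS name the connection was associated with; the same external source can resolve to several addresses, so an IP-keyed list and a name-keyed list will give different results for the "unknown" bucket. State which one is used, and how a connection that arrives with no matching DNS request is classified. Second, "The 'blocked' traffic is physically blocked and _shouldn't_ happen again" suggests blocked traffic drops out of the reports; it should still be logged and counted, because a host that keeps retrying a blocked destination is exactly the kind of signal an operator wants to review, so consider adding a line saying blocked attempts are recorded even though they are not forwarded. Third, this commit adds imgs/tomato-dnsmasq.png and imgs/tomato-syslog.png but Home.md never embeds or mentions them; either reference them where the dnsmasq and syslog setup is described or leave them for the commit that does. Minor: list item 3 reads as a fragment ("3. Unknown traffic make a decision", presumably "Unknown traffic: make a decision"), and "unkown", "entites" and "importantance" are typos.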

BIN
imgs/tomato-dnsmasq.png

Width: 414  |  Height: 482  |  Size: 27 KiB

BIN
imgs/tomato-syslog.png

Width: 665  |  Height: 504  |  Size: 30 KiB
