Question: THE IDS Detector Engine simulation problem

Objective:

Implemented a signature based Intrusion Detection Engine.

Optimize performance of detection engine.

Parameters:

This is an individual project, but group members can share ideas and all must document their contributions.

10% of the grade will be based upon the relative performance (in comparison to other teams) of a given trace and rule set which the instructor will provide.

5% of the grade will be based upon the relative technological merits and creative innovations used in the design e.g., advanced search techniques and/or parallel processing.

5% of the grade will be based upon the relative submission timeline, i.e., the first team to submit a solution receives full points.

You may use any of the following languages: Intel Assembly, C/C++, C#, Java, Perl, Python, VB. However, language and development will have an impact on your grade.

Process:

Write a program that inputs a summarized network trace in Wireshark CSV format and a set of Snort rules.

For each network trace record search the table of rules for a matching rule.

If a rule is matched, output a report indicating the network trace data and rule action.

Your program must maintain performance timing information: Runtime, average search time, number of records processed.

Matching process

Match on header information (protocol, source, and destination) first, then match on flags, TTL and content.

Assume $HOME_NET is 10.0.0.0/8 and $EXTERNAL_NET is any other IP address for the wiresharksample.txt file and 192.168.3.0/24 for the zeus file.

Support port ranges and lists in brackets [ ]

Support any for IP and port

Protocols supported: TCP, UDP, ICMP, IP (DNS, ARP, etc.)

Testing:

Use the provided sample data set for the network trace.

Use the simplified Snort csv rules (see below) for testing.

Input File: Network Trace

ASCII text file input in the following format: "No.","Time","Source","Destination","Protocol","Length","Info"

See the example files generated from Wireshark (File >> Export Dissection >> CSV):

wiresharksample.txt (Home net 10.0.0.0/8)

zeus.txt (Home net 192.168.3.0/24)

Input File: Rules

sortrules.txt file - community Snort rules.

Standard Snort Format: [#] Action Protocol Source IP Source Port Direction Destination IP Destination Port (options)

Process header fields and only the flags, content and msg options.

Field - Search Options - Comments

Action: Alert, Drop. Action to be performed if a match occurs.

Protocol: any valid protocol (TCP, UDP, ICMP, IP). String match to the input data.

Source IP: Any, IPv4 CIDR mask (ip/bits), or IPv4 address. Three possible search options.

Source Port: Any, port range (low:high), or port. Three possible search options.

Direction: -> (source to destination) or <> (bi-directional).

Destination IP: Any, IPv4 CIDR mask (ip/bits), or IPv4 address. Three possible search options.

Destination Port: Any, port range (low:high), or port. Three possible search options.

Flags: U - urg, A - ack, P - psh, R - rst, S - syn, F - fin. Only needed for the TCP protocol.

TTL: TTL value. Match on the numeric value if present.

Content: string value from the packet, or |hex string|. Match on string or hex string.

Program Design

Functional Components - the following functional decomposition is recommended.

Function (extractRules): reads Snort formatted rules file and loads into a memory table.

Function (detect): reads network trace data in csv format (recommended) or pcap format; scans the rule table for a rule header and selected rule option matches. If all fields match, it outputs an alert message. The order of field checks is as follows: protocol, source ip, source port, destination ip, destination port - if a rule header applies, then check the rule options, flags and content fields only. Calls the check functions below to determine if a rule applies.

Function (checkProt): compares the rule protocol to the network trace protocol.

Function (checkIP): compares the rule source or destination IP to the network trace source or destination IP.

Function (checkPort): compares the rule ports to the network trace ports - both source and destination.

Function (checkFlags): compares the rule flags to the network trace flags.

Function (checkContent): compares the rule content to the network trace content.

Function (main): calls the extractRules() function to initialize the rules table, followed by the detect() function.
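A compact worked version of the recommended decomposition (extractRules, detect, and the checkIP/checkPort/checkFlags logic) as an added Python example; it is not code from the assignment or from any submission. The two rules, the Wireshark CSV rows and the ">" port separator in the Info column are constructed sample data, and only the header match plus the flags option is implemented (content and TTL are left out).

```python
import csv, io, ipaddress, re

# Constructed sample data (not the assignment's files); home net as for wiresharksample.txt.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
TAGS = {"any": None, "$EXTERNAL_NET": "external", "$HOME_NET": HOME_NET}
RULES = '''alert tcp $EXTERNAL_NET any -> $HOME_NET [80,443,8000:8080] (msg:"web probe"; flags:S;)
drop udp any any <> $HOME_NET 53 (msg:"dns to home net";)'''
TRACE = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000","203.0.113.9","10.1.2.3","TCP","74","51234 > 8080 [SYN] Seq=0 Win=64240"
"2","0.010","10.1.2.3","203.0.113.9","TCP","74","8080 > 51234 [SYN, ACK] Seq=0 Ack=1"
"3","0.020","10.9.9.9","203.0.113.9","UDP","132","53 > 40001 Len=90"'''
HDR = re.compile(r'^(\w+) (\w+) (\S+) (\S+) (->|<>) (\S+) (\S+) \((.*)\)$')
FLAG = {"URG": "U", "ACK": "A", "PSH": "P", "RST": "R", "SYN": "S", "FIN": "F"}

def parse_ports(spec):  # 'any' -> None; '53', '8000:8080' or '[80,443,8000:8080]' -> [(low, high), ...]
    return None if spec == "any" else [(int(lo), int(hi or lo)) for lo, _, hi in
                                       (p.partition(":") for p in spec.strip("[]").split(","))]

def parse_ip(spec):  # 'any' -> None; $EXTERNAL_NET -> tag; $HOME_NET, CIDR or single address -> network
    return TAGS[spec] if spec in TAGS else ipaddress.ip_network(spec, strict=False)

def extract_rules(text):  # Snort rule header plus only the msg and flags options, as a list of dicts
    rules = []
    for line in text.splitlines():
        act, proto, sip, sp, dirn, dip, dp, opts = HDR.match(line).groups()
        o = dict(re.findall(r'(\w+):\s*([^;]+);', opts))
        rules.append(dict(action=act, proto=proto.upper(), dirn=dirn, msg=o.get("msg", "").strip('"'),
                          flags=set(o["flags"]) if "flags" in o else None,
                          src=(parse_ip(sip), parse_ports(sp)), dst=(parse_ip(dip), parse_ports(dp))))
    return rules

def side_ok(side, addr, port):  # checkIP + checkPort for one end of the rule header
    want_ip, want_ports = side
    a = ipaddress.ip_address(addr)
    ip_ok = want_ip is None or (a not in HOME_NET if want_ip == "external" else a in want_ip)
    return ip_ok and (want_ports is None or any(lo <= port <= hi for lo, hi in want_ports))

def detect(rules, trace_csv):  # header first (protocol, IPs, ports, honouring <>), then flags
    hits = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        m = re.search(r'(\d+)\s*(?:>|→)\s*(\d+)', row["Info"])  # ports live in Wireshark's Info column
        sport, dport = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
        flags = {FLAG[f] for f in re.findall(r'\b(URG|ACK|PSH|RST|SYN|FIN)\b', row["Info"])}
        for r in (x for x in rules if x["proto"] == row["Protocol"]):
            fwd = side_ok(r["src"], row["Source"], sport) and side_ok(r["dst"], row["Destination"], dport)
            rev = r["dirn"] == "<>" and side_ok(r["src"], row["Destination"], dport) \
                and side_ok(r["dst"], row["Source"], sport)
            if (fwd or rev) and (r["flags"] is None or r["flags"] <= flags):
                hits.append((row["No."], r["action"], r["msg"]))
    return hits
```

Record 2 (the SYN/ACK back to the external host) produces no alert because the first rule is one-directional, while record 3 matches only through the reverse check that the <> direction enables.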
