THE IDS Detector Engine simulation problem
Question:
Objective:
Implement a signature-based Intrusion Detection Engine.
Optimize the performance of the detection engine.
Parameters:
This is an individual project, but group members can share ideas, and all must document their contributions.
10% of the grade will be based upon the relative performance (in comparison to other teams) of a given trace and rule set which the instructor will provide.
5% of the grade will be based upon the relative technological merits and creative innovations used in the design e.g., advanced search techniques and/or parallel processing.
5% of the grade will be based upon the relative submission timeline i.e., first team to submit a solution receives full points
You may use any of the following languages: Intel Assembly, C/C++, C#, Java, Perl, Python, VB. However, language and development will have an impact on your grade.
Process:
Write a program that inputs a summarized network trace in Wireshark CSV format and a set of Snort rules.
For each network trace record, search the table of rules for a matching rule.
If a rule is matched, output a report indicating the network trace data and the rule action.
Your program must maintain performance timing information: runtime, average search time, number of records processed.
Matching process
Match on header information (protocol, source, and destination) first, then match on flags, TTL and content.
Assume $HOME_NET is 10.0.0.0/8 and $EXTERNAL_NET is any other IP address for the wiresharksample.txt file, and 192.168.3.0/24 for the zeus file.
Support port ranges and lists in brackets [ ].
Support "any" for IP and port.
Protocols supported: TCP, UDP, ICMP, IP (DNS, ARP, etc.).
Testing:
Use the provided sample data set for the network trace.
Use the simplified Snort csv rules (see below) for testing.
Input File: Network Trace
ASCII text file input in the following format: "No.","Time","Source","Destination","Protocol","Length","Info"
See the example files generated from Wireshark (File >> Export Dissection >> CSV):
wiresharksample.txt (Home net 10.0.0.0/8)
zeus.txt (Home net 192.168.3.0/24)
Input File: Rules
sortrules.txt file - community Snort rules.
Standard Snort format: [#] Action Protocol Source IP Source Port Direction Destination IP Destination Port (options)
Process the header fields and only the flags, content and msg options.
Field            | Search Options                                        | Comments
-----------------|-------------------------------------------------------|------------------------------------------
Action           | alert, drop                                           | Action to be performed if a match occurs
Protocol         | Any valid protocol: TCP, UDP, ICMP, IP                | String match to the input data
Source IP        | any; IPv4 CIDR mask (ip/bits); IPv4 address           | Three possible search options
Source Port      | any; port range (low:high); port                      | Three possible search options
Direction        | ->; <>                                                | Source to destination; bi-directional
Destination IP   | any; IPv4 CIDR mask (ip/bits); IPv4 address           | Three possible search options
Destination Port | any; port range (low:high); port                      | Three possible search options
Flags            | U - urg, A - ack, P - psh, R - rst, S - syn, F - fin  | Only needed for the TCP protocol
TTL              | TTL value                                             | Match on numeric value if present
Content String   | String value from packet, or hex string               | Match on string or hex string
Program Design
Functional Components - the following functional decomposition is recommended:
Function (extractRules): reads the Snort-formatted rules file and loads it into a memory table.
Function (detect): reads network trace data in CSV format (recommended) or pcap format; scans the rule table for a rule header and selected rule option matches. If all fields match, outputs an alert message. The order of field checks is as follows: protocol, source IP, source port, destination IP, destination port; if a rule header applies, then check the rule options, flags and content fields only. Calls the check functions below to determine whether a rule applies.
Function (checkProt): compares the rule protocol to the network trace protocol.
Function (checkIP): compares the rule source or destination IP to the network trace source or destination IP.
Function (checkPort): compares the rule ports to the network trace ports - both source and destination.
Function (checkFlags): compares the rule flags to the network trace flags.
Function (checkContent): compares the rule content to the network trace content.
Function (main): calls the extractRules() function to initialize the rules table, followed by the detect() function.
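The matching process, the rule-field table and the recommended functional decomposition above, carried through as one added example in Python (one of the permitted languages). This is not the assignment's hand-out code nor any team's submission. It assumes that Wireshark's CSV export carries ports and TCP flags only inside the Info column (so they are parsed from there, and TTL, which the CSV lacks, is not checked), that application-layer protocols in the Protocol column can be folded onto their transport through a small assumed map (TRANSPORT_OF), and that $HOME_NET is set per trace file in NET_VARS; the sample rules and trace rows at the bottom are constructed for the demonstration. The one optimization shown is keying the rule table by protocol, so each record is compared only against its own bucket plus the generic ip rules.

```python
# Added example, not the assignment's or any team's code: a small signature matcher over
# Wireshark CSV rows and simplified Snort rules, in the assignment's check order. NET_VARS,
# TRANSPORT_OF and the sample rules/trace at the bottom are constructed assumptions.
import csv, io, ipaddress, re, time
from collections import defaultdict

NET_VARS = {"$HOME_NET": "10.0.0.0/8"}          # per trace file, as the assignment states
TRANSPORT_OF = {"dns": "udp", "http": "tcp"}     # assumed app-layer -> transport mapping
FLAG_CHAR = {"SYN": "S", "ACK": "A", "PSH": "P", "RST": "R", "FIN": "F", "URG": "U"}
HEADER_RE = re.compile(r"^\s*(alert|drop)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.I)
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')
INFO_RE = re.compile(r"^\s*(\d+)\s*(?:→|>)\s*(\d+)(?:\s*\[([A-Z, ]+)\])?")   # "sport → dport [FLAGS]"

def parse_ip(spec):                                # 'any' -> None; else (negated, [networks])
    if spec.lower() == "any":
        return None
    neg, spec = spec.startswith("!"), spec.lstrip("!")
    if spec == "$EXTERNAL_NET":                    # everything that is not $HOME_NET
        neg, spec = not neg, "$HOME_NET"
    items = NET_VARS.get(spec, spec).strip("[]").split(",")
    return neg, [ipaddress.ip_network(NET_VARS.get(i, i), strict=False) for i in items]

def parse_ports(spec):                             # 'any' -> None; else [(lo, hi), ...]
    if spec.lower() == "any":
        return None
    ranges = []
    for item in spec.strip("[]").split(","):       # '80', '1024:', ':1023', '[22,3389]'
        lo, sep, hi = item.partition(":")
        ranges.append((int(lo) if lo else 0, int(hi) if hi else (65535 if sep else int(lo))))
    return ranges

def to_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None                                # MAC addresses in ARP rows, "Broadcast", ...

def extract_rules(text):
    """Load rules into a table keyed by protocol so detect() scans only the relevant bucket."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:                                  # comments, blank lines, unsupported syntax
            continue
        action, proto, sip, sport, direction, dip, dport, opts = m.groups()
        o = {k.lower(): v.strip('"') for k, v in OPT_RE.findall(opts)}
        content = re.sub(r"\|([0-9A-Fa-f ]+)\|",   # "|41 42|" -> the characters it names
                         lambda h: bytes.fromhex(h.group(1)).decode("latin-1"), o.get("content", ""))
        table[proto.lower()].append(dict(
            action=action.lower(), sip=parse_ip(sip), sport=parse_ports(sport), dir=direction,
            dip=parse_ip(dip), dport=parse_ports(dport), msg=o.get("msg", ""), content=content,
            flags=set(o.get("flags", "").upper().rstrip("+*"))))
    return table

def check_ip(spec, addr):                          # addr is None for rows without an IP address
    return spec is None or (addr is not None and any(addr in n for n in spec[1]) != spec[0])
def check_port(spec, port):
    return spec is None or (port is not None and any(lo <= port <= hi for lo, hi in spec))
def check_flags(rule_flags, pkt_flags):            # every flag the rule names must be set
    return rule_flags <= pkt_flags
def check_content(needle, info):
    return needle == "" or needle in info

def rule_matches(r, src, sport, dst, dport, flags, info):
    ends = [(src, sport, dst, dport)] + ([(dst, dport, src, sport)] if r["dir"] == "<>" else [])
    for s, sp, d, dp in ends:                      # header fields first, then the options
        if check_ip(r["sip"], s) and check_port(r["sport"], sp) and \
                check_ip(r["dip"], d) and check_port(r["dport"], dp):
            return check_flags(r["flags"], flags) and check_content(r["content"], info)
    return False

def detect(table, csv_text):
    """Return ([(record no, action, msg)], timing stats) for a Wireshark CSV export."""
    alerts, records, searches, t0 = [], 0, 0, time.perf_counter()
    for records, row in enumerate(csv.DictReader(io.StringIO(csv_text)), 1):
        proto = TRANSPORT_OF.get(row["Protocol"].lower(), row["Protocol"].lower())
        src, dst, m = to_ip(row["Source"]), to_ip(row["Destination"]), INFO_RE.match(row["Info"])
        sport, dport = (int(m.group(1)), int(m.group(2))) if m else (None, None)
        names = (m.group(3) or "").split(",") if m else []
        flags = {FLAG_CHAR[n.strip()] for n in names if n.strip() in FLAG_CHAR}
        for r in table.get(proto, []) + table.get("ip", []):   # "ip" rules apply to every protocol
            searches += 1
            if rule_matches(r, src, sport, dst, dport, flags, row["Info"]):
                alerts.append((row["No."], r["action"], r["msg"]))
    runtime = time.perf_counter() - t0
    return alerts, {"records": records, "searches": searches, "runtime_s": runtime,
                    "avg_search_s": runtime / max(searches, 1)}

RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET [22,3389] (msg:"inbound admin port"; flags:S; sid:1000001;)
alert udp $HOME_NET any -> any any (msg:"dns query for watched name"; content:"evil"; sid:1000002;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"inbound icmp"; sid:1000003;)
"""
TRACE = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","203.0.113.5","10.1.2.3","TCP","74","51234 → 22 [SYN] Seq=0 Win=64240 Len=0"
"2","0.000120","10.1.2.3","203.0.113.5","TCP","74","22 → 51234 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0"
"3","0.000300","10.1.2.9","10.0.0.2","DNS","85","Standard query 0x1a2b A evil.example"
"4","0.000400","203.0.113.7","10.1.2.3","ICMP","98","Echo (ping) request  id=0x0001, seq=1/256, ttl=64"
"5","0.000500","00:11:22:33:44:55","Broadcast","ARP","42","Who has 10.1.2.1? Tell 10.1.2.9"
"""
```

Calling detect(extract_rules(RULES), TRACE) on the constructed inputs reports records 1, 3 and 4 (record 2 is the reply leaving $HOME_NET, so the $EXTERNAL_NET source test fails, and the ARP record has no rule bucket and costs no search) and returns the record count, number of rule searches, runtime and average search time required by the assignment. Snort's own flag matching is exact unless a + modifier is given; the subset test above is a simplification noted in the comment.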