Signature based IDS

amigurumi

New Member
Hi! My question: if I want to build my own IDS, I wanted to know if there is a way of using existing attack signatures, if anyone could recommend a guide or manual, or an easier way to do it without using signatures. Also, I would like to know if CAPEC is actually an attack pattern language that can be used for such purposes. Thank you

PS: If I am not at the right place to ask this question I would be grateful if someone could redirect me to a place where I could get some advice.

mihir

VIP Member
How are you planning to build your own IDS? What do you have in mind? (program it?)

I just checked out CAPEC right now, it looks more like a dataset of Attack patterns, use case being classification of an attack pattern detected by the IDS.

amigurumi

New Member
Reply to question about how to build an IDS

Thanks for replying :) I want to program it or make use of available tools along with the JADE agents to build the IDS. I am planning to use packet sniffers to analyse packets. I want to capture the packet analysis so as to detect intrusion either in a live way (which I think is more difficult...) or by capturing these details and comparing them to any available signature (if any) to find a match. I am actually looking for the simplest way to do it. From what I have learnt till here it is easier to do network monitoring on Linux, but I'm quite new to this. I also want to be able to do the monitoring using JADE agents.

Do you think I will be able to find attack signatures, or should I create my own algorithm? For example: if I get too many requests on a server --> just say it is a denial of service attack?

OR do you think anomaly based detection would be an easier choice?

Thanks

beers

Moderator
Staff member
I want to capture the packet analysis so as to detect intrusion either in a live way (which I think is more difficult...) or by capturing these details and comparing them to any available signature (if any) to find a match.

Do you think I will be able to find attack signatures, or should I create my own algorithm? For example:

It'd be a better idea to use something above like Snort/Suricata just so you can get an idea of it first. It sounds like you have a lot of studying to do around these technologies.

Per above an IDS is useless if it can't detect a live signature as the packet traverses the interface. Having the fastest method of detection (live) is mandatory as you'd rather not know about a certain exploit after it already happened. Also, an IPS is more of the industry standard currently where the appliance actually drops the traffic it sees as malicious before it ever gets to the server/destination. A simple IDS just alerts you about it but forwards the traffic still.

You would definitely want to reverse engineer some of the traffic fingerprints/signatures to get an idea of what they're looking for and how to write them. Both of the utilities mentioned above are open source so you should be able to extract the signature database (unless someone else has a direct URL).

if I get too many requests on a server --> just say it is a denial of service attack?

How big is too big? What is your plan for avoiding false positives?

You also may be interested in a SIEM OE type of utility or feature that can do correlation rules. Then you can make something like 'alert for traffic that has greater than 6 invalid logins but then eventually a successful login from the same source address' for server access and similar.

OR do you think anomaly based detection would be an easier choice?

Anomaly detection would be much more difficult as you're trying to match around a vague behavior rather than a known malicious piece of data in the packet. The additional challenges mainly stem from eliminating false positives and actually identifying behavior that is potentially malicious.
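The correlation rule described above (more than 6 failed logins from one source followed by a successful login), implemented over a few constructed log lines as an added example; this is not code from the thread, and the sshd-like log format and field names are assumptions. A second source with one typo and then a success shows why the threshold matters for false positives.

```python
"""Correlation rule from the thread: alert on a source address that produces
more than `threshold` failed logins and then a successful login.
Added example; sshd-like log format and field names are assumptions."""
import re
from collections import defaultdict

# Constructed sample lines (not real logs): one brute-force run that
# ends in success, and one ordinary typo-then-success login.
SAMPLE_LOG = """\
Jan 10 09:00:01 host sshd[100]: Failed password for root from 203.0.113.5 port 4001
Jan 10 09:00:02 host sshd[100]: Failed password for root from 203.0.113.5 port 4002
Jan 10 09:00:03 host sshd[100]: Failed password for admin from 203.0.113.5 port 4003
Jan 10 09:00:04 host sshd[100]: Failed password for admin from 203.0.113.5 port 4004
Jan 10 09:00:05 host sshd[100]: Failed password for bob from 203.0.113.5 port 4005
Jan 10 09:00:06 host sshd[100]: Failed password for bob from 203.0.113.5 port 4006
Jan 10 09:00:07 host sshd[100]: Failed password for bob from 203.0.113.5 port 4007
Jan 10 09:00:09 host sshd[100]: Accepted password for bob from 203.0.113.5 port 4008
Jan 10 09:01:00 host sshd[101]: Failed password for alice from 198.51.100.7 port 5001
Jan 10 09:01:05 host sshd[101]: Accepted password for alice from 198.51.100.7 port 5002
"""

LINE_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def correlate_brute_force(lines, threshold=6):
    """Return one alert per source whose failed-login count exceeded
    `threshold` before its next successful login."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication line
        src = m.group("src")
        if m.group("outcome") == "Failed":
            failures[src] += 1
            continue
        # Successful login: fire only if a suspicious run preceded it,
        # then reset so the same history is not reported twice.
        if failures[src] > threshold:
            alerts.append({"src": src, "user": m.group("user"),
                           "failures": failures[src]})
        failures[src] = 0
    return alerts

if __name__ == "__main__":
    for alert in correlate_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```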

plice

New Member
You have lots of time on your hands :0
Run Snort and get the signatures. Of course, for any realtime signatures you have to pay, no matter what system it is. There are lots of Snort books available, go and get one.

You can get hardware preloaded with Snort, can't remember what's the $$$$ :)

If you want to have more fun, use honeypots. I'd say you want a honeypot type instead of an IDS.