You were minding your own business and suddenly it occurred to you that not only did you want to script an Intrusion Detection System – you wanted it to do something no other IDS has ever done.
(Shhh I know it’s like I read your mind!)
Chances are you haven’t given it a lot of thought, but why not start now? If you are a Linux user you can do it in python, bash, or pretty much any other language that has libraries for socket monitoring.
If you have nmap you could get started with this version right now and within 20 minutes have an IDS that can be modified extensively. Just as an example, you could:
- Combine it with a port mirror?
- Set the alert to trigger something other than alarm bell?
- Build a port closing script and set it as an executable that responds to this running as a daemon?
Obviously a port mirror won’t be very useful to combine with this unless you are running it on a gateway server. But things you could trigger in response to an intrusion might surprise you. With just a bit of tweaking you could get an intruding packet redirected to a honeypot – or something similar.
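A minimal version of the port-watching detector sketched above, written as an added example (not code from the original post): it parses nmap's normal output, compares the open ports against an allow-list of expected listeners, and fires whatever alert actions you plug in, standing in for the "alarm bell" and "port closing script" ideas. The scan text, the 192.0.2.10 host, and the two handler functions are constructed assumptions; the firewall rule is only built as a string, never executed.

```python
import re
from typing import Callable, Dict, List, Set

# Constructed sample of nmap "normal" output for one host (not a real scan).
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
4444/tcp open     krb524
8080/tcp filtered http-proxy
"""

# Matches the per-port lines: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_open_ports(scan_text: str) -> Dict[str, str]:
    """Return {"22/tcp": "ssh", ...} for every port nmap reports as open."""
    ports: Dict[str, str] = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":          # filtered/closed are ignored
            ports[f"{m.group(1)}/{m.group(2)}"] = m.group(4)
    return ports

Handler = Callable[[str, str], None]

def detect(baseline: Set[str], scan_text: str, handlers: List[Handler]) -> List[str]:
    """Compare open ports to the allow-list; run every handler for each unexpected one."""
    unexpected = []
    for port, service in parse_open_ports(scan_text).items():
        if port not in baseline:
            unexpected.append(port)
            for handler in handlers:
                handler(port, service)
    return sorted(unexpected, key=lambda p: int(p.split("/")[0]))

# Two hypothetical alert actions: one records an alert, one queues a block rule.
ALERT_LOG: List[str] = []
def log_alert(port: str, service: str) -> None:
    ALERT_LOG.append(f"ALERT unexpected listener {port} ({service})")

PENDING_RULES: List[str] = []
def queue_block_rule(port: str, service: str) -> None:
    num, proto = port.split("/")                # rule is built, not executed
    PENDING_RULES.append(f"iptables -A INPUT -p {proto} --dport {num} -j DROP")

if __name__ == "__main__":
    found = detect({"22/tcp", "80/tcp", "443/tcp"}, SAMPLE_SCAN, [log_alert, queue_block_rule])
    print(found, ALERT_LOG, PENDING_RULES)
```

Feeding it real output is a matter of replacing SAMPLE_SCAN with the text of an `nmap` run against your own host from a cron job or a loop in a daemon.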
A great python example could be this one at sourceforge. Reverse engineering it may take longer than finding an existing python script that already leans in the direction of what you want, though, so if you mean to build it yourself you need to have a few thoughts about your end result.
A few thoughts:
- Do you need something system wide or just application specific?
- Do you know which applications have modifiable scripts that could touch your IDS?
- Is modifying Snort, Suricata, or Samhain a better option?
When thinking and scripting proactively we can assume system wide protection is best – but it isn’t necessarily. In recent years the applications that required the most protection were browsers, email programs, messaging platforms, and websites (including databases).
While browser security tools exist there isn’t much documentation that tells us specifically which browser plugins prevent exploits – and certainly there aren’t many cases of browser based system intrusions. Paradoxically, there are countless downloads that enable intrusion and/or links clicked to enable them.
Snort, Suricata, Samhain, AIDE, and other IDS do bolster port/socket based security – but as with firewalls – if an admin makes unusual exceptions by clicking the wrong scripts or downloading backdoor software, some targets are simply lulled into a sense of security that is actually detrimental.
What practices can prevent intrusion?
I’m certainly not about to ramble about your passwords – I hate those articles. Rather, here is a look at how malicious scripts are introduced, to better familiarize you with doing your own part in preventing an invitation to intrusion.
Via browser: Links that have been shortened by unscrupulous or unrecognizable link shortening services are often the culprit in a variety of exploits – from intrusion to cookie theft – the best practice is to always hover over a link if you don’t know or trust the sender. Generally if the link looks to be full of redirects – don’t click it. Redirecting a browser onto and off of a page set up to gather data or execute code is fairly common these days because it works.
Email programs: Yes, people still love them for whatever reason. Aside from sending mail from a desktop, though, they are pretty much just browsers that can execute a wider variety of code: PDF downloads that “might” contain malicious scripts, zipped files that “might be backdoor software” – and yet users insist on using outdated versions of these email programs – or worse – they use a homebrew email server with no protections.
Websites: Everyone who visits a website leaves enough info about their system to fill a small logbook – so naturally some hackers want that info and will go pretty far to get it. Compromising a database is one way – getting administrative control is another – and whichever way they go about it the result is the same: an index of names and information that can be processed into something lucrative. This website had an attacker for years who never managed to get in – we logged his/her attempts to compromise the login system and changed passwords whenever they got close. (We won’t say how many times that was because that would make it easier.) Obviously our password wasn’t 12345 though, and that actually was an entire week’s worth of their attempts, so the attacker was obviously new at this sort of thing, or a huge fan of Spaceballs?
Whatever you decide to build – implement good practices – don’t run a website and let everyone post links or posts without vetting everything. Because beyond 50,000 crap articles for off brand viagra from Canada – you could unintentionally host some malicious script and ruin someone else’s day.