barns.blog

With 2009 already under-way, progress is happening in my Masters at a steady pace. With just under six months to go until the end of July, my work is in full swing, with a mixture of writing, algorithmic construction, testing and other activities. Over the next month, most of the development work should be completed. This is, of course, somewhat dependant on my teaching not getting too much in the way.

Thereafter, my algorithms and the sfPortscan algorithm from Snort will be tested and statistically analysed. Thereafter, I plan on finalising my write-up and handing in.

In the interim, I have plans to submit papers to several conferences during the course of the year, the first list includes ISSA, RAID, SATNAC, SAICSIT and CISSE (in chronological order of submission dates). I also hope to get a journal article out during the course of the year.

So, onward with 2009…

Today I set about performing the following tasks:

• Setting up and Running Snort
• Testing Snort with a few Simple Scans
• Using InetVis with NULL Interface Traffic

I succeeded in setting up Snort and running it with just the sfportscan preprocessor. The README states that it is designed to match against Nmap scans and I attempted to get it to alert on these, but discovered that it doesn’t alert on a number of these scans.

In an attempt to use Nmap scans tartgeted at a FreeBSD disc Interface, I set about modifying InetVis to accept more than just Ethernet frames. This was a “Bad Idea”™. With some help from Nick and Wiresharks text2pcap tool, I wrote a program which converts a disc interface tcpdump file to text which can be processed by text2pcap to produce a file of Ethernet frames. This loads correctly into Wireshark, but still does not produce output in the Windows version of InetVis. I think that it is a bug…

I struggled to use C++ after such a long time of not using it, but it certainly improved as the afternoon wore on.