
2009, An Overview of the Year Ahead

Written by Barns on February 7, 2009 – 1:35 pm

With 2009 already under way, progress is happening in my Masters at a steady pace. With just under six months to go until the end of July, my work is in full swing, with a mixture of writing, algorithmic construction, testing and other activities. Over the next month, most of the development work should be completed. This is, of course, somewhat dependent on my teaching not getting too much in the way.

Thereafter, my algorithms and the sfPortscan algorithm from Snort will be tested and statistically analysed. Thereafter, I plan on finalising my write-up and handing in.

In the interim, I have plans to submit papers to several conferences during the course of the year; the first list includes ISSA, RAID, SATNAC, SAICSIT and CISSE (in chronological order of submission dates). I also hope to get a journal article out during the course of the year.

So, onward with 2009…


Posted in Masters

ISSA Paper: Camera Ready Submitted

Written by Barns on June 4, 2008 – 12:10 pm

I have now submitted the camera-ready version of the ISSA Paper. It will be published under the title An Evaluation of Scan-Detection Algorithms in Network Intrusion Detection Systems.

Abstract:

Network Intrusion Detection Systems are becoming more prevalent as devices to protect a network. However, the methods they use for some forms of detection are flawed. This paper builds upon existing research by van Riel and Irwin which illustrated these flaws in Snort and Bro’s scan-detection engines. Indeed, it has been ascertained that a number of different scanning techniques are not identified by either Snort or Bro.

This paper highlights current research into the improvement of these scan-detection algorithms and presents insight into how this research is being conducted at Rhodes University. This research will improve on the scan-detection engines in Snort and Bro, permitting them to be used in a production environment without fear of succumbing to the false negative problem which currently exists.


Posted in Masters, Papers

SATNAC WIP Paper

Written by Barns on June 3, 2008 – 2:53 pm

I have submitted my Work In Progress Paper for SATNAC, under the title of An Analysis of Network Scanning Traffic as it relates to Scan-Detection in Network Intrusion Detection Systems.

Abstract

Network Intrusion Detection is, in a modern network, a useful tool to detect a wide variety of malicious traffic. The ever-present prevalence of scanning activity on the Internet is fair justification to warrant scan detection as a component of network intrusion detection. Whilst current systems are able to perform scan-detection, the methods they use are often flawed and exhibit an inability to detect scans in an efficient and scalable manner.

Existing research by van Riel and Irwin has illustrated a number of flaws present in the open source systems Snort and Bro. This paper builds on this by describing current research at Rhodes University in which these flaws are being addressed. In particular, this research will address the flaws in the scan-detection engines in Snort and Bro by developing new plug-ins for these systems which take into consideration the improvements which are identified over the course of the research.


Posted in Masters, Papers

Website, More InetVis and a touch of Nmap

Written by Barns on May 23, 2008 – 7:51 pm

Today was a little bit slow. I started off well by redoing this site, so that it would produce nifty things such as RSS feeds. It's now using WordPress.

I managed to get the Linux version of InetVis to work with my crafted Ethernet frames which was great. I then started creating tcpdumps of the different types of Nmap scans. These will be analysed with Snort, Bro and InetVis.


Posted in Progress Reports

C++, InetVis, Snort and More

Written by Barns on May 22, 2008 – 5:35 pm

Today I set about performing the following tasks:

  • Setting up and Running Snort
  • Testing Snort with a few Simple Scans
  • Using InetVis with NULL Interface Traffic

I succeeded in setting up Snort and running it with just the sfportscan preprocessor. The README states that it is designed to match against Nmap scans and I attempted to get it to alert on these, but discovered that it doesn’t alert on a number of these scans.

In an attempt to use Nmap scans targeted at a FreeBSD disc interface, I set about modifying InetVis to accept more than just Ethernet frames. This was a “Bad Idea”™. With some help from Nick and Wireshark's text2pcap tool, I wrote a program which converts a disc interface tcpdump file to text which can be processed by text2pcap to produce a file of Ethernet frames. This loads correctly into Wireshark, but still does not produce output in the Windows version of InetVis. I think that it is a bug…

I struggled to use C++ after such a long time of not using it, but it certainly improved as the afternoon wore on.


Posted in Progress Reports
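The re-framing step described in the post above, as an added example rather than the author's program: instead of dumping the capture to text for text2pcap, this rewrites the pcap directly, prepending a dummy Ethernet II header to each packet so that Ethernet-only tools such as InetVis will accept it. It assumes the non-Ethernet capture was saved with the raw-IP link type (LINKTYPE_RAW, 101); the MAC addresses and the sample SYN packet are constructed here.

```python
import struct

LINKTYPE_RAW = 101       # raw IPv4/IPv6 packets, no link-layer header (assumed input type)
LINKTYPE_ETHERNET = 1
# Constructed, locally administered MACs for the dummy Ethernet II header
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")

def ethernet_header(ip_packet: bytes) -> bytes:
    """Build a 14-byte Ethernet II header whose EtherType matches the IP version nibble."""
    version = ip_packet[0] >> 4
    if version == 4:
        ethertype = 0x0800
    elif version == 6:
        ethertype = 0x86DD
    else:
        raise ValueError(f"not an IP packet (version nibble {version})")
    return DST_MAC + SRC_MAC + struct.pack("!H", ethertype)

def rewrite_raw_pcap_to_ethernet(data: bytes) -> bytes:
    """Return a copy of a raw-IP pcap in which every packet is wrapped in an Ethernet frame."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    hdr = struct.unpack(endian + "IHHiIII", data[:24])
    if hdr[6] != LINKTYPE_RAW:
        raise ValueError(f"expected link type {LINKTYPE_RAW}, got {hdr[6]}")
    out = [struct.pack(endian + "IHHiIII", *hdr[:6], LINKTYPE_ETHERNET)]
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        pkt = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        frame = ethernet_header(pkt) + pkt
        # Captured and original lengths both grow by the 14-byte header we prepend
        out.append(struct.pack(endian + "IIII", ts_sec, ts_usec, len(frame), orig_len + 14))
        out.append(frame)
    return b"".join(out)

def build_raw_pcap(packets) -> bytes:
    """Constructed test input: a little-endian LINKTYPE_RAW pcap around the given IP packets."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)]
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1211500000 + i, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)

# Constructed sample: IPv4/TCP SYN 10.0.0.1:50000 -> 10.0.0.2:22, the shape a SYN scan probe takes
SAMPLE_PACKET = bytes.fromhex("4500002800010000400600000a0000010a000002"   # IPv4, protocol 6
                              "c350001600000000000000005002ffff00000000")  # TCP, flags = SYN
```

The rewritten file keeps every timestamp and payload byte, so Snort or Bro will see the same scan as before; only the link-layer framing changes.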