First: Wayne Rogers (mostly him) and I have completed a port of the *nix Perl module Net::Pcap to Win32. We would like to post it on CPAN, but need some testing first. If any of you could use this module and would be willing to help test it, please send me or Wayne ([EMAIL PROTECTED]) an email.

Second: We are porting Net::Pcap to Windows to make a distributed NIDS that will work on both Win32 and *nix platforms. If anyone would like to participate, small or large, please send me an email.

The general plan so far: Write the client and server app in Perl and then use something like Perl2Exe to make an executable out of the scripts.

The four major things that I don't see in the other open source NIDSs:

- Not distributed; one machine is scanning all the network traffic.
- If it is distributed, it doesn't run on Win32.
- They do not take any actions other than logging or notification.
- They do not address DHCP spoofing or ARP attacks.

The last one amazes me the most. I have already found several solutions to the DHCP spoofing and ARP attacks. I have not decided which are the best yet; I need to test which are the most robust.

Most of the work as far as rules to pass the traffic through has already been done in Snort. I was thinking that the best thing to do would be to store several sets of rules on the server, then configure the server to apply the appropriate set of rules to each client app. The client app would report to the server any activity that matched its rules. Then the server can take action(s) based on its rules. For instance, if a client reported to the server that it received an ARP spoof attack, the server could do several things at this point. It would of course log this and email the administrator, but it could also: log all of the compromised client's current connections to the external net, order one of the clients on that segment to send a crafted ARP packet to correct the ARP spoof, shut down the compromised client, shut down the port of the switch that the client is connected to, or just kill all its connections to the external net, or ... I am not sure yet which are the best actions to include in the app.

I could go on and on about this, but that is not for this mailing list. If you are interested please give me a shout.

Thanks for listening to me ramble

Jay Flowers
Integic
Health Care
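The client/server split described in the post (a sensor matches traffic against its rule set, reports an event to the server, and the server picks actions from the rule set assigned to that sensor) can be sketched without Net::Pcap at all. The following is an added example, not code from the original post or from the Net::Pcap port: it parses raw Ethernet/ARP frames, keeps the sensor-side IP-to-MAC table that an ARP-spoof detector needs, and raises an event when an IP address is suddenly claimed by a different MAC. The server side maps sensor name and event type to a list of action names. The frames, MAC/IP addresses, sensor names and policy table are constructed sample data; the action names are placeholders for whatever the server would actually do. It is written in Python rather than Perl so the logic is independent of the pcap binding.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

ETH_P_ARP = 0x0806        # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample frames (Ethernet header + 28-byte ARP payload, 42 bytes each).
# Host 192.168.1.50 (00:aa:bb:cc:dd:50) and gateway 192.168.1.1 (00:11:22:33:44:01).
FRAME_HOST_REQUEST = bytes.fromhex(
    "ffffffffffff" "00aabbccdd50" "0806"      # Ethernet: dst broadcast, src host, ARP
    "0001" "0800" "06" "04" "0001"            # htype, ptype, hlen, plen, oper=request
    "00aabbccdd50" "c0a80132"                 # sender MAC / IP (host .50)
    "000000000000" "c0a80101"                 # target MAC (unknown) / IP (.1)
)
FRAME_GW_REPLY = bytes.fromhex(
    "00aabbccdd50" "001122334401" "0806"
    "0001" "0800" "06" "04" "0002"            # oper=reply
    "001122334401" "c0a80101"                 # genuine gateway MAC / IP
    "00aabbccdd50" "c0a80132"
)
FRAME_SPOOF_REPLY = bytes.fromhex(
    "00aabbccdd50" "00deadbeef99" "0806"
    "0001" "0800" "06" "04" "0002"
    "00deadbeef99" "c0a80101"                 # a different MAC claiming the gateway IP
    "00aabbccdd50" "c0a80132"
)
FRAME_IPV4 = bytes.fromhex("00aabbccdd50" "001122334401" "0800" + "00" * 28)  # not ARP


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


@dataclass
class ArpMonitor:
    """Sensor side: learn IP->MAC bindings and report when a known IP changes MAC."""
    sensor_id: str
    table: dict = field(default_factory=dict)   # ip -> mac

    def observe(self, frame: bytes) -> Optional[dict]:
        arp = parse_arp(frame)
        if arp is None or arp["spa"] == "0.0.0.0":   # ignore non-ARP and ARP probes
            return None
        known = self.table.get(arp["spa"])
        if known is None:                            # first sighting: learn it
            self.table[arp["spa"]] = arp["sha"]
            return None
        if known != arp["sha"]:                      # binding changed: report, do not overwrite
            return {"sensor": self.sensor_id, "type": "arp_conflict", "ip": arp["spa"],
                    "old_mac": known, "new_mac": arp["sha"], "oper": arp["oper"]}
        return None


class NidsServer:
    """Server side: per-sensor rule sets mapping event type -> list of actions (names are placeholders)."""
    def __init__(self, policies: dict):
        self.policies = policies
        self.log: list = []

    def handle(self, event: dict) -> list:
        rules = self.policies.get(event["sensor"], self.policies["default"])
        actions = rules.get(event["type"], ["log"])
        for action in actions:
            self.log.append(f"{event['sensor']} {event['type']} {event['ip']} "
                            f"{event['old_mac']} -> {event['new_mac']}: {action}")
        return actions


# Constructed policy table: the DMZ sensor gets a stricter rule set than the default.
POLICIES = {
    "default": {"arp_conflict": ["log"]},
    "dmz-sensor": {"arp_conflict": ["log", "notify_admin", "record_connections"]},
}


def run_demo() -> list:
    """Feed the sample frames through one sensor and return the actions the server chose."""
    sensor = ArpMonitor("dmz-sensor")
    server = NidsServer(POLICIES)
    chosen = []
    for frame in (FRAME_HOST_REQUEST, FRAME_GW_REPLY, FRAME_IPV4, FRAME_SPOOF_REPLY):
        event = sensor.observe(frame)
        if event is not None:
            chosen.extend(server.handle(event))
    return chosen


if __name__ == "__main__":
    print(run_demo())
```

A conflict from `ArpMonitor` is evidence, not proof: a replaced NIC or a DHCP lease moving to another host changes the binding legitimately, which is why the sensor only reports and leaves the decision (and the old binding) to the server's rules rather than acting on its own.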
