IDS mailing list archives

Re: Building a Basic IDS.


From: Sébastien Tricaud <toady () gscore org>
Date: Wed, 4 Jun 2003 21:45:54 +0200

On 04 Jun 2003 15:30:01 +0300
Zaid Amireh <tumbak () inbox lv> wrote:

Hello all,
Please don't flame me, I'm just a student seeking knowledge.
We are three undergraduate students; we have much interest in security
in general and NIDSs in particular, so we decided to code a simple NIDS
as our graduation project.
We read a lot about the theoretical parts, but we couldn't find any
technical documents about building an IDS from scratch. We do have a
general overview of what we are to do, but as you know, getting a second
opinion is always better :)
So if you were asked to code a simple NIDS, where would you start and
what path would you choose?
Thanks for your time.


The best way is to use libpcap to catch packets.
You can get tutorials on how to use it on the tcpdump webpage.
(http://www.tcpdump.org/)

The sniffer tcpdump uses it; you can also look more closely at its sources.

If it's just for a graduation project, you won't need to fight very hard to have
something fun.
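As an added example, not code from this thread: once libpcap delivers a frame, a simple NIDS still has to decode it and match a signature, and that is where most "from scratch" projects stumble. The decoder below checks every header length field before trusting it and scans the TCP payload with a bounded compare; the frame builder constructs a sample packet so it runs offline. In a real build, `inspect_packet` would be called from the `pcap_loop` callback with the `caplen` of `struct pcap_pkthdr` as `len` (the handler name and the signature format are assumptions here).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Decode an Ethernet/IPv4/TCP frame as libpcap hands it over (DLT_EN10MB)
 * and scan the TCP payload for a byte signature.
 * Returns 1 = signature found, 0 = not found, -1 = malformed or not IPv4/TCP. */
int inspect_packet(const uint8_t *pkt, size_t len, const char *sig)
{
    if (len < 14 || pkt[12] != 0x08 || pkt[13] != 0x00) return -1; /* EtherType != IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;            /* IP header length */
    size_t total = ((size_t)ip[2] << 8) | ip[3];         /* IP total length */
    if (ihl < 20 || total < ihl || total > iplen) return -1;
    if (ip[9] != 6) return -1;                           /* protocol 6 = TCP */
    const uint8_t *tcp = ip + ihl;
    size_t tcplen = total - ihl;
    if (tcplen < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;            /* TCP data offset */
    if (doff < 20 || doff > tcplen) return -1;
    const uint8_t *payload = tcp + doff;
    size_t plen = tcplen - doff, siglen = strlen(sig);
    /* Payload is not NUL-terminated: bounded memcmp scan, never strstr. */
    if (siglen == 0 || plen < siglen) return 0;
    for (size_t i = 0; i + siglen <= plen; i++)
        if (memcmp(payload + i, sig, siglen) == 0) return 1;
    return 0;
}

/* Constructed frame for testing (not captured traffic): Ethernet + 20-byte IPv4
 * + 20-byte TCP header + data. Returns the frame length, 0 if buf is too small. */
size_t build_sample_frame(uint8_t *buf, size_t cap, const char *data)
{
    size_t dlen = strlen(data), total = 20 + 20 + dlen;
    if (cap < 14 + total || total > 0xffff) return 0;
    memset(buf, 0, 14 + total);
    buf[12] = 0x08; buf[13] = 0x00;                      /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45; ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[8] = 64; ip[9] = 6;                               /* TTL 64, protocol TCP */
    memcpy(ip + 12, "\xc0\xa8\x01\x0a", 4);              /* src 192.168.1.10 */
    memcpy(ip + 16, "\xc0\xa8\x01\x50", 4);              /* dst 192.168.1.80 */
    uint8_t *tcp = ip + 20;
    tcp[3] = 80;                                         /* dst port 80 */
    tcp[12] = 0x50; tcp[13] = 0x18;                      /* data offset 5, PSH|ACK */
    memcpy(tcp + 20, data, dlen);
    return 14 + total;
}
```

Each `-1` is a frame you should count and log rather than silently drop: a NIDS that trusts the IP total length or TCP data offset without these checks can be made to read past the capture buffer.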



