Although you eliminated one buffer overflow in the blame server in Project 1, and secured its communications in Project 2, not all users have upgraded to the non-vulnerable version of blame yet. Your job for this final project is to develop a network intrusion detection system which monitors network packets for exploit attempts and notifies the user of any suspicious activity.
Create a network intrusion detection system which is capable of monitoring traffic to or from a single host on the network. You should use the pcap library to receive packets, and perl-compatible regular expressions to create your rules. Your program should take two command-line arguments: the first is a rule file (whose syntax is defined below), and the second is a pcap trace file, several of which will be provided for your testing. Your IDS should process each packet in the trace, and as rules are matched print an alert to standard out.
There are two types of rules: stream rules and protocol rules. Stream rules require you to reconstruct the send or receive stream of a TCP connection, and then apply a regular expression to the entire stream. Stevens' TCP/IP Illustrated and Unix Network Programming are good references if you are unfamiliar with how TCP reconstruction works. For this project it is acceptable to wait until a TCP session is finished (or there are no more packets to process) before checking for matches. Protocol rules specify an exchange of messages which are assumed to be in single packets (a naive assumption it turns out, but a decent first step). The sub-rules may match the flags, body, or both on each packet. Each sub-rule must be matched in order and with no intermediate packets to/from the same ports and IPs for a protocol rule to match. You may use lex/yacc to construct your parser if you are familiar with these tools; the grammar has been designed to be easily parsed without these tools.
Your program must work on the eniac-l.seas.upenn.edu machine pool.
This project is to be done in groups of two or three, with no exceptions. One member of each group should e-mail the names and e-mail addresses of everyone in their group to ecronin at cis.upenn.edu by Friday, April 8. Any students registered for the course but not in a group will be randomly grouped over the weekend. After April 10, no group changes may be made.
When submitting project 3, please only do so from one group member's account. If you submit from multiple accounts you must e-mail a TA before the submission deadline telling us which one to grade.
Your final submission should consist of a well commented program and a makefile or instructions on how to compile it. You should also submit a file documenting the design of your intrusion detection system, and how you evaluated its correctness (e.g. extra rulefiles). Please submit your documentation as text or PDF.
A rule file consists of exactly one host entry (which must be first), and arbitrarily many rule entries. The grammar for the configuration file is:
<host>            ::= host=<ip>\n\n
<rule>            ::= name=<string>\n
                      <tcp_stream_rule>|<protocol_rule>\n
<tcp_stream_rule> ::= type=tcp_stream\n
                      src_port=(any|<port>)\n
                      dst_port=(any|<port>)\n
                      ip=(any|<ip>)\n
                      (send|recv)=<regexp>\n
<protocol_rule>   ::= type=protocol\n
                      proto=tcp|udp\n
                      src_port=(any|<port>)\n
                      dst_port=(any|<port>)\n
                      ip=(any|<ip>)\n
                      <sub_rule>
                      <sub_rule>*
<sub_rule>        ::= (send|recv)=<regexp> (with flags=<flags>)?\n
<string>          ::= alpha-numeric string
<ip>              ::= string of form [0-255].[0-255].[0-255].[0-255]
<port>            ::= string of form [0-65535]
<regexp>          ::= Perl Regular Expression
<flags>           ::= <flag>*
<flag>            ::= S|A|F|R|P|U
Each rule begins with a name, which should be used when printing a notice every time that rule is matched by a connection or packet. "ip", "dst_port", and "recv" all refer to the remote side of a connection.
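To show how the grammar above maps onto code, here is an added Python parser for the rule file (example code written for this page, not part of the assignment or any reference solution): it checks that the host entry comes first, starts a new rule at each name= line, compiles each regexp as a bytes pattern so escapes such as \x90 match raw payload bytes, and keeps an empty "with flags=" (the NULL scan case) distinct from having no flags clause at all. Python's re module stands in for PCRE.

```python
import re
def parse_sub_rule(key, value):  # right-hand side of (send|recv)=<regexp> (with flags=<flags>)?
    m = re.fullmatch(r'(.*?)(?: with flags=([SAFRPU]*))?', value)
    pattern, flags = m.group(1), m.group(2)
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':  # the examples quote the regexp
        pattern = pattern[1:-1]
    # Compiled as a bytes pattern so escapes such as \x90 match raw payload bytes. flags is None
    # when no flag constraint was given; an empty 'with flags=' (NULL scan) means "no flags set".
    return {"dir": key, "re": re.compile(pattern.encode("latin-1")),
            "flags": None if flags is None else frozenset(flags)}

def parse_rule_file(text):  # -> (host ip, [rule dicts]); blank lines only separate entries
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("host="):
        raise ValueError("rule file must begin with a host= entry")
    host, rules, cur = lines[0][len("host="):], [], None
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if not sep or (cur is None and key != "name"):
            raise ValueError("malformed line: %r" % line)
        if key == "name":              # every rule entry starts with its name
            cur = {"name": value, "subrules": []}
            rules.append(cur)
        elif key in ("send", "recv"):
            cur["subrules"].append(parse_sub_rule(key, value))
        else:                          # type, proto, src_port, dst_port, ip
            cur[key] = value
    for r in rules:                    # structural checks implied by the grammar
        ok = (r.get("type") == "tcp_stream" and len(r["subrules"]) == 1) or (
            r.get("type") == "protocol" and r.get("proto") in ("tcp", "udp") and r["subrules"])
        if not ok:
            raise ValueError("rule %r violates the grammar" % r["name"])
    return host, rules

SAMPLE_RULE_FILE = r'''host=192.168.0.1

name=Blame Attack 3
type=tcp_stream
src_port=5551
dst_port=any
ip=any
recv="\x90{10}.*\xcd\x80"
name=NULL scan
type=protocol
proto=tcp
src_port=80
dst_port=any
ip=any
recv=".*" with flags=
'''
```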
Blame Attack 1
A very simple rule which looks for the "Now I own your computer" string contained in Project 1's shellcode.
host=192.168.0.1

name=Blame Attack 1
type=protocol
proto=tcp
src_port=5551
dst_port=any
ip=any
recv="Now I own your computer"
Try with: trace1.pcap (false positive), trace2.pcap, trace3.pcap (false negative)
Blame Attack 2
Same as Blame Attack 1, except use TCP stream reconstruction.
host=192.168.0.1

name=Blame Attack 2
type=tcp_stream
src_port=5551
dst_port=any
ip=any
recv="Now I own your computer"
Try with: trace1.pcap (false positive), trace2.pcap, trace3.pcap
Blame Attack 3
A more sophisticated rule which matches a sequence of instructions found in the shellcode to reduce false positives.
host=192.168.0.1

name=Blame Attack 3
type=tcp_stream
src_port=5551
dst_port=any
ip=any
recv="\x90{10}.*\xcd\x80"
Try with: trace1.pcap, trace2.pcap, trace3.pcap
Plaintext POP
Detect insecure (plaintext) logins to the mail server.
host=192.168.0.1

name=Plaintext POP
type=protocol
proto=tcp
src_port=110
dst_port=any
ip=any
send="\+OK.*\r\n"
recv="USER .*\r\n"
send="\+OK.*\r\n"
recv="PASS.*\r\n"
send="\+OK.*\r\n"
Try with: trace4.pcap
XMAS port scan
Detect someone attempting an XMAS port scan against any port.
host=192.168.0.1

name=XMAS scan
type=protocol
proto=tcp
src_port=any
dst_port=any
ip=any
recv=".*" with flags=FUP
Try with: trace5.pcap
NULL scan against webserver
Detect someone attempting a NULL port scan against the webserver port (80).
host=192.168.0.1

name=NULL scan
type=protocol
proto=tcp
src_port=80
dst_port=any
ip=any
recv=".*" with flags=
Try with: trace6.pcap
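The matching engine the two rule types call for, as an added example (written for this page, not the assignment's code or a reference solution): stream rules run one regexp over the TCP stream reassembled from sequence numbers, and protocol rules require consecutive packets of one connection to match the sub-rules in order, with flags compared when a sub-rule gives them. Packet dicts stand in for libpcap input and Python's re for PCRE; the constructed trace splits the shellcode string over two out-of-order segments, which the protocol form of the Blame Attack rule misses (the same kind of false negative noted for trace3.pcap) and the stream form catches.

```python
import re
HOST = "192.168.0.1"  # host= entry; send/recv, ip and dst_port are all relative to this host

def sub(direction, pattern, flags=None):  # one (send|recv)=<regexp> [with flags=] entry
    return {"dir": direction, "re": re.compile(pattern), "flags": flags}
def rule(name, typ, src_port, *subs):  # dst_port=any and ip=any, as in the page's examples
    return {"name": name, "type": typ, "proto": "tcp", "src_port": src_port,
            "dst_port": "any", "ip": "any", "subrules": list(subs)}

def pkt(src, sport, dport, flags, seq, data=b""):  # constructed inbound TCP packet to HOST
    return dict(proto="tcp", src=src, sport=sport, dst=HOST, dport=dport, flags=flags, seq=seq, data=data)

def reassemble(pkts, direction):  # one direction of a TCP stream, ordered by sequence number
    out, nxt = b"", None
    for d, p in sorted(pkts, key=lambda dp: dp[1]["seq"]):
        skip = 0 if nxt is None else max(0, nxt - p["seq"])  # bytes already seen (retransmission)
        if d == direction and skip < len(p["data"]):
            out, nxt = out + p["data"][skip:], p["seq"] + len(p["data"])
    return out

def run_ids(rules, trace):  # apply every rule to every connection in the trace; return alerts
    conns, alerts = {}, []  # (proto, remote ip, remote port, host port) -> [(dir, pkt)] in order
    for p in trace:
        d = "send" if p["src"] == HOST else "recv"  # 'recv' = sent by the remote side
        rip, rport, hport = (p["dst"], p["dport"], p["sport"]) if d == "send" else (p["src"], p["sport"], p["dport"])
        conns.setdefault((p["proto"], rip, rport, hport), []).append((d, p))
    for (proto, rip, rport, hport), pkts in conns.items():
        for r in rules:  # src_port is the host's port; ip and dst_port describe the remote side
            if r["proto"] != proto or not all(v in ("any", str(w)) for v, w in
                    ((r["src_port"], hport), (r["dst_port"], rport), (r["ip"], rip))):
                continue
            subs = r["subrules"]
            if r["type"] == "tcp_stream":  # one regexp over the whole reassembled stream
                hit = subs[0]["re"].search(reassemble(pkts, subs[0]["dir"])) is not None
            else:  # protocol: consecutive packets of this connection, one per sub-rule, in order
                hit = any(all(d == s["dir"] and s["re"].search(p["data"]) and
                              (s["flags"] is None or set(p["flags"]) == s["flags"])
                              for (d, p), s in zip(pkts[i:], subs))
                          for i in range(len(pkts) - len(subs) + 1))
            if hit:
                alerts.append("%s %s:%d" % (r["name"], rip, rport))
    return alerts

RULES = [rule("Blame Attack 1", "protocol", "5551", sub("recv", rb"Now I own your computer")),
         rule("Blame Attack 2", "tcp_stream", "5551", sub("recv", rb"Now I own your computer")),
         rule("XMAS scan", "protocol", "any", sub("recv", rb".*", frozenset("FUP")))]
TRACE = [pkt("10.0.0.9", 40000, 5551, "PA", 1015, b" computer"),      # constructed: shellcode string
         pkt("10.0.0.9", 40000, 5551, "PA", 1001, b"Now I own your"),  # split over two segments,
         pkt("10.0.0.9", 40000, 5551, "PA", 1001, b"Now I own your"),  # out of order, one retransmit,
         pkt("10.0.0.7", 55555, 22, "FPU", 7)]                         # then an XMAS probe of port 22
```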
All pcap files provided have been sanitized. The host to protect has been given the IP address 192.168.0.1, and other IPs have been changed where needed. To see the contents of these files, run tcpdump -r file.pcap.
You can use the "netdude" tool to modify and create pcap traces for your tests. Instructions for access on the eniac-l cluster are posted in the course newsgroup.
Netdude documentation page