Network Intrusion Detection

Submission Deadline:

The goals of this exercise are to:

  1. Create a stateful network intrusion detection system
  2. Gain first-hand insight into dealing with evasion, over-stimulation, and other challenges

NIDS Specification

Using any packet-capture library of your choice, implement a NIDS that can process both PCAP dump files and live traffic sniffed from a network interface. Your NIDS must perform IPv4 fragment reassembly and TCP stream reassembly, and must support the different overlap-resolution behaviors found in commodity operating system network stacks: an attacker can exploit any difference between how the monitor and the target reassemble overlapping data to evade detection.

Your detector must take a single command-line argument: the path to a configuration file. The configuration file must be YAML with the following format:

interface: "eth0"               # Network interface
pcap_path: "/data/dump.pcap"    # Or, a path to a PCAP file (takes precedence over `interface`)
network: "1.1.1.1/0"            # Network to be monitored, in CIDR notation
enable_checksums: true          # Whether to compute and check IPv4/TCP checksums
ipv4_fragment_reassembly:
  default_behavior: "first"     # Or "last", "linux"
  endpoints:
    - ipv4_address: "1.1.1.1"   # IPv4 address of endpoint behavior to override
      behavior: "last"          # See `default_behavior`
tcp_reassembly:
  default_behavior: "first"     # Or "last"
  endpoints:
    - ipv4_address: "1.1.1.1"
      behavior: "last"
rules:
  - name: "example_rule"        # Rule name
    destination_port: 1234      # Destination TCP port
    content: "\x90+"            # TCP stream content regex

Rule content selectors are Perl-compatible regular expressions matched against the byte sequences of reassembled TCP streams, not against individual packets, so a pattern split across several segments or fragments must still match.

Detections must be printed to stdout. The format of a single detection is as follows:

---
timestamp: 1548797500           # UNIX timestamp
source:
  ipv4_address: "8.8.8.8"       # Source IPv4 address
  tcp_port: 34567               # Source TCP port
target:
  ipv4_address: "1.1.1.1"       # Target IPv4 address
  tcp_port: 1234                # Target TCP port
rule: "example_rule"

Ensure that nothing other than the stream of detection messages is written to stdout; send logging and diagnostics to stderr.
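
The following is an added example (not part of the exercise text or any reference solution) of how the `rules` section and the detection format above fit together. It compiles rule content as a bytes regex, runs it over a reassembled stream, and renders detections exactly in the required YAML shape. The rule set, the stream bytes and the function names are constructed for illustration; the one subtlety worth noting is that a YAML loader such as PyYAML turns the double-quoted `"\x90+"` into the single character U+0090, while a single-quoted `'\x90+'` keeps the backslash, and the latin-1 encoding below makes both spellings match the byte 0x90.

```python
from __future__ import annotations

import re
import sys
from typing import TextIO

# Constructed rule set in the shape of the `rules:` section of the config.
# The first content string is what a YAML loader yields for "\x90+" (the
# escape already became U+0090); the second keeps a literal backslash, as a
# loader yields for the single-quoted '\x90+'.
RULES = [
    {"name": "example_rule", "destination_port": 1234, "content": "\x90+"},
    {"name": "example_rule_escaped", "destination_port": 1234, "content": "\\x90+"},
    {"name": "shell_in_http", "destination_port": 80, "content": "/bin/sh"},
]


def compile_rule(rule: dict) -> tuple[str, int, re.Pattern[bytes]]:
    """Turn one rule into (name, destination port, compiled bytes regex).

    Stream content is raw bytes, so the pattern must be a bytes pattern.
    latin-1 maps code points 0..255 one-to-one onto byte values: U+0090
    becomes the byte 0x90 and matches it literally, while a kept backslash
    becomes b"\\x90", which the regex engine interprets as the same byte.
    Encoding as UTF-8 would turn U+0090 into two bytes and never match.
    """
    pattern = re.compile(rule["content"].encode("latin-1"), re.DOTALL)
    return rule["name"], int(rule["destination_port"]), pattern


def match_stream(compiled, timestamp: int, src: tuple[str, int],
                 dst: tuple[str, int], data: bytes) -> list[dict]:
    """Return one detection per rule that fires on one reassembled stream.

    `search` rather than `finditer`: a stream containing the pattern ten
    times is still one malicious stream and yields one detection per rule.
    """
    hits = []
    for name, port, pattern in compiled:
        if port == dst[1] and pattern.search(data):
            hits.append({"timestamp": timestamp, "source": src,
                         "target": dst, "rule": name})
    return hits


def format_detection(d: dict) -> str:
    """Render a detection as one YAML document in the required format."""
    return (
        "---\n"
        f"timestamp: {d['timestamp']}\n"
        "source:\n"
        f"  ipv4_address: \"{d['source'][0]}\"\n"
        f"  tcp_port: {d['source'][1]}\n"
        "target:\n"
        f"  ipv4_address: \"{d['target'][0]}\"\n"
        f"  tcp_port: {d['target'][1]}\n"
        f"rule: \"{d['rule']}\"\n"
    )


def emit(detections, out: TextIO = sys.stdout) -> None:
    """Write detections to stdout; everything else must go to stderr."""
    for d in detections:
        out.write(format_detection(d))
    out.flush()


# Constructed reassembled stream: an HTTP request line, a NOP sled, padding.
SLED_STREAM = b"GET / HTTP/1.0\r\n" + b"\x90" * 16 + b"\xcc"

if __name__ == "__main__":
    compiled = [compile_rule(r) for r in RULES]
    emit(match_stream(compiled, 1548797500, ("8.8.8.8", 34567),
                      ("1.1.1.1", 1234), SLED_STREAM))
    print("scanned 1 stream", file=sys.stderr)   # diagnostics never hit stdout
```

Run stand-alone, the script prints two detection documents (one per rule bound to port 1234) to stdout and its progress line to stderr, so `python nids.py > detections.yaml` captures only detections.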

Finally, when operating in live mode, your NIDS must also tear down any TCP stream that triggers a rule by injecting TCP RST segments that both endpoints accept, which means the forged segments must carry sequence numbers each endpoint considers valid for the connection.

Implementation Goals

Your NIDS implementation will be subjected to a number of test cases. When designing and implementing your NIDS, you should support:

  • IPv4 and TCP checksum verification, if configured (packets with bad checksums are discarded by the receiver, so the monitor must not match on them)
  • IPv4 fragment reassembly, including overlapping and out-of-bounds fragments, with overlaps resolved according to the configured behavior of the receiving endpoint
  • TCP stream reassembly, including overlapping segments, with overlaps resolved according to the configured behavior of the receiving endpoint
  • TCP stream timeouts, so that idle or half-finished streams are eventually evicted
  • Resilience to denial-of-service attacks, e.g. bounded memory for partially reassembled datagrams and streams so that floods of incomplete fragments or segments cannot exhaust the monitor
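
The overlap policies named in the `ipv4_fragment_reassembly` and `tcp_reassembly` sections of the configuration, and the overlapping and out-of-bounds cases in the goals above, can be handled by one byte-granular reassembler; the block below is an added example of that (not part of the exercise or any reference solution). `first` and `last` follow their names; the `linux` rule is an assumed model, following the description of the Linux fragment policy by Shankar and Paxson, and the `policy_for` helper, the class, and the constructed chunk sequences are all illustrative names and inputs.

```python
from __future__ import annotations

from typing import Optional

IPV4_MAX_DATAGRAM = 65535


def policy_for(section: dict, receiver_ip: str) -> str:
    """Resolve the overlap policy for the host that will reassemble the data.

    Overlaps must be resolved the way the *receiving* stack will, so the
    lookup key is the destination address; endpoint entries override the
    default.  `section` is e.g. the parsed `ipv4_fragment_reassembly` map.
    """
    for ep in section.get("endpoints", []):
        if ep.get("ipv4_address") == receiver_ip:
            return ep["behavior"]
    return section["default_behavior"]


class OverlapReassembler:
    """Byte-granular reassembly with a configurable overlap policy.

    Works for IPv4 fragments (offset = fragment offset field * 8, last = MF
    bit clear) and for TCP segments (offset = SEQ - ISN, last = FIN).
    Every byte remembers the offset of the chunk that wrote it, so a later
    chunk can be judged against the earlier chunk it collides with.
    """

    def __init__(self, policy: str, limit: int = IPV4_MAX_DATAGRAM) -> None:
        if policy not in ("first", "last", "linux"):
            raise ValueError(f"unknown overlap policy {policy!r}")
        self.policy = policy
        self.limit = limit
        self.buf = bytearray()
        self.owner: list[Optional[int]] = []   # offset of the chunk owning each byte; None = hole
        self.total: Optional[int] = None        # known end of the datagram/stream, once seen

    def _new_wins(self, old_offset: int, new_offset: int) -> bool:
        if self.policy == "first":   # original data is always kept
            return False
        if self.policy == "last":    # newest data always overwrites
            return True
        # "linux" (assumed model, after Shankar & Paxson): the original chunk
        # is kept only when it starts strictly before the new one; at an equal
        # or later offset the new chunk overwrites it.
        return old_offset >= new_offset

    def add(self, offset: int, data: bytes, last: bool = False) -> bool:
        """Insert one chunk; returns False, changing nothing, when it is rejected."""
        end = offset + len(data)
        if offset < 0 or end > self.limit:
            return False                       # out of bounds: cannot fit the datagram
        if self.total is not None and end > self.total:
            return False                       # extends past the already-known end
        if last:
            if self.total is not None and self.total != end:
                return False                   # conflicting claims about where data ends
            self.total = end
        if end > len(self.buf):
            grow = end - len(self.buf)
            self.buf.extend(b"\x00" * grow)
            self.owner.extend([None] * grow)
        for i, byte in enumerate(data):
            pos = offset + i
            old = self.owner[pos]
            if old is None or self._new_wins(old, offset):
                self.buf[pos] = byte
                self.owner[pos] = offset
        return True

    def complete(self) -> Optional[bytes]:
        """The reassembled bytes once the end is known and there are no holes."""
        if self.total is None or any(o is None for o in self.owner[: self.total]):
            return None
        return bytes(self.buf[: self.total])


def reassemble(policy: str, chunks) -> Optional[bytes]:
    """Feed (offset, data, last) chunks in arrival order and return the result."""
    r = OverlapReassembler(policy)
    for offset, data, last in chunks:
        r.add(offset, data, last)
    return r.complete()


# Constructed Ptacek/Newsham-style evasion: the benign bytes arrive first and
# an overlapping chunk then rewrites the middle of the datagram.
EVASION = [(0, b"ATTACK", False), (3, b"XXXXXX", True)]

if __name__ == "__main__":
    cfg = {"default_behavior": "first",
           "endpoints": [{"ipv4_address": "1.1.1.1", "behavior": "last"}]}
    for host in ("1.1.1.1", "10.0.0.7"):
        policy = policy_for(cfg, host)
        print(host, policy, reassemble(policy, EVASION))
```

Two points the run makes visible: the same two fragments yield `ATTACKXXX` for a `first` host and `ATTXXXXXX` for a `last` host, so a monitor that reassembles with the wrong policy inspects data the target never sees; and bounding memory (the last goal above) is the caller's job, by capping the number of in-progress reassemblers per source and evicting the oldest. Recent Linux kernels (since the 2018 FragmentSmack fixes) drop IPv4 datagrams with overlapping fragments outright, so treat the `linux` policy as a model of the behavior the exercise describes rather than of every kernel you will meet.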

Submission Instructions

Commit and push the source code for your monitor to GitLab in the repository ${your_gitlab_user}/nids. The latest commit on master will be considered your submitted solution. Your repository root must also contain a Dockerfile that will build an image that runs your detector with a given configuration. That is, given a built image, running

$ docker run -it -v $(pwd):/data ${image_name} /data/config.yaml

must execute your detector configured using /data/config.yaml within the resulting container.

Finally, commit a README.md that describes your NIDS, the design choices you made to satisfy the implementation goals, and justifications for those choices.