# Network Intrusion Detection

The goals of this exercise are to:

1. Create a network intrusion detection system
2. Gain first-hand insight into dealing with IDS evasion

## NIDS Specification

Using any library of your choice, implement a network intrusion detection system that can process PCAP files. Your NIDS must be able to detect three attacks:

1. ARP cache poisoning
2. Oversize fragmented IPv4 packets
3. TCP reset injection (graduates only)

- IPv4 and TCP checksum verification
- IPv4 fragment reassembly, including overlapping and out-of-bounds fragments, respecting the configured endpoint behavior

Your detector must take a single parameter: the path to a configuration file. The configuration file must be YAML with the following format:

```yaml
pcap_path: "/data/dump.pcap"        # A path to a PCAP file
ipv4_fragment_reassembly: "first"   # Or "last", "linux"
```

Detections must be printed to stdout. A single detection is one YAML document with the following format:

```yaml
---
timestamp: 1600890293               # UNIX timestamp
source:
  tcp_port: 34567                   # Source TCP port, or null if none
target:
  tcp_port: 1234                    # Target TCP port, or null if none
attack: "arp_cache_poisoning"       # Or "oversize_ipv4_fragments", "tcp_reset_injection"
```

Ensure that no other data is written to stdout aside from a stream of detection messages, since writing other data will break YAML parsing. If you need to output debugging messages, send those to stderr.
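The following is an added example, not part of the assignment or of any reference solution. It shows the two pieces of the specification that are easiest to get subtly wrong: policy-aware IPv4 fragment reassembly (the `first`/`last`/`linux` setting from the configuration file) together with the oversize check, and emitting detections as well-formed YAML documents on stdout while keeping diagnostics on stderr. It assumes fragments have already been parsed out of the PCAP into `(offset, payload, more_fragments)` values and that the configuration has already been read; the `linux` policy is an assumed simplification, and all sample fragments are constructed inline.

```python
"""Added example: policy-aware IPv4 fragment reassembly plus YAML detection output.
Not the assignment's code; fragments are pre-parsed (assumption) so it runs offline."""
import sys
from dataclasses import dataclass, field

MAX_IPV4_LEN = 65535  # the IPv4 total-length field is 16 bits wide


def format_detection(timestamp, src_port, dst_port, attack):
    """Render one detection as a YAML document in the assignment's format."""
    def port(p):
        return "null" if p is None else str(p)
    return (
        "---\n"
        f"timestamp: {timestamp}\n"
        "source:\n"
        f"  tcp_port: {port(src_port)}\n"
        "target:\n"
        f"  tcp_port: {port(dst_port)}\n"
        f'attack: "{attack}"\n'
    )


@dataclass
class Fragment:
    offset: int     # byte offset of this fragment's payload within the datagram
    payload: bytes
    more: bool      # the MF (more fragments) flag


@dataclass
class Reassembler:
    """Reassembly buffer for one (src, dst, id, proto) tuple."""
    policy: str                                  # "first", "last" or "linux"
    buf: bytearray = field(default_factory=bytearray)
    owner: list = field(default_factory=list)    # per byte: offset of the chunk that filled it, or None
    total_len: int = None
    oversize: bool = False

    def add(self, frag):
        start, end = frag.offset, frag.offset + len(frag.payload)
        if end > MAX_IPV4_LEN:
            self.oversize = True     # cannot fit in a legal datagram: oversize_ipv4_fragments
        if not frag.more:
            self.total_len = end     # the fragment without MF fixes the datagram length
        if end > len(self.buf):
            self.buf.extend(b"\0" * (end - len(self.buf)))
            self.owner.extend([None] * (end - len(self.owner)))
        for i, b in enumerate(frag.payload):
            pos = start + i
            prev = self.owner[pos]
            if prev is None or self._new_wins(prev, start):
                self.buf[pos] = b
                self.owner[pos] = start

    def _new_wins(self, existing_start, new_start):
        """Decide which copy of an overlapping byte the modelled endpoint keeps."""
        if self.policy == "first":
            return False             # earliest-arriving data wins
        if self.policy == "last":
            return True              # latest-arriving data wins
        if self.policy == "linux":
            # Assumed simplification: keep the earlier fragment unless the new one
            # begins at a lower offset than the fragment it collides with.
            return new_start < existing_start
        raise ValueError(f"unknown reassembly policy {self.policy!r}")

    def complete(self):
        return self.total_len is not None and None not in self.owner[: self.total_len]

    def datagram(self):
        return bytes(self.buf[: self.total_len]) if self.complete() else None


def reassemble(frags, policy):
    r = Reassembler(policy)
    for f in frags:
        r.add(f)
    return r.datagram()


def scan(fragment_groups, policy):
    """Reassemble each (timestamp, src_port, dst_port, fragments) group.
    Returns (detections, yaml_text); only yaml_text belongs on stdout."""
    detections, out = [], []
    for ts, src_port, dst_port, frags in fragment_groups:
        r = Reassembler(policy)
        for f in frags:
            r.add(f)
        if r.oversize:
            d = (ts, src_port, dst_port, "oversize_ipv4_fragments")
            detections.append(d)
            out.append(format_detection(*d))
        else:
            print(f"datagram ok, complete={r.complete()}", file=sys.stderr)  # debug only
    return detections, "".join(out)


# Constructed sample input: two overlapping fragments, and a datagram whose
# final fragment runs past the 65535-byte limit (oversize).
OVERLAP = [Fragment(0, b"AAAAAAAA", True), Fragment(4, b"BBBBBBBB", False)]
HUGE = [Fragment(0, b"X" * 8, True), Fragment(65528, b"Y" * 16, False)]

if __name__ == "__main__":
    print(reassemble(OVERLAP, "first"), reassemble(OVERLAP, "last"), file=sys.stderr)
    _, yaml_text = scan([(1600890293, None, None, HUGE)], "first")
    sys.stdout.write(yaml_text)
```

Note that the same two overlapping fragments yield `AAAAAAAABBBB` under `first` but `AAAABBBBBBBB` under `last`; a detector that ignores the configured policy will reassemble a different payload than the endpoint it is protecting, which is exactly the evasion the second goal of the exercise is about.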

You can use the container image gcr.io/netsec-2020-fall/assignments/01-nids-verifier to check that your detection output is well-formatted. For instance, given detections in /tmp/detections.yaml:

```
$ podman run -it --rm -v /tmp:/data gcr.io/netsec-2020-fall/assignments/01-nids-verifier /data/detections.yaml
```

To test your attacks, you can use the PCAPs provided in previous labs.

## Submission Instructions

Package your solution as a gzipped TAR archive. Your solution should have the following basic structure:

```
$ tree -F 01-nids
01-nids
├── Containerfile
└── src/
```

In particular, the root directory must be named 01-nids, and the source code to your solution should be contained in src/. Your Containerfile should produce an image that runs your solution with a provided configuration file. For instance, given a configuration at config.yaml in the current working directory:

```
$ podman run -it -v $(pwd):/data ${image_name} /data/config.yaml
```

must execute your detector configured using /data/config.yaml.

Submit the solution archive to Canvas.