Network Intrusion Detection
Submission Deadline:
The goals of this exercise are to:
- Create a network intrusion detection system
- Gain first-hand insight into dealing with IDS evasion
NIDS Specification
Using any library of your choice, implement a network intrusion detection system that can process PCAP files. Your NIDS must be able to detect three attacks:
- ARP cache poisoning
- Oversize fragmented IPv4 packets
- TCP reset injection (graduates only)
Your NIDS should support:
- IPv4 and TCP checksum verification
- IPv4 fragment reassembly, including overlapping and out-of-bounds fragments respecting configured endpoint behavior
Your detector must take a single parameter representing the path to a configuration file. The configuration file must be in YAML, and have the following format:
pcap_path: "/data/dump.pcap" # A path to a PCAP file
ipv4_fragment_reassembly: "first" # Or "last", "linux"
Detections must be printed to stdout. The format of a single detection is as follows:
---
timestamp: 1600890293 # UNIX timestamp
source:
  mac_address: "00:11:22:33:44:55" # Source MAC address
  ipv4_address: "10.0.0.1" # Source IPv4 address, or null if none
  tcp_port: 34567 # Source TCP port, or null if none
target:
  mac_address: "66:77:88:99:aa:bb" # Target MAC address
  ipv4_address: "10.0.0.2" # Target IPv4 address, or null if none
  tcp_port: 1234 # Target TCP port, or null if none
attack: "arp_cache_poisoning" # Or "oversize_ipv4_fragments", "tcp_reset_injection"
Ensure that no other data is written to stdout aside from a stream of detection messages, since writing other data will break YAML parsing. If you need to output debugging messages, send those to stderr.
You can use the container image gcr.io/netsec-2020-fall/assignments/01-nids-verifier to check that your detection output is well-formatted. For instance, given detections in /tmp/detections.yaml:
$ podman run -it --rm -v /tmp:/data gcr.io/netsec-2020-fall/assignments/01-nids-verifier /data/detections.yaml
To test your detector against these attacks, you can use the PCAPs provided in previous labs.
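As an added illustration (not part of the assignment or of any reference solution), here is a minimal ARP cache poisoning detector in Python that emits the output format above. It assumes raw Ethernet frames and their capture timestamps have already been read from the PCAP by whatever library you choose, and it uses one simple heuristic that is this example's own assumption: the first MAC seen claiming an IPv4 address in an ARP reply is trusted, and any later reply binding that address to a different MAC is reported.

```python
import struct

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp_reply(frame):
    """Parse an Ethernet/ARP reply (opcode 2) from raw frame bytes; None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # not EtherType ARP
        return None
    _hrd, _pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    if op != 2 or hln != 6 or pln != 4:
        return None
    return {"sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}

class ArpPoisonDetector:
    """Flags an ARP reply whose sender IP was earlier bound to a different MAC (first binding wins)."""
    def __init__(self):
        self.bindings = {}  # sender IPv4 -> first MAC observed claiming it
    def process(self, timestamp, frame):
        arp = parse_arp_reply(frame)
        if arp is None:
            return None
        known = self.bindings.setdefault(arp["spa"], arp["sha"])
        if known == arp["sha"]:
            return None  # consistent with what we learned earlier
        return {"timestamp": timestamp, "attack": "arp_cache_poisoning",
                "source": {"mac_address": arp["sha"], "ipv4_address": arp["spa"], "tcp_port": None},
                "target": {"mac_address": arp["tha"], "ipv4_address": arp["tpa"], "tcp_port": None}}

def format_detection(d):
    """Render one detection as a YAML document in the required output format (no PyYAML needed)."""
    def endpoint(e):
        ip = "null" if e["ipv4_address"] is None else f'"{e["ipv4_address"]}"'
        port = "null" if e["tcp_port"] is None else str(e["tcp_port"])
        return f'  mac_address: "{e["mac_address"]}"\n  ipv4_address: {ip}\n  tcp_port: {port}\n'
    return (f"---\ntimestamp: {d['timestamp']}\nsource:\n{endpoint(d['source'])}"
            f"target:\n{endpoint(d['target'])}attack: \"{d['attack']}\"\n")

def build_arp_reply(sha, spa, tha, tpa):
    """Constructed test fixture: a raw Ethernet frame carrying an ARP reply (stands in for a PCAP record)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (mac(tha) + mac(sha) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

if __name__ == "__main__":  # constructed sample: a legitimate reply for 10.0.0.2, then a conflicting one
    det = ArpPoisonDetector()
    for mac, ts in [("66:77:88:99:aa:bb", 1600890293), ("de:ad:be:ef:00:01", 1600890294)]:
        d = det.process(ts, build_arp_reply(mac, "10.0.0.2", "00:11:22:33:44:55", "10.0.0.1"))
        if d: print(format_detection(d), end="")  # only detections go to stdout
```

A real submission would also cross-check the ARP sender MAC against the Ethernet source MAC and handle gratuitous replies; the heuristic here only shows the binding-change case.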
Submission Instructions
Package your solution as a gzipped TAR archive. Your solution should have the following basic structure:
$ tree -F 01-nids
01-nids
├── Containerfile
└── src/
In particular, the root directory must be named 01-nids, and the source code to your solution should be contained in src/. Your Containerfile should produce an image that runs your solution with a provided configuration file. For instance, given a configuration at config.yaml in the current working directory:
$ podman run -it -v $(pwd):/data ${image_name} /data/config.yaml
must execute your detector configured using /data/config.yaml.
Submit the solution archive to Canvas.