Network Intrusion Detection

Submission Deadline:

The goals of this exercise are to:

  1. Create a network intrusion detection system
  2. Gain first-hand insight into dealing with IDS evasion

NIDS Specification

Using any library of your choice, implement a network intrusion detection system that can process PCAP files. Your NIDS must be able to detect three attacks:

  1. ARP cache poisoning
  2. Oversize fragmented IPv4 packets
  3. TCP reset injection (graduates only)

Your NIDS should support:

  • IPv4 and TCP checksum verification
  • IPv4 fragment reassembly, including overlapping and out-of-bounds fragments respecting configured endpoint behavior

Your detector must take a single parameter representing the path to a configuration file. The configuration file must be in YAML, and have the following format:

pcap_path: "/data/dump.pcap"        # A path to a PCAP file
ipv4_fragment_reassembly: "first"   # Or "last", "linux"
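As an added illustration, not part of the handout, the Python below reassembles one datagram's fragments under the "first" and "last" policies named in the config and flags the oversize condition from the attack list; fragments are constructed tuples rather than parsed PCAP records, and the "linux" policy is left out.

```python
# Added example, not part of the assignment handout. A minimal IPv4
# fragment reassembler implementing the "first" and "last" overlap
# policies from the config file, plus the oversize-datagram check.
# Fragments are constructed here as tuples instead of parsed PCAP records;
# the "linux" policy is not implemented.

IPV4_HEADER_LEN = 20
# The 16-bit Total Length field caps a datagram, header included, at 65535.
IPV4_MAX_PAYLOAD = 65535 - IPV4_HEADER_LEN


def reassemble(fragments, policy="first"):
    """Reassemble one datagram's fragments; returns (payload, oversize).

    fragments: (byte_offset, more_fragments, payload) tuples in arrival
               order; byte_offset is the header's fragment offset * 8.
    policy:    "first" keeps the earliest-arriving byte on overlap,
               "last" lets later fragments overwrite earlier data.
    payload is None while the datagram is incomplete; oversize is True as
    soon as any fragment reaches past IPV4_MAX_PAYLOAD, which is the
    signature of an oversize fragmented IPv4 packet.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unsupported reassembly policy: {policy!r}")
    data = {}          # byte position -> byte value
    total_len = None   # known once the fragment with MF == 0 arrives
    oversize = False
    for offset, more, payload in fragments:
        end = offset + len(payload)
        if end > IPV4_MAX_PAYLOAD:
            oversize = True
        if not more:
            total_len = end
        for i, b in enumerate(payload):
            pos = offset + i
            # "first": keep what is already there; "last": overwrite.
            if policy == "last" or pos not in data:
                data[pos] = b
    if total_len is None or any(p not in data for p in range(total_len)):
        return None, oversize   # last fragment missing, or a hole remains
    return bytes(data[p] for p in range(total_len)), oversize


if __name__ == "__main__":
    # Constructed overlapping fragments: the second and third both claim
    # bytes 4..7, so the two policies yield different reassembled data.
    overlap = [(0, True, b"ATTA"), (4, True, b"CKXX"), (4, False, b"CKER")]
    print(reassemble(overlap, "first"))   # (b'ATTACKXX', False)
    print(reassemble(overlap, "last"))    # (b'ATTACKER', False)
    # A fragment at the maximum offset (8191 * 8) carrying 16 bytes.
    print(reassemble([(0, True, b"A" * 8), (65528, False, b"B" * 16)]))
```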

Detections must be printed to stdout. The format of a single detection is as follows:

timestamp: 1600890293               # UNIX timestamp
  mac_address: "00:11:22:33:44:55"  # Source MAC address
  ipv4_address: ""          # Source IPv4 address, or null if none
  tcp_port: 34567                   # Source TCP port, or null if none
  mac_address: "66:77:88:99:aa:bb"  # Target MAC address
  ipv4_address: ""          # Target IPv4 address, or null if none
  tcp_port: 1234                    # Target TCP port, or null if none
attack: "arp_cache_poisoning"       # Or, "oversize_ipv4_fragments", "tcp_reset_injection"

Ensure that no other data is written to stdout aside from a stream of detection messages, since writing other data will break YAML parsing. If you need to output debugging messages, send those to stderr.

You can use the container image to check that your detection output is well-formatted. For instance, given detections in /tmp/detections.yaml:

$ podman run -it --rm -v /tmp:/data /data/detections.yaml

To test your detector against these attacks, you can use the PCAPs provided in previous labs.

Submission Instructions

Package your solution as a gzipped TAR archive. Your solution should have the following basic structure:

$ tree -F 01-nids
├── Containerfile
└── src/

In particular, the root directory must be named 01-nids, and the source code to your solution should be contained in src/. Your Containerfile should produce an image that runs your solution with a provided configuration file. For instance, given a configuration at config.yaml in the current working directory:

$ podman run -it -v $(pwd):/data ${image_name} /data/config.yaml

must execute your detector configured using /data/config.yaml.

Submit the solution archive to Canvas.