Ethereal-users: [Ethereal-users] Port of Net::Pcap complete!!!

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Flowers, Jay" <Jay_Flowers@xxxxxxxxxx>
Date: Fri, 11 Jan 2002 07:34:02 -0500
First:

Wayne Rogers (mostly him) and I have completed a port of the *inx Perl
Module Net::Pcap.  We would like to post it on Cpan, but need some testing
first.  If any of you could use this module and would be willing to help
test it please send me or Wayne (wayne_rogers@xxxxxxxxxx) an email.

 

Second:

We are porting Net::Pcap to widows to make a distributed NIDS that will work
on both Win32 and *nix platforms.  If anyone would like to participate small
or large please send me an email.

 

The general plan so far:

Write the client and server app in Perl and then use something like Perl2Exe
to make and executable out of the scripts.

 

The four major things that I don't see in the other open source NIDSs: Not
distributed, one machine is scanning all the network traffic If it is
distributed it doesn't run on Win32 they do not take any actions other than
logging or notification they do not address DHCP spoofing or Arp attacks

 

The last one amazes me the most.  I have already found several solutions to
the DHCP spoofing, and Arp attacks.  I have not decided which are the best
yet, I need to test which are the most robust.

 

Most of the work as far as rules to pass the traffic through have already
been done in Snort.  I was thinking that the best thing to do would be to
store several sets of rules on the server.  Then to configure the server to
apply the appropriate set of rules to each client app.  The client app would
report to the server any activity that matched its rules.  Then the server
can take action(s) based on its rules.  For instances if a client reported
to the server that it received an Arp spoof attach, the server could to do
several things at this point.  It would of course log this and email the
administrator, but it could also; log all of the compromised clients current
connections to the external net, order one of the clients on that segment to
send a crafted arp packet to correct the arp spoof, shutdown the compromised
client, shutdown the port of the switch that the client is connected to, or
just kill all it's connections to the external net, or ... I am not sure yet
which are the best actions to include in the app.

 

I could go on and on about this, but that is not for this mailing list.  If
you are interested please give me a shout.  

 

Thanks for listening to me ramble

 

Jay Flowers

 

 

 

Jay Flowers

Integic Health Care