On 16 Oct 2007 12:13:56 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Hi > > > Recently i'm working on a new IDS project. > > As a matter a fact at the moment i'm stuck in a point where i'm supposted to > decide few very important things : > > > 1) Which language?? C/C++ with its > > already implemented projects (Snort, ModSecurity), Java with its > multiplatform option?
You'll probably find you have to do the low-level stuff in something like C, or using C libraries. I'd be quite sympathetic to using Java for higher level stuff like correlation, but others may disagree. > 3) How is network IDS analizing network activity when almost every package > nowadays is encrypted? A lot of stuff these days is not encrypted, like attacks against web applications over plain HTTP. Even on other protocols, it's possible to detect an attack in progress which is exploiting a parsing weakness. I think the THCIISLAME (google it) attack is a detectable attack using an encrypted protocol(?). As another example, you can try to detect SSH brute-forcing attempts by the connection rate, even though SSH is an encrypted protocol. > 4) I'm thinking about encrypting IDS messages/alerts-packages as well? What > cipher should i use? The 'easy' answer is something like AES128 / SHA256 / CBC - if you do it right you'll prevent eavesdropping and the insertion of fake messages. You will probably want to think about preventing replay attacks as well, which is a bit harder. 'Practical Cryptography' by Ferguson and Schneier is well worth a read if you're implementing crypto - even if you use a library such as botan to implement the crypto primitives. cheers, Jamie -- Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED] UK Honeynet Project: http://www.ukhoneynet.org/ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
