Hi, can I benefit from the Lua API to make a program that does a kind of intrusion detection in real time, by running a Lua program that filters specific packets, extracts some fields from them and does some processing on them to detect some cases of intrusion? Could this be a working idea???

asked 19 Nov '12, 11:04 Leena
One Answer:
An IDS is only useful if it runs all the time monitoring traffic. Unfortunately it's not a good idea to run Wireshark for a long time capturing data, as it will build internal state in memory and thus the memory consumption will constantly get larger until the OS runs out of memory. If you want to use Lua, I suggest looking at a pcap library for Lua.
However, that library will only give access to the "raw" packets. So you won't have all the dissecting functionality of Wireshark, which in turn makes it harder to create an IDS, as you will have to inspect (dissect) the protocols yourself to a level that is useful for an IDS.

UPDATE: I have just found an interesting open source project: WireShnork - A Snort plugin for Wireshark
Maybe you can benefit from that code and/or their ideas ;-) Regards

answered 19 Nov '12, 11:19 Kurt Knochner ♦ edited 20 Nov '12, 03:13

Thanks a lot for your answer, it's very useful to me. But I have further questions: what do you mean by a long time (how long??)? Another question: can you think of another solution for this problem (while keeping the use of Wireshark)? The one you gave me about using libpcap is good, but I still want to run Wireshark for some reasons. Any suggestion for the memory problem? Does creating capture files as in (Capture Options - Use multiple files) help?? Thanks a lot. (19 Nov '12, 23:36) Leena
It depends on the amount of traffic and the PC where you capture the data (amount of RAM). It can be seconds, minutes, hours.
Only by making substantial changes to the internals of Wireshark, like dropping any data gathered after a TCP connection has been closed, as the IDS has seen the interesting parts.
Well, buy a system with 256 GByte RAM. But that will only delay the problem ;-)
Probably. If it is sufficient for your IDS that one process captures data and writes it to disk while another process (much later) analyzes the data, that could possibly be a solution. However, due to the delay between data capturing and analysis, the IDS would be a rather bad IDS, as the attack has already taken place by the time you detect it in the capture file. Why do you want to write your own IDS (there are free alternatives like Snort, which you could extend/modify to match your requirements) and why do you need Wireshark for that? If we learn more about your project, maybe we can suggest another solution. (19 Nov '12, 23:56) Kurt Knochner ♦

It was my supervisor who specified using Wireshark; it is an idea and I should find out whether it works or not. I extract some fields from the packet header to take a look at the network traffic to see if there is any possibility of the existence of some threats. I found the Lua API easy, and there is not too much work on it, as I read in one of your site's questions (Lua binding/integration documentation), so I'd like to benefit from it. I need the Wireshark files to be kept for the network administrator, in case an alert is issued, and to extend the work in future, keeping raw packets. Your opinion will be very much appreciated. Thanks. (20 Nov '12, 01:27) Leena

I forgot to mention that I take a look at the traffic at the end of each minute or less. Could generating a file for each period be useful and put less load on the memory?? I'm not a good programmer, so I don't have an idea about issues like this. (20 Nov '12, 01:32) Leena
Well, as I said: if that is good enough for your IDS, you could capture files with
For a low traffic environment this might work (somehow). In a high traffic environment you might get into trouble if there is more data coming in than you can process at the same time. (20 Nov '12, 01:48) Kurt Knochner ♦

How can I do this ((hopefully small enough to process them in time) and analyzes them)?? I don't know how to pass the files to tshark automatically. (20 Nov '12, 03:55) Leena

You will need some programming knowledge to automate that, either with a typical programming language like C, C++, C# or with a scripting language like Perl, Python, Lua, etc. You need to write a program that:
(20 Nov '12, 06:38) Kurt Knochner ♦

Sorry, but I don't understand (• scans a directory for new capture files). Can you explain it with an example?? (21 Nov '12, 17:35) Leena
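The automation step discussed above, as an added example that is not part of the original thread and not Kurt's or the Wireshark project's code: a small Python watcher that scans a directory for new capture files, hands each completed file to tshark to extract a few header fields, and applies one simple rule to the extracted fields (sources that send SYN-only segments to many different ports in one file). It assumes a ring-buffer capture (`tshark -b` / `dumpcap -b`) writes `.pcapng` files into a placeholder directory `/var/captures`, that `tshark` is on `PATH`, and that the newest file in the directory is still being written and should be skipped until the next scan. The sample tshark output embedded at the bottom is constructed so the parsing and the rule can be tried without tshark installed.

```python
"""Watch a capture directory, run tshark on each finished file, apply a rule.

Added example for this thread; the directory, suffixes, threshold and the
"newest file is still open" rule are assumptions, not anything Wireshark
prescribes.
"""
import os
import subprocess
import time
from collections import defaultdict

CAPTURE_DIR = "/var/captures"          # placeholder: where the ring-buffer files land
CAPTURE_SUFFIXES = (".pcap", ".pcapng")

# Header fields extracted per TCP segment; these are tshark display-filter field names.
FIELDS = ["ip.src", "ip.dst", "tcp.dstport", "tcp.flags.syn", "tcp.flags.ack"]


def find_new_captures(directory, seen):
    """Return capture files in `directory` not yet in `seen`, oldest first.
    The newest file is skipped because the capture process is assumed to be
    still writing it; it is picked up on a later scan once a newer file exists."""
    paths = [
        os.path.join(directory, name)
        for name in os.listdir(directory)
        if name.endswith(CAPTURE_SUFFIXES)
    ]
    # sort by mtime, then by name so ties (coarse mtime resolution) are deterministic
    paths.sort(key=lambda p: (os.path.getmtime(p), p))
    return [p for p in paths[:-1] if p not in seen]


def tshark_field_lines(path):
    """Let tshark dissect the file and print one tab-separated line per TCP segment."""
    cmd = ["tshark", "-r", path, "-Y", "tcp", "-T", "fields", "-E", "separator=/t"]
    for field in FIELDS:
        cmd += ["-e", field]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return result.stdout.splitlines()


def parse_field_lines(lines):
    """Turn tshark's tab-separated field output into dicts keyed by field name."""
    records = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) == len(FIELDS):          # skip malformed or empty lines
            records.append(dict(zip(FIELDS, parts)))
    return records


def _is_set(flag):
    # tshark prints boolean fields as 1/0 in older releases and True/False in newer ones
    return flag in ("1", "True")


def syn_only_port_counts(records):
    """Distinct destination ports each source touched with SYN-only segments
    (SYN set, ACK clear), i.e. fresh connection attempts."""
    ports = defaultdict(set)
    for r in records:
        if _is_set(r["tcp.flags.syn"]) and not _is_set(r["tcp.flags.ack"]):
            ports[r["ip.src"]].add(r["tcp.dstport"])
    return {src: len(p) for src, p in ports.items()}


def alerts_for(records, threshold=20):
    """Sources that opened connections to more than `threshold` distinct ports in one file."""
    return sorted(src for src, n in syn_only_port_counts(records).items() if n > threshold)


def watch(directory=CAPTURE_DIR, interval=10):
    """Poll the directory and analyse every completed capture file exactly once."""
    seen = set()
    while True:
        for path in find_new_captures(directory, seen):
            records = parse_field_lines(tshark_field_lines(path))
            counts = syn_only_port_counts(records)
            for src in alerts_for(records):
                print(f"ALERT {os.path.basename(path)}: {src} tried {counts[src]} distinct ports")
            seen.add(path)
        time.sleep(interval)


# Constructed sample of tshark field output (not real traffic): ip.src, ip.dst,
# tcp.dstport, tcp.flags.syn, tcp.flags.ack, tab-separated.
SAMPLE_LINES = [
    "10.0.0.5\t10.0.0.9\t22\t1\t0",
    "10.0.0.5\t10.0.0.9\t80\t1\t0",
    "10.0.0.5\t10.0.0.9\t443\t1\t0",
    "10.0.0.9\t10.0.0.5\t51000\t1\t1",   # SYN/ACK reply: ignored by the rule
    "10.0.0.7\t10.0.0.9\t80\t1\t0",
    "10.0.0.7\t10.0.0.9\t80\t0\t1",      # data segment: ignored by the rule
]

if __name__ == "__main__":
    recs = parse_field_lines(SAMPLE_LINES)
    print(syn_only_port_counts(recs))      # {'10.0.0.5': 3, '10.0.0.7': 1}
    print(alerts_for(recs, threshold=2))   # ['10.0.0.5']
    # watch()  # run this against the real ring-buffer directory
```

Run it as-is to see the rule applied to the sample lines; with `watch()` enabled it loops forever, so on a busy link the per-file tshark run has to finish faster than the capture process produces the next file, which is exactly the "more data coming in than you can process" problem mentioned above.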
Hi @helloworld, I would like to know your opinion about this question.