Curiosity is in our nature; we are a social and adventurous species by default. Our predecessors would set on missions thousands of years ago, seeking to uncover the secrets of our planet. In the modern era, with all of the gadgets and invisible connections that allow us to be “present” anywhere on this planet, our inner explorer seems to be less prominent due to a seemingly smaller surface of “unknown”. But by contrast, this apparent illusion of a smaller world has made it even bigger. Just think about it for a moment; there are a billion invisible roads around us with data flying from one end to the other that we never feel, see, or hear. In the past, people were not able to comprehend or be aware of the whole 196.9 million mi² – Earth surface area, and while we are aware of that today, the number is exponentially larger because of an innumerable amount of virtual connections surrounding us.
So what does this have to do with what I am doing? Everything, actually. I am extremely intrigued by how there is so much going on around us, yet we know little-to-nothing about it; more specifically, about network connections. Our gadgets are merely needles in a haystack, a big haystack, of Internet-connected machines, open for anyone to <attempt to> interact with them. This is a great thing (makes the world appear smaller, remember?), as long as everyone is acting according to ethical codes and is utilizing this amazing technology not to harm anyone. Let’s not fool ourselves – we do not live in a world where everyone wishes us all the happiness in the world. The latter sort of pisses me off, especially because it is SO EASY to inflict harm to someone via the Internet. Enter, IDS project.
Our systems tend to have intrusion detection (IDS) or intrusion prevention (IPS) solutions pre-packaged and configured to run in the background, so we never have to interact with them. This is great, but we never really get to see what is going on inside, especially if we lack knowledge of how the software works, what protocols are being used, etc. I’ve taken on a task to configure a honeypot server with a signature-based IDS and track every single stream of data that attempts to reach it. A honeypot server is considered to be an entity in a network, physical or virtual, with a task to attract especially harmful traffic in order to get a better understanding of who, what, how, and from where are threats emerging.
The server is running Ubuntu 16.04 x86, which works great since I am not seeking to break down malware and whatnot (in which case I would likely be using Win server). The data is captured, parsed, and then stored in a MySQL database. Here is the second part of the project: a dynamic and fully-scalable query engine for the database. The software I am using does not come with a very visually pleasing or easy to use interface, thus I decided to make one, because how hard can it be to make a completely customizable db interface.
The visuals are much more helpful with the representation than what it is about to follow.
On my honeypot server, Ubuntu, I have installed SNORT to function as an IPS/IDS. SNORT is an amazing piece of open source software used for IPS/IDS. In conjunction with SNORT, the system is running Barnyard2, PulledPork, and BASE. Some other tools supporting SNORT are: pcap, PCRE, Libdnet, DAQ.
Barnyard2 greatly reduces the load on the system, by storing SNORT’s output into a MySQL database. Super helpful on my server with a relatively weak resource pool.
PulledPork is simply a tool that keeps SNORT up to date (works via crontab).
BASE is a web interface for viewing and managing SNORT rules. However, it is outdated and hence I’m attempting to create my own sometime along the road.
A truly magnificent and hands-down the best guide, among any type of installation/configuration of any software or process I ever came across, for installing SNORT can be found on SublimeRobots.
The other server, which is hosting my web GUI, is also running Ubuntu 16.04 x86. On top of it lie Apache2, PHP7, and MySQL, with Slim v3 as a lightweight micro-framework. To access it, click here. To play with my honeypot server database, follow this link.
The endgame is to come up with a cool and efficient way for analyzing, correlating, and displaying the data captured by SNORT. Ultimately, I would like to achieve a fully-customizable GUI to satisfy these parameters. I realize I could just download a giant PCAP from the Internet and play with the data in an existent data analytics software, but where is the fun in that? Doing everything from scratch will be much more valuable. And fun.
The next step is to configure SNORT to run in promiscuous mode to enhance its functionality and packet-capture capability.
The query-engine part of the project will require a lot of tedious work to achieve a truly elastic capability-set, however, this is something I thoroughly enjoy and I am looking forward to the long nights of coding.
Based on the progression, I will likely scale the server presence to multiple units in different locations across the world. I really want to see how different virtual (and geo) locations differentiate by what goes in and out.
Channeling my inner explorer has brought me to various interesting places in life. This time the exploring part is rather stationary, but I strongly hope it leads me to a better, deeper understanding of the virtual world around us.
Thank you for your time!