Hey all!
I'm currently working on designing an intrusion detection system written in pure
asm. I'm just trying to flowchart it for now to be sure the logic works out.
I want it to have real-time monitoring, the ability to monitor itself, it can't
slow down the CPU, observe deviations from normal behavior, easily cope with system
changes such as adding new apps, and be difficult to fool.
Looking for ideas on how to implement some of these features.

Also, coders interested in working on the project with me.
Thx in advance. :alright:
Posted on 2003-02-08 15:57:46 by Tweak
What?
Posted on 2003-02-08 21:44:10 by comrade
Well, I'm more into security and was thinking of writing an IDS (intrusion detection
system) for home users to help protect their computers against hackers and trojans.
Was wondering if anyone could help me learn how such a system works and how I could code one.
Posted on 2003-02-09 05:07:07 by Tweak
Well I suppose it would have to monitor network-related values on system constantly, and report if anything goes "suspicious".
Posted on 2003-02-10 19:20:34 by comrade
yea, I know

Sorry if I didn't mention this before, but I was looking for new ideas that anyone might have. I want it to have real-time monitoring features.
Thanks for posting though, you still made some good ideas brew up in tha head.
*puts down coffee* back to tha drawing board.
Posted on 2003-02-14 17:20:09 by Tweak
Well, look at the linux world. The IDS there are usually separated into two families:

file monitoring
network monitoring

I only like the first ones. After all, it's the files that make the settings and they are important (so you need to know when/if they have been changed).
The network monitoring ones are usually only good for clogging up your network (ethernet race conditions). :/

Maybe you should read some reports on linux & windows IDS and see how their features are hailed.

In the FAQ you'll find a routine to calculate some hashes.
Posted on 2003-02-15 04:04:40 by Hiroshimator
Thx Hiro.

That's what I was looking for: some info that I can study or read to see how different IDS work. The advice on file monitoring IDS seems interesting.

Guess it's time to fire up that trusty Go0gle.
It always finds what I'm looking for and is how I found this site. Man, you got to love Win32 ASM'ers, this place is a vortex of a true coder.

Thx for all your info, hope to release this IDS soon.
Posted on 2003-02-15 21:35:27 by Tweak
Is this IDS system a remote hardware setup with sensors, like in a home alarm, for PC protection alone, or both???

Plus, which OS you plan on running it on?

If you're gonna run it on a Windows machine, I'd do research on Winsock and socket-based communications for firewall support, registry & file monitoring for internal protection, and if you want a program that protects itself, add a custom-designed AI which is event driven, or a message detection implementation, and have it make validity checks etc. on itself whenever certain events take place to assure modifications haven't happened. You do this by setting a standard for the application: gather various known constant/unchangeable information about the designed application, and then use that information for comparisons in your validity checks...

If you want to do trojan scanning, well, that's another story, pretty difficult and probably impossible to ever make one that's complete in every aspect, since if everything could be predicted infections would never take place. It is, however, not that hard to make a basic port-based scanner, but if you want a heuristic scanner for files, you'd have to implement some sort of definition library to check for common trojan code snippets. To do that, either find an existing free definition file that contains this information and use it for comparison, or implement your own basic rule set and start from scratch. Example:

Question:
On a Windows machine, what is one common method a lot of trojans & viruses have used over the years to start up every time you boot your computer, to make sure a system is compromised at boot time and running in the background?

Answer:
The startup section of the registry...


Now if you want some strong local protection against remote threats that will accurately tell internet problems apart from actual hacking, creating a packet monitor, using a basic rule set/filter for it, and having the ability to decode various packet protocols and view the data within each packet is probably the best thing...


There's some security! ;o)


E4 Unofficial:
http://e4.web1000.com
Posted on 2003-03-05 02:04:53 by Knight Chat X
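Hiroshimator's file-monitoring family (with the hash routine he points to in the FAQ) and Knight Chat X's self-validity check both rest on the same mechanism: hash known-good files once, store the digests, re-hash later and compare. The Python below is an added example written for this thread, not code from the thread, the FAQ, or Tweak's project. The function names (build_baseline, compare, self_check, demo) are my own, the directory tree it checks is constructed inside the script, and it uses SHA-256 rather than whichever hash the FAQ routine computes.

```python
import hashlib
import tempfile
from pathlib import Path

# Path of this module, recorded once so self_check() can re-hash it later.
SELF_PATH = Path(__file__).resolve()


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Walk a directory tree and record digest, size and mode of every file.
    Keys are POSIX-style relative paths so the baseline is portable."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode,
            }
    return baseline


def compare(baseline, current):
    """Diff two baselines: files that appeared, vanished, or changed content."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(
            name for name in old & new
            if baseline[name]["sha256"] != current[name]["sha256"]
        ),
    }


def self_check(expected_digest):
    """Validity check on the monitor itself: compare the digest of this file
    against a value recorded when the program was built. Hypothetical helper;
    the expected digest must live somewhere an attacker cannot rewrite along
    with the file (read-only media, a signed record), or the check proves
    nothing."""
    return hash_file(SELF_PATH) == expected_digest


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ original program bytes")
        (root / "config.ini").write_text("[settings]\nlevel=high\n")
        baseline = build_baseline(root)

        # Simulated changes a file-monitoring IDS should notice:
        # a patched binary, a dropped file, and a deleted config.
        (root / "bin" / "app.exe").write_bytes(b"MZ patched program bytes")
        (root / "bin" / "dropper.exe").write_bytes(b"MZ new file")
        (root / "config.ini").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The weak point of both checks is where the baseline lives: if the digests sit next to the files they describe, or the self-check's expected value is compiled into the binary, anything that can rewrite the monitored file can rewrite the reference too. Keeping the baseline off the monitored host, or at least on read-only storage, is what makes the comparison meaningful.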
Mostly software,

OS Platform: Windows XP, 2000, NT

Yes, it must check itself for validity. I was trying to create my own basic rule set, seems to me the best way. Packet monitoring? Seems hard, but if there's a will there's a way.
Posted on 2003-03-07 15:50:06 by Tweak
Yep, hard but not impossible. The hardest part about a packet monitor is implementing various standard protocols so when data is viewed it is decoded properly.

The best thing about a packet monitor is you can tell who's connected to what port on your system, see how the data flows in & out through the ports and how much, if a hacker scans your system you can see it, if you wish to see more of the communication between the local and remote PC, you can look inside the packet.

If there's currently a wave of internet attacks, you can verify certain things with it specific to connection quality.

Such as when the Slammer Worm was making hits, and it was causing problems across the world, I was using one and it helped me determine the problem before it was reported. I'll probably release that data someday as I don't believe the worm has been completely relieved...
Posted on 2003-03-08 01:48:41 by Knight Chat X
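The packet monitor Knight Chat X describes has two parts: a decoder that turns raw bytes into named fields (the part he calls the hard one), and a rule set applied to those fields. The Python below is an added example, not code from this thread; the frames it inspects are constructed in the script, checksums are not validated, and the rule names and functions (decode_frame, apply_rules, analyze) are my own. The UDP/1434 rule uses the port the Slammer worm targeted, which is a known fact about the worm, not something stated in the thread.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP/UDP headers into a dict of fields.
    Checksums are not validated; other layers are left undecoded."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"ethertype": ethertype, "l4": None, "alerts": []}
    if ethertype != ETHERTYPE_IPV4:
        return pkt
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    pkt.update(src=str(IPv4Address(src)), dst=str(IPv4Address(dst)),
               proto=proto, ttl=ttl)
    l4 = ip[ihl:total_len]
    if proto == PROTO_TCP and len(l4) >= 20:
        (sport, dport, seq, _ack, off_flags,
         _win, _csum, _urg) = struct.unpack("!HHIIHHHH", l4[:20])
        data_offset = (off_flags >> 12) * 4
        pkt.update(l4="tcp", sport=sport, dport=dport, seq=seq,
                   flags=off_flags & 0x1FF, data=l4[data_offset:])
    elif proto == PROTO_UDP and len(l4) >= 8:
        sport, dport, length, _csum = struct.unpack("!HHHH", l4[:8])
        pkt.update(l4="udp", sport=sport, dport=dport, data=l4[8:length])
    return pkt


def apply_rules(pkt, allowed_tcp_ports=frozenset({80, 443})):
    """Minimal rule set over decoded fields; returns a list of alert strings."""
    alerts = []
    if pkt["l4"] == "udp" and pkt["dport"] == 1434:
        alerts.append("udp/1434: SQL Slammer-style probe of the MS-SQL resolution service")
    if (pkt["l4"] == "tcp" and (pkt["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
            and pkt["dport"] not in allowed_tcp_ports):
        alerts.append("inbound SYN to unexpected port %d" % pkt["dport"])
    return alerts


# --- constructed sample traffic (no real capture involved) -----------------

def build_frame(src_ip, dst_ip, proto, l4):
    """Wrap a layer-4 segment in constructed Ethernet and IPv4 headers.
    Checksums are left zero because the decoder does not check them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                         64, proto, 0, IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed)
    return eth + ip_hdr + l4


def tcp_segment(sport, dport, flags):
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)


def udp_datagram(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLE_FRAMES = [
    build_frame("203.0.113.7", "192.168.1.10", PROTO_TCP, tcp_segment(40000, 12345, TCP_SYN)),
    build_frame("203.0.113.7", "192.168.1.10", PROTO_UDP, udp_datagram(1025, 1434, b"\x04" + b"\x01" * 8)),
    build_frame("203.0.113.7", "192.168.1.10", PROTO_TCP, tcp_segment(40001, 443, TCP_SYN)),
]


def analyze(frames=SAMPLE_FRAMES):
    """Decode each frame and attach the alerts the rule set raises for it."""
    results = []
    for frame in frames:
        pkt = decode_frame(frame)
        pkt["alerts"] = apply_rules(pkt)
        results.append(pkt)
    return results


if __name__ == "__main__":
    for pkt in analyze():
        print(pkt["src"], "->", pkt["dst"], pkt["l4"], pkt.get("dport"), pkt["alerts"])
```

The decoder deliberately carries the header-length fields (IHL, TCP data offset) through to the payload slice rather than assuming fixed 20-byte headers; options-bearing packets are the usual way a naive decoder ends up reading the wrong bytes as data. A real monitor would also have to reassemble fragments and follow TCP streams before rules over payload content mean anything.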
Well, it seems to me that I'm not that experienced in asm to write such an app
right now, so I'm going to be putting this app off until a later time, until I get some more practice in asm. I see I have a lot to learn before I take on such an app.

But I will still be researching it to learn more about them. Then I will write the app. I'm only a student and it seems that everyone knows more than me. But I'm not giving up the project, just putting it off until a later time, "this summer" when I have more time and am not coding school projects.

I hope everyone understands and doesn't flame me for this decision. -Tweak-
Posted on 2003-03-13 11:18:47 by Tweak