Learning GNS3 at workplace.
Been enjoying it so far. Recommended a community forums for cisco simulator.
http://7200emu.hacki.at/
Friday, July 26, 2013
Saturday, April 20, 2013
GANIDS (beta 0.9) - Genetic Algorithms for Deriving Network Intrusion Rules
GANIDS (beta 0.9) - Genetic Algorithms for Deriving Network Intrusion Rules
For the past month since late March 2013 to today 20th April 2013, I have been developing a Genetic Algorithm that can be used to derive rules for signature-based Network Intrusion Detection Systems(i.e. Snort, Bro etc.) using Python 2.7.3 and DEAP 0.9 (a Python Evolutionary Algorithm library), and DARPA dataset as training and testing data.
"In the computer science field of artificial intelligence, a genetic algorithm (GA) is a search heuristic that mimics the process of natural evolution. This heuristic (also sometimes called a metaheuristic) is routinely used to generate useful solutions to optimization and search problems" - Wikipedia
By following the papers of Wei Li and Ren Hui Gong, and Brian E. Lavender, I'm able to implement my own with many modifications, serveral add-ons, and optimizations.
Li suggested an approach to use GA in IDS for anomaly detection and provided a fitness function and chromosome structure. Li promised to deliver the code but it was never published.
Gong then used Li's approach to provide pseudo codes and class diagram, and certain amount of clarity about the evolutionary process have been given. However, there was not much guideline on how the selection, crossover, and mutation operators could be be implemented. Gong suggested using ECJ Java Library to code the genetic algorithm but his code was never published anywhere.
Brian E. Lavender was the first person who successfully implemented a genetic algorithm for this approach following the guidelines of the first two. Brian also provided a clearer modified version of pseudo code, a detailed guideline on how to build selection, crossover, and mutation operators. He is currently also the only person who published his code in his project report. His program is called netGA.
However, while netGA meets its functional requirement and can generate rules with optimized fitness values, it still lacks in extensibility. It was modeled to run only on one sample of DARPA audit training and testing dataset. Many certain options and optimizations could be added if it was to run well on other datasets. And that is what I plan to implement and improve on.
Nonetheless, Brian had paved for me a stepping stone that conclusively proves the possibility of integration between Network Intrusion Detection System and Genetic Algorithms. He has also been providing help and advices in the emails we have been exchanging. So I'd like to thank Brian here.
At the moment I call my GA program GANIDS (Renamed to AceGA). It works well on different DARPA datasets, but still needs revisions.
I'll be sure to update the details and write a documentation about it soon.
Please feel free to have a test run and constructively critique.
https://github.com/nixor/GANIDS
Thanks.
(p.s. change the link colors for ****'s sake!)
For the past month since late March 2013 to today 20th April 2013, I have been developing a Genetic Algorithm that can be used to derive rules for signature-based Network Intrusion Detection Systems(i.e. Snort, Bro etc.) using Python 2.7.3 and DEAP 0.9 (a Python Evolutionary Algorithm library), and DARPA dataset as training and testing data.
"In the computer science field of artificial intelligence, a genetic algorithm (GA) is a search heuristic that mimics the process of natural evolution. This heuristic (also sometimes called a metaheuristic) is routinely used to generate useful solutions to optimization and search problems" - Wikipedia
By following the papers of Wei Li and Ren Hui Gong, and Brian E. Lavender, I'm able to implement my own with many modifications, serveral add-ons, and optimizations.
Li suggested an approach to use GA in IDS for anomaly detection and provided a fitness function and chromosome structure. Li promised to deliver the code but it was never published.
Gong then used Li's approach to provide pseudo codes and class diagram, and certain amount of clarity about the evolutionary process have been given. However, there was not much guideline on how the selection, crossover, and mutation operators could be be implemented. Gong suggested using ECJ Java Library to code the genetic algorithm but his code was never published anywhere.
Brian E. Lavender was the first person who successfully implemented a genetic algorithm for this approach following the guidelines of the first two. Brian also provided a clearer modified version of pseudo code, a detailed guideline on how to build selection, crossover, and mutation operators. He is currently also the only person who published his code in his project report. His program is called netGA.
However, while netGA meets its functional requirement and can generate rules with optimized fitness values, it still lacks in extensibility. It was modeled to run only on one sample of DARPA audit training and testing dataset. Many certain options and optimizations could be added if it was to run well on other datasets. And that is what I plan to implement and improve on.
Nonetheless, Brian had paved for me a stepping stone that conclusively proves the possibility of integration between Network Intrusion Detection System and Genetic Algorithms. He has also been providing help and advices in the emails we have been exchanging. So I'd like to thank Brian here.
At the moment I call my GA program GANIDS (Renamed to AceGA). It works well on different DARPA datasets, but still needs revisions.
I'll be sure to update the details and write a documentation about it soon.
Please feel free to have a test run and constructively critique.
https://github.com/nixor/GANIDS
Thanks.
(p.s. change the link colors for ****'s sake!)
Wednesday, March 20, 2013
Sunday, March 17, 2013
Thursday, March 14, 2013
Wireless Adapter TL-WN7200ND with Kismet and OpenWRT Router TL-WDR4300
Hi,
I bought a wireless adapter TP-Link TL-WN7200ND today.
Features:
1. I'm able to run it in Backtrack with injection mode and monitor mode just fine.
2. I can also use it as another wifi-interface on my router TP-Link TL-WDR4300, set it to monitor mode and use it to transmit packets that the kismet drone captured, parallely with the built in 2.4GHz band interface.
3. It can be used as another attached AP as well with a very high Tx transmitting power 500mW, creating semi-trio band router for TL-WDR4300 (opposed to the original dual bands 5 GHz and 2.4 GHz, now we have two 2.4 GHz and one 5GHz). Thus, We will cover these below.
Technical Infos:
A. How to get it to work with Backtrack
I won't say much but just have a look at this page. Search on that page for the word 'Bolivia'. ;)
B. How to get it to work with an OpenWRT router
So after plugging it in to the robust TL-WDR4300 router running Attitude Adjustment 12.09rc1 (Yours could be a different router, or a different version of OpenWRT firmware), you should install these packages.
Now use the command 'wifi detect' to let the router know the existence of your new adapter.
Please test to see what the command prints first, because we are going to merge the result with our existing /etc/config/wireless
cd ~
wifi detect > newwifi
cat newifi
it should display:
config wifi-device radio2
option type mac80211
option channel 11
option macaddr 6F:79:AA:BB:CC:D2
option hwmode 11ng
option htmode HT20
list ht_capab GF
list ht_capab SHORT-GI-20
list ht_capab SHORT-GI-40
list ht_capab RX-STBC1
# REMOVE THIS LINE TO ENABLE WIFI:
option disabled 1 #(You might want to put this to 0)
config wifi-iface
option device radio2
option network lan
option mode ap
option ssid OpenWrt
option encryption none
If so you are good to go, so type in these commands to merge the result with the existing /etc/config/wireless:
wifi detect >> /etc/config/wireless
Next, reboot your router, and you should have another Wifi AP running, you can double check with the LuCI web UI in the wifi section.
Now you have got yourself a Trio bands router :D !!
C. How to use it to pass captured packets from Kismet Drone.
If you haven't a clue yet what this is, please check this page: here.
(It will tell you what Kismet is, and how to edit the .conf files in general)
So go to the /etc/kismet/kismet_drone.conf
The only line you need to add or change is this:
ncsource=wlan2:type=rt2870sta
You can also run 2 ncsources with a kismet drone at once, I have tested and I think it works together. (If somehow one source fails, the other would still continue to work, no worries.)
So after running this command it should show something this:
kismet_drone
Notes:
Thanks for reading, I'm happy that the traffic to my blog increases alot, although no one's ever commented :( haha. I'm not driven to get attention but if you think some of these posts are useful to you, please comment or +1 for me, it would mean so much....
And if I ever make any mistake, please kindly correct, or positively criticize at will :)
Coming next: Integration of OpenWRT + Kismet + Snort
References:
https://gpuhash.com/?menu=en-articles-view-2
(To help fix the low Tx power issue)
http://www.sans.org/reading_room/whitepapers/wireless/remote-access-point-ids_33914
(Best paper yet for my research)
http://www.andrewklau.com/openwrt-and-a-4-usb-wifi-adapter/
(OpenWRT and kmod-2800-usb)
I bought a wireless adapter TP-Link TL-WN7200ND today.
Features:
1. I'm able to run it in Backtrack with injection mode and monitor mode just fine.
2. I can also use it as another wifi-interface on my router TP-Link TL-WDR4300, set it to monitor mode and use it to transmit packets that the kismet drone captured, parallely with the built in 2.4GHz band interface.
3. It can be used as another attached AP as well with a very high Tx transmitting power 500mW, creating semi-trio band router for TL-WDR4300 (opposed to the original dual bands 5 GHz and 2.4 GHz, now we have two 2.4 GHz and one 5GHz). Thus, We will cover these below.
Technical Infos:
- Wireless Standards: IEEE 802.11n, IEEE 802.11g, IEEE 802.11b
- Frequency: 2.400-2.4835GHz
- 20dBm (EIRP, For countries using CE Standards) 100mW
- 27dBm (EIRP, For countries using FCC Standards) 500mW
- kismet drone ncsource type=rt2870sta (/etc/kismet/kismet_drone.conf)
- Chipset: Ralink RT3070
A. How to get it to work with Backtrack
I won't say much but just have a look at this page. Search on that page for the word 'Bolivia'. ;)
B. How to get it to work with an OpenWRT router
So after plugging it in to the robust TL-WDR4300 router running Attitude Adjustment 12.09rc1 (Yours could be a different router, or a different version of OpenWRT firmware), you should install these packages.
opkg update opkg install kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb
Now use the command 'wifi detect' to let the router know the existence of your new adapter.
Please test to see what the command prints first, because we are going to merge the result with our existing /etc/config/wireless
cd ~
wifi detect > newwifi
cat newifi
it should display:
config wifi-device radio2
option type mac80211
option channel 11
option macaddr 6F:79:AA:BB:CC:D2
option hwmode 11ng
option htmode HT20
list ht_capab GF
list ht_capab SHORT-GI-20
list ht_capab SHORT-GI-40
list ht_capab RX-STBC1
# REMOVE THIS LINE TO ENABLE WIFI:
option disabled 1 #(You might want to put this to 0)
config wifi-iface
option device radio2
option network lan
option mode ap
option ssid OpenWrt
option encryption none
If so you are good to go, so type in these commands to merge the result with the existing /etc/config/wireless:
wifi detect >> /etc/config/wireless
Next, reboot your router, and you should have another Wifi AP running, you can double check with the LuCI web UI in the wifi section.
Now you have got yourself a Trio bands router :D !!
C. How to use it to pass captured packets from Kismet Drone.
If you haven't a clue yet what this is, please check this page: here.
(It will tell you what Kismet is, and how to edit the .conf files in general)
So go to the /etc/kismet/kismet_drone.conf
The only line you need to add or change is this:
ncsource=wlan2:type=rt2870sta
Notice the type=rt2870sta
(Look at this from the Documentation page at Kismet for other types section 7)You can also run 2 ncsources with a kismet drone at once, I have tested and I think it works together. (If somehow one source fails, the other would still continue to work, no worries.)
So after running this command it should show something this:
kismet_drone
Notes:
Thanks for reading, I'm happy that the traffic to my blog increases alot, although no one's ever commented :( haha. I'm not driven to get attention but if you think some of these posts are useful to you, please comment or +1 for me, it would mean so much....
And if I ever make any mistake, please kindly correct, or positively criticize at will :)
Coming next: Integration of OpenWRT + Kismet + Snort
References:
https://gpuhash.com/?menu=en-articles-view-2
(To help fix the low Tx power issue)
http://www.sans.org/reading_room/whitepapers/wireless/remote-access-point-ids_33914
(Best paper yet for my research)
http://www.andrewklau.com/openwrt-and-a-4-usb-wifi-adapter/
(OpenWRT and kmod-2800-usb)
Friday, March 8, 2013
Running Kismet on OpenWRT with TP-Link TL-WDR4300 and Backtrack 5 R3
After learning approximately 3 days I have got Kismet to work. I can't put blame on anyone but myself but I'd have to say that much of the content of the outdated guides on the Internet often do not apply anymore. Here are a few details, tips + tricks on what I have learned and notice that people often miss.
Tools Info: (Yours could definitely be different)
Hardware: TP-Link TL-WDR4300 (With OpenWRT Attitude Adjustment 12.09rc1 firmware)
Server OS: Backtrack 5 R3 (not the safest way, but able to run Kismet for now)
Kismet Drone: version 2010-07-R1-
Kismet Server + Client: version 2011-03-R2
1. Kismet versions compatibility:
Kismet drones since the version=newcore.1 are designed to be forward compatible, as long as it's newer than 2009 version. So even if the newer Kismet server versions (say 2010 or 2011) are used, you should be able to connect your Kismet server to the drone in your router.
2. Router Wireless card MONITOR mode: (ssh to your router)
If your router supports monitor mode, you might as well set it to the monitor mode to begin with even before running Kismet. This can be done by configuring the file in your router at /etc/config/wireless, or on the LuCi web UI.
config wifi-iface
option device radio0
option network lan
option mode monitor
option ssid OpenWrt
#option encryption none ##comment or delete this line if it exists##
3. Kismet drone config file: (ssh to your router)
cd /
find -name kismet_drone.conf
'ncsource' parameters
Notably, most new beginners would have problems with 'ncsource' parameters, and may fall short on searching for answers on the internet. Mostly you'd find outdated guides that still use the old 'source' and not the new 'ncsource', they are different entirely!!! (well not that entirely).
So what you'd need to do is:
Try to see what type of your wireless network interface card(WNIC) on your router is by command 'iwconfig' or 'iw info wlan0'. Then consult the Kismet readme page (Documentation) in section 5 and 7.
Basically you'd need to use smth like 'ncsource=wlan0:type=[yourcardtype]'
ex. 'ncsource=wlan0:type=ath9k'
ex. 'ncsource=wlan0:type=ath9k,forcevap=false,hop=false,channel=5'
where 'forcevap' is not needed because we have already put the WNIC into monitor mode, it would take away the annoying error message.
'hop' could be set to false for WNICs those don't support channel hopping.
'channel' just specifies a channel to detect traffic on.
The newer versions of drone are written to auto-detect the types but sometimes they don't so you might need to specify. Even sometimes, I have heard, they falsely detect your WNIC for another type which would reduce the performance of Kismet.
When you run kismet_drone on your router, you can specify option -f to locate your kismet_drone.conf file. Because some people might install kismet on their usb instead of into the Flash memory of router.
~#: kismet_drone -f /mnt/usb/etc/kismet/kismet_drone.conf
When you run it, you might see some error messages but they are okay as long as it's not a "FATAL ERROR: Blah blah blah" with a capitol F.
4. Kismet Server config file: (on your linux server)
The newer versions of Kismet omit the kismet_client.conf file and merge it with kismet.conf (server config file) which could be found at either /etc/kismet/kismet.conf (on Ubuntu it's here) or /usr/local/etc/kismet.conf (on BT5 it's here).
For kismet server: I just use 'ncsource=drone:host=[routerIP],port=[kismetDronelistenPortOnRouter]'
ex. 'ncsource=drone:host=10.0.0.1,port=2502'
For futher info, please refer to the Kismet readme page (Documentation) in section 5 and 7.
5. Keep getting ERROR: Could not connect to Kismet server 'localhost:2501'
This problem happens for some when trying to connect kismet client with kismet server.
Here, some suggests to add this line to your server /etc/hosts file:
127.0.0.1 localhost.localdomain localhost
(But on BT5 R3 I already have it in there)
Sometimes the problem is just this.
For the time being I learn that you wouldn't need to start another terminal for 'kismet_server' to run. You only need to run 'kismet', and a gui will pop-up, in there you can start a server and it will auto connect with the kismet client.
Last Notes:
I find this paper to be extremely helpful and most up-to-date, it's written by laserpad of the Kismet community. (Thank you)
http://www.giac.org/paper/gcih/18158/remote-access-point-ids/115738 [pdf]
Other than that, I would suggest sticking with the Kismet Documentation which is very resourceful by itself.
Please kindly leave suggestions and comments, I might write a more complete version of this later when I learn more about kismet for beginners who struggle to get Kismet to run. Thanks!
Thursday, March 7, 2013
OpenWrt Kismet and Kernel 2.6 on WRT54GL
The site here contains the most up-to-date instructions to install Kismet drone on the WRT54G series
http://www.supertechguy.com/help/security/kismet-drone
It suggests that:
" If a build with the Linux 2.6 kernel is available for your hardware, you should use it."
It took me after a while to figure how to upgrade OpenWrt from linux kernel 2.4 to 2.6, luckily it turned out that everything is already in the wiki page on OpenWrt website, but not very obvious.
What you'd need to do to upgrade to kernel 2.6 is to upgrade OpenWrt firmware image by just flashing on the LuCI web GUI with this Broadcom47xx image:
Now I have 2.6 kernel with Kismet-drone installed, with 232.00 KB left in the Flash ROM.
[Note: I have tried to run Kismet drone on TP-LINK TL-WDR4300 today, so far no luck. Possibly I still don't know how to configure the ncsource in /etc/kismet/kismet_drone.conf]
Any suggestions/comments would be much appreciated.
http://www.supertechguy.com/help/security/kismet-drone
It suggests that:
" If a build with the Linux 2.6 kernel is available for your hardware, you should use it."
It took me after a while to figure how to upgrade OpenWrt from linux kernel 2.4 to 2.6, luckily it turned out that everything is already in the wiki page on OpenWrt website, but not very obvious.
What you'd need to do to upgrade to kernel 2.6 is to upgrade OpenWrt firmware image by just flashing on the LuCI web GUI with this Broadcom47xx image:
http://downloads.openwrt.org/backfire/10.03.1/brcm47xx/openwrt-brcm47xx-squashfs.trx
Now I have 2.6 kernel with Kismet-drone installed, with 232.00 KB left in the Flash ROM.
[Note: I have tried to run Kismet drone on TP-LINK TL-WDR4300 today, so far no luck. Possibly I still don't know how to configure the ncsource in /etc/kismet/kismet_drone.conf]
Any suggestions/comments would be much appreciated.
Monday, March 4, 2013
Installing packages into USB on TL-WDR4300 OpenWRT
Subsequently of my buying TP-LINK TL-WDR4300 router, due to the good old Linksys WRT54GL hasn't enough FLASH/RAM/CPU, the first thing I did was to try installing OpenWRT on it.
Turned out that it was easier than I thought, you could just flash Attitude Adjustment 12.09rc1 from the web GUI of the factory firmware. Detailed instruction here for where to download the image.
Secondly I installed packages required for using USB storage, this process was simple enough if you understand how to format your usb to specific preferred filesystems (ext2,3,4) I use gparted [just sudo apt-get install gparted, on a debian dist]. VFAT and NTFS are not agreeably supported due to their slowness, such and such. Also to my understanding, you'd need ext2,3,4 filesystems if you were to install packages on them.
Steps:
1.) USB storage required packages
2.) How to install (other) packages to your USB device
What I've learned:
There are three files you need to configure in order for this to work every time even after a router reboot.
- /etc/config/fstab (this is my configuration):
option target /mnt/usb # Don't forget to mkdir -p /mnt/usb first
option device /dev/sda1
option fstype ext2
option options rw,sync
option enabled 1
option enabled_fsck 0
- /etc/profile : [These three lines are preferably added below the existing export(s)]
export PATH=$PATH:$USB/usr/bin:$USB/usr/sbin # This PATH is dependent on existing $PATH
export LD_LIBRARY_PATH=$USB/lib:$USB/usr/lib
- /etc/opkg.conf : [Just change this line]
# this is to indicate that there is a destination you'd like to install your packages to named "usb"
Now with all that done, insert your usb (up to this point I assume that you must have installed the packages required in the first step).
To start using the usb run:
root@router~#: /etc/init.d/fstab start
To auto-mount usb to fstab every time the router starts(or restarts) run:
root@router~#: /etc/init.d/fstab enable
You might as well want to source the /etc/profile so that the paths can be used instantly:
root@router~#: source /etc/profile
Then run these commands to update and install packages
opkg update
opkg install -d usb PACKAGENAME
Note that you'd better check that your USB functions well and isn't damaged.
Have fun!
Sunday, March 3, 2013
Senior project initiation
Senior project initiated.
Goal: Intrusion Detection (and prevention) System.
Technologies and tools to be used:
- OpenWRT (Backfire 10.01 and Attitude Adjustment 12.09rc1)
- Linksys WRT54GL and TP-LINK TL-WDR4300 routers.
- USB Wireless Adapter TP-LINK TL-WN7200ND
- Linux server ~[bt/ububtu]
- Kismet
- Snort (For testing rules, as ids)
- tcpreplay (for testing rules, using sample_data.tcpdump to generate connections)
- Python
- scapy (Packet manipulator)
- wireshark (packet analyzer)
- nmap (port scanner)
- pypy (speeds up python)
- python-deap library V0.9 (For Evolutionary Algorithms)
- Genetic Algorithm/Genetic Programming
Good luck.
Subscribe to:
Posts (Atom)