Pharos Network Intrusion Prevention System

Anything and Everything about Uplink


lattera
level4
Posts: 722
Joined: Mon Jun 24, 2002 2:25 am

Postby lattera » Wed Jan 14, 2004 5:08 pm

Well, I can now say what my new project is...

It's an intrusion prevention system, called Pharos.

If a packet's payload matches a payload in a database, the packet is discarded.

Development information can be found on the Pharos forum of the NoSleep BBS (http://forums.nosleep.info/).

For those who wish to help, you need:

1. A spare FreeBSD box (preferably more than one, for testing purposes)
2. Good C skills :)
3. Time, and lots of it :) :)

Thanks,

lattera
Stewsburntmonkey
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN

Postby Stewsburntmonkey » Wed Jan 14, 2004 5:29 pm

This is different from other IDSs how?  :)
ToRmEnToR
level5
Posts: 2420
Joined: Sun Jul 14, 2002 5:48 pm
Location: Israel

Postby ToRmEnToR » Wed Jan 14, 2004 5:34 pm

it has a seksy name :D

And also I think it's about prevention, not detection... or does an IDS discard evil packets too?
meow
lattera
level4
Posts: 722
Joined: Mon Jun 24, 2002 2:25 am

Postby lattera » Wed Jan 14, 2004 5:35 pm

An IDS detects packets, but does not discard them.

An IPS is an IDS that discards packets...
Stewsburntmonkey
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN

Postby Stewsburntmonkey » Wed Jan 14, 2004 5:38 pm

I have seen a lot of IDS that also suppress malicious packets (many are coupled with an anti-virus program), and then there are many full fledged IPSs out there.  I was just wondering why this would be better.  :)

(Edited by Stewsburntmonkey at 10:40 am on Jan. 14, 2004)
lattera
level4
Posts: 722
Joined: Mon Jun 24, 2002 2:25 am

Postby lattera » Wed Jan 14, 2004 5:46 pm

The problem with most IDSs is that you can't run any actual daemons/servers with them. You can't have both the IDS listening on port 80 and an HTTP server listening on port 80 (well, you probably can, but that'd require major kernel code changes).

My IPS is better, because:

1. It listens on the TCP/IP stack on different interfaces (via ipfw divert).
2. It will have heuristics analysis (not right now, but later on).
3. It will eventually have 0% false positives.
4. Its main development system is FreeBSD, so that already makes it l33t3r than all ;)
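To make the design concrete, here is an added example (not Pharos code, and not from anyone in this thread) of the two ideas lattera has described so far: the IDS/IPS distinction (detect and report versus detect and discard) and an inline filter that sits between ipfw and the daemon on port 80 via a divert socket, comparing each TCP payload against a signature list. The signature names and bytes, the sample packet, divert port 8668 and the ipfw rule quoted in the comment are all constructed for illustration; the divert loop is only compiled on FreeBSD and needs root, while the parsing and matching core runs anywhere.

```c
/* Added example, not Pharos code: the inline filter lattera describes, reduced to its
 * core. Signatures, sample packet, divert port 8668 and the ipfw rule are constructed. */
#include <stdio.h>
#include <string.h>

enum verdict { PASS = 0, DROP = 1 };
/* Constructed signature database; a real IPS would load it from a file. */
static const struct { const char *name, *bytes; } sigdb[] = {
    { "win-shell-probe",   "cmd.exe" },
    { "unix-passwd-probe", "/etc/passwd" },
};
#define NSIGS (sizeof sigdb / sizeof sigdb[0])
/* Index of the first signature occurring anywhere in payload, or -1. */
int match_payload(const unsigned char *payload, size_t len)
{
    size_t i, off, n;
    for (i = 0; i < NSIGS; i++)
        for (n = strlen(sigdb[i].bytes), off = 0; n > 0 && off + n <= len; off++)
            if (memcmp(payload + off, sigdb[i].bytes, n) == 0) return (int)i;
    return -1;
}

/* TCP payload of a raw IPv4 packet, parsed by hand so it compiles anywhere.
 * Returns payload length, or -1 if not TCP or the length fields do not fit. */
long tcp_payload(const unsigned char *pkt, size_t pktlen, const unsigned char **payload)
{
    size_t ihl, total, doff;
    if (pktlen < 20 || (pkt[0] >> 4) != 4) return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4; total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl + 20 || total > pktlen || pkt[9] != 6) return -1;
    doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    if (doff < 20 || ihl + doff > total) return -1;
    *payload = pkt + ihl + doff;
    return (long)(total - ihl - doff);
}

/* One verdict per packet: drop on match in IPS mode, report only in IDS mode.
 * Non-TCP, empty or malformed packets pass through for the stack to judge. */
enum verdict inspect_packet(const unsigned char *pkt, size_t pktlen, int ips_mode, const char **hit)
{
    const unsigned char *payload;
    long plen = tcp_payload(pkt, pktlen, &payload);
    int idx = plen > 0 ? match_payload(payload, (size_t)plen) : -1;
    *hit = idx < 0 ? NULL : sigdb[idx].name;
    return (idx >= 0 && ips_mode) ? DROP : PASS;
}

/* Constructed IPv4/TCP packet to port 80, zero checksums (offline inspection only). */
size_t build_packet(unsigned char *buf, size_t bufsz, const char *payload)
{
    size_t plen = strlen(payload), total = 40 + plen;
    if (total > bufsz) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[9] = 6;                      /* IPv4 with IHL 5; protocol TCP */
    buf[2] = (unsigned char)(total >> 8); buf[3] = (unsigned char)total;
    buf[23] = 80; buf[32] = 0x50;                   /* dst port 80; TCP data offset 5 */
    memcpy(buf + 40, payload, plen);
    return total;
}

#ifdef __FreeBSD__
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
/* Inline loop for an assumed rule "ipfw add divert 8668 tcp from any to any 80 in". A packet
 * not reinjected with sendto() is gone: neither the stack nor the HTTP daemon ever sees it. */
static int divert_loop(unsigned short port, int ips_mode)
{
    static unsigned char buf[65535];
    struct sockaddr_in sin = { 0 };
    socklen_t slen; ssize_t n;
    const char *hit;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    sin.sin_family = AF_INET; sin.sin_port = htons(port);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    for (;;) {
        slen = sizeof sin;
        if ((n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &slen)) < 0) break;
        if (inspect_packet(buf, (size_t)n, ips_mode, &hit) == DROP) { fprintf(stderr, "dropped: %s\n", hit); continue; }
        if (hit) fprintf(stderr, "alert only: %s\n", hit);
        sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&sin, slen);   /* reinject */
    }
    close(fd);
    return 0;
}
#endif
int main(int argc, char **argv)
{
    unsigned char pkt[128]; const char *hit; enum verdict v;
    size_t n = build_packet(pkt, sizeof pkt, "GET /scripts/cmd.exe HTTP/1.0\r\n");
#ifdef __FreeBSD__
    if (argc > 1 && strcmp(argv[1], "--divert") == 0) return divert_loop(8668, 1);
#endif
    (void)argc; (void)argv;
    v = inspect_packet(pkt, n, 1, &hit);
    printf("%s (%s)\n", v == DROP ? "DROP" : "PASS", hit ? hit : "clean");
    return 0;
}
```

Run without arguments it inspects the constructed packet offline and reports DROP (win-shell-probe); on FreeBSD, `--divert` binds the divert socket and filters live traffic for whatever ipfw rule you point at port 8668. The design choice worth noticing is that the daemon on port 80 is untouched: ipfw hands the packet to this process first, and only what is reinjected reaches the kernel stack, which is exactly the inline placement lattera contrasts with a passive IDS.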
Stewsburntmonkey
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN

Postby Stewsburntmonkey » Wed Jan 14, 2004 5:54 pm

Heh, 0% false positives, silly man.  

I am just asking how this is different from all the other IPSs out there, some with millions of dollars in development budgets. It is also perfectly easy to run an HTTP server with an IDS/IPS going. :)
lattera
level4
Posts: 722
Joined: Mon Jun 24, 2002 2:25 am

Postby lattera » Wed Jan 14, 2004 5:57 pm

Well, ya, if you have the HTTP server listening on a different port...

The thing with other IPSs is that none of them are free (well, one, but it's disqualified because it requires Snort).
Stewsburntmonkey
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN

Postby Stewsburntmonkey » Wed Jan 14, 2004 6:40 pm

Snort is also free... Well anyway, good luck, just wouldn't want you to be wasting your time. :)
lattera
level4
Posts: 722
Joined: Mon Jun 24, 2002 2:25 am

Postby lattera » Wed Jan 14, 2004 10:08 pm

Snort is an IDS, not an IPS...
Stewsburntmonkey
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN

Postby Stewsburntmonkey » Wed Jan 14, 2004 10:11 pm

Quote from lattera on 10:57 am on Jan. 14, 2004:
The thing with other IPSs is that none of them are free (well, one, but it's disqualified because it requires Snort).

You acted like requiring Snort was somehow an issue. I have seen several good IPSs running off Snort. An IPS needs a good IDS at its heart to work, so using Snort is a great way to go. Snort is open source and freely available. Plus it works well. I just see no reason to reinvent the wheel. :)
lattera
level4
Posts: 722
Joined: Mon Jun 24, 2002 2:25 am

Postby lattera » Fri Jan 16, 2004 2:50 pm

Also, that IPS that uses snort is for Linux (uses IPTables), so that's ruled it out as well :)
Stewsburntmonkey
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN

Postby Stewsburntmonkey » Fri Jan 16, 2004 8:19 pm

I've seen at least one for Windows, but I guess that doesn't help you, does it. (BSD loser ;) )

(Edited by Stewsburntmonkey at 1:19 pm on Jan. 16, 2004)
TimTim
level4
Posts: 772
Joined: Wed Apr 17, 2002 8:42 pm

Postby TimTim » Fri Jan 16, 2004 8:26 pm

Quote from Stewsburntmonkey on 7:19 pm on Jan. 16, 2004:
(BSD loser ;)

What, BSD sucks now? Bah, I've downloaded a copy for use as a server in school, no way I'm downloading a copy of *nix, maybe in school though ¬_¬
Stewsburntmonkey
level5
Posts: 11553
Joined: Wed Jul 10, 2002 7:44 pm
Location: Nashville, TN

Postby Stewsburntmonkey » Fri Jan 16, 2004 8:30 pm

BSD is *nix...

Anyway, I'm just playing with lattera, see the " ;) ".  BSD is a very good OS especially for servers and such.  :)