Presentation
Azwalaro is a NIDS based on Wireshark dissectors. It uses a new rule format for detection.
Azwalaro's strong points:
- The many dissectors in Wireshark make it possible to detect on many protocols!
- Fewer false alerts, because detection uses the new rule format
Advantages
- The HTTP dissector in Wireshark allows detection on the URI only (many rules use only this part!)
- Wireshark dissectors allow detection on both the HTTP request and the reply!
(FUTURE) - intensive use of the SMB/NetBIOS dissector will reduce the number of rules for this protocol
(FUTURE) - use the SSL dissector to detect intrusions over SSL (requires the private key)
(FUTURE) - detect intrusions in MIME/Base64/uuencode attachments in the SMTP or HTTP protocol, for example
Work in progress
- migrate to Wireshark. (OK)
- implement a parser for the new rule detection format. (NOT STARTED)
- write a new output module including syslog (short) / unified (long) / prelude (IDMEF). (Wireshark has -z proto,colinfo; the others are not started)
- create a new azwalaro binary instead of using the tshark binary. (NOT STARTED)
- implement detection on UTF-8, Unicode and double-encoded formats in the Wireshark library. (NOT STARTED)
- convert the existing dissectors to modules and load only the modules that are used. (NOT STARTED)
- maybe check performance with the Boyer-Moore algorithm. (NOT STARTED)
- modify dissectors (http, ftp, smtp) to alert on anomaly detection (URL length, HTTP RFC anomalies, ...). (NOT STARTED)
Examples of the new rules
1) ip.src == 127.0.0.1/16 and ip.dst == 127.0.0.1/32 and tcp.port == 80 and msg.name == "1: urisimple" \
and http.request.uri == "/test.cgi" # multi-line parser
2) ip.src == 127.0.0.1 and ip.dst == 172.16.32.1 and tcp.port == 80 and msg.name == "2: reply404" and http.response == "404"
3) ip.src == 127.0.0.1 and ip.dst == 172.16.32.1 and tcp.port == 80 and msg.name == "3: uricontains" and lower(http.request.uri) contains "cmd.exe"
4) ip.src == 127.0.0.1 and ip.dst == 172.16.32.1 and tcp.port == 80 and msg.name == "4: uriregexp1" and http.request.uri matches "cmd.exe"
5) ip.src == 127.0.0.1 and ip.dst == 172.16.32.1 and tcp.port == 80 and msg.name == "5: uriregexp2" and http.request.uri matches "(?i)cmd.exe"
6) ip.src == 127.0.0.1 and ip.dst == 172.16.32.1 and tcp.port == 80 and msg.name == "6: uriregexp3" and http.request.uri matches "(?i)cmd.exe[^\r\n]{6}"
7) tshark -ta -T text -ni eth0 -z proto,colinfo,tcp.srcport,tcp.srcport -z proto,colinfo,tcp.dstport,tcp.dstport -R http -d tcp.port==80,http
8) When starting Azwalaro, you need to specify which dissector to use and on which port:
-d tcp.port==80,http
-d tcp.port==80,http tcp.port==8080,http
Read the Ethereal or Wireshark filter documentation.
For performance and security, not all Wireshark filters currently available are implemented! (see the chapter Download and Installation)
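The rule parser in the work list above is not started, so here is an added prototype (not Azwalaro's own code) showing how rules 1 and 3 can be turned into the tshark command of item 7: it joins backslash-continued lines, drops "#" comments, pulls out Azwalaro's own msg.name field as the alert name, and passes the remaining Wireshark display filter to tshark with the -d options of item 8. The sample rule text, the function names and the -R/-Y remark are assumptions of this example.

```python
import re
# Constructed sample in the page's rule format: "\" continues a line, "#" starts a comment.
SAMPLE_RULES = '''\
ip.src == 127.0.0.1/16 and ip.dst == 127.0.0.1/32 and tcp.port == 80 and msg.name == "1: urisimple" \\
and http.request.uri == "/test.cgi" # multi-line parser
ip.src == 127.0.0.1 and ip.dst == 172.16.32.1 and tcp.port == 80 and msg.name == "3: uricontains" and lower(http.request.uri) contains "cmd.exe"
'''
MSG_RE = re.compile(r'msg\.name\s*==\s*"([^"]*)"')

def strip_comment(line):
    """Drop a '#' comment, ignoring '#' inside double-quoted strings (e.g. regexes)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            return line[:i]
    return line

def logical_lines(text):
    """Join backslash-continued lines so that each entry is one complete rule."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = strip_comment(raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf.strip():
            rules.append(buf.strip())
        buf = ""
    return rules

def parse_rule(rule):
    """Split a rule into (alert name, Wireshark display filter); msg.name is not a Wireshark field."""
    m = MSG_RE.search(rule)
    if not m:
        raise ValueError("rule has no msg.name: " + rule)
    filt = re.sub(r"\s+", " ", rule[:m.start()] + rule[m.end():]).strip()
    filt = re.sub(r"\band and\b", "and", filt)   # msg.name was in the middle of the rule
    filt = re.sub(r"^and\s+|\s+and$", "", filt)  # msg.name was first or last
    return m.group(1), filt

def tshark_argv(iface, filt, decode_as=("tcp.port==80,http",)):
    """Build the tshark command line of item 7 for one filter (hypothetical helper)."""
    argv = ["tshark", "-ta", "-T", "text", "-n", "-i", iface,
            "-z", "proto,colinfo,tcp.srcport,tcp.srcport",
            "-z", "proto,colinfo,tcp.dstport,tcp.dstport",
            "-R", filt]   # -R as on the page; newer tshark releases use -Y for a display filter
    for d in decode_as:   # the -d options of item 8
        argv += ["-d", d]
    return argv
```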
Contact Us
email: Azwalaro@Crusoe-Researches.com