Detect port scanning without psad - write own IDS

Hi gurus,

1st:
Is it possible to detect port scanning just by using utilities included in Linux (netstat, iptables...)? Yes, there is a utility called psad, but I would write some scripts of my own and learn something new :slight_smile:

2nd:
Could you point me to a good tutorial for writing my own Intrusion Detection System?
I am not a C++ geek, so the first thing that comes to my mind is that I will use a simple BASH SCRIPT that will interact with iptables and monitor user activity, network activity etc. (but I think that would not be a good solution due to performance and capabilities, and also I am not familiar with memory in Linux at all).
I was reading about SNORT, HIDS, NIDS...
AFAIK some information can be obtained from /proc, but I have no idea which values should be monitored.
Could you please point me to some good resources? It would be good if there were some example code.

Thanks a lot

If you want to create a NIDS, at its most basic level it is collection and analysis:

a) Grab packets off the wire (e.g. tcpdump)
b) Scan the dumped data for stuff you want to search for* (e.g. ngrep - network grep)
c) Do something, perhaps sending an alert via SMTP message or SNMP trap.

* matching against a database of signatures of "known bad stuff", or tracking behavioural anomalies with a statistical model.

Do not underestimate the enormous amount of work involved with such a project.
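As an added example (not code from either poster), here is the a/b/c pipeline above reduced to the question's own constraints: iptables does the collection (an assumed `-j LOG --log-prefix "IPT-IN: "` rule on inbound new connections), a short Python script does the behavioural analysis (one source touching many distinct destination ports inside a short window, which is what a port scan looks like from the target side), and the "do something" step is a printed alert that a real deployment would hand to mail or an SNMP trap. The log lines, the 5-ports-in-10-seconds threshold and the addresses are constructed for the demonstration; tune them to your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of netfilter LOG output (kernel log lines trimmed to the fields
# the detector needs). 203.0.113.5 probes six ports in a few seconds; 198.51.100.7 is
# ordinary SSH plus a ping. The "IPT-IN: " prefix is an assumed --log-prefix value.
SAMPLE_LOG = """\
Mar 10 12:00:00 fw kernel: [101.0] IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 SYN
Mar 10 12:00:01 fw kernel: [101.1] IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=54 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 SYN
Mar 10 12:00:01 fw kernel: [101.2] IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=54 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN
Mar 10 12:00:02 fw kernel: [101.3] IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=54 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 SYN
Mar 10 12:00:02 fw kernel: [101.4] IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=54 PROTO=TCP SPT=40004 DPT=25 WINDOW=1024 SYN
Mar 10 12:00:03 fw kernel: [101.5] IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=54 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 SYN
Mar 10 12:00:03 fw kernel: [101.6] IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=54 PROTO=TCP SPT=40006 DPT=443 WINDOW=1024 SYN
Mar 10 12:00:04 fw kernel: [101.7] IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0
Mar 10 12:00:05 fw kernel: [101.8] IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=51001 DPT=22 WINDOW=64240 SYN
"""

# Fields we need from a LOG line. ICMP lines carry no DPT, so that group is optional.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"\bSRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"\bPROTO=(?P<proto>\S+)(?: .*?\bDPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return {ts, src, dst, proto, dpt} for a netfilter LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; pin a leap year so a Feb 29 line still parses
    ts = datetime.strptime("2000 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    dpt = m.group("dpt")
    return {
        "ts": ts,
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(dpt) if dpt is not None else None,
    }


def detect_port_scans(lines, window_seconds=10, threshold=5):
    """Flag sources that touch >= threshold distinct (dst, port) pairs within the window.

    A source is reported once per window, so a long scan does not flood the alert
    channel. Returns a list of alert dicts in the order they fired.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (ts, dst, dpt) still inside the window
    last_alert = {}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dpt"] is None:
            continue              # not a LOG line, or no port to count (e.g. ICMP)
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dpt"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()           # expire events that fell out of the sliding window
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= threshold:
            last = last_alert.get(ev["src"])
            if last is None or ev["ts"] - last > window:
                last_alert[ev["src"]] = ev["ts"]
                alerts.append({
                    "src": ev["src"],
                    "distinct_ports": len(targets),
                    "first": q[0][0].strftime("%H:%M:%S"),
                    "last": ev["ts"].strftime("%H:%M:%S"),
                })
    return alerts


if __name__ == "__main__":
    # Step c) of the answer: here just a print; swap in sendmail or an SNMP trap.
    for a in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"ALERT possible port scan from {a['src']}: {a['distinct_ports']} ports "
              f"between {a['first']} and {a['last']}")
```

In use you would feed it the kernel log (`journalctl -k -f` or `tail -F /var/log/kern.log`) instead of `SAMPLE_LOG`; the per-source deque keeps memory bounded by the window rather than by log size, which is the part a plain grep-and-count loop gets wrong. Counting distinct (destination, port) pairs rather than raw hits is what separates a scan from a busy but legitimate client that keeps reconnecting to one service.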