As the system runs on a local machine, a database is not necessary. The IDS stores each proxy it detects in a text file whose layout resembles the packet details Wireshark shows when examining network packets. The file is, however, much smaller than a Wireshark export, because only the packets belonging to proxy usage are recorded; its size therefore depends on how many proxies are in use on the network. The file is designed with the user in mind and only the necessary details are written to it. The details printed to the log are listed in Table 5.
- Proxy Name
- Date and Time of Proxy Usage
- Destination MAC
- Source MAC
- Protocol
- Version
- IP Header Length
- Time to Live (TTL)
- Source IP Address
- Destination IP Address
- Source Port
- Destination Port
- Sequence Number
- Acknowledgment
- TCP Header Length
- Data
- Host
- User-Agent
- Accept (html, xml, etc.)
- Accept-Language
- Accept-Encoding
- Referer
- Cookie
- Connection
Table 5 - Network Packet Details
A number of the packets will not contain all of the details listed in Table 5; a packet carrying no HTTP request, for example, has none of the HTTP headers. Most packets will, however, contain the majority. The most important details are the Proxy Name, the Date and Time of Proxy Usage, the Destination and Source MAC addresses, the Source and Destination IP addresses and the Source and Destination ports. Together these give the network administrator enough information to track down the proxy usage.
Because of the large number of network packets, prolonged proxy usage that the network administrator does not address could make the log file very large and slow to open. It is therefore a good idea to monitor the program and restart it if the file is getting too big; restarting the program simply creates a new log file with a new timestamp.
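As an added illustration of how the Table 5 fields are pulled out of a raw frame, the following example decodes a constructed Ethernet II / IPv4 / TCP / HTTP frame with Python's standard struct module and writes the record one field per line, as the log does. This is example code written for this edit, not the project's own Python sniffer (whose listings are in the figures below). The frame bytes and addresses are constructed, and the request-URL signatures in PROXY_SIGNATURES used to name the proxy are an assumption: the report does not state how its IDS identifies which proxy it has found. Note that the HTTP header the table calls the referrer is spelled "Referer" on the wire.

```python
import struct
from datetime import datetime

# Fields the IDS writes for each packet, in the order of Table 5.
LOG_FIELDS = [
    "Proxy Name", "Date and Time", "Destination MAC", "Source MAC", "Protocol", "Version",
    "IP Header Length", "TTL", "Source IP", "Destination IP", "Source Port",
    "Destination Port", "Sequence Number", "Acknowledgment", "TCP Header Length", "Data",
    "Host", "User-Agent", "Accept", "Accept-Language", "Accept-Encoding", "Referer",
    "Cookie", "Connection",
]
HTTP_FIELDS = LOG_FIELDS[16:]   # the eight HTTP request headers

# Assumed request-URL signatures of the three proxy scripts; the report does not
# say how its IDS names a proxy, so this lookup is illustrative only.
PROXY_SIGNATURES = {"Glype": b"/browse.php?u=", "PHPProxy": b"/index.php?q=",
                    "CGIProxy": b"nph-proxy.cgi"}

def mac_str(raw6):
    return ":".join("%02x" % b for b in raw6)

def ip_str(raw4):
    return ".".join(str(b) for b in raw4)

def parse_http_headers(payload):
    """Return (request line, {lower-case header name: value}); empty for non-HTTP data."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def identify_proxy(payload):
    """Name of the proxy script whose signature appears in the request, else None."""
    for name, signature in PROXY_SIGNATURES.items():
        if signature in payload:
            return name
    return None

def parse_packet(raw, now=None):
    """Decode an Ethernet II / IPv4 / TCP frame into a Table 5 record; None if not IPv4/TCP."""
    if len(raw) < 34:                                    # 14-byte Ethernet + 20-byte IPv4
        return None
    dst_mac, src_mac, eth_type = struct.unpack("!6s6sH", raw[:14])
    if eth_type != 0x0800:
        return None
    (ver_ihl, _tos, _total, _ident, _frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", raw[14:34])
    ihl = (ver_ihl & 0x0F) * 4                           # IHL is counted in 32-bit words
    tcp_at = 14 + ihl
    if proto != 6 or len(raw) < tcp_at + 20:             # only TCP carries the proxy's HTTP
        return None
    sport, dport, seq, ack, offset = struct.unpack("!HHLLB", raw[tcp_at:tcp_at + 13])
    tcp_len = (offset >> 4) * 4                          # data offset, also in 32-bit words
    data = raw[tcp_at + tcp_len:]
    request_line, headers = parse_http_headers(data)
    record = {
        "Proxy Name": identify_proxy(data),
        "Date and Time": (now or datetime.now()).strftime("%Y-%m-%d %H:%M:%S"),
        "Destination MAC": mac_str(dst_mac), "Source MAC": mac_str(src_mac),
        "Protocol": proto, "Version": ver_ihl >> 4, "IP Header Length": ihl, "TTL": ttl,
        "Source IP": ip_str(src_ip), "Destination IP": ip_str(dst_ip),
        "Source Port": sport, "Destination Port": dport,
        "Sequence Number": seq, "Acknowledgment": ack,
        "TCP Header Length": tcp_len, "Data": request_line,
    }
    for field in HTTP_FIELDS:
        record[field] = headers.get(field.lower())       # None when the packet lacks the header
    return record

def format_record(record):
    """One log entry: a 'Field: value' line per Table 5 field, then a blank line."""
    return "\n".join("%s: %s" % (f, record.get(f)) for f in LOG_FIELDS) + "\n\n"

def build_sample_packet():
    """Constructed frame (not a capture): 192.168.1.20 asks a Glype proxy at
    192.168.1.10:80 to fetch http://example.com/."""
    http = (b"GET /browse.php?u=http://example.com/ HTTP/1.1\r\n"
            b"Host: 192.168.1.10\r\n"
            b"User-Agent: Mozilla/5.0 (constructed sample)\r\n"
            b"Accept: text/html,application/xhtml+xml\r\n"
            b"Accept-Language: en-GB,en;q=0.5\r\n"
            b"Accept-Encoding: gzip, deflate\r\n"
            b"Referer: http://192.168.1.10/\r\n"
            b"Cookie: s=abc123\r\n"
            b"Connection: keep-alive\r\n\r\n")
    tcp = struct.pack("!HHLLBBHHH", 51234, 80, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0, 64, 6, 0,
                     bytes([192, 168, 1, 20]), bytes([192, 168, 1, 10]))
    eth = bytes.fromhex("00163e112233") + bytes.fromhex("001122334455") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + http

if __name__ == "__main__":
    record = parse_packet(build_sample_packet())
    if record and record["Proxy Name"]:                  # only proxy traffic reaches the log
        print(format_record(record), end="")
```

A frame that is not IPv4 over TCP is dropped before any field is read, and a TCP segment with no HTTP request (a SYN, for instance) still yields the MAC, IP and port fields with the HTTP headers left empty, which is the case the paragraph above describes.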
6. Implementation
This section of the report looks at the program in more detail; each of the parts discussed in the design phase is documented, giving a more thorough understanding of how the system works.
As the proxies had to be hosted on a web server, a server had to be sourced. WAMP v2.4 was the version used. It contains Apache 2.4.4, MySQL 5.6.12 and PHP 5.4.12.
Figure - Wamp Server Menu
The WAMP server menu can be seen in Figure . One of the main sections of WAMP is the www directory, which is where each of the proxies is stored. Different versions of Apache and PHP can be downloaded and installed by selecting the Apache or PHP folder and then the version; this can be necessary for older versions of a proxy that cannot run on the newest version of PHP. To check that the WAMP server is working correctly, open a web browser and enter http://localhost in the address bar; if the WAMP server homepage appears, the server is working.
Once the WAMP server is functioning correctly, the proxies can be downloaded and placed in the server. The Tor Browser can also be downloaded, but it does not need to be placed within the server; it is available directly from the Tor Project website32, and the download contains the Vidalia Control Panel and the Tor browser itself. Each of the three web scripts was downloaded next: PHPProxy33, Glype34 and CGIProxy35. All three are available as ZIP files, which can be extracted into the www directory on the WAMP server. The files have to be edited before they work properly on the server. Perl has to be installed before CGIProxy can be used, and CGI functionality has to be enabled in Apache; PHP functionality has to be enabled before the PHPProxy and Glype web scripts can be used. Once these steps are performed, each of the web scripts can be used to browse the internet anonymously. Free proxies can also be found online to test the system and to compare the network packets; many lists of these proxies exist, and a sample can be found at http://list.glype.com/.
6.2 Network Packet Capturing
While the proxies are running, the network packets have to be captured; to do this, Wireshark was downloaded and installed36. The network protocol analyser's download package comes with WinPcap, which is needed for live packet capture.
Figure - Wireshark Capture Screen
After the download and installation were completed, the program could be used straight away. Figure shows the list of interfaces that can be selected; for this project the Wireless Network Connection was selected, as the computer used was a laptop that was not connected to a wired network. Wireshark provides many capture options, and because hundreds of packets can arrive every few seconds, an unfiltered capture is very hard to read once exported to a text file; setting options that limit the packets captured, such as a capture filter, is therefore vitally important.
Wireshark was used to capture sample packets from each of the proxies and from the Tor Browser. During this work a Python packet-sniffing program was acquired, and this code was also used to sniff network packets. It initially printed every packet to the command line or to IDLE; as the code was open source it could be edited, which made it very convenient to use. It was decided to keep the Python network analysis code as an integral part of the IDS, which meant Wireshark was no longer needed, since the IDS was intended to be a standalone system.
As the code only printed to the command line, the packets were difficult to read, and the console often froze under the volume of packets on the network. The first step was therefore to have the code write to a log file, which began with creating a directory to store the log files in.
Figure - Creating Directory and Log
Once the directory has been created, it is checked each time the program runs to make sure it still exists, and re-created if it does not. The log file is created next, each time the program is started; unlike the directory it is not static, since each log file's unique name includes the date and time at which it was created. Figure shows the completed code used to create the directory and the log files.
After the log file code was finished, selecting the network interface to be scanned had to be coded. The original code could search for the network devices, but selecting one of them from the printed list was time-consuming.
Figure - Scanning for Network Interfaces
The code in Figure scans through all the network devices and prints them to the console, numbering each one so the network administrator can select it easily; this saved a lot of time compared with typing the name of the device to capture from each time the program ran. Once these steps were completed, the network packets could be 'sniffed' and written to a log file for analysis.
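To make the two steps just described concrete (the log directory that is checked and created on every run, the log file named by its creation time, and the numbered interface menu), here is an added example written for this edit; it is not the project's code from the figures above. The directory name logs, the file-name pattern, the 50 MB limit and the use of socket.if_nameindex() to enumerate interfaces are assumptions, as the report does not give the project's own device-listing routine. The example also builds in the restart-on-size behaviour described earlier, opening a fresh timestamped file from inside the program rather than relying on a manual restart, and appends a counter to the name if two files would otherwise be created in the same second. Capturing the packets themselves needs a raw socket or WinPcap and is outside this example.

```python
import os
import socket
import tempfile
from datetime import datetime

LOG_DIR = "logs"                     # assumed name; the report does not give its directory name
MAX_LOG_BYTES = 50 * 1024 * 1024     # assumed size at which a fresh log file is started

def log_filename(now):
    """Unique log name carrying the creation time, e.g. ids_log_2013-11-05_14-30-00.txt."""
    return "ids_log_%s.txt" % now.strftime("%Y-%m-%d_%H-%M-%S")

def unique_path(directory, name):
    """Avoid clobbering a log created in the same second by adding -1, -2, ... to the name."""
    base, ext = os.path.splitext(name)
    path, n = os.path.join(directory, name), 0
    while os.path.exists(path):
        n += 1
        path = os.path.join(directory, "%s-%d%s" % (base, n, ext))
    return path

class RotatingPacketLog:
    """Creates the log directory if it is missing and a fresh timestamped log file in it.
    When the file passes max_bytes it is closed and another is opened, which is what
    restarting the program achieves by hand."""

    def __init__(self, directory=LOG_DIR, max_bytes=MAX_LOG_BYTES, clock=datetime.now):
        self.directory, self.max_bytes, self.clock = directory, max_bytes, clock
        self.files_opened = []
        self._open_new()

    def _open_new(self):
        os.makedirs(self.directory, exist_ok=True)        # no-op when it already exists
        self.path = unique_path(self.directory, log_filename(self.clock()))
        self.fh = open(self.path, "ab")
        self.files_opened.append(self.path)

    def write(self, entry):
        if os.path.getsize(self.path) >= self.max_bytes:
            self.fh.close()
            self._open_new()
        self.fh.write(entry.encode("utf-8"))
        self.fh.flush()                                    # keep the file readable while sniffing

    def close(self):
        self.fh.close()

def list_interfaces():
    """Interface names on this host (Linux, and Windows from Python 3.8); [] if unavailable."""
    try:
        return [name for _index, name in socket.if_nameindex()]
    except (AttributeError, OSError):
        return []

def number_devices(devices):
    """Give each interface a menu number so the administrator types a digit, not a name."""
    return {number: name for number, name in enumerate(devices, start=1)}

def select_device(menu, answer):
    """Interface chosen by menu number; None for a blank, non-numeric or out-of-range answer."""
    try:
        return menu.get(int(answer.strip()))
    except (ValueError, AttributeError):
        return None

def demo(directory=None):
    """Write three 20-byte entries with a 40-byte limit so one rotation happens; returns the
    log file names created (in a temporary directory by default). Timestamp is constructed."""
    directory = directory or tempfile.mkdtemp(prefix="ids_logs_")

    def fixed_clock():
        return datetime(2013, 11, 5, 14, 30, 0)

    log = RotatingPacketLog(directory, max_bytes=40, clock=fixed_clock)
    for i in range(3):
        log.write("entry %d: proxy seen\n" % i)
    log.close()
    return [os.path.basename(p) for p in log.files_opened]

if __name__ == "__main__":
    menu = number_devices(list_interfaces())
    for number, name in menu.items():
        print("%d. %s" % (number, name))
    print("Selected:", select_device(menu, input("Interface number to sniff: ")))
    print("Log files created by demo():", demo())
```

The size check is made on the file's current size rather than on a packet count, so a burst of large HTTP requests rotates the log just as reliably as a steady trickle of small ones, and an invalid menu answer returns None instead of raising, so the prompt can simply be repeated.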