Detecting Anonymous Proxy Usage Final Report




2.10 Snort


Snort is an open source network intrusion detection and prevention system created by Martin Roesch and first released in 1998. It runs unobtrusively in the background, providing real-time traffic analysis and packet logging on the network it monitors [20]. Snort has many capabilities for detecting attacks and probes, including stealth port scans, operating system fingerprinting attempts, Server Message Block (SMB) probes, buffer overflows and Common Gateway Interface (CGI) attacks (Stanger et al., 2007). Sourcefire, a company founded by Roesch, currently owns and continues to develop Snort. The program has been downloaded millions of times and has nearly 400,000 registered users [20].

Snort provides three different functions/modes, these are:



  1. Sniffer Mode

  2. Packet Logger Mode

  3. Network Intrusion Detection System (NIDS) Mode

Sniffer mode (snort -v) reads every packet that arrives on the interface Snort is listening on and prints each one to the console; it runs continuously until the user stops it. Packet logger mode (snort -l with a log directory) reads the same packets but writes them to disk instead of printing them. NIDS mode (snort -c with a configuration file) examines all traffic passing the sensor and raises alerts for packets that match its rule set; this is the most complex of the three modes (Sourcefire, 2013). Installing and configuring Snort as a NIDS can be involved, but a step-by-step guide is available so that the program can be installed correctly. In every mode Snort only sees traffic that reaches its own interface, so on a switched network the sensor has to be fed from a mirror (SPAN) port or a network tap if it is to observe other hosts' traffic. Snort can be used together with other programs to analyse the data it produces; one such program is BASE (Basic Analysis and Security Engine).

Figure: BASE [21]

The figure shows a simple screenshot of BASE displaying Snort output. BASE is a web interface that analyses the intrusions detected by the Snort IDS (intrusion detection system); it also provides a simple web-based setup program for users who are not comfortable editing configuration files by hand [22].

2.11 Wireshark


Wireshark is a network protocol analyser whose development began in 1998 (under the name Ethereal, until it was renamed Wireshark in 2006); it is currently one of the most popular network protocol analysers in the world and has won many awards [23]. The program captures the packets seen on a network interface of the local machine, which makes it easier for the user to analyse the individual packets and gain a better understanding of the traffic on the network.

Figure: Wireshark [24]



The figure shows a sample packet capture; for each packet it lists a timestamp, the source and destination IP addresses, the protocol and a short summary of the packet contents. The user can also restrict the packet list to a particular IP address or port number by entering a display filter. For example, ip.src==190.61.190.111 && tcp.port==80 shows only packets whose source IP address is 190.61.190.111 and whose TCP source or destination port is 80 (tcp.port matches either end of the connection; tcp.srcport or tcp.dstport restricts it to one side).
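To make the filter semantics concrete, the following Python script is an added example (not part of the original report, and not Wireshark's own code) that evaluates a small subset of Wireshark's display-filter syntax over constructed packet records: field==value comparisons combined with &&, || and ! and parentheses. The packet records, their field values and the alias table are assumptions built for the illustration; the two behaviours it reproduces are Wireshark's: tcp.port, udp.port and ip.addr match either end of a packet whereas ip.src or tcp.dstport are one-sided, and a field absent from a packet never satisfies a comparison.

```python
"""Evaluate a small subset of Wireshark display-filter syntax over packet records.

Added example, not part of the original report or of Wireshark.  Supports
``field == value`` comparisons combined with ``&&``, ``||``, ``!`` and
parentheses, and reproduces two Wireshark behaviours that matter when
writing filters:
  * ``tcp.port`` / ``udp.port`` / ``ip.addr`` match EITHER end of a packet,
    whereas ``ip.src``, ``tcp.dstport`` etc. are one-sided;
  * a field that is absent from a packet never satisfies a comparison.
"""
import re

# Constructed sample packets (assumed dissection results, not a real capture).
# Field names follow Wireshark's; frame.time is seconds since capture start.
PACKETS = [
    {"frame.time": "0.000", "ip.src": "190.61.190.111", "ip.dst": "10.0.0.5",
     "tcp.srcport": 80, "tcp.dstport": 51234, "_ws.col.Protocol": "HTTP"},
    {"frame.time": "0.013", "ip.src": "10.0.0.5", "ip.dst": "190.61.190.111",
     "tcp.srcport": 51234, "tcp.dstport": 80, "_ws.col.Protocol": "TCP"},
    {"frame.time": "0.250", "ip.src": "190.61.190.111", "ip.dst": "10.0.0.5",
     "tcp.srcport": 443, "tcp.dstport": 51240, "_ws.col.Protocol": "TLSv1.2"},
    {"frame.time": "0.400", "ip.src": "10.0.0.7", "ip.dst": "198.51.100.9",
     "udp.srcport": 53111, "udp.dstport": 53, "_ws.col.Protocol": "DNS"},
]

# "Either side" fields expand to the pair of one-sided fields they cover.
ALIASES = {
    "ip.addr": ("ip.src", "ip.dst"),
    "tcp.port": ("tcp.srcport", "tcp.dstport"),
    "udp.port": ("udp.srcport", "udp.dstport"),
}

TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||!|==|[A-Za-z_][\w.]*|[\w.]+)")


def tokenize(text):
    """Split a filter string into tokens; reject anything outside the subset."""
    tokens, pos = [], 0
    text = text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse filter near {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def compile_filter(text):
    """Turn a filter string into a predicate over packet dicts (recursive descent)."""
    tokens, pos = tokenize(text), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        pos += 1
        return tok

    def parse_or():                      # expr := term ('||' term)*
        left = parse_and()
        while peek() == "||":
            take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and())
        return left

    def parse_and():                     # term := factor ('&&' factor)*
        left = parse_not()
        while peek() == "&&":
            take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not())
        return left

    def parse_not():                     # factor := '!' factor | '(' expr ')' | cmp
        if peek() == "!":
            take()
            inner = parse_not()
            return lambda p: not inner(p)
        if peek() == "(":
            take()
            inner = parse_or()
            take(")")
            return inner
        return parse_cmp()

    def parse_cmp():                     # cmp := FIELD '==' VALUE
        field, op, value = take(), take(), take()
        if op != "==":
            raise ValueError(f"unsupported operator {op!r}")
        names = ALIASES.get(field, (field,))
        # Compare as strings so integer ports and dotted addresses both work;
        # a field missing from the packet simply does not match.
        return lambda p: any(name in p and str(p[name]) == value for name in names)

    predicate = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return predicate


def apply_filter(text, packets=PACKETS):
    """Return the packets that satisfy the display filter ``text``."""
    predicate = compile_filter(text)
    return [p for p in packets if predicate(p)]


def is_valid_filter(text):
    try:
        compile_filter(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in apply_filter("ip.src==190.61.190.111 && tcp.port==80"):
        print(p["frame.time"], p["ip.src"], "->", p["ip.dst"], p["_ws.col.Protocol"])
```

Running the script prints only the first sample packet: the reply from 190.61.190.111 is excluded by ip.src, and the TLS packet from that host is excluded because neither of its ports is 80. The same engine is what the proxy detector of section 3 needs when an administrator wants to narrow a capture to one suspect host before scanning it.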

3. Requirements Analysis


The aim of the requirements analysis is to describe the following in more detail:

  • The problem associated with the current ways to detect anonymous proxies.

  • How the current methods can be improved to provide the best solution for detecting anonymous proxies.

  • The functional and non-functional requirements of the system.

  • The hardware and software requirements that are needed to create the system.

  • The different design methodologies available and which one suits the system.

  • A plan of the system’s structure.

3.1 Project Problem Statement


One of the major problems facing network administrators in organisations is blocking websites that are harmful or that reduce productivity. As discussed in sections 2.6 and 2.7, the main ways to do this have been IP blocking and access control lists. These methods were initially quite successful; however, with new proxy URLs appearing every day, continuously updating both lists is a burden on network administrators in terms of the time it takes, not to mention the company's resources.

3.2 Project Solution Overview


The proposed solution is an intrusion detection system (IDS) capable of detecting whether an anonymous proxy is being used on a network. First, the system will monitor all inbound and outbound traffic on the network; a program such as Wireshark or Snort can be used for this, provided the capture host is placed where it actually sees that traffic (for example on a mirror port of the gateway switch). Both programs can log the captured traffic to a text file, and this text file will contain all the data the IDS needs while it is running. The IDS will hold string sets that correspond to the characteristics of each proxy server. Different anonymous proxies and onion-routing browsers have different characteristics; once all of the characteristics of a given proxy have been matched, the IDS will alert the user that a proxy has been detected. It will display which proxy or onion router is being used, and from the timestamps in the text file the administrator will be able to determine when the proxy was in use. Once a proxy has been found, the administrator will be able to add it to a blacklist. The IDS will run silently in the background, alerting the administrator only when a threat has been found.

3.3 Functional Requirements


The functional requirements of the system are described below. In software engineering, the functional requirements define how the system behaves when it is being used. They are split into user requirements and system requirements.

3.3.1 User Requirements


This section describes the user requirements, which state what the user should be able to achieve with the program. The tasks the user will be able to perform with the system are listed below.

  • Capture all the traffic within the network using Wireshark or Snort.

  • Feed the resulting text (.txt) file to the command-line program manually, or let the program run on its own and analyse the packets in the capture in real time.

  • Receive feedback from the program if any proxies have been detected.

  • Locate the exact time the proxy was in use and subsequently ban the proxy if its use is deemed unsafe.

  • Have an instruction set on how the system works, and how to troubleshoot any problems.

3.3.2 System Requirements


This section outlines the system requirements, which describe the functionality the system itself must provide:

  • An internet connection is required for packets to be sent and received through the network; the packets will be logged by either Wireshark or Snort.

  • The system will accept text files and scan through them looking for particular character strings.

  • The system will store details of any proxies found and notify the network administrator when a proxy is detected.

  • If the user supplies a file that is not in the expected format, a warning message will be shown.

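As an added example of the detector described in sections 3.2 and 3.3 (illustrative code written for this page, not the report's own implementation), the Python script below scans a packet log exported as one tab-separated line per packet, keeps per-source-host state so that a proxy is reported only once all of its characteristic strings have been seen, warns about lines that are not packet records, and derives blacklist entries from the alerts the administrator decides to act on. The column layout (assumed to be produced with tshark -T fields, the command-line companion of Wireshark), the sample log lines and the two signature sets are constructed assumptions; in particular the Glype and Tor characteristics are placeholders chosen for the illustration, not a validated signature database.

```python
"""Stateful string-set matching over an exported packet log (added example).

Illustrative implementation of the detector sketched in sections 3.2 and 3.3
of the report; it is not the report's own code.  The log is assumed to hold
one packet per line with these tab-separated columns, e.g. as produced by
  tshark -T fields -e frame.time -e ip.src -e ip.dst -e tcp.dstport \
         -e http.host -e http.request.uri
A proxy profile is a set of (column, substring) characteristics, all of which
must be observed from the same internal source address before that profile is
reported, matching the report's "once all of the characteristics have been
met" rule.  The characteristic strings are illustrative placeholders.
"""
from collections import defaultdict

COLUMNS = ("frame.time", "ip.src", "ip.dst", "tcp.dstport",
           "http.host", "http.request.uri")

# Assumed profiles (not from the report): Glype-style web proxies carry the
# target URL in a browse.php?u= query string; a Tor client contacts a relay on
# the default ORPort (9001) and directory port (9030).
PROFILES = {
    "Glype-style web proxy": {("http.request.uri", "browse.php?u="),
                              ("http.request.uri", "&b=")},
    "Tor (default relay ports)": {("tcp.dstport", "9001"),
                                  ("tcp.dstport", "9030")},
}

# Constructed sample log, not a real capture.  Line 5 is deliberately malformed.
SAMPLE_LOG = (
    "Mar 14, 2013 10:22:31.100000000 GMT\t10.0.0.5\t203.0.113.7\t80\tproxy.example\t/browse.php?u=http%3A%2F%2Fblocked.example%2F&b=4\n"
    "Mar 14, 2013 10:22:32.200000000 GMT\t10.0.0.6\t198.51.100.3\t80\tnews.example\t/index.html\n"
    "Mar 14, 2013 10:22:35.300000000 GMT\t10.0.0.9\t192.0.2.44\t9001\t\t\n"
    "Mar 14, 2013 10:22:36.400000000 GMT\t10.0.0.9\t192.0.2.45\t9030\t\t\n"
    "this line is not a packet record\n"
    "Mar 14, 2013 10:22:40.500000000 GMT\t10.0.0.6\t198.51.100.3\t9001\t\t\n"
)


def parse_record(line):
    """Split one exported line into a dict, or return None if it is malformed."""
    # rstrip() with no argument would also eat empty trailing columns, so only
    # the line terminator is removed.
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(COLUMNS):
        return None
    return dict(zip(COLUMNS, parts))


def characteristic_hit(column, needle, value):
    # Port columns need an exact match (a substring rule for 9001 would also
    # fire on 19001); host and URI columns are genuine substring matches.
    return value == needle if column.endswith("port") else needle in value


def scan(lines):
    """Return (alerts, warnings).  An alert fires the moment the last outstanding
    characteristic of a profile is seen from a given source host."""
    hits = defaultdict(dict)   # (ip.src, profile) -> {characteristic: ip.dst where seen}
    alerts, warnings, parsed = [], [], 0
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            warnings.append(f"line {number}: not a {len(COLUMNS)}-column packet record, skipped")
            continue
        parsed += 1
        for name, needed in PROFILES.items():
            key = (rec["ip.src"], name)
            if needed <= set(hits[key]):
                continue                          # already reported for this host
            for column, needle in needed:
                if (column, needle) not in hits[key] and characteristic_hit(column, needle, rec[column]):
                    hits[key][(column, needle)] = rec["ip.dst"]
            if needed <= set(hits[key]):
                alerts.append({
                    "time": rec["frame.time"],    # when the final characteristic appeared
                    "source": rec["ip.src"],
                    "proxy": name,
                    "destinations": sorted(set(hits[key].values())),
                })
    if parsed == 0:
        warnings.append("no packet records parsed: this does not look like an exported capture")
    return alerts, warnings


def ban_destinations(alerts, proxies_to_ban):
    """Addresses to add to the blacklist for the reported proxies the
    administrator has decided are not acceptable on the network."""
    return {d for a in alerts if a["proxy"] in proxies_to_ban for d in a["destinations"]}


if __name__ == "__main__":
    found, warns = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['time']}: {a['proxy']} used by {a['source']} via {', '.join(a['destinations'])}")
    for w in warns:
        print("warning:", w)
```

Run directly, the script reports the Glype-style proxy for 10.0.0.5 and Tor for 10.0.0.9 (both relay addresses are listed, because the two characteristics were met on different packets), stays silent for 10.0.0.6 (only one of the two Tor characteristics was seen), and emits one warning for the malformed line; a file containing no packet records at all yields the "incorrect file" warning of section 3.3.2 rather than silence. In deployment the lines would be read incrementally from the file Wireshark or Snort writes, which gives the real-time mode of section 3.3.1 without changing the matching logic.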