New Project: Building an IDS/IPS
So I've got an idea for a new project but wanted to run it by everybody first to get your thoughts...but I think I could make it work. I am considering engineering my own anomaly based IDS/IPS security system. My thoughts are as follows:
- Cisco switch configured with Port Spanning to monitor traffic
- Dedicated Wireshark system to capture network activity on SPAN port
- Use scripts to automate parsing of the .pcap files of necessary/helpful information on network activity
- Backend SQL database that the script sends the parsed information to
- The SQL database will then be used to collect data for a learning period (probably 2-4 weeks). After this learning period is completed, I will use the database to build a model of expected "standard" activity on the network.
- Then (and this is the tough part) develop scripts to run consistently that monitor new activity. Certain thresholds set for different types of activity (protocol types, total traffic volume, etc...). If those thresholds are met, the system starts shutting down corresponding services and produces alerts.
- Perform PenTests then to perfect the system.
Thoughts?
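As an added illustration of the learning-period and threshold steps above (example code, not from the original post): parsed flow rows are loaded into SQL (an in-memory sqlite3 table standing in for the backend database, with an assumed hour/proto/bytes schema), a per-protocol hourly baseline is built, and a new hour is checked against it. It also covers one failure mode the plan will hit: a protocol whose volume never varied during learning has a zero standard deviation, so a mean-plus-k-sigma threshold alone would alert on any change at all.

```python
import sqlite3
import statistics

# Constructed sample of what a pcap-parsing script might emit, one (hour bucket,
# protocol, bytes) row per flow; stands in for the learning-period data in the SQL backend.
LEARNING_RECORDS = [
    (0, "tcp", 60_000), (0, "tcp", 40_000), (0, "dns", 2_000),
    (1, "tcp", 120_000), (1, "dns", 2_000), (2, "tcp", 80_000), (2, "dns", 2_000),
    (3, "tcp", 100_000), (3, "dns", 2_000), (4, "tcp", 70_000), (4, "tcp", 40_000),
    (4, "dns", 2_000), (5, "tcp", 90_000), (5, "dns", 2_000),
]

def load_records(conn, records):
    # Table layout is an assumption; any schema carrying hour/proto/bytes works.
    conn.execute("CREATE TABLE IF NOT EXISTS flows (hour INTEGER, proto TEXT, bytes INTEGER)")
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?)", records)
    conn.commit()

def build_baseline(conn, k=3.0, floor_frac=0.2):
    # Per-protocol hourly volume model: mean, population stdev, and an alert
    # threshold of mean + k*stdev. floor_frac guarantees a minimum margin, so a
    # protocol with zero variance during learning does not alert on every change.
    rows = conn.execute("SELECT proto, SUM(bytes) FROM flows GROUP BY proto, hour")
    per_proto = {}
    for proto, total in rows:
        per_proto.setdefault(proto, []).append(total)
    baseline = {}
    for proto, totals in per_proto.items():
        mean, sd = statistics.fmean(totals), statistics.pstdev(totals)
        baseline[proto] = {"mean": mean, "stdev": sd,
                           "threshold": mean + max(k * sd, floor_frac * mean)}
    return baseline

def check_hour(baseline, observed):
    # observed maps protocol -> bytes in the hour under test; returns
    # (proto, bytes, reason) alerts, an empty list when everything is within model.
    alerts = []
    for proto, total in observed.items():
        if proto not in baseline:
            alerts.append((proto, total, "protocol not seen in learning period"))
        elif total > baseline[proto]["threshold"]:
            alerts.append((proto, total, f"above threshold {baseline[proto]['threshold']:.0f}"))
    return alerts

def demo():
    conn = sqlite3.connect(":memory:")
    load_records(conn, LEARNING_RECORDS)
    baseline = build_baseline(conn)
    # Constructed "current hour": tcp doubled, dns normal, one never-baselined protocol.
    return baseline, check_hour(baseline, {"tcp": 200_000, "dns": 2_100, "smb": 5_000})
```

Hourly bucketing is the simplest time-of-day model; the same query with a day-of-week column added to GROUP BY would separate weekday from weekend baselines.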