This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can I benefit from Lua API to make an intrusion detection?

0

Hi, can I benefit from the Lua API to make a program that does a kind of intrusion detection in real time, by running a Lua program that filters specific packets, extracts some fields from them and does some processing on them to detect some cases of intrusion? Could this be a working idea?

asked 19 Nov '12, 11:04

Leena
accept rate: 0%

Hi @helloworld, I would like to know your opinion about this question.

(12 Apr '13, 10:32) Leena

One Answer:

2

An IDS is only useful if it runs all the time monitoring traffic.

Unfortunately it's not a good idea to run Wireshark for a long time capturing data, as it will build internal state in memory and thus the memory consumption will constantly get larger until the OS runs out of memory.

If you want to use Lua, I suggest looking at a pcap library for Lua.

https://github.com/sam-github/pcap-lua

However, that library will only give access to the "raw" packets. So, you won't have all the dissecting functionality of Wireshark, which in turn makes it harder to create an IDS, as you will have to inspect (dissect) the protocols yourself to a level that is useful for an IDS.

UPDATE: I have just found an interesting open source project.

WireShnork - A Snort plugin for Wireshark

http://honeynet.org/node/790

Maybe you can benefit from that code and/or their ideas ;-)

Regards
Kurt

answered 19 Nov '12, 11:19

Kurt Knochner ♦
accept rate: 15%

edited 20 Nov '12, 03:13

Thanks a lot for your answer, it's very useful to me. But I have further questions: what do you mean by a long time (how long?). Another question: can you think about another solution for this problem (while keeping the use of Wireshark)? The one you gave me about using libpcap is good, but I still want to run Wireshark for some reasons. Any suggestion for the memory problem? Does creating capture files as in (capture options - use multiple files) help? Thanks a lot.

(19 Nov '12, 23:36) Leena

what do you mean by a long time (how long?).

It depends on the amount of traffic and the PC where you capture the data (amount of RAM). It can be seconds, minutes, hours.

can you think about another solution for this problem (while keeping the use of Wireshark)?

Only by making substantial changes to the internals of Wireshark, like dropping any data gathered after a TCP connection has been closed, as the IDS has seen the interesting parts.

any suggestion for the memory problem?

Well, buy a system with 256 GByte RAM. But that will only delay the problem ;-)

does creating capture files as in (capture options - use multiple files) help?

Probably. If it is sufficient for your IDS that one process captures data and writes it to disk while another process (much later) analyzes the data, that could possibly be a solution. However, due to the delay between data capture and analysis, the IDS would be a rather bad IDS, as the attack will already have taken place by the time you detect it in the capture file.

Why do you want to write your own IDS (there are free alternatives like Snort, which you could extend/modify to match your requirements), and why do you need Wireshark for that? If we learn more about your project, maybe we can suggest another solution.

(19 Nov '12, 23:56) Kurt Knochner ♦

My supervisor specified using Wireshark. It is an idea and I should find out if it is working or not. I extract some fields from the packet header to take a look at the network traffic and see if there is any possibility of the existence of some threats. I found the Lua API easy, and there is not too much work on it, as I read in one of your site's questions (Lua binding\integration documentation), so I'd like to benefit from it. I need the Wireshark files to be kept for the network administrator, in case an alert is issued, and to extend the work in future by keeping the raw packets. Your opinion will be very much appreciated. Thanks.

(20 Nov '12, 01:27) Leena

I forgot to mention that I take a look at the traffic at the end of each minute or less. Could generating a file for each period be useful and put less load on the memory? I'm not a good programmer, so I don't have an idea about issues like this.

(20 Nov '12, 01:32) Leena

I forgot to mention that I take a look at the traffic at the end of each minute or less

Well, as I said. If that is good enough for your IDS, you could capture files with dumpcap (option: -i) for a period of one minute and write those files to disk (repeat that step indefinitely). Then a second process takes those files (hopefully small enough to process them in time) and analyzes them with tshark and your Lua code. After the analysis those files will be deleted.

For a low traffic environment this might work (somehow). In a high traffic environment you might get into trouble if there is more data coming in than you can process at the same time.

(20 Nov '12, 01:48) Kurt Knochner ♦

How can I do this ("hopefully small enough to process them in time" and "analyzes them")? I don't know how to pass the files to tshark automatically.

(20 Nov '12, 03:55) Leena

You will need some programming knowledge to automate that, either with a typical programming language like C, C++, C# or with a scripting language like Perl, Python, Lua, etc.

You need to write a program that:

  • scans a directory for new capture files
  • as soon as a new capture file is detected, you start tshark with the option -r and the newly detected file: tshark -r file0005.cap
  • you parse the output of tshark with your tool
  • repeat these steps in a loop
(20 Nov '12, 06:38) Kurt Knochner ♦
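The four steps Kurt lists above (scan a directory, run `tshark -r` on each new file, parse the output, loop), written out as an added Python example that is not part of the original thread. It assumes a producer such as `dumpcap -i <iface> -b duration:60 -w <dir>/cap.pcapng` is rotating capture files into a directory, and that the field list and the toy "count packets per destination port" analysis are placeholders for your own detection logic. The newest file in the directory is deliberately skipped, since dumpcap is usually still writing to it.

```python
#!/usr/bin/env python3
"""Added example, not code from the original Q&A thread.

Polls a directory for capture files that dumpcap has rotated out, runs
tshark on each new file, parses the field output, and deletes the file.
"""
import subprocess
import time
from pathlib import Path

# Assumed field list; replace with whatever your detection logic needs.
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "tcp.dstport"]

# Constructed sample of what `tshark -T fields` prints for the FIELDS above:
# one packet per line, tab-separated; the last line is a UDP packet, so its
# tcp.dstport column is empty.
SAMPLE_TSHARK_OUTPUT = (
    "1353342000.10\t10.0.0.5\t10.0.0.9\t22\n"
    "1353342000.25\t10.0.0.5\t10.0.0.9\t22\n"
    "1353342000.40\t10.0.0.7\t10.0.0.9\t80\n"
    "1353342000.55\t10.0.0.7\t10.0.0.53\t\n"
)


def find_new_captures(directory, seen, suffixes=(".cap", ".pcap", ".pcapng")):
    """Step 1: capture files in `directory` not yet in `seen`, oldest first.

    The most recently modified file is skipped because dumpcap is assumed to
    still be writing to it; it will be picked up on a later poll.
    """
    candidates = [
        p for p in Path(directory).iterdir()
        if p.is_file() and p.suffix in suffixes and p.name not in seen
    ]
    candidates.sort(key=lambda p: p.stat().st_mtime)
    return candidates[:-1]  # drop the newest (in-progress) file


def build_tshark_command(capture_path, fields=FIELDS, display_filter=None):
    """Step 2: the tshark invocation for one file, as an argument list."""
    cmd = ["tshark", "-r", str(capture_path), "-T", "fields"]
    for name in fields:
        cmd += ["-e", name]
    if display_filter:
        cmd += ["-Y", display_filter]  # e.g. "tcp.flags.syn==1"
    return cmd


def parse_fields_output(text, fields=FIELDS):
    """Step 3: turn `tshark -T fields` output into one dict per packet.

    Trailing empty columns may be missing entirely, so rows are padded.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        values += [""] * (len(fields) - len(values))
        rows.append(dict(zip(fields, values)))
    return rows


def count_dst_ports(rows):
    """Toy analysis stand-in: packets per TCP destination port."""
    counts = {}
    for row in rows:
        port = row.get("tcp.dstport", "")
        if port:
            counts[port] = counts.get(port, 0) + 1
    return counts


def process_capture(path, fields=FIELDS):
    """Run tshark on one file and return the parsed rows."""
    result = subprocess.run(
        build_tshark_command(path, fields),
        capture_output=True, text=True, check=True,
    )
    return parse_fields_output(result.stdout, fields)


def watch_loop(directory, poll_seconds=5):
    """Step 4: repeat scan / analyze / delete indefinitely."""
    seen = set()
    while True:
        for path in find_new_captures(directory, seen):
            rows = process_capture(path)
            print(path.name, len(rows), "packets", count_dst_ports(rows))
            seen.add(path.name)
            path.unlink()  # analysis done, free the disk space
        time.sleep(poll_seconds)


if __name__ == "__main__":
    import sys
    watch_loop(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it as `python3 watcher.py /path/to/captures` next to the dumpcap process. Kurt's warning about high-traffic environments shows up here as the directory filling faster than the loop drains it; watching the count of unprocessed files is the simplest way to notice that the analysis is falling behind.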

Sorry, but I don't understand ("scans a directory for new capture files"). Can you explain it with an example?

(21 Nov '12, 17:35) Leena