View Full Version : writing an analysis engine for IDS
k_hassib
well now the sniffer part of the IDS is finished and we're trying to design the analysis engine
we already agreed on taking the Snort signatures, loading them into memory, and then starting the signature matching
if you want to think with us about new ideas to do the signature matching and trying to detect the signatures in the packets
you're welcome
we have some constraints that we're trying to make as efficient as possible because we don't want to degrade the performance of the system a lot
:confused:
any suggestions are welcome
mohamed
Congratulations.
Just I have a little question.
Have you ever thought about the license ??
You use OpenSource tools, are you aware of that ?
It would be nice if you can post the code somewhere.
Maybe you can use SourceForge (www.sourceforge.net)
Regards
Mohamed Eldesoky
k_hassib
i know that we're using open source tools
about releasing the code
we have to write it first :)
plus i have to ask the others
but i don't think that someone will mind unless they have other plans with it later
who knows :confused:
let's write it first then do the thinking about what to do with it
sleepy
well first you have to learn to be more communicative.
meaning, you come ask for help, when you get help you don't give feedback, and when you had another question you asked in private.
so here is the deal, I could help you, but you will have to learn to be more communicative, and you need to post the code you already wrote, plus anything useful like a design document, if you have one of course :) .
k_hassib
woow, woow
don't be mad at me
first of all i was not uncooperative at all
the private message was because i didn't know about the reply thing at the beginning
the thing that you might be right about is the libpcap thing:
the "any " in the pcap_open_live works fine and it sniffs all devices including the loopback
the problem with my code was that i needed to typecast the filename and pass it to the callback function ( print_packet)
here are the changes which made it work:
void print_packet(u_char *args, const struct pcap_pkthdr *pkthdr, const u_char *packet)
{
    /* args is the dumper handle passed through pcap_loop; pcap_dump takes it as u_char * */
    pcap_dump(args, pkthdr, packet);
}
pcap_loop(session, 150, print_packet, (u_char *)opfile);
then a small problem with the sniffer popped up and we needed to add some code and then test it
i'm not going to release code till i'm sure it works 100% fine
i'm going to release a libpcap tutorial at the end of the project
also about the design document we're still doing it and as soon as we finish any documents
i'll post them
what i can tell till now is:
sniffer is logging packets to files
it has to be as simple as possible and fast so it won't drop any packets to keep up with the 100 Mb ethernet
then another process ( or thread ) not sure yet will:
1- group the packets according to certain criteria (port, protocol (tcp-udp-icmp))
2- do signature matching with the snort signatures which we would load to memory at the beginning when launching the ids
now the trick is to find an efficient way to do the grouping to do as few signature comparisons (matching) as possible
so your help is very appreciated here
we agreed to start with the following snort signature files:
ftp-telnet-scans-icmp-http-shellcodes
then we'll add the others
also i'm reading the CIDF specs to see if i can implement what they say in our system
that's all till now
waiting for the comments and feedback
as soon as there's something new i'll post it
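The grouping step described in this post, as an added example that is not part of the thread or of the authors' project: a constructed set of Snort-style rules is bucketed once by (protocol, destination port), and each packet is then compared only against its exact bucket plus the protocol's any-port bucket, so the FTP and HTTP rules are never tested against ICMP or UDP traffic. The rule contents and messages are constructed here; the real Snort rule parser and the libpcap capture loop are assumed to live outside this snippet.

```c
#include <string.h>
#define MAX_RULES 16
#define ANY_PORT (-1)
enum proto { P_TCP, P_UDP, P_ICMP };
/* One rule: the header fields we key on plus one content match. Constructed
   set, modelled on Snort headers such as "alert tcp any any -> any 21 (...)". */
struct rule { enum proto proto; int dport; const char *content; const char *msg; };
static const struct rule rules[] = {
    { P_TCP,  21,       "USER root",        "FTP root login attempt" },
    { P_TCP,  80,       "/cgi-bin/phf",     "WEB-CGI phf access" },
    { P_TCP,  80,       "/etc/passwd",      "WEB-MISC /etc/passwd access" },
    { P_ICMP, ANY_PORT, "",                 "ICMP traffic (header-only rule)" },
    { P_TCP,  ANY_PORT, "\x90\x90\x90\x90", "SHELLCODE x86 NOOP" },
};
/* A bucket holds every rule sharing (proto, dport); built once at IDS start. */
struct bucket { enum proto proto; int dport; int idx[MAX_RULES]; int n; };
static struct bucket buckets[MAX_RULES]; static int nbuckets;
static struct bucket *find_bucket(enum proto p, int dport) {
    for (int i = 0; i < nbuckets; i++)
        if (buckets[i].proto == p && buckets[i].dport == dport) return &buckets[i];
    return NULL;
}
void build_index(void) {
    nbuckets = 0;
    for (int i = 0; i < (int)(sizeof rules / sizeof rules[0]); i++) {
        struct bucket *b = find_bucket(rules[i].proto, rules[i].dport);
        if (!b) { b = &buckets[nbuckets++]; b->proto = rules[i].proto; b->dport = rules[i].dport; b->n = 0; }
        b->idx[b->n++] = i;
    }
}
/* Portable byte search (memmem is not C99); empty content always matches. */
static int has_bytes(const unsigned char *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0) return 1;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}
/* Test a packet only against its (proto, dport) and (proto, any) buckets; returns hits,
   *compared says how many rules were actually examined (vs. all of them without grouping). */
int match_packet(enum proto p, int dport, const unsigned char *payload, size_t len, const char **msgs, int maxmsgs, int *compared) {
    int hits = 0, ports[2] = { dport, ANY_PORT }; *compared = 0;
    for (int k = 0; k < 2; k++) {
        struct bucket *b = find_bucket(p, ports[k]);
        for (int j = 0; b && j < b->n; j++, (*compared)++) {
            const struct rule *r = &rules[b->idx[j]];
            if (hits < maxmsgs && has_bytes(payload, len, r->content)) msgs[hits++] = r->msg;
        }
    }
    return hits;
}
```

With this rule set an HTTP request to port 80 is tested against 3 of the 5 rules, and an ICMP packet against just 1; the saving grows with the size of the loaded rule files.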
mohamed
Originally posted by k_hassib
i'm not going to release code till i'm sure it works 100% fine
i'm going to release a libpcap tutorial at the end of the project
also about the design document we're still doing it and as soon as we finish any documents
i'll post them
I think sleepy made it clear.
Also, why won't you release until it is working 100% ??
I don't like that attitude.
k_hassib
i'm not releasing code till it's 100% cause if i take the responsibility to release something to the open at least you have to be sure that anyone using it won't run into any trouble when using it
i have experience using others' code that "should" have been working and turns out it has mistakes
and i spent a long time trying to figure out what was wrong
that's why i'm not going to do the same thing to someone else
sleepy
you know, code doesnt have to be fully functional to be released.
The point of releasing the code is not like it is going to be used in production systems or anything, it is just so other people could contribute to it.
Major projects usually have 2 or more trees, also known as branches: for example debian has stable and unstable, openbsd has current and release, in the company I work for we have Dev and release.
people working on the project contribute their code in dev, then it goes through QA and then it is integrated into release.
so, not releasing your code because you think it is not useful is really not the smartest excuse, we know it is not. I mean the whole project is not useful I think, it is more like a proof of concept. I think you should not have wasted your time with this project unless you make a significant performance improvement over snort. But now that the word is out, if you need people to help you then you will need to share code.
we can talk theory all night, and I can tell you go google. is that what you want?
k_hassib
you people are really good in talking plain theories
here's the deal and that's it
all we wrote till now is a lousy 400 lines of code
the sniffer will be ready in a couple of days and i'll release it
after that we will be working on the analysis engine for a long time
then the database part and the response ( GUI)
we didn't write anything for it, just design on paper
i'm writing a document ( academic) about our design and i'll release it when it's finished
now there are certain points which have to be clear
we're still students and we have 7 other subjects to work on and to pass
to graduate, otherwise the whole project has no meaning
so our work and time for the project are limited
not like a full time programmer which works on it in a company
when you're a student your goals and view of things are different than when you work in a company for a couple of years and have a lot of experience
this is my project and i'm the one who decides what's useful and what's not and what the goals of it are
not you
also trust me i don't need to hear the crap about don't waste time on this project if you're not going to do this and that
i don't care if the goals are not satisfying for you but for us
we would be satisfied if we managed to get the system working with a good performance (not snort like)
i mean it would be really nice and good to try to add performance over snort
but we don't have the time and resources and knowledge to do it now
maybe later
besides you're missing the whole idea behind the project
to learn team work , solving design issues, coordinating work
to learn new things ( security- ID- network programming)
and all the other skills you gain when you work on the graduation project
when i turned to this forum it was because i know there are a lot of people out there that would add valuable coments to our work and help improve it
but i didn't expect people with attitude telling me what to do and what not
also i don't need some one going hard on me and picking up on me because he does not like the way i write code or manage my work or my theories ( i already have enough of them at school :))
dude what you're saying is useful and helpful but i don't like the way you're saying it
as i said before the project will go on as we see it and if that's not ok with you
walk away
i mean it would be nice of you if you help and we would appreciate it, but it's not like we're going to pay you
that's all i have to say
and in case you walk away it was nice to have this argument with you
still i respect your opinion
but people are not the same
salam
mohamed
i mean it would be nice of you if you help and we would appreciate it, but it's not like we're going to pay you
I see you didn't understand the spirit of OpenSource yet.
Regards
Mohamed Eldesoky
angoranimi
Guys, I don't think the university doctor will appreciate the world contributing to his work (they wouldn't mind if someone was around to give them pointers/hints... just not do the code for them). After all, a school project is done so that the supervisor can judge upon one's competence solely... not the entire community's skills.
Then again I might be missing the point...
MadFarmAnimalz
Yea, lay off him.
I've got an ident server, and I'm not releasing that either until it works like I want it to.
Where do you draw the line? If someone begins a 1,000,000 line code project, are they obliged to release each and every single line the second it is synced to disk?
That has nothing to do with 'the spirit of open source' either. Apache is open source, and yet they keep a tight group of insiders working exclusively on the codebase.
*BSD is open source too, and it's the same there.
Free software doesn't mean that the developer has to listen to each and every little whim the community has.
mohamed
Free software doesn't mean that the developer has to listen to each and every little whim the community has.
I am not saying he should listen to each and every little whim.
I objected on the word of money payment !!!
Also, he can follow what he likes, and just ignore what he doesn't like to be in his project, instead of attacking others !!
I was a student too, and I know how one likes to direct his project.
Regards
Mohamed Eldesoky
k_hassib
ok guys thanks for your comments
i think we don't really need to start an argument about each others opinion in releasing code
because it's really different in everyones view
the point about the doctor is also true
i don't want someone to do the work for me
when i finish something or have an idea and i want to discuss it
that's what i need from this thread
so as i said as soon as something is done and in good shape it will come out to have your opinions
thanks a lot ;)