Irongeek

Simple Coffee House IDS, needs a name

51 posts in this topic

Ok, I'm working on another simple Autoit3 script. This one watches the Windows logs for common attacks that happen at an open WiFi hotspot like a coffee house (see http://www.irongeek.com/i.php?page=security/coffeecrack ). It watches three things and pops up a message in the Windows systray when it sees the following:

New or changed ARP table entry (Think poor man's ARP Watch for Windows)

New event in security log

New event in firewall log

It's a pretty ghetto excuse for an IDS, but it's something I wanted to create. Any ideas as to a catchy name? The source will be released with the exe.

DecaffeinatID ?

/me likes


So far DecaffeinatID is in the lead. Whoever's name I go with, I'll link to their profile from the page or to their site if they tell me what it is.


Nah, go with something more generic. Maybe SimpleIDS? Considering it's not *just* something that works at a coffee shop... it is a simple IDS meant for desktops/laptops. Think about your range of users, and how they'll stumble onto it. Likely, they'll search something like "simple IDS" or "IDS for Windows" rather than something like "IDS for use in a coffee shop."

Just my two cents.


If you're going for the coffee-like name then I'd go with mirrorshades' DecaffeinatID. It's unbeatable. For a more generic name, as Dirk suggested, how about...

scrutinIDS - Play on the word scrutinize

WID Awake - W(indows)I(ntrusion)D(etection), Wide awake...

IDS of Vigilance - Beware the ides of March, and so forth...

Just some ideas

--M0ralGray

DecaffeinatID ?

/me likes

me too.


Did anyone try it?

Did anyone try it?

Nice...Please include a log file to track the history.....


A few comments, don't take anything personally; mostly cosmetic concerns, as I don't want to quickly bloat what is supposed to be a very lite IDS:

  • The systray icon looks kinda crap at 16x16 pixels on-top of the xp classic grey in the taskbar - I can live with it
  • The systray menu might need some tweaking,
    current;
    'Ver 0.01' <- does nothing
    'Exit' <- close the program (doesn't work for me)
    'About' <- opens the website
    proposed;
    'Decaf 0.0.1..' <- in-program about box that has basic about info and a homepage link in it
    'Monitor' <- sub-menu with checkbox options of what to monitor; 'ARP Watch', 'Gateway Watch', 'Windows Firewall-log', 'Windows Security Event-log', etc
    'View Logs' <- in BOLD + functional default single-click action - added in 0.05a, /c start idslog.txt, or display it internally
    'Update' <- opens the website with version info included in link, /c start hxxp://www.irongeek.com/i.php?page=security/decaffeinatid-simple-ids-arpwatch-for-windows&ver=0.01, compare server-side to newest release
    -- <- separator bar, use one
    'Exit' <- actually close the program - added in ver 0.03 beta

  • As mentioned above, make the single-click tray-icon action to open/view the log-file and the right-click action to open the menu - added in 0.05a
  • Make the systray hover-text 'DecaffeinatID 0.01..' instead of the name of the exe, or have it display which settings are being monitored. - added the first part in ver 0.03 beta
  • If the arp-cache clears or is renewed and the same mac/ip pair shows up as the last entry for that mac/ip pair, don't display the status window again, though you could edit the log prefix with a duplicate/renew or whatnot. I would only display the status window if something is new or something has changed; aka possible spoofing attempts. That, or make this another configurable option under the arp-watch, to display repeat/renewed entries in the status window.
  • Perhaps a configurable, default-on warning at startup that you are about to wipe the security event logs with an ok/cancel button prior to wiping. If you hit cancel it doesn't wipe and disables the Security Event-log monitoring. That or you change how you monitor security event logs and only monitor entries since the program was started, so you don't need to wipe any logs, which would be preferable.
  • Save the menu settings as they are enabled/disabled so that they are the default action the next time the program is started. - added in ver 0.03 beta

  • Is it just me, or does the Exit option not actually work? .. you used the same call-variable $exitmenu twice - fixed in ver 0.02 beta

Otherwise it performs rather well for what it was written. Could use more features and more configurability, but it is the first beta so I'd say it is a success either way.

Did anyone try it?

Nice...Please include a log file to track the history.....

It's in the original program folder, I did suggest he have a menu option (preferably the default action) to view the logs.

Note: the default autoit tray menu handling is rather limited, you might want to try out the more advanced modern menu lib.

Edited by jabzor
Ok, some of your suggestions have been implemented. Others will take time or help for other folks. Check out the new version with more settings options:

Downloading now. I'll see how easy it is to add the remaining changes, haven't played with autoit too much. :)

If you'd add a simple php wrapper to the ids homepage that parses out the version tag from the about request and compares it to the latest version that would be great.

Run(@ComSpec & ' /c start hxxp://www.irongeek.com/i.php?page=security/decaffeinatid-simple-ids-arpwatch-for-windows^&ver='&$ver, '', @SW_HIDE)

Where $ver is the autoit ids script version, in this case 0.02 (you hardcoded the script version in the about text instead of declaring an initial variable..).

Here's a preview of the GUI I wrote in:

systray:

post-3438-1213836915.png

*NOTE* - radio buttons were replaced with the more aesthetic check-marks.

Edited by jabzor

Cool. Thanks for the help.


DecaffeinatID Change Log:

06/26/2008: v0.07 Jabzor did some minor code cleanup and fixed two bugs.
- concatenation and incrementors are now used
- non-global variables are now local to their function/loop
- redundant lines and function calls were removed, increasing overall speed
- systray icon is once again set in both script and compiled format (broke the script icon in 0.03)
- gateway info now reloads every time the ARP monitor is called

06/24/2008: v0.06 Jabzor made minor improvements to the GUI.
- double-clicking the systray icon now opens the log file, right clicking still brings up the menu
- menu style now emulates windows 2003 classic, which fixes a display issue and looks nicer
- menu ini icon changed

06/22/2008: v0.05 Irongeek made major improvements to the program speed and a bug fix.
- monitoring functions are now set off via timers (FAR more responsive, less resource intensive)
- ini 'sleep' parameter is now milliseconds between timer events, Sleep=1000 is 1 second
- ARP cache parsing improved and fixed a bug if the word 'invalid' appeared

06/20/2008: v0.04 Jabzor did major rewriting, Irongeek improved the ARP monitor.
- code cleanup, organization and easier maintainability
- improved ini layout and invalid ini parsing
- improved GUI (added systray hover text, menu icons and title, check boxes, edit ini, view log, update, about)
The ModernMenu UDF by Holger Kotsch is now used for the menu system.
- ARP monitor is now more efficient

06/19/2008: v0.03 Internal, non-public release.

06/19/2008: v0.02 First public release. Thanks go out to Mirrorshades for helping name this project.

To Do:

- Irongeek needs to update the homepage to parse out the version id so as to tell users if they have the newest version, or they can always just look for themselves

- Document code-changes - see change-log above

- Optional registry entry instead of ini for read-only storage, and/or the ability to specify runtime switches and/or external ini files

- Optional one-time warning about the program wiping your security event logs on startup; until event logs are monitored without wiping

- Monitor for a double-click on the tray icon, launch the default action (open logs) - added in 0.05a.

- Fix the horrible UI lag when monitoring files - timers in 0.04t, possibly eventually create independent child processes / threads / pipes / sockets / forking

- Figure out how to include the avi resource so the /art/ folder isn't needed in the build copy

- Figure out how to easily display the trayicon in both script and exe format.. - fixed in 0.06a.

- Further test so that the program can be run with a corrupted ini file and from a read-only location

- Ensure the context-menu checkbox options properly flag the functions to ignore <- High priority

- Stream-line the existing irongeek functions

- Write some wrapper functions for some of the code that repeats itself a lot (mostly mine)

- Test static vs dynamic arp entries, set option to ignore duplicate (pre-existing) arp entries and arp-renews

- Compile a list of system events to really focus on

- Detect DNS spoofing/poisoning, detect dns-server updates per adapter

- Provide a help file for users explaining settings and such

- Log time-stamp entry every time the program is started (informative, good practice and added bonus - a log is created regardless) <- High priority

- Log/Display list of known arp entries, gateways etc (the initial values) on startup <- High priority

- Test and possibly fix the security event monitor code (If I open eventvwr.msc, right-click clear the event security and go clear it doesn't trigger the monitor)

Some of the changes won't be that hard, like setting the default trayicon action when you click it or the wrapper functions to remove ugly/redundant code.

Other changes however will take time and effort, especially the biggest problem, calling separate applications and then WAITING for them while lagging out the GUI which becomes unresponsive until this has completed.

post-3438-1213927181_thumb.png

jabdecaffeinatid0.03.zip

Edited by jabzor

Damn, thanks, but I'd like to iron out the slow GUI responses to changes before we post it. I'll take more of a look at the code tomorrow.

By the way, try compiling with the latest beta.


Pretty sure the slow code-response existed back in the original, it just wasn't as obvious without functional menu items.

(Hit Exit and see how long it can take to stop the application in 0.02, then comment out the function calls in the while/wend loop and hit exit again, everything is instant).

- Set all of the checkboxes to unchecked or edit the ini with all 0s in the monitor entries and the gui is as responsive as any so we'll need to look at the program calls.

Going to require a different tactic than simply batching the run-commands one after each other with a pause in between, possibly a dedicated fork / thread / pipe / etc, some way to offload the gui from the background applications.

The included compile is from the newest stable, I'll try compiling with the latest beta and see if things speed up any.

And ya, don't worry about posting it on your site until things are more smoothed out, if you want to just test the menus and about box uncheck everything and it will run smooth. :)

Edited by jabzor

We may need a companion process for the GUI. Unfortunately, Autoit3 is inherently single threaded. I'll look at it more tomorrow.


I'm looking at the code, shouldn't $monitorgateways be $monitorfirewall? Is $monitorfirewall even used?

Also, why is the file now encoded as UTF16?

Thanks.


One last thing, I'm not very up to date on this UDF. Is there a way to tell in code when the menu becomes visible? If there is, we could have it stop parsing logs when that happens so it seems more responsive.

I'm looking at the code, shouldn't $monitorgateways be $monitorfirewall? Is $monitorfirewall even used?

Also, why is the file now encoded as UTF16?

Yes, sorry that was a typo on my behalf, I'll attach a fixed version to this post.

$monitorgateways is for a future as of yet unimplemented function to monitor changes in the default gateways and their metrics (with 'route print') or at the very least calling IP_Gateway_List()

I am not sure about the speed hit but your arp-cache monitor function should really be calling IP_Gateway_List() every time instead of using the list generated at program startup.

You can see that pipes or threads / etc will be necessary.. we need to monitor the arp cache independent of the gui, same with the windows firewall and the security event log BUT the arp cache thread also needs to know the second there is a change to the gateway info so it isn't monitoring outdated information.

UTF16 is being used for multilingual support, as is the raw menu module instead of the standard though I have included both of them if a user wishes to compile for ansi.

One last thing, I'm not very up to date on this UDF. Is there a way to tell in code when the menu becomes visible? If there is, we could have it stop parsing logs when that happens so it seems more responsive.

There likely is a way, but if things were threaded you could simply instantly kill or start the thread responsible for that feature and the gui would function as normal. This should be the end goal.

NOTE:

I have discovered an annoying bug between the beta 3.2.13.2 and the stable 3.2.12.1 autoit..

In the stable, reading the submenu checkbox states works, but in the beta the code doesn't work, not for me at least with the function I am using.

(GUICtrlRead($GatewayWatch),$GUI_CHECKED) or (GUICtrlRead($GatewayWatch),$GUI_UNCHECKED) doesn't work.. just returns -1 regardless of state in the beta autoit. :(

This breaks checkbox functionality of 0.03+ builds in the beta autoit, though the stable works just fine.

EDIT: attached 0.03a - utf16 script and binary compiled with latest stable, up to users to compile with beta or for ansi

(includes a bugfix for the previously mentioned typo and a msgbox to alert users that monitor gateways isn't added yet if they try and use it in the menu)

jabdecaffeinatid0.03a.zip

Edited by jabzor

Cool, I'm working on a faster way to do the ARP cache refresh. If I can get that fast enough the single thread may work. I'm going to be working on this more tonight, and I may list the monitor check boxes as being "in testing" in the menu and add an option to edit the INI directly. You mentioned in the mail there is a better way to handle this conversation, want to go direct email or something?

The only problem that having the source in UTF16 causes me is I can't use the auto tidy feature to make my code pretty, but if I encode it as ansi then the UDF include fails to work right. Weird. I can work around this.

Cool, I'm working on a faster way to do the ARP cache refresh. If I can get that fast enough the single thread may work. I'm going to be working on this more tonight, and I may list the monitor check boxes as being "in testing" in the menu and add an option to edit the INI directly. You mentioned in the mail there is a better way to handle this conversation, want to go direct email or something?

The only problem that having the source in UTF16 causes me is I can't use the auto tidy feature to make my code pretty, but if I encode it as ansi then the UDF include fails to work right. Weird. I can work around this.

Don't worry about including it until things are actually working properly or at least faster than they are. Would rather things came out later and working well than earlier and not.

We could email, or irc.binrev.net|cryptirc.net:+7000/#binrev would probably be faster.

The alternate menu include for ansi is in the zips I attached, you can use the standard one for ansi just fine if you don't want to support utf just yet, simply change the include path to the non-raw one.

Edited by jabzor
Ok, I posted my changes:

http://www.irongeek.com/i.php?page=securit...tch-for-windows

Jabzor, is there a personal site you want me to link to?

Binrev is fine. ;)

One note about the 0.04 beta release: as it is packed, the end user must still copy the /art/ folder to the program directory to view the about screen icon delogo.avi.

The program will run just fine without this but there will be an empty box where it should be.

I haven't figured out how to easily embed the file in the exe from within AutoIt (ResHacker after the fact works but eww) or how to access the avi icon from within itself without extracting it, while at the same time remaining functional in script form; same with the systray icon in fact.

See Below:

post-3438-1214010754_thumb.png

Running from the extracted zip folders.. note /art/delogo.avi isn't in the exe path, it shouldn't have to be either but I have yet to figure out how to include files etc as mentioned above.

EDIT: Also just noticed another error: - fixed in 0.04t

20080620191708: New IP in cache: invalid with MAC of 192.168.1.1 <- hrmmm?

20080620191711: New IP in cache: 192.168.1.1 with MAC of 00-0a-61-05-43-ef

I'll have to go through the code, but your more efficient arp-watch might have introduced the error.

Edited by jabzor
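The ARP-watch logic discussed in this thread, as an added example in Python rather than the project's AutoIt (not jabzor's or Irongeek's code): every `arp -a` field is validated so a stray "invalid" entry can never be logged as an address (the 0.04 bug above), renewed identical IP/MAC pairs are logged but not alerted on as jabzor suggested, and gateway changes are flagged. The two snapshots and the gateway set are constructed; that Windows prints unresolved entries with an all-zero MAC and type "invalid" is an assumption.

```python
import re
# Constructed `arp -a` snapshots (not from the original post); the all-zero
# "invalid" row imitates the entry type that tripped the 0.04 parser.
ARP_BEFORE = """\
Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0a-61-05-43-ef     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.77          00-00-00-00-00-00     invalid
"""
ARP_AFTER = """\
Interface: 192.168.1.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-de-ad-be-ef-01     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.42          00-aa-bb-cc-dd-ee     dynamic
"""
GATEWAYS = {"192.168.1.1"}  # assumed result of the thread's IP_Gateway_List()
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$", re.IGNORECASE)

def parse_arp(text: str) -> dict:
    """Map IP -> MAC; each field is validated so 'invalid' is never an address."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # interface line, column header or blank line
        ip, mac, kind = parts
        if kind.lower() == "invalid" or not IP_RE.match(ip) or not MAC_RE.match(mac):
            continue  # unresolved entry or malformed row: nothing to watch
        table[ip] = mac.lower()
    return table

def arp_events(old: dict, new: dict) -> list:
    """Classify each entry: new, changed (MAC differs, the spoofing sign) or renewed."""
    events = []
    for ip, mac in sorted(new.items()):
        if ip not in old:
            events.append(("new", ip, mac))
        elif old[ip] != mac:
            events.append(("changed", ip, f"{old[ip]} -> {mac}"))
        else:
            events.append(("renewed", ip, mac))
    return events

def tray_alerts(events: list, gateways: set = GATEWAYS) -> list:
    """Renewed pairs go to the log only; new/changed ones would pop the systray."""
    out = []
    for kind, ip, detail in events:
        if kind != "renewed":
            tag = "GATEWAY " if ip in gateways else ""
            out.append(f"{tag}{kind.upper()}: {ip} {detail}")
    return out
```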