Hi,
Seeing the features of NeSSi2 in the manual, I am interested in detection units. Could you tell me where the detection unit is?
Hi,
there is no single detection unit. In NeSSi2 we have several Maven artifacts that help to integrate a detection approach into NeSSi2.
The parent artifact for this is located here (javadocs are also available there): http://repositories.dai-labor.de/extern/content/repositories/dai-open/de/dailab/nessi2/security/
We also developed an example that implements a very simple artificial immune system, this example is located here:
http://repositories.dai-labor.de/extern/content/repositories/dai-open/de/dailab/nessi2/contributions/nessi2-ais/2.0.0-beta.5.1/
Hope this helps,
Karsten
Hi,
I am also interested in detection units. My project is about cooperative IDS in the cloud, and I am planning to extend NeSSi2 with special detection units.
I have some questions regarding this, and thanks in advance for your kind response.
1- I would like to implement a signature-based IDS based on comparison with the Snort library, so does the attack simulated in NeSSi2 have a special signature that can be compared to standard ones?
2- Regarding the previous examples posted, I wasn't sure how to integrate them into my NeSSi2 backend and how to use them after that, and I also couldn't find any help in the manual. So, could you kindly guide me through the steps as a NeSSi2 beginner?
3- I am also interested in prevention techniques and wondering how NeSSi2 could manage to simulate such methods as part of the detection units (not from the firewall).
Finally, I would really appreciate it if you have any additional tutorials, documents, lectures or even artifacts that can help me in my work.
Thanks a lot for your help,
Regards,
Last edit: Zahraa.ad 2014-02-14
Hi,
the concept of detection units is only kept for backward compatibility in NeSSi2, since it is used by some of our internal research projects. We decided to retire detection units, since they did not provide any real benefit over the more general concept of NeSSi2 applications.
What you need for your planned work:
Regarding 1:
Implement a NeSSi2 application that is based on the super class for promiscuous applications; the firewall example application in NeSSi2 is a good example. This NeSSi2 application would receive all packets and could check your rules.
For comparing with Snort rules, you can either implement a second NeSSi2 application that uses Snort, or you could use the sniffer example application to write PCAP files to the file system and use those as input for Snort. Note: there are two possible problems. The network packets only contain time information and Ethernet-related content in a limited fashion. Since we don't simulate anything below IP and use discrete time steps in the simulation, the available information only ensures that PCAP files created by NeSSi2 can be displayed with Wireshark. It is possible that this by itself will trigger Snort rules.
Regarding 2:
The NeSSi2 manual contains a section on how to create NeSSi2 applications and use them in NeSSi2. Since you only need to develop NeSSi2 applications for your task, that section should be sufficient. A good example to base your work on is the firewall NeSSi2 app; the source code is available in the Maven repository for NeSSi2.
Regarding 3:
I am not sure if I understand that part. Everything that happens in NeSSi2 must be part of a NeSSi2 application and needs to be deployed to a node in the network.
We have a lecture that uses NeSSi2, but the material for that is in German. Since its content is based on the NeSSi2 manual, it also contains no additional information. Besides the tutorial example, we ship a few additional example applications with NeSSi2. As mentioned before, the source code for them is available in the NeSSi2 Maven repository.
Hope this helped a little.
Best regards,
Karsten
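As an added example (not code from NeSSi2, Snort or this thread), the rule-checking logic Karsten describes for a promiscuous application, written in stand-alone Python so it can be run and tested outside the simulator: a parser for a small subset of the Snort rule language and a matcher that runs every rule against each packet's IP 5-tuple and payload. The SimPacket type, the sample rules and the simulated packets are all constructed for the example; the real NeSSi2 packet object and the application super class are not shown here.

```python
"""Snort-style signature matching in the shape of a promiscuous NeSSi2 app.
Added example, not NeSSi2 or Snort code.  Supports a small subset of the Snort
rule language: action, protocol, address/port (any, !negation, CIDR, lo:hi
ranges), the -> direction, and the msg, content, nocase and sid options."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Assumed stand-in for the packet object NeSSi2 hands to an application; sport/dport 0 for ICMP.
SimPacket = namedtuple("SimPacket", "proto src sport dst dport payload")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)   # [pattern_bytes, nocase] pairs

# action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def _content_bytes(raw):
    """Snort content syntax: literal text with |hex bytes| escapes, e.g. "|FF|SMB"."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % line)
    action, proto, src, sport, dst, dport, opts = m.groups()
    rule = Rule(action, proto.lower(), src, sport, dst, dport)
    for opt in opts.split(";"):          # subset: assumes no ';' inside content strings
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append([_content_bytes(val), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True  # modifier applies to the preceding content
    return rule

def _addr_match(spec, addr):
    if spec == "any":
        return True
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != spec.startswith("!")

def _port_match(spec, port):
    if spec == "any":
        return True
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if ":" in spec:                                  # Snort range syntax lo:hi, :hi, lo:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def rule_matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and _port_match(rule.sport, pkt.sport) and _port_match(rule.dport, pkt.dport)):
        return False
    for pattern, nocase in rule.contents:   # every content pattern must be present
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True

def inspect(rules, packets):
    # What the promiscuous application would report: one (sid, msg, src, dst) per alert.
    return [(r.sid, r.msg, p.src, p.dst)
            for p in packets for r in rules if r.action == "alert" and rule_matches(r, p)]

# Constructed sample rules and simulated packets (not from any real ruleset or trace).
SAMPLE_RULES = [parse_rule(line) for line in [
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"Web shell probe"; content:"GET /cmd.php?cmd="; nocase; sid:1000001;)',
    'alert tcp any any -> any 445 (msg:"SMB1 header seen"; content:"|FF|SMB"; sid:1000002;)',
    'alert icmp !10.0.0.0/8 any -> 10.0.0.0/24 any (msg:"External ICMP to internal host"; sid:1000003;)',
]]
SAMPLE_PACKETS = [
    SimPacket("tcp", "198.51.100.7", 40001, "10.0.0.5", 80, b"get /CMD.php?cmd=id HTTP/1.1\r\n"),
    SimPacket("tcp", "10.0.0.9", 40002, "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    SimPacket("tcp", "10.0.0.9", 40003, "10.0.0.20", 445, b"\x00\x00\x00\x2f\xffSMB\x72\x00"),
    SimPacket("icmp", "198.51.100.7", 0, "10.0.0.5", 0, b"\x08\x00"),
    SimPacket("icmp", "10.1.2.3", 0, "10.0.0.5", 0, b"\x08\x00"),
]
```

Calling `inspect(SAMPLE_RULES, SAMPLE_PACKETS)` yields three alerts (sids 1000001, 1000002 and 1000003); the benign HTTP request and the ICMP from inside 10.0.0.0/8 match nothing. The subset deliberately leaves out Snort options such as pcre, offset/depth/distance/within and flow, so a real Snort ruleset will mostly fail to parse here; for full rule coverage the PCAP-to-Snort route Karsten suggests is the practical choice, and this matcher is better suited to a small set of scenario-specific signatures inside the simulation.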
Sir,
I am really thankful for your detailed reply, which is absolutely helpful.
I believe, from my recent review of cloud simulators, that NeSSi2 is the best for testing security scenarios; I hope this assumption is true and leads me to complete my task.
I just want to make sure about a few points:
1- From point 1, I understood that I can extend the Firewall application to add my rules, but I am facing problems getting access to the firewall source code (couldn't find it) and in understanding some APIs (since the available description is not always sufficient).
2- Regarding Snort, if I want to parse the packets (PCAP files) to compare them to my rules, are there certain NeSSi2 APIs to do this?
3- In general, can I attach any NeSSi2 profile or application in the UI to any NeSSi2 device (e.g. attach the firewall application to a router or a client machine)?
Thanks again for your support,
Regards,
Hi,
1 - The source code is available here: http://repositories.dai-labor.de/extern/content/repositories/dai-open/de/dailab/nessi/nessi.ip.applications/2.1.3/nessi.ip.applications-2.1.3-sources.jar.
Note: Instead of extending the Firewall application, you should extend the same class the firewall class is extending and use it only as a comparison for your own implementation.
2 - For parsing PCAP files NeSSi2 does not provide an API, but there are other APIs available for that, e.g. jpcap, available here on SourceForge.
3 - Yes.
Best regards,
Karsten
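An added example (not NeSSi2 code and not from this thread) covering both the PCAP caveat in Karsten's first reply and the parsing question answered above: it writes simulated IP packets to a PCAP file and reads them back with nothing but the Python standard library, which is the stand-alone equivalent of using jpcap from a NeSSi2 application. The two format gaps the thread describes are handled explicitly: there is no link layer in the simulation, so a 14-byte Ethernet header with zero MAC addresses is fabricated (or skipped entirely by choosing libpcap link type 101, raw IP), and time advances in discrete steps, so timestamps are synthesised from a step counter and an assumed tick length. The IPv4/UDP packet builder, the epoch and the two DNS-shaped records are constructed for the example.

```python
"""Write simulated IP packets to a PCAP file and parse it back.
Added example, not NeSSi2 code.  Shows the two file-format gaps discussed in the
thread: no link layer in the simulation (fabricate one, or use LINKTYPE_RAW) and
discrete time steps (synthesise timestamps).  build_ipv4_udp is an assumed
stand-in for the packets a NeSSi2 scenario would generate."""
import io
import socket
import struct

LINKTYPE_ETHERNET = 1      # libpcap DLT_EN10MB: needs a fabricated 14-byte header
LINKTYPE_RAW = 101         # libpcap DLT_RAW: each record starts at the IP header
PCAP_MAGIC = 0xA1B2C3D4    # microsecond timestamps; written little-endian below
FAKE_ETH_HDR = b"\x00" * 12 + b"\x08\x00"   # zero MACs, EtherType 0x0800 (IPv4)
SIM_EPOCH = 1392336000     # 2014-02-14 00:00:00 UTC, arbitrary simulation start

def ip_checksum(data):
    """RFC 1071 ones'-complement checksum; a correct header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_udp(src, dst, sport, dport, payload, ttl=64):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP csum 0 = absent (valid over IPv4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill the header checksum
    return hdr + udp

def write_pcap(records, link_type=LINKTYPE_ETHERNET, tick_us=1000):
    """records: (time_step, ip_packet) pairs; one simulation step = tick_us microseconds."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, link_type))
    for step, pkt in records:
        frame = FAKE_ETH_HDR + pkt if link_type == LINKTYPE_ETHERNET else pkt
        micros = SIM_EPOCH * 1_000_000 + step * tick_us
        out.write(struct.pack("<IIII", micros // 1_000_000, micros % 1_000_000, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()

def read_pcap(data):
    """Parse a file written above into (sec, usec, src, dst, proto, l4_len) tuples."""
    magic, _, _, _, _, _, link_type = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    off, out = 24, []
    while off < len(data):
        sec, usec, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl]
        off += incl
        ip = frame[14:] if link_type == LINKTYPE_ETHERNET else frame
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack_from("!H", ip, 2)[0]
        out.append((sec, usec, socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9], total - ihl))
    return out

# Constructed sample: a DNS-shaped query and reply, three simulation steps apart.
SAMPLE_RECORDS = [
    (0, build_ipv4_udp("10.0.0.5", "10.0.0.53", 51000, 53, b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6)),
    (3, build_ipv4_udp("10.0.0.53", "10.0.0.5", 53, 51000, b"\x12\x34\x81\x80" + b"\x00" * 8)),
]

if __name__ == "__main__":
    with open("nessi2-sim.pcap", "wb") as f:
        f.write(write_pcap(SAMPLE_RECORDS))
```

Running the module writes a file that Wireshark opens as two UDP packets from 10.0.0.5 to 10.0.0.53 and back, 3 ms apart. Writing with `link_type=LINKTYPE_RAW` drops the fabricated Ethernet header altogether, which is the more honest representation of a simulation that stops at IP; Wireshark decodes it, but check that the Snort build in use accepts link type 101 before relying on it. Neither link type fixes what the thread warns about: the uniform synthetic timing and the absence of real TCP handshakes in such a file are visible to Snort's stream tracking, so rules that depend on established sessions may not fire and preprocessor alerts may appear that have nothing to do with the simulated attack.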