September 2006
Libnids is an implementation of an E-component of Network Intrusion Detection
System. It emulates the IP stack of Linux 2.0.x. Libnids offers IP
defragmentation, TCP stream assembly and TCP port scan detection.
Libnids Homepage: http://libnids.sf.net
Such power to monitor and uniquely identify each TCP session would be even more useful if it were available in Ruby; with this idea in mind, I wrote a Ruby wrapper for the libnids library last week.
The project page is located at: http://ruby-libnids.rubyforge.org
I have uploaded test code at: http://ruby-libnids.rubyforge.org/testing/
An example script may look like this:
```ruby
require 'libnids'

# Called by the sniffer for every TCP stream event: opts carries the
# connection tuple and the current state, ss is the stream object.
def callback(opts = nil, ss = nil)
  return unless opts
  case opts["nids_state"]
  when NIDS::STATE_JUST_EST
    str = String.new
    str += "[NEW CONNECTION] #{opts['saddress']}:#{opts['sport']} --> "
    str += "#{opts['daddress']}:#{opts['dport']}"
  when NIDS::STATE_DATA
    str = String.new
    str += "[DATA] #{opts['saddress']}:#{opts['sport']} --> "
    str += "#{opts['daddress']}:#{opts['dport']} "
    str += "[SEND: #{opts['server_data_len']}] [RECV: #{opts['client_data_len']}]"
  when NIDS::STATE_CLOSE, NIDS::STATE_RESET
    str = String.new
    str += "[CLOSE] #{opts['saddress']}:#{opts['sport']} --> "
    str += "#{opts['daddress']}:#{opts['dport']}"
  end
  # print whichever message was built (nil for states not handled above)
  puts str if str
end

$l = NIDS::Sniffer.new
$l.register_tcp(self, :callback)
$l.run
```
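The script above prints one line per event and forgets it. As an added example (my code, not part of ruby-libnids or the blog's script), the tracker below keeps per-session state across the same JUST_EST / DATA / CLOSE / RESET events: it keys sessions by the 4-tuple, accumulates bytes in both directions, records whether the session ended in a reset, and flags sessions whose total exceeds a threshold. The `NIDS::STATE_*` names and the `opts` keys are the ones used in the blog's script; the numeric values of the stand-in constants, the `SessionTracker` class, the threshold and the sample events are all assumptions constructed so the file runs without libnids installed.

```ruby
# Added example, not ruby-libnids project code: a per-session byte counter
# driven by the same callback events the wrapper delivers. The NIDS::STATE_*
# names and the opts hash keys come from the blog's example script; the
# numeric values of the stand-in constants below are assumptions so the
# file also runs where libnids is not installed.
begin
  require 'libnids'
rescue LoadError
  module NIDS
    STATE_JUST_EST = 1   # assumed values, stand-ins only
    STATE_DATA     = 2
    STATE_CLOSE    = 3
    STATE_RESET    = 4
  end
end

class SessionTracker
  # Sessions whose combined byte count exceeds this are flagged; the default
  # is an arbitrary demonstration threshold.
  def initialize(large_session_bytes = 1_000_000)
    @open = {}        # session key => running counters
    @closed = []      # summaries of finished sessions
    @threshold = large_session_bytes
  end

  # 4-tuple key in the same form the original script prints.
  def key(opts)
    "#{opts['saddress']}:#{opts['sport']} --> #{opts['daddress']}:#{opts['dport']}"
  end

  # Same signature as the blog's callback(opts, ss); returns nil like it.
  def handle(opts = nil, ss = nil)
    return unless opts
    k = key(opts)
    case opts['nids_state']
    when NIDS::STATE_JUST_EST
      @open[k] = { :sent => 0, :recv => 0, :large => false }
    when NIDS::STATE_DATA
      # A DATA event for a session never seen established (sniffer started
      # mid-stream) is still counted rather than raising.
      s = (@open[k] ||= { :sent => 0, :recv => 0, :large => false })
      s[:sent] += opts['server_data_len'].to_i
      s[:recv] += opts['client_data_len'].to_i
      s[:large] = true if s[:sent] + s[:recv] > @threshold
    when NIDS::STATE_CLOSE, NIDS::STATE_RESET
      s = @open.delete(k)
      if s
        @closed << { :key => k, :reset => opts['nids_state'] == NIDS::STATE_RESET }.merge(s)
      end
    end
    nil
  end

  def open_count; @open.size; end
  def closed; @closed; end
  def large_sessions; @closed.select { |s| s[:large] }; end
end

# Constructed events standing in for what libnids would deliver for two TCP
# sessions (not captured traffic): one clean close, one reset.
SAMPLE_EVENTS = [
  { 'nids_state' => NIDS::STATE_JUST_EST, 'saddress' => '10.0.0.5', 'sport' => 41000,
    'daddress' => '10.0.0.1', 'dport' => 80 },
  { 'nids_state' => NIDS::STATE_DATA, 'saddress' => '10.0.0.5', 'sport' => 41000,
    'daddress' => '10.0.0.1', 'dport' => 80, 'server_data_len' => 300, 'client_data_len' => 120 },
  { 'nids_state' => NIDS::STATE_JUST_EST, 'saddress' => '10.0.0.7', 'sport' => 52000,
    'daddress' => '10.0.0.1', 'dport' => 22 },
  { 'nids_state' => NIDS::STATE_DATA, 'saddress' => '10.0.0.5', 'sport' => 41000,
    'daddress' => '10.0.0.1', 'dport' => 80, 'server_data_len' => 800, 'client_data_len' => 0 },
  { 'nids_state' => NIDS::STATE_DATA, 'saddress' => '10.0.0.7', 'sport' => 52000,
    'daddress' => '10.0.0.1', 'dport' => 22, 'server_data_len' => 40, 'client_data_len' => 2000 },
  { 'nids_state' => NIDS::STATE_CLOSE, 'saddress' => '10.0.0.5', 'sport' => 41000,
    'daddress' => '10.0.0.1', 'dport' => 80 },
  { 'nids_state' => NIDS::STATE_RESET, 'saddress' => '10.0.0.7', 'sport' => 52000,
    'daddress' => '10.0.0.1', 'dport' => 22 },
]

# Feeds the constructed events through a tracker and returns it.
def replay_sample(threshold = 1_000_000)
  t = SessionTracker.new(threshold)
  SAMPLE_EVENTS.each { |e| t.handle(e) }
  t
end

if $0 == __FILE__
  replay_sample(1000).closed.each do |s|
    puts "#{s[:key]} sent=#{s[:sent]} recv=#{s[:recv]} reset=#{s[:reset]} large=#{s[:large]}"
  end
  # With the real wrapper loaded, hook the tracker into the sniffer the same
  # way the blog's script registers its callback.
  if NIDS.const_defined?(:Sniffer)
    $tracker = SessionTracker.new
    def callback(opts = nil, ss = nil)
      $tracker.handle(opts, ss)
    end
    sniffer = NIDS::Sniffer.new
    sniffer.register_tcp(self, :callback)
    sniffer.run
  end
end
```

Run stand-alone it replays the constructed events and prints the two finished sessions; with libnids and the wrapper installed it additionally attaches the tracker to a live sniffer. Because `handle` tolerates DATA events for sessions it never saw established, it copes with the sniffer being started while connections are already open, which is the common case on a monitoring box.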
This is pretty new at the moment and has been tested only on a network of around 10 systems. I don't think it will be very efficient on high-speed networks with a large number of parallel TCP connections.
And, last but not least, special thanks to Sumit Datta for making the web page for http://ruby-libnids.rubyforge.org
posted at: 11:24 | path: /
Finally it seems my blog is not junking up Planet India any more, and I hope sankarshan and G0SUB won't be mad at me about this, although it's a separate issue that they have many more things to be mad at me about.
As usual the credit undoubtedly goes to t3rmin4t0r for pointing out the actual problem to me and also providing an appropriate fix.
The two things I used for the fix are:
(a) t3rmin4t0r's hacked copy of the pyfilemtime.py plugin for pyblosxom
(b) adding the missing "<pubDate>$date $ti:00 $timezone</pubDate>" line to my story.rss, as pointed out by t3rmin4t0r
posted at: 10:55 | path: /