1 Motivation
The motivation for this project is to investigate a mechanism for deploying an anomaly-based Intrusion Detection System in a NAT (Network Address Translation) enabled wireless mesh network, such as the one in Wray. The two critical questions are how to set the detection thresholds dynamically from the network's normal behaviour, and how to detect and mitigate the effects that NAT devices have on the application of those thresholds.
In this project, we present an architecture for collecting and sharing run-time traffic statistics and dynamically selecting thresholds for a wireless mesh network. We implement a mechanism for network devices to share network statistics among themselves, and also with a central server, and for the server to dynamically adapt the thresholds. The project is based on OpenLIDS, a lightweight intrusion detection system used in the Wray wireless mesh network.
2 Objectives of the project
- To determine the data elements that should be shared among mesh routers for intrusion detection
- To implement an efficient means of sharing network audits among nodes
- To implement a mechanism for dynamically configuring detection thresholds
3 Testing the system
3.1 Prerequisites
- Netgear WG302 routers running OpenWRT and Madwifi wireless drivers
- UNIX Terminal
- TCPReplay
3.2 Installation
Follow installation guide for building OpenWRT on Netgear WG302
http://wray-dev.comp.lancs.ac.uk/dokuwiki/
Download OpenLIDS, the IPTables script, and the threshold-server module. Source code for the project can be downloaded here.
Follow the instructions below to install OpenLIDS on the WG302 routers:
- Connect to the mesh router on the wireless interface (SSID: WrayWIFI--XXXX, where XXXX is the router board)
- Copy the LIDS package and the IPTables script (run_new) into the router (password: mirdin)
- SSH into 172.16.15.1 (username: root, password: mirdin)
- To install OpenLIDS:
  $ cd /
  $ opkg install PACKAGENAME
3.3 Testbed Setup
- Set up a network with two routers and one UNIX box, as shown in the figure below. Ensure that the two mesh boxes are positioned in range of each other.

3.4 Test datasets
For testing, we replay traffic traces obtained from the Wray network. Download the traffic trace pcap file here.
We use tcpreplay to prepare, edit, and replay the traffic:
- Prepare the traffic for a client/server communication using the tcpprep command:
$ tcpprep --auto=client --pcap=input.pcap --cachefile=input.cache
- Use tcprewrite to edit the traffic's headers to match the test network, i.e. the source and destination addresses (MAC and IP addresses):
$ tcprewrite --enet-dmac=[Destination host MAC address],[Destination Router MAC Address] --enet-smac=[Source host MAC address],[Source Router MAC Address] --cachefile=input.cache --infile=input.pcap --outfile=output.pcap
$ tcprewrite --endpoints=192.16.15.142:192.168.254.1 --cachefile=input.cache --infile=input.pcap --outfile=output.pcap --skipbroadcast
- Replay the traffic using the tcpreplay command:
# tcpreplay --loop=0 --intf1=eth0 sample.pcap
3.5 Running OpenLids
- Log into each of the routers (ssh root@172.16.15.1)
- Add a static route to the UNIX host IP ($ route add -host 192.168.2.142 gw 192.168.254.1)
- Run the following commands to start OpenLIDS:
$ cd /
$ sh ./run_new
$ lids -c /etc/lids-conf
3.6 Running the server
From the package location, run: $ ./server
3.7 Traffic Audits
On the UNIX server machine, statistics files in CSV (comma-separated values) format will be created. A file will be created for each router sending its traffic statistics to the server, and also a 'mean' file for the threshold levels.
To observe the statistics in real time, use a real-time graph plotter such as LiveGraph (requires the Java Runtime Environment).
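To illustrate the server side of the architecture described above (per-router CSV audits pooled into a 'mean' file from which thresholds are set), here is an added example that is not part of OpenLIDS or the threshold-server module. The CSV columns (interval, packets, flows), the sample values and the threshold rule (mean plus k standard deviations over all routers' reported intervals) are assumptions made for the example; the page does not specify the real column names or rule.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample audits, one CSV text per router, in the assumed layout
# "interval,packets,flows". router-C has a burst in interval 2.
ROUTER_CSV = {
    "router-A": "interval,packets,flows\n1,1200,40\n2,1300,42\n3,1250,41\n",
    "router-B": "interval,packets,flows\n1,1100,38\n2,1150,39\n3,1180,40\n",
    "router-C": "interval,packets,flows\n1,1280,44\n2,5200,190\n3,1260,43\n",
}


def load_stats(csv_text):
    """Parse one router's CSV audit into a list of {metric: value} rows."""
    return [{k: float(v) for k, v in row.items() if k != "interval"}
            for row in csv.DictReader(io.StringIO(csv_text))]


def dynamic_thresholds(all_stats, k=2.0):
    """Per-metric threshold = mean + k * population stdev, pooled over every
    interval reported by every router (assumed rule, not OpenLIDS's)."""
    samples = defaultdict(list)
    for rows in all_stats.values():
        for row in rows:
            for metric, value in row.items():
                samples[metric].append(value)
    return {m: {"mean": statistics.fmean(v),
                "threshold": statistics.fmean(v) + k * statistics.pstdev(v)}
            for m, v in samples.items()}


def flag_anomalies(all_stats, thresholds):
    """Return (router, interval, metric, value) for each sample above threshold."""
    return [(router, i, metric, value)
            for router, rows in all_stats.items()
            for i, row in enumerate(rows, start=1)
            for metric, value in row.items()
            if value > thresholds[metric]["threshold"]]


def mean_file(thresholds):
    """Render the server's 'mean' file: one CSV line per metric."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["metric", "mean", "threshold"])
    for metric in sorted(thresholds):
        t = thresholds[metric]
        writer.writerow([metric, f"{t['mean']:.1f}", f"{t['threshold']:.1f}"])
    return out.getvalue()
```

Because a NAT router reports traffic for every host behind one address, audits from NAT-enabled routers would inflate the pooled mean; the page's mechanism for detecting and correcting that effect is not reproduced here.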