Analysis of attacks and development of filters for an Intrusion Detection System based on NFR
Trainee Erwan Lemonnier


Apelbergsgatan 66, Stockholm, Sweden
Time 15-01-2001 to 30-06-2001
Master thesis project registered at KTH-Electrum (Kista), and supervised by Mads Dam (SICS) and Olav Bandman (SICS). The supervisors at Defcom are Aigars Grins and Lovisa Haraldsson.

Project's Definition

This degree project consists of writing parts of a network Intrusion Detection System (IDS).
The aim is to develop filters for network protocols (from network layer to application layer) in order to monitor a network in real time and report any suspect activity. These filters will be written in N-Code (a language close to C and Perl) and used in Network Flight Recorder, a network monitoring framework commonly used to build IDS.

Writting of filters include the following steps:

Filters should work in cooperation with other parts of the system, and be designed to evolve easily, as well as be easily configured. The work include the search and analysis of information about the protocols. This will be done alone or in a team.

Here is a list of the protocols for which filters will be written: IP, ARP/RARP, ICMP, UDP, TCP, DHCP, DNS, SNMP, Telnet, FTP, NFS, RPC, SMB/CIFS, SMTP, POP, IMAP, HTTP, ASDF, IRC.



15th of januari 2001
30st of june 2001
22 weeks
week 1
In London: introduction to OpenBSD, NFR & N-Code
week 2
in Stockholm: configure working place
cycles of 3-4 weeks
analyse a protocol and write the corresponding filter.
last 3 weeks
Report writing, conclusions and presentation.