Honours Project Blog, Part 3, Week 5.

Last week, some literature was found to support the project aims. This week it is necessary to decide on and evaluate the practical approach to the project.

The practical for this project could take several routes, as the scope of the project is broad. Because of this, several features of the project must be considered. An IDS/IPS will generate a large number of events, which must all be centralised to be visualised efficiently; this will most likely need a server level of processing power to demonstrate the project fully. After the logical setup of the system, including the logging server and the endpoints running the IDS, is in place, the software for the system can be implemented.

The IDS/IPS will then be installed on the endpoints and configured to forward event logs (possibly via syslog) to the centralised server. The IDS chosen will likely be Snort or Suricata. The centralised server, likely Ubuntu due to previous experience, will then have an ‘ELK stack’ installed to catalogue and display events. A Graylog server may also be set up to compare it with a typical ‘ELK stack’.

An ‘ELK stack’ is a combination of open-source tools (Elasticsearch, Logstash and Kibana) for seamless logging and visualisation.

The third phase of the practical will be to develop some of my own software to attempt to find the best way to display intrusion detection events in a way that improves response times to security concerns within large organisational structures.

At every stage of the project testing will be thorough and every stage documented. Once a system has been implemented (central server and IDS endpoints), plenty of IDS events of different forms (e.g. SSH brute force, ping sweeps etc.) will have to be triggered, which will also take significant time in terms of system testing.
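As an added illustration of the kind of processing the third phase involves (not code from the project itself), the script below parses Snort ‘fast’ alert lines of the sort the endpoints would forward to the central server and ranks them by priority and volume, so that an SSH brute force stands out above a ping sweep. The alert lines, SIDs and addresses are constructed for the example; a line the forwarder truncated is skipped rather than crashing the summary.

```python
import re
from collections import Counter

# Regex for one Snort "fast" alert line (the format written by `snort -A fast`).
# ICMP alerts carry no ports, so the port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Return a dict of fields for one fast-alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["priority"] = int(ev.pop("prio"))
    ev["sid"] = int(ev["sid"])
    return ev

def summarise(lines):
    """Group alerts by (signature, source host); order by priority, then by count."""
    counts = Counter()
    for line in lines:
        ev = parse_alert(line)
        if ev is None:            # e.g. a line truncated by the syslog forwarder
            continue
        counts[(ev["sid"], ev["src"], ev["msg"], ev["priority"])] += 1
    rows = [{"sid": s, "src": src, "msg": m, "priority": p, "count": n}
            for (s, src, m, p), n in counts.items()]
    return sorted(rows, key=lambda r: (r["priority"], -r["count"]))

# Constructed sample alerts (hypothetical SIDs 1000001/1000002, private addresses).
SAMPLE = """\
08/10-14:35:07.100000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51234 -> 10.0.0.7:22
08/10-14:35:07.400000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51235 -> 10.0.0.7:22
08/10-14:35:08.000000  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.7
08/10-14:35:08.200000  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.8
08/10-14:35:08.700000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51236 -> 10.0.0.7:22
garbage line that the forwarder truncated
""".splitlines()

if __name__ == "__main__":
    for row in summarise(SAMPLE):
        print(f"P{row['priority']} x{row['count']:<3} {row['src']:<10} {row['msg']}")
```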

Next time, some practical steps will be looked into and the project proposal document shall be started.