Network Intrusion Detection Systems have become a popular topic in the
last few years. And while computers have gotten much cheaper, it's
still economically beneficial to be able to simulate a network of
computers for testing purposes, rather than buying and configuring a
cluster of machines.
As research in IDS and computer forensics has progressed, sacrificial
hosts or machines used as 'bait' for hackers have also become popular.
(Frequently these machines referred to as "honeypots".) For several
years now, the Honeynet Project has been using a combination of
honeypots and Intrusion Detection Systems to capture and analyze
network attacks. If you haven't visited the Honeynet Project's pages,
you'll probably find them a wealth of interesting information:
You may find the Honeynet Project's papers and presentations
interesting as well, in particular their paper on Honeynets (networks
Now, to answer your question; what you're proposing sounds very much
like a software-simulated honeynet with an additional IDS.
Essentially this is a virtual production environment. There are
several tools that can help make this possible.
First, you will probably be interested in reading Hisham Kotry's
LinuxSecurity.com article "Building a Virtual Honeynet".
Second, Michael Clark's article "Virtual Honeypots" may be helpful.
While Clark discusses the commercial product VMware, Kotry toys with
User-Mode Linux to build virtual machines on the same box.
Typically, the IDS and the Honeynet are separate; and there are plenty
of opensource IDS systems with source code available. Snort is
probably the most popular:
Prelude is another popular one, and one which ships with various
versions of Linux.
You might find additional interesting free IDS products in the
following DMOZ open directory listing:
If you actually want to SIMULATE the IDS itself, then you'll either
need to grab the source code of one of these products and modify as
needed, or consider using a lower-level tool to build the simulation.
One such tool is the network simulator NS-2:
Be forewarned that NS-2 may be cumbersome and building all the rules
you want may take a fair amount of time and work. I'd recommend
examining Marc Greis's ns-2 tutorial both for usage and to determine
if it has what you're looking for:
In searching for these resources I used Google with search terms
"network simulator", "honeypot security", and "honeynet". (It helped
that I knew of the honeynet project through past participation in
their forensic challenges.)
I hope this has answered your question satisfactorily. Should any of
the above be unclear, please don't hesitate to post a request for
clarification prior to rating.
Clarification of Answer by
29 Oct 2002 12:21 PST
You're correct in that honeypots are not simulations, they're actually
machines. A virtual honeynet is simply a way of economically
condensing a set of honeypots into one machine.
The issue here, I believe, is that a complete simulation of a host
would be unfeasible and be prohibitively costly in terms of man-hours
to create. Youre not simply looking for a computer routine that
would generate traffic of a network protocol, your question was
looking for interactive logins from users. Suddenly your simulator
has to be able to give full TCP/IP response, not to mention higher
level telnet or ssh emulation (multiple protocol simulation) along
with shell interactivity. The implementation requirements for
virtualizing these elements alone would be prohibitively expensive
and, in terms of simulation, possibly quite slow.
There ARE commercial products of this nature (network simulation, not
IDS). See Shunras products, mentioned on their website:
A lot of network simulation products are geared more towards load
balancing and traffic shaping, not so much IDS simulation. There have
been a few threads about this in Usenet too, see for example:
But you were interested in ones with source code available
If youre looking to test one particular type of attack (i.e.
developing an IDS for tracking a specific threat), then Preludes
modular structure might be a good approach; you could write a plugin
for Prelude that would detect the attack youre interested in.
I note, also, that Preludes libprelude is specifically designed to
make it easy to convert your application to a Prelude sensor.
Regarding Snort, you can install it on any box; their recommendation
is more logic than necessity. Yes, it helps if your IDS is at a
point in your network which gets the most traffic, usually at the
firewall. But that doesnt mean you cant set it up for testing on a
much smaller network (2-3 computers w/hub).
I guess its not clear to me exactly what youre trying to accomplish.
Since there are several popular opensource, extensible IDS programs
out there, a simulation of an IDS seems a bit impractical, especially
if you are aiming to analyze one particular type of attack. Why not
modify and use the real thing? And if its just a simulation, why do
you need interactive host logins? (Why not just replay captured
Various network utilities can replay traffic. See NDISbench or
(For that matter, Packetstorm's IDS files may hold something closer to
what you're seeking. You might find other worthwhile resources by
looking through their main defense page:
If you need applications to generate traffic or attack fingerprints,
perhaps SATAN or the newer Nessus utilities would be useful.
(Additional vulnerability scanners can be found here:
I hope this helps. If you can be more specific about the goal for the
simulation, platform, and preferred sourcecode language, Id be happy
to dig further.