Q: simulators to simulate a network intrusion detection system (Answered, 4 out of 5 stars, 0 Comments)
Question
Subject: simulators to simulate a network intrusion detection system
Category: Computers > Security
Asked by: sharath78-ga
List Price: $7.00
Posted: 28 Oct 2002 15:31 PST
Expires: 27 Nov 2002 15:31 PST
Question ID: 91456
I would like to know information about any simulators that can simulate an
intrusion detection system. The simulator will most likely simulate:
1. a network of hosts, each host having some services through which other hosts
can connect,
2. users who can log on to hosts and connect to other hosts
3. a network intrusion detection system that identifies the network activity.

Even if the simulator cannot simulate a network IDS, it should be possible for
me to get enough information to simulate one myself. It is most preferable
if I can get access to the source code of the simulator.
Answer  
Subject: Re: simulators to simulate a network intrusion detection system
Answered By: duncan2-ga on 28 Oct 2002 22:03 PST
Rated: 4 out of 5 stars
 
Hi Sharath,

Network Intrusion Detection Systems have become a popular topic in the
last few years.  And while computers have gotten much cheaper, it's
still economically beneficial to be able to simulate a network of
computers for testing purposes, rather than buying and configuring a
cluster of machines.

As research in IDS and computer forensics has progressed, sacrificial
hosts or machines used as 'bait' for hackers have also become popular.
(Frequently these machines are referred to as "honeypots".)  For several
years now, the Honeynet Project has been using a combination of
honeypots and Intrusion Detection Systems to capture and analyze
network attacks.  If you haven't visited the Honeynet Project's pages,
you'll probably find them a wealth of interesting information:
http://project.honeynet.org/

You may find the Honeynet Project's papers and presentations
interesting as well, in particular their paper on Honeynets (networks
of honeypots):
http://project.honeynet.org/papers/honeynet/

Now, to answer your question; what you're proposing sounds very much
like a software-simulated honeynet with an additional IDS. 
Essentially this is a virtual production environment.  There are
several tools that can help make this possible.

First, you will probably be interested in reading Hisham Kotry's
LinuxSecurity.com article "Building a Virtual Honeynet".
http://www.linuxsecurity.com/feature_stories/feature_story-100.html

Second, Michael Clark's article "Virtual Honeypots" may be helpful.
http://online.securityfocus.com/infocus/1506

While Clark discusses the commercial product VMware, Kotry toys with
User-Mode Linux to build virtual machines on the same box.

Typically, the IDS and the Honeynet are separate; and there are plenty
of opensource IDS systems with source code available.  Snort is
probably the most popular:
http://www.snort.org/

Prelude is another popular one, and one which ships with various
versions of Linux.
http://www.prelude-ids.org/

You might find additional interesting free IDS products in the
following DMOZ open directory listing:
http://dmoz.org/Computers/Security/Intrusion_Detection_Systems/Free/

If you actually want to SIMULATE the IDS itself, then you'll either
need to grab the source code of one of these products and modify as
needed, or consider using a lower-level tool to build the simulation. 
One such tool is the network simulator NS-2:
http://www.isi.edu/nsnam/ns/index.html

Be forewarned that NS-2 may be cumbersome and building all the rules
you want may take a fair amount of time and work.  I'd recommend
examining Marc Greis's ns-2 tutorial both for usage and to determine
if it has what you're looking for:
http://www.isi.edu/nsnam/ns/tutorial/

Search Strategy
In searching for these resources I used Google with search terms
"network simulator", "honeypot security", and "honeynet".  (It helped
that I knew of the honeynet project through past participation in
their forensic challenges.)


I hope this has answered your question satisfactorily.  Should any of
the above be unclear, please don't hesitate to post a request for
clarification prior to rating.

Regards,
duncan2-ga
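The three things the question asks for (hosts with services, users who log on and connect, and a network IDS that watches the traffic) as one model-level simulation in Python. This is an added example written for this page, not code from the answer or from any project it links. Every host, account, workstation address, attacker packet and detection threshold is constructed for the example. It deliberately skips real TCP/IP and shell emulation: a "packet" is a connection record, which is enough to exercise a port-scan detector and a password-guessing detector.

```python
"""Toy simulation of a network of hosts, users and a network IDS.

Added example, not code from the original question or answers.  Every host,
account, user workstation and packet here is constructed for the example; the
detection thresholds are arbitrary and would be tuned on a real network.
"""
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One connection attempt as seen on the wire by the IDS tap."""
    t: float          # simulated seconds
    src: str          # source IP
    dst: str          # destination IP
    dport: int        # destination port
    accepted: bool    # a service answered (SYN/ACK) rather than RST
    auth_ok: object   # True/False for login services, None otherwise


class Host:
    def __init__(self, ip, services, accounts):
        self.ip, self.services, self.accounts = ip, services, accounts

    def handle(self, t, src, dport, cred=None):
        """Answer a connection; login services also check a (user, password)."""
        if dport not in self.services:
            return Conn(t, src, self.ip, dport, False, None)
        auth = None
        if self.services[dport] in ("ssh", "telnet") and cred is not None:
            user, pw = cred
            auth = self.accounts.get(user) == pw
        return Conn(t, src, self.ip, dport, True, auth)


class NIDS:
    """Stateful detector fed every Conn on the segment (a span-port view)."""
    SCAN_PORTS, SCAN_WINDOW = 8, 5.0      # >= 8 distinct dports from one src in 5 s
    BRUTE_FAILS, BRUTE_WINDOW = 5, 60.0   # >= 5 failed logins to one dst:port in 60 s

    def __init__(self):
        self.scan = defaultdict(deque)    # src -> (t, dport) within SCAN_WINDOW
        self.fails = defaultdict(deque)   # (src, dst, dport) -> failure times
        self.alerts = []

    def inspect(self, c):
        q = self.scan[c.src]
        q.append((c.t, c.dport))
        while q and c.t - q[0][0] > self.SCAN_WINDOW:
            q.popleft()
        if len({p for _, p in q}) >= self.SCAN_PORTS:
            self.alerts.append((round(c.t, 1), "PORTSCAN", c.src, c.dst))
            q.clear()                     # one alert per burst
        if c.auth_ok is False:
            f = self.fails[(c.src, c.dst, c.dport)]
            f.append(c.t)
            while f and c.t - f[0] > self.BRUTE_WINDOW:
                f.popleft()
            if len(f) >= self.BRUTE_FAILS:
                self.alerts.append((round(c.t, 1), "BRUTE_FORCE", c.src, f"{c.dst}:{c.dport}"))
                f.clear()


def run_simulation(seed=7):
    """Benign users plus one attacker.  Returns the IDS alerts and whether the
    attacker eventually logged in (a brute force the IDS reports but cannot stop)."""
    rng = random.Random(seed)
    net = {
        "10.0.0.1": Host("10.0.0.1", {22: "ssh", 80: "http"}, {"alice": "s3cret"}),
        "10.0.0.2": Host("10.0.0.2", {22: "ssh", 25: "smtp", 143: "imap"}, {"bob": "hunter2"}),
        "10.0.0.3": Host("10.0.0.3", {23: "telnet", 80: "http"}, {"carol": "pa55"}),
    }
    users = [("alice", "10.0.1.11", "10.0.0.1", "s3cret"),   # (user, workstation, home host, pw)
             ("bob", "10.0.1.12", "10.0.0.2", "hunter2"),
             ("carol", "10.0.1.13", "10.0.0.3", "pa55")]
    ids, t = NIDS(), 0.0
    # Benign phase: each tick a user logs on to their home host, then uses one
    # service on another host.  One user fat-fingers a password once (step 5).
    for step in range(20):
        user, ws, home, pw = rng.choice(users)
        pw_sent = "typo!" if step == 5 else pw
        port = 22 if 22 in net[home].services else 23
        ids.inspect(net[home].handle(t, ws, port, (user, pw_sent)))
        other = rng.choice([ip for ip in net if ip != home])
        ids.inspect(net[other].handle(t + 0.5, ws, rng.choice(list(net[other].services))))
        t += 3.0
    # Attack phase: the attacker scans 10.0.0.2, then guesses bob's ssh password.
    attacker, victim = "10.0.0.66", net["10.0.0.2"]
    for p in (21, 22, 23, 25, 53, 80, 110, 143, 443, 8080):
        ids.inspect(victim.handle(t, attacker, p))
        t += 0.1
    compromised = False
    for guess in ("password", "123456", "letmein", "qwerty", "bob", "hunter2"):
        c = victim.handle(t, attacker, 22, ("bob", guess))
        ids.inspect(c)
        compromised = compromised or bool(c.auth_ok)
        t += 2.0
    return {"alerts": ids.alerts, "compromised": compromised}


if __name__ == "__main__":
    for a in run_simulation()["alerts"]:
        print(*a)
```

Run as a script it prints one PORTSCAN and one BRUTE_FORCE alert, both from 10.0.0.66, while the twenty benign logins produce nothing. The sixth, correct, guess is accepted without any alert: the network sensor sees the guessing, not the successful login, which is the reason host logs are normally correlated with NIDS output.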

Request for Answer Clarification by sharath78-ga on 29 Oct 2002 01:35 PST
The thing about honeypots is that they are not simulators.
They are machines that are monitored very closely and are
meant to lure the intruders into the honeypot host.
The honeypot is made to look like it contains a lot of crucial
information although it does not.
Honeypots are therefore not network IDS nor do they serve as
simulators.

I did explore the link about NS-2. But this network simulation
system is devised for simulation dealing with network congestion
control and determination of network parameters to suit a certain
traffic. This will not serve the purpose, as a network IDS requires
the actual packets that travel on the network. The NS-2 does not do this.

Snort is an opensource IDS. But it requires that I install Snort on
a computer that can catch a lot of network traffic, say something like
a firewall in order to perform effectively as a network IDS. But I
unfortunately don't have access to such computers and hence my decision
to go in for a simulator.

Sorry to say, but I could not find information about a "network intrusion
detection simulator". Please get back in case you can get more specific
information.

regards.

Clarification of Answer by duncan2-ga on 29 Oct 2002 12:21 PST
Hi Sharath,
You're correct in that honeypots are not simulations, they're actually
machines.  A virtual honeynet is simply a way of economically
condensing a set of honeypots into one machine.

The issue here, I believe, is that a complete simulation of a host
would be unfeasible and be prohibitively costly in terms of man-hours
to create.  You’re not simply looking for a computer routine that
would generate traffic of a network protocol, your question was
looking for interactive logins from users.  Suddenly your simulator
has to be able to give full TCP/IP response, not to mention higher
level telnet or ssh emulation (multiple protocol simulation) along
with shell interactivity.  The implementation requirements for
virtualizing these elements alone would be prohibitively expensive
and, in terms of simulation, possibly quite slow.

There ARE commercial products of this nature (network simulation, not
IDS).  See Shunra’s products, mentioned on their website:
http://www.shunra.com/

A lot of network simulation products are geared more towards load
balancing and traffic shaping, not so much IDS simulation.  There have
been a few threads about this in Usenet too, see for example:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=1a014600.9cf69f24%40usw-ex0106-048.remarq.com&rnum=3&prev=/groups%3Fq%3Dshunra%2Bnetwork%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8

But you were interested in ones with source code available…

If you’re looking to test one particular type of attack (i.e.
developing an IDS for tracking a specific threat), then Prelude’s
modular structure might be a good approach; you could write a plugin
for Prelude that would detect the attack you’re interested in.

I note, also, that Prelude’s libprelude is specifically designed to
“make it easy to convert your application to a Prelude sensor”.
http://www.prelude-ids.org/index.php?page=14

Regarding Snort, you can install it on any box; their recommendation
is more a matter of logic than of necessity.   Yes, it helps if your IDS is at a
point in your network which gets the most traffic, usually at the
firewall.  But that doesn’t mean you can’t set it up for testing on a
much smaller network (2-3 computers w/hub).

I guess it’s not clear to me exactly what you’re trying to accomplish.
Since there are several popular opensource, extensible IDS programs
out there, a simulation of an IDS seems a bit impractical, especially
if you are aiming to analyze one particular type of attack.  Why not
modify and use the real thing?  And if it’s just a simulation, why do
you need interactive host logins? (Why not just replay captured
traffic?)

Various network utilities can replay traffic.  See NDISbench or
tcpReplay here:
http://packetstorm.linuxsecurity.com/UNIX/IDS/
(For that matter, Packetstorm's IDS files may hold something closer to
what you're seeking.  You might find other worthwhile resources by
looking through their main defense page:
http://packetstorm.linuxsecurity.com/defense.html)

If you need applications to generate traffic or attack fingerprints,
perhaps SATAN or the newer Nessus utilities would be useful.
http://www.nessus.org
http://www.fish.com/~zen/satan/satan.html
(Additional vulnerability scanners can be found here:
http://www.cotse.com/tools/vuln.htm )

I hope this helps.  If you can be more specific about the goal for the
simulation, platform, and preferred sourcecode language, I’d be happy
to dig further.

Thanks,
duncan2-ga
sharath78-ga rated this answer: 4 out of 5 stars
The second answer was very good. Although my question was not completely
answered, it had some good links for me to investigate on.

Cheers !!
sharath.
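The clarification above suggests, instead of simulating an IDS, replaying captured traffic through real rules. What that looks like in Python, as an added example written for this page (it is not Snort's code, not Prelude's, and not from the original answers): a matcher for a small subset of Snort's rule language (header, msg, content with |hex| bytes, nocase, flags) run over a handful of packet records standing in for frames read back from a capture file. The packet records, the three rules and the $HOME_NET value are all constructed for the example; nocase and flags are simplified (nocase applies to every content in the rule, flags requires an exact flag set), which real Snort does differently.

```python
"""Minimal Snort-style rule matcher run over replayed traffic records.

Added example, not Snort's code and not from the original page.  It handles a
small subset of the rule language (header, msg, content with |hex| bytes,
nocase, flags) so that rules can be tested against frames read back from a
capture instead of against a live network.  The packet records below are
constructed; the $HOME_NET value is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass

VARS = {"$HOME_NET": "10.0.0.0/24"}     # assumed for the example


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "S", "PA"
    payload: bytes


HEADER = re.compile(
    r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_content(spec):
    """'abc|0d 0a|def' -> b'abc\\r\\ndef'; text between | | is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def addr_matches(spec, ip):
    """any, IP, CIDR or $VAR, with an optional leading ! for negation."""
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


class Rule:
    def __init__(self, text):
        m = HEADER.match(text.strip())
        if not m:
            raise ValueError(f"unparseable rule: {text!r}")
        (self.action, self.proto, self.src, self.sport,
         self.dst, self.dport, opts) = m.groups()
        self.msg, self.contents, self.flags, self.nocase = "", [], None, False
        for opt in (o.strip() for o in opts.split(";")):
            if not opt:
                continue
            key, _, val = opt.partition(":")
            val = val.strip().strip('"')
            if key == "msg":
                self.msg = val
            elif key == "content":
                self.contents.append(parse_content(val))
            elif key == "nocase":            # simplification: applies to all contents
                self.nocase = True
            elif key == "flags":             # simplification: exact flag set match
                self.flags = val
            # any other option keyword is ignored in this subset

    def matches(self, p):
        if self.proto != p.proto:
            return False
        if not (addr_matches(self.src, p.src) and port_matches(self.sport, p.sport)
                and addr_matches(self.dst, p.dst) and port_matches(self.dport, p.dport)):
            return False
        if self.flags is not None and set(self.flags) != set(p.flags):
            return False
        hay = p.payload.lower() if self.nocase else p.payload
        return all((c.lower() if self.nocase else c) in hay for c in self.contents)


def replay(rules, packets):
    """Run every packet through every rule; return alerts as (msg, src, dst)."""
    return [(r.msg, p.src, p.dst) for p in packets for r in rules if r.matches(p)]


RULES = [Rule(t) for t in (
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB-MISC directory traversal"; content:"|2e 2e 2f|";)',
    'alert tcp !$HOME_NET any -> $HOME_NET 22 (flags:S; msg:"external SSH connection attempt";)',
)]

# Constructed "capture": what a replay of a few frames would hand the sensor.
CAPTURE = [
    Packet("tcp", "192.0.2.10", 40001, "10.0.0.5", 80, "PA", b"GET /CGI-BIN/PHF?Qalias=x HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.7", 40002, "10.0.0.5", 80, "PA", b"GET /images/../../etc/passwd HTTP/1.0\r\n"),
    Packet("tcp", "192.0.2.10", 40003, "10.0.0.5", 22, "S", b""),
    Packet("tcp", "10.0.0.7", 40004, "10.0.0.5", 22, "S", b""),      # internal source: no alert
    Packet("tcp", "192.0.2.10", 40005, "10.0.0.5", 80, "PA", b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for alert in replay(RULES, CAPTURE):
        print(*alert)
```

Run as a script it prints three alerts, one per matching packet, and nothing for the internal SSH connection or the plain GET. Swapping CAPTURE for records decoded from a real pcap is the replay workflow the clarification describes; the rules stay the same, which is the point of testing a sensor this way rather than on a live segment.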
