Monday, July 18, 2011

DecaffeinatID: A Very Simple IDS / Log Watching App / ARPWatch For Windows


This project started because I wanted a simple ARPWatch-like application for Windows. In a short matter of time, feature creep set in. DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/LAN are up to the kind of "reindeer games" that often happen at coffee shops and hacker cons. For more information on the sort of attacks I'm talking about, see my article Caffeinated Computer Crackers. It's not meant to be a replacement for something more feature rich (but complicated) like Snort. DecaffeinatID watches the Windows logs for three main things and pops up a message in the Windows Systray when it sees any of the following:



New or changed ARP table entries 
Think of this as a poor man's ARPWatch for Windows. The IDS gives a special alert whenever it sees the MAC address of the IP gateway change.

New events in the security log
This will let you know about attempted and successful logins, assuming you have set up auditing for such things in your local security settings.
New events in the firewall log
DecaffeinatID will read your Windows firewall log (if you have one) and list events.
DecaffeinatID should work in Windows XP SP2 and Vista. Notifications are logged to idslog.txt in the present working directory. Currently, settings can be changed via the decaffeinatid.ini file that is created when DecaffeinatID is first run. You can sort of set what is monitored via the GUI, but the single-threaded nature of AutoIt3 makes it somewhat less than responsive at times (we are working on this). You may want to just edit the settings via the INI for now. The INI file should look something like the following:




[config]
sleep=1000
firewalllog=C:\WINDOWS\pfirewall.log
[networks]
ignorenetworksrc=x
[events]
ignoreeventids=576
monitorarpcache=1
monitorgateways=1
monitorfirewall=1
monitorsecevent=1
reversedns=1
sleep is the amount of time, in milliseconds, you want DecaffeinatID to wait between each monitor function (ARP cache, firewall and event log). For example, with the default of "sleep=1000", DecaffeinatID waits about one second between each monitor function, so one full cycle takes about three seconds (I've taken it down to "sleep=100" without major problems).
firewalllog is the path to the Windows firewall log (assuming you have logging enabled). C:\WINDOWS\pfirewall.log should be the default location in XP, but Vista may have it at C:\Windows\System32\LogFiles\Firewall\pfirewall.log.
ignorenetworksrc lists the first part of source IP addresses that should be ignored. For example, "ignorenetworksrc=192.168" would cause the IDS to not notify you if a source IP is in the range 192.168.*.*.
ignoreeventids is a space-separated list of Windows Security Event Log Event IDs to ignore.
monitorarpcache, monitorgateways, monitorfirewall and monitorsecevent let you set what you want to monitor. The monitorgateways option is still a work in progress and is here as a placeholder. The reversedns option tells DecaffeinatID to try to look up the host name for addresses it reports.
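As an added illustration (not DecaffeinatID's own AutoIt3 code), the following Python shows the two checks described above: diffing two ARP cache snapshots so that a changed gateway MAC gets its own alert, and the ignorenetworksrc prefix match. The arp -a text is constructed sample data, and treating the shipped "ignorenetworksrc=x" placeholder as "ignore nothing" is an assumption.

```python
import re

# Constructed `arp -a` snapshots in the Windows XP output format (sample data, not real captures).
ARP_BEFORE = """Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
"""
ARP_AFTER = """Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-02     invalid
  192.168.1.40          aa-bb-cc-dd-ee-03     dynamic
"""
# One entry per line: IPv4 address, MAC in Windows dash notation, then the Type column.
ARP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp(text):
    """Map IP -> MAC, skipping 'invalid' rows (the case the v0.05 bug fix dealt with)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m.group(3).lower() != "invalid":
            table[m.group(1)] = m.group(2).lower()
    return table

def arp_alerts(old, new, gateway):
    """Compare two snapshots; a MAC change on the gateway IP is reported at its own level."""
    alerts = []
    for ip, mac in new.items():
        if ip not in old:
            alerts.append(("NEW", ip, mac))
        elif old[ip] != mac:
            level = "GATEWAY_MAC_CHANGED" if ip == gateway else "CHANGED"
            alerts.append((level, ip, mac))
    return alerts

def ignored_source(src_ip, ignorenetworksrc):
    """'192.168' matches 192.168.*.* only; octet-boundary check stops 192.16.x.x matching."""
    if ignorenetworksrc in ("", "x"):  # assumption: the shipped 'x' placeholder ignores nothing
        return False
    return (src_ip + ".").startswith(ignorenetworksrc.rstrip(".") + ".")

if __name__ == "__main__":
    for alert in arp_alerts(parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER), gateway="192.168.1.1"):
        print(*alert)
```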

It's a pretty ghetto excuse for an IDS as of right now, but it's something I wanted to create for personal use, so I figure I might as well share it. For more information on its development see DecaffeinatID's BinRev Thread. The source and binary can be found here:
Older versions:
Download DecaffeinatID 0.08 Beta
Download DecaffeinatID 0.07 Beta
Download DecaffeinatID 0.06 Beta
Download DecaffeinatID 0.05 Beta
Download DecaffeinatID 0.04 Beta
Download DecaffeinatID 0.02 Beta
Please test it and let me know about problems! All code contributors will have their handle and site linked to from this page.
DecaffeinatID Change Log:
01/22/2009: v0.09 I fixed reverse DNS name resolution so it actually works, compiled with the newest stable version of AutoIT3 and straightened up some inconsistent coding concerning the ini file.
09/20/2008: v0.08 I changed how DecaffeinatID checks for file changes in the firewall log. It seems that under Vista AutoIt does not return the correct information about when the log file has changed its size or its time stamp, so I look for line count changes instead. This really is not the best way to do things, but it's a workaround for the moment. DecaffeinatID now also tries to detect if you are running Vista, and if so sets the default path to the firewall log in the ini to "<WindowsDir>\System32\LogFiles\Firewall\pfirewall.log" instead of "<WindowsDir>\pfirewall.log".
06/26/2008: v0.07 Jabzor did some minor code cleanup and fixed two bugs.
- concatenation and incrementors are now used
- non-global variables are now local to their function/loop
- redundant lines and function calls were removed, increasing overall speed
- systray icon is once again set in both script and compiled format (broke the script icon in 0.03)
- gateway info now reloads every time the ARP monitor is called

06/24/2008: v0.06 Jabzor made minor improvements to the GUI.
- double-clicking the systray icon now opens the log file, right clicking still brings up the menu
- menu style now emulates Windows 2003 classic, which fixes a display issue and looks nicer
- menu ini icon changed

06/22/2008: v0.05 Irongeek made major improvements to the program speed and a bug fix.
- monitoring functions are now set off via timers (FAR more responsive, less resource intensive)
- ini 'sleep' parameter is now milliseconds between timer events, Sleep=1000 is 1 second
- ARP cache parsing improved and fixed a bug if the word 'invalid' appeared

06/20/2008: v0.04 Jabzor did major rewriting, Irongeek improved the ARP monitor.
- code cleanup, organization and easier maintainability
- improved ini layout and invalid ini parsing
- improved GUI (added systray hover text, menu icons and title, check boxes, edit ini, view log, update, about)
- the ModernMenu UDF by Holger Kotsch is now used for the menu system
- ARP monitor is now more efficient

06/19/2008: v0.03 Internal, non-public release.

06/19/2008: v0.02 First public release. Thanks go out to Mirrorshades for helping name this project.

http://www.irongeek.com/i.php?page=security/decaffeinatid-simple-ids-arpwatch-for-windows