NetStinky Router IDS
Get it on GitHub.
Motivation
The basic functionality of the NetStinky app is to check if your network
has appeared on any published network blacklists. This typically occurs
A proactive approach to network monitoring can detect compromise events in real-time. By monitoring the WAN link of your NetStinky IDS enabled router, it is possible to detect fine-grained events before external services have noticed a problem.
How it Works
The nsids service runs inside of your router and captures traffic traversing the router. Specifically, the service captures two specific classes of traffic in order to perform deep packet inspection on them:
- TCP SYN packets
- UDP DNS query packets
TCP Traffic Inspection
TCP SYN packets have their source and destination IP addresses and port numbers inspected. If a combination of IP address and port number appears in the internal IoC database, a compromise event is recorded.
DNS Traffic Inspection
DNS queries are inspected to read the domain names in their questions section. If a domain name in the query matches one of the domains listed in the internal IoC database, a compromise event is recorded.
IoC Database Updates
The NetStinky project maintains an update server that allows the nsids service to connect to our server and received updated lists of IoCs. nsids will periodically connect to the server and download the updated IoC databases. An alternative server can be provided if you would prefer to use an alternative source or maintain your own IoC blacklist.
The NetStinky update server is publically available and can be used with
the following command-line arguments:
--update-host netstinky-api.wand.net.nz --update-port 15000
IoC Sources
We draw our IoCs from a number of blacklist sources. You can view the database in our IoC database explorer