NetStinky Router IDS

Get it on GitHub.

Motivation

The basic functionality of the NetStinky app is to check if your network has appeared on any published network blacklists. This typically occurs after your network has been compromised for some time and an external monitor has detected bad behaviour coming from your address. The nature of this blacklist monitoring means that problems are only detected long after a compromise has occurred.

A proactive approach to network monitoring can detect compromise events in real time. By monitoring the WAN link of your NetStinky IDS-enabled router, it is possible to detect fine-grained events before external services have noticed a problem.

How it Works

The nsids service runs inside your router and captures traffic traversing it. Specifically, the service captures two classes of traffic in order to perform deep packet inspection on them:

Figure: Example showing how nsids detects a compromised IP camera.
Figure: Diagram showing packet inspection flow on the WAN link of the nsids-enabled router.

TCP Traffic Inspection

TCP SYN packets have their source and destination IP addresses and port numbers inspected. If a combination of IP address and port number appears in the internal IoC database, a compromise event is recorded.

DNS Traffic Inspection

DNS queries are inspected to read the domain names in their questions section. If a domain name in the query matches one of the domains listed in the internal IoC database, a compromise event is recorded.
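The two inspection paths described above (TCP SYN source/destination address and port lookup, and DNS question-section domain lookup) can be shown end to end with a small packet inspector. The following is an added example written for this page; it is not the nsids source code and does not use NetStinky's IoC feed. The IoC sets, the packet builders and the IP addresses are constructed for the demonstration. It goes slightly beyond the text in one respect: a DNS name is also checked against its parent domains, so a query for a host under a blacklisted domain is recorded too.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed IoC database (hypothetical values, not NetStinky's feed).
IOC_TCP = {("203.0.113.45", 4444), ("198.51.100.7", 8080)}   # (IP, port) pairs
IOC_DOMAINS = {"c2.example.net", "update.bad-example.org"}


@dataclass
class Event:
    """A recorded compromise event: which inspector fired and what it saw."""
    kind: str
    detail: str


def parse_ipv4_tcp_syn(pkt: bytes) -> Optional[Tuple[str, str, int, int]]:
    """Return (src, dst, sport, dport) for an IPv4/TCP segment with SYN set
    and ACK clear (the first packet of a new connection), else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                     # IPv4 header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:        # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]
    if not (flags & 0x02) or (flags & 0x10):      # need SYN, reject SYN-ACK
        return None
    return src, dst, sport, dport


def check_tcp_syn(pkt: bytes) -> Optional[Event]:
    """Record an event if either endpoint of a new TCP connection is a known IoC."""
    parsed = parse_ipv4_tcp_syn(pkt)
    if parsed is None:
        return None
    src, dst, sport, dport = parsed
    if (dst, dport) in IOC_TCP or (src, sport) in IOC_TCP:
        return Event("tcp", f"{src}:{sport} -> {dst}:{dport}")
    return None


def read_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Read a DNS name at pos, following compression pointers (RFC 1035 4.1.4).
    Returns (lower-cased dotted name, position just after the name field)."""
    labels, end, jumps = [], None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0 == 0xC0:                 # two-byte pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = pos + 2                     # resume here after the jump
            jumps += 1
            if jumps > 16:
                raise ValueError("pointer loop")
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower(), (end if end is not None else pos)


def parse_dns_questions(payload: bytes) -> List[str]:
    """Return every QNAME in the question section of a DNS message (UDP payload)."""
    if len(payload) < 12:
        return []
    qdcount = struct.unpack("!H", payload[4:6])[0]
    names, pos = [], 12
    for _ in range(qdcount):
        try:
            name, pos = read_name(payload, pos)
        except ValueError:
            break                                 # malformed: keep what we have
        names.append(name)
        pos += 4                                  # skip QTYPE and QCLASS
    return names


def check_dns_query(payload: bytes) -> Optional[Event]:
    """Record an event if a queried name, or any parent domain of it, is an IoC."""
    for name in parse_dns_questions(payload):
        parts = name.split(".")
        for i in range(len(parts)):
            candidate = ".".join(parts[i:])
            if candidate in IOC_DOMAINS:
                return Event("dns", f"{name} matched {candidate}")
    return None


# --- constructed packet builders, used only to feed the inspectors offline ---
def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return ip + tcp


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


if __name__ == "__main__":
    for ev in (check_tcp_syn(build_ipv4_tcp("192.168.1.20", "203.0.113.45", 51000, 4444, 0x02)),
               check_dns_query(build_dns_query("www.c2.example.net"))):
        print(ev)
```

Only the SYN of each connection is inspected, so the lookup cost is one set membership per new flow rather than per packet; a SYN-ACK (flags 0x12) is deliberately ignored so that a reply from a blacklisted host to a connection the LAN never opened does not double-count. The DNS parser follows compression pointers with a jump limit, since a question section that loops back on itself must not hang an inspector sitting on the WAN path.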

IoC Database Updates

The NetStinky project maintains an update server from which the nsids service receives updated lists of IoCs. nsids periodically connects to the server and downloads the updated IoC databases. An alternative server can be configured if you would prefer to use a different source or maintain your own IoC blacklist.

The NetStinky update server is publicly available and can be selected with the following command-line arguments: --update-host netstinky-api.wand.net.nz --update-port 15000

IoC Sources

We draw our IoCs from a number of blacklist sources. You can view the database in our IoC database explorer.