Visual Network Threat Level Indicator V2

by joe in Circuits > Arduino


By popular request this is a new wireless version of the Visual Network Threat Level Indicator. This uses a Roving Networks WiFly RN-XV Module to do 802.11 WiFi along with an Arduino to display the threat level on your network.

Network monitoring is very important in today's world. The internet is a scary place. People have taken steps to raise their awareness by installing Intrusion Detection Systems (IDS) such as Snort.

The problem with most of these systems is that upon first installing them they are vigilantly watched. After a week the allure wears off and they are no longer monitored, silently churning away in the depths of the network.

By moving the visualization outside of the computer we make it easier to notice, providing the information at a glance and to a larger audience.

The Visual Threat Level Indicator (VTLI) requires only a network connection and power. It does not need to be directly attached to a computer, so it can be placed anywhere there is network access.

A Python script is run on the IDS which connects to the Arduino and updates the display.

Parts

You will need:
-Arduino Uno
-WiFly RN-XV http://www.sparkfun.com/products/10822
-Sparkfun XBee Shield http://www.sparkfun.com/products/9976
-Sparkfun RGB Breakout Board http://www.sparkfun.com/products/10111
-Arduino Enclosure http://www.sparkfun.com/products/10088
-Wires, solder, other bits and bobs.

-An IDS system running snort. http://www.snort.org
-WiFlySerial libraries: http://sourceforge.net/projects/arduinowifly/

Brief Overview

The VTLI process runs on the IDS and the Arduino.

The Arduino listens for incoming connections to update the display.

The IDS machine has a Python script running that looks at the last 24 hours of the Snort log to generate the threat level. It connects over the network to the Arduino to update the display. This should run out of cron at an interval appropriate to the environment; 5 minutes is a good guess.

Arduino Program

You will need to download the WiFlySerial code from arduinology.tumblr.com. Copy the WiFlySerial.cpp and WiFlySerial.h files to the Arduino library path (on a Mac this is: /Applications/Arduino.app/Contents/Resources/Java/libraries/). Next, open vtli-wifly.ino in the Arduino IDE. You will want to import the Credentials.h and MemoryFree.h files into your project.



Edit Your WiFi Details

The WiFi credentials are stored in the file Credentials.h. Edit the passphrase and ssid variables.

Fix the XBee Shield

The XBee shield from Sparkfun will not work with the WiFly the way it ships. For some reason there is a diode on pin 3. You will need to either remove it or bridge it. I just soldered a piece of wire to jump it; it was the easiest solution.

Wire It Up.

You will hook pins 9, 10, and 11 on the Arduino to the red, green, and blue LEDs.
You will also need to provide power to VCC and GND on the RGB breakout board.

That's it really. The XBee Shield takes care of the wiring for the WiFly.

Add to Enclosure

I used an Arduino case and drilled holes to fit the RGB LEDs and the antenna from the WiFly module.

Process on IDS

On the IDS you will run a Python script that connects to a listener on the Arduino. Run this out of cron, say every 5 minutes, for a constantly updating display.

The code is fairly resilient and will fail with helpful messages. The script is attached to this page.

Be sure to change the IP address of the Arduino in the file.
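The IDS-side process described above, as an added example that is not the vtli.py attached to this page: it counts the Snort alerts from the last 24 hours, scales that count onto a small number of display levels using the maxAlerts tuning variable the page mentions, and pushes the level to the Arduino listener over TCP, exiting with a readable message when the log or the Arduino cannot be reached. It assumes Snort's alert_fast log format and that the listener accepts one ASCII integer followed by a newline; LOG_PATH, ARDUINO_ADDR, LEVELS and the function names are this example's own, and the sample log lines and clock at the bottom are constructed so the parser can be exercised offline.

```python
"""Added example, not the original page's vtli.py: count Snort alerts from
the last 24 hours, map the count to a threat level, send it to the Arduino.
Assumptions not on the page: Snort alert_fast format, a 24-hour window, and
an Arduino listener that accepts one ASCII integer plus newline. LOG_PATH,
ARDUINO_ADDR, LEVELS and the function names are this example's own.
"""
import re
import socket
import sys
from datetime import datetime, timedelta

LOG_PATH = "/var/log/snort/alert"       # assumed path of the alert_fast log
ARDUINO_ADDR = ("192.168.1.50", 2000)   # placeholder Arduino IP and listener port
maxAlerts = 50                          # alerts per 24 h that should show solid red
LEVELS = 5                              # display steps: 0 (green) .. LEVELS-1 (red)

# alert_fast lines start with MM/DD-HH:MM:SS.usec and carry a [Priority: N] field
FAST_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\]"
)

def parse_fast_alert(line, now):
    """Return (timestamp, priority) for one alert_fast line, or None if the
    line is not an alert. alert_fast carries no year, so the year is taken
    from `now`; a stamp that would land in the future belongs to last year."""
    m = FAST_RE.match(line)
    if not m:
        return None
    mon, day = int(m["mon"]), int(m["day"])
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    try:
        stamp = datetime(now.year, mon, day, hh, mm, ss)
        if stamp > now:
            stamp = datetime(now.year - 1, mon, day, hh, mm, ss)
    except ValueError:          # malformed date in the log: skip that line
        return None
    return stamp, int(m["prio"])

def count_recent_alerts(lines, now, window=timedelta(hours=24)):
    """Count alert lines whose timestamp lies within `window` before `now`."""
    count = 0
    for line in lines:
        parsed = parse_fast_alert(line, now)
        if parsed is None:
            continue
        stamp, _priority = parsed
        if now - window <= stamp <= now:
            count += 1
    return count

def threat_level(alert_count, max_alerts=maxAlerts, levels=LEVELS):
    """Scale an alert count onto 0 .. levels-1, saturating at max_alerts."""
    if alert_count >= max_alerts:
        return levels - 1
    return alert_count * (levels - 1) // max_alerts

def send_level(level, addr=ARDUINO_ADDR, timeout=5.0):
    """Send the level to the Arduino listener as 'N\\n'; exit with a readable
    message instead of silently leaving the display stale."""
    try:
        with socket.create_connection(addr, timeout=timeout) as sock:
            sock.sendall(f"{level}\n".encode("ascii"))
    except OSError as exc:
        sys.exit(f"could not reach Arduino at {addr[0]}:{addr[1]}: {exc}")

# Constructed sample log and clock, used to exercise the parser offline.
SAMPLE_NOW = datetime(2013, 1, 21, 15, 0, 0)
SAMPLE_LOG = [
    "01/21-14:23:05.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234",
    "01/20-16:05:00.000001  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9",
    "01/19-09:00:00.000000  [**] [1:1000002:1] LOCAL old alert [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.7:53 -> 10.0.0.9:53",
    "12/31-23:59:59.000000  [**] [1:1000003:1] LOCAL last year [**] [Priority: 3] {TCP} 10.0.0.8:1234 -> 10.0.0.9:22",
    "this line is not an alert",
]

def main(argv):
    # 'vtli.py X' with an integer X forces that level, for manual testing
    if len(argv) > 1:
        level = int(argv[1])
    else:
        now = datetime.now()
        try:
            with open(LOG_PATH) as log:
                alerts = count_recent_alerts(log, now)
        except OSError as exc:
            sys.exit(f"cannot read Snort log {LOG_PATH}: {exc}")
        level = threat_level(alerts)
        print(f"{alerts} alerts in the last 24 h -> level {level}")
    send_level(level)

if __name__ == "__main__":
    main(sys.argv)
```

Run it from cron every few minutes with no arguments, or as `vtli.py 4` to force the top level while checking the wiring. The level is computed only from timestamps and counts, so nothing in the attacker-influenced alert text is interpreted; raising maxAlerts is the knob for a noisy network, as the page notes further down.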

Test

Manual testing can be done by running vtli.py X where X is an integer.

Power everything up and wait. It can take 30 seconds for it to connect to the WiFi.

Test that the Python process can connect to the Arduino. Be sure to point it at both the Snort log and the Arduino.

Done


Now that everything is running, you can tune the maxAlerts variable to suit your environment so you are not always in the red.
You have now moved your IDS alerts off the screen and into the real world, hopefully improving your situational awareness. Also, you got to play with Arduinos!

Thanks for looking!

-Joe