Projects tagged ‘detection’ and ‘ids’


[9 total]

51 Users

Snort® is an open source network intrusion prevention and detection system using a flexible rule-driven language, which combines the benefits of signature-, protocol- and anomaly-based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
Created over 3 years ago.

6 Users

Prelude is a Hybrid IDS framework, that is, a product that enables all available security applications, be they open source or proprietary, to report to a centralized system. To achieve this, Prelude relies on the IDMEF (Intrusion Detection Message Exchange Format) IETF standard, which enables different kinds of sensors to generate events using a unified language. Prelude benefits from its ability to find traces of malicious activity from different sensors (Snort, honeyd, Nessus Vulnerability Scanner, Samhain, over 30 types of system logs, and many others) in order to better verify an attack and, in the end, to perform automatic correlation between the various events. Prelude is committed to providing a Hybrid IDS that offers the ability to unify currently available tools.
Created over 3 years ago.

2 Users

scanlogd is a TCP port scan detection tool, originally designed to illustrate various attacks an IDS developer has to deal with, for a Phrack Magazine article. Thus, unlike some of the other port scan detection tools out there, scanlogd is designed to be totally safe to use. scanlogd supports several packet capture interfaces: the raw socket interface on Linux (which does not require any libraries), libnids, and libpcap.
Created over 2 years ago.

0 Users

This is basically a computer intrusion detection system (IDS). We use a compression method, say LZ78, to build the user profile of the valid user whom we want to protect from those crackers who broke (or try to break) into the system and masqueraded (or try to masquerade) as the valid user. The main point is that we maintain a dictionary which contains the valid user's frequent patterns. When some user, who may be the valid user or some intruder under cover, logs into the system, we compare their patterns against the dictionary. The dictionary is maintained online by the compression method and is dynamically updated. The compression method not only creates a log file that costs little disk space, but can also restore the log file back to the original user system log at any time we need it.
Created 12 months ago.

0 Users

PerlIDS (CGI::IDS) is a Perl website intrusion detection system based on PHPIDS http://php-ids.org/. It parses any hashref for possible attacks, so it does not depend on CGI.pm. The intrusion detection is based on a set of converters that transform the request according to common techniques used to hide attacks. These converted strings are checked for attacks by running a filter set of currently 68 regular expressions. To keep the filter set up-to-date easily, PerlIDS is compatible with the original XML filter set of PHPIDS, which is frequently updated.
Created about 1 year ago.

0 Users

repache replays previously recorded Apache webserver logfiles. The big advantage of repache is its realistic treatment of source IP addresses: it spoofs the IP addresses from the logfile in order to produce a very realistic simulation. The purpose is to test webservers with country/IP-specific behaviour, and intrusion detection/prevention systems, under realistic conditions. In order to spoof TCP connections, repache's TCP stack needs to listen on the network interface for reply packets, which is why all packets must be routed to the host running repache. This usually means that a dedicated test environment has to be used. A demo video of repache in action can be found here.
Created 12 months ago.

0 Users

Valhala Honeypot is an intrusion detector based on the honeypot concept. It provides the following servers: web, ftp, finger, telnet, smtp, pop3, echo, daytime, tftp and port forwarding. It sends logs remotely. Easy to configure. In Portuguese.
Created 11 months ago.

0 Users

libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. Its intended use is within network intrusion detection/prevention systems and honeypots.
Created over 2 years ago.

0 Users

Intelligent Secure Systems IDS in Java
Authors: Jason Laver, Nicholas Pike, Jeffery Prokop

What is it?
An IDS (Intrusion Detection System) is a system designed to detect security intrusions on a given system. An intrusion detection system detects many types of malicious network traffic and computer usage that can't be detected by a conventional firewall. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms). IDSs come in two distinct flavors: Anomaly-based and Misuse-based.

Anomaly
Anomaly-based detection relies upon an easily identifiable pattern of normal use. Anything that does not fall within the boundaries of this normal use is flagged as a possible intrusion. The advantage is that as new attacks appear, the IDS does not necessarily need to be modified in order to counter them: any use that is out of the ordinary is immediately flagged. Conversely, if a system does not have a regular pattern of normal use, many false positives (good use flagged as bad) can occur.

Misuse
Misuse-based detection relies upon identifiable patterns and signatures of 'bad' use. Here, signatures and patterns of known bad use are used to check system use against. If use matches something known by the IDS, it is bad; otherwise, all traffic not recognized is considered good. In a system where normal traffic cannot be easily characterized by a pattern, a Misuse IDS becomes more effective since fewer false positives are found. However, false negatives (bad use flagged as good) can occur, as new attacks not known to the system have no problem gaining access.

How does it work?
Quite simply, both kinds of IDS function the same way: both rely on proper pattern recognition in order to analyze and correctly flag traffic. To do this, we used statistical analysis to create a general model for our IDS to check against.

Step 1: Get the Data
First, we have to get the data that we build our data set out of. In the case of an Anomaly-based IDS, we have to get a large set of examples of normal usage. For a Misuse-based IDS, we have to get examples of known bad traffic and misuse. For our project, these were provided to us in the form of 41 comma-delimited factors for each packet. These 41 factors are defined in the assignment document.

Step 2: Create a Signature
Now that we have a large collection of data, it's time for some descriptive statistics. We find the Q1 (first quartile) and Q3 (third quartile) values for each of the factors that we are checking for. This is a way to normalize our data and remove any outliers from our data population.

Step 3: Compare Traffic to Signature
Finally, all that's left is to compare an instance of traffic to our signature. This is done by simply checking whether a factor in the traffic falls within the quartile values of the same factor in our signature. If it does, our traffic has one more thing in common with our signature.

    Key: Factor = y, Traffic = X, Signature = S
    Common Count = 0
    FOR ALL Factors y:
        IF S(Q1)y < Xy < S(Q3)y THEN Common Count += 1

So how do we decide how many commonalities constitute a flagged match to our signature? We created an integer variable called the Security Level (SECURITY_LEVEL) for just this purpose. The Security Level is a threshold: if the commonality count is greater than or equal to the Security Level, we flag the traffic as matching the signature. To set the Security Level, we used a set of test traffic where misuse and normal usage counts were known (2200 packets: 2000 normal, 200 misuse) and ran our IDS against it until the Security Level gave us results comparable to what we knew to be good and bad in our test data.

Development Process
The workload for the development of this software was as follows:

Nicholas Pike: Gathering statistics - reading in of signatures for processing; identifying thresholds by generating quartiles from pertinent data columns. Parsing of data (BSReader.java) - read in and prepare data files in a usable format.

Jason Laver: Parsing of data (ISSBDataParser.java) - read in and prepare data files in a usable format. AnomalyIDS.java - reading in, analyzing, and outputting of attack results based on thresholds.

Jeff Prokop: MisuseIDS.java - reading in, analyzing, and outputting of attack results based on known breaches.

The team met on several occasions to coordinate work efforts and overall design. The majority of time was spent on the implementation of the Anomaly and Misuse classes from conception to execution. Estimated man hours = 18 - 20 hours.
Created 12 months ago.