Network Intrusion Detection


        The network intrusion detection directory contains software that
        monitors, logs and, in some cases, responds to network-based intrusion
        attempts.

          o AAFID
            AAFID(tm) is a distributed monitoring and intrusion detection
            system that employs small stand-alone programs (Agents) to perform
            monitoring functions on the hosts of a network. AAFID uses a
            hierarchical structure to collect the information produced by each
            agent, by each host, and by each set of hosts, so that suspicious
            activity can be detected from the combined picture.
            

          o arpd
            arpd replies to any ARP request for an IP address in the specified
            destination net with the hardware (MAC) address of the specified
            interface, but only after first checking that no live host already
            claims that address, so it never hijacks an address that is in use.
            (Typically used in conjunction with honeyd (see below), which then
            answers for the addresses arpd has claimed.)
            

          o Deception Toolkit
            The Deception ToolKit (DTK) is a toolkit designed to give defenders
            a couple of orders of magnitude advantage over attackers. In the
            case of DTK, the deception is intended to make it appear to
            attackers as if the system running DTK has a large number of widely
            known vulnerabilities. DTK's deception is programmable, but it is
            typically limited to producing output, in response to attacker
            input, that simulates the behavior of a system vulnerable to the
            attacker's method.
            

          o Hogwash
            Hogwash is a packet scrubber (sometimes called a signature-based
            firewall) based on Snort. It is designed to sit inline with the
            network feed and drop malicious packets. Hogwash operates at
            layer 2, bridging frames rather than routing them, and is designed
            to be invisible on the network.
            

          o honeyd
            Honeyd is a small daemon that creates virtual hosts on a network.
            The hosts can be configured to run arbitrary services, and their
            personality can be adapted so that they appear to be running
            particular operating systems. Honeyd enables a single host to
            claim multiple addresses - up to 65536 have been tested - on a LAN
            for network simulation. Honeyd improves security by providing
            mechanisms for threat detection and assessment, and it deters
            adversaries by hiding real systems among the virtual ones. The
            virtual hosts can be pinged and tracerouted. Any type of service
            on a virtual host can be simulated according to a simple
            configuration file; instead of simulating a service, honeyd can
            also proxy it to another machine.
            
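        As an added example (not a file from the honeyd distribution), a
        honeyd.conf of the kind the paragraph describes. The addresses, the
        script path, the back-end proxy target and the personality strings
        are assumptions; a personality must match an entry in honeyd's nmap
        fingerprint file exactly, and the script named for port 80 reads the
        attacker's input on stdin and writes the emulated reply on stdout.

```conf
# honeyd.conf (added example; addresses, script and proxy target assumed)

# Catch-all template: traffic to an address with no explicit binding
# is dropped silently, so unused addresses stay dark.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A fake Windows host: honeyd answers ping/traceroute and shapes its
# TCP/IP behaviour to the chosen personality, so an nmap OS scan
# reports Windows XP. Port 80 is emulated by a script; closed ports
# get a RST; port 22 is proxied back to the attacker's own machine.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 22 proxy $ipsrc:22
set windows uptime 3284460
bind 192.168.1.201 windows
bind 192.168.1.202 windows

# A fake Linux host whose one open port is not simulated at all but
# forwarded to a real back-end service (the proxy case in the text).
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 80 proxy 10.0.0.5:80
bind 192.168.1.203 linux
```

        To put this on the wire, first let arpd claim the unused addresses
        (arpd 192.168.1.0/24) and then start honeyd against the same range
        (honeyd -d -f honeyd.conf 192.168.1.0/24). Because arpd answers ARP
        only for addresses that no live host responds to, real machines on
        the segment are left alone while every unused address becomes a
        virtual host.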

          o Libnids
            Libnids is an implementation of an E-component (the event
            generation layer that turns raw packets into reconstructed
            protocol data) of a Network Intrusion Detection System. It
            emulates the IP stack of Linux 2.0.x, so that it reconstructs
            traffic the same way a Linux 2.0 host would. Libnids offers IP
            defragmentation, TCP stream assembly and TCP port scan detection.
            

          o LIDS: Linux Intrusion Detection System
            LIDS is a kernel patch and admin tool that enhances Linux kernel
            security: it implements a reference monitor and Mandatory Access
            Controls inside the kernel.
            

          o pakemon
            pakemon was developed to share IDS components under the open
            source model. The current version of pakemon monitors all traffic
            on a network segment, searches the traffic for given data patterns,
            and outputs session logs and summary logs of the matched traffic.
            
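        The two components described above, libnids-style TCP stream assembly
        and a pakemon-style pattern search over the assembled sessions, as one
        added example. This is illustrative code written for this page, not
        code from libnids or pakemon; the segments, addresses and patterns are
        constructed. It also shows two blind spots a practitioner should know
        about: a per-packet search misses a pattern that straddles a segment
        boundary, and an assembler that (like libnids by default) only tracks
        connections whose SYN it observed sees nothing on connections that
        were already open when monitoring started.

```python
"""libnids-style TCP stream assembly feeding a pakemon-style pattern search.
Added example for this page, not code from either project; the segments
below are constructed inline (no libpcap needed), so it runs offline."""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Segment:
    src: str; sport: int; dst: str; dport: int
    seq: int; payload: bytes = b""; syn: bool = False

@dataclass
class Stream:
    """One direction of a TCP session: isn is the seq of the first data byte."""
    isn: int
    segments: dict = field(default_factory=dict)   # seq -> payload

    def add(self, seq, payload):
        if not payload or seq < self.isn:
            return
        prev = self.segments.get(seq)
        if prev is None or len(payload) > len(prev):   # keep the longer copy
            self.segments[seq] = payload

    def assemble(self):
        """Contiguous data from the ISN up to the first hole. Overlaps resolve
        first-wins; real stacks differ here, which is why libnids emulates one."""
        data, expected = bytearray(), self.isn
        for seq in sorted(self.segments):
            payload = self.segments[seq]
            if seq > expected:
                break                                  # hole: stop at the gap
            if seq + len(payload) <= expected:
                continue                               # pure retransmission
            data += payload[expected - seq:]           # only the not-yet-seen tail
            expected = seq + len(payload)
        return bytes(data)

class Reassembler:
    """Tracks both directions of every connection whose SYN it has seen."""
    def __init__(self):
        self.sessions = defaultdict(dict)   # session key -> {direction: Stream}

    @staticmethod
    def session_key(seg):
        a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
        return (a, b) if a < b else (b, a)   # identical for both directions

    def feed(self, seg):
        direction = (seg.src, seg.sport, seg.dst, seg.dport)
        streams = self.sessions[self.session_key(seg)]
        if seg.syn:
            streams[direction] = Stream(isn=seg.seq + 1)   # SYN takes one seq number
        elif direction in streams:
            streams[direction].add(seg.seq, seg.payload)
        # else: no SYN seen for this direction, so nothing is tracked, which is
        # also libnids' default for connections already open at start-up

    def assembled(self, src, sport, dst, dport):
        key = self.session_key(Segment(src, sport, dst, dport, seq=0))
        stream = self.sessions.get(key, {}).get((src, sport, dst, dport))
        return stream.assemble() if stream else b""

PATTERNS = {"etc_passwd": b"/etc/passwd", "cmd_exe": b"cmd.exe"}   # constructed

def search_packets(segments, patterns):
    """Naive per-packet search: misses a pattern split across two segments."""
    return [(seg.seq, name) for seg in segments
            for name, pat in patterns.items() if pat in seg.payload]

def search_sessions(reasm, patterns):
    """pakemon-style session log: one entry per (direction, pattern) hit."""
    log = []
    for streams in reasm.sessions.values():
        for (src, sport, dst, dport), stream in streams.items():
            data = stream.assemble()
            for name, pat in patterns.items():
                off = data.find(pat)
                if off != -1:
                    log.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                                "pattern": name, "offset": off, "bytes": len(data)})
    return log

# Constructed sample: one HTTP request split into three segments arriving out
# of order, plus one retransmission; "/etc/passwd" straddles the first cut.
REQUEST = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\nHost: www\r\n\r\n"
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.9", 80)

def sample_segments():
    isn, cuts = 1000, (0, 31, 50, len(REQUEST))
    data = [Segment(*CLIENT, *SERVER, isn + 1 + cuts[i], REQUEST[cuts[i]:cuts[i + 1]])
            for i in range(3)]
    return [Segment(*CLIENT, *SERVER, isn, syn=True),
            Segment(*SERVER, *CLIENT, 5000, syn=True),              # SYN/ACK
            data[2], data[0], data[1], data[0],                     # reordered, one retransmit
            Segment(*SERVER, *CLIENT, 5001, b"HTTP/1.0 200 OK\r\n"),
            # opened before monitoring began: its SYN was never seen
            Segment("10.0.0.7", 1234, "10.0.0.9", 80, 77, b"GET /etc/passwd")]
```

        Feeding sample_segments() through a Reassembler and running both
        searches shows the asymmetry: search_packets hits only the untracked
        connection's single packet, while search_sessions hits only the
        reassembled request, where the pattern was split across two segments.
        A deployed sensor needs both views, and the overlap policy in
        assemble() is exactly the kind of ambiguity an attacker can exploit if
        the sensor and the target host resolve it differently.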

          o prelude
            Prelude is a hybrid IDS: different sensors with different
            capabilities (network sensor, host-based sensor, etc.) send events
            to a central manager, which processes them and is responsible for
            event reporting. A correlation agent works together with the
            manager.
            

          o Shadow
            SHADOW is the result of a project that was originally called the
            Cooperative Intrusion Detection Evaluation and Response (CIDER)
            project. It was an effort of NSWC Dahlgren, NFR, NSA, the SANS
            community and other interested parties to locate, document, and
            improve security software. The material on this page is approved
            for public release; distribution is unlimited.
            

          o Snort
            Snort(R) is an open source network intrusion prevention and
            detection system utilizing a rule-driven language, which combines
            the benefits of signature-, protocol- and anomaly-based inspection
            methods. Snort is the most widely deployed intrusion detection and
            prevention technology worldwide and has become the de facto
            standard for the industry.
            

        

        (Note: this list of software and information available at Wiretapped
        is not exhaustive. Users are encouraged to browse and search the
        archive and to read the "-README.txt" files that accompany many of the
        packages.)