Network Intrusion Detection
The network intrusion detection directory contains software that
monitor, log and in some cases, respond to network-based intrusion
attempts.
o AAFID
AAFID(tm) is a distributed monitoring and intrusion detection
system that employs small stand-alone programs (Agents) to perform
monitoring functions in the hosts of a network. AAFID uses a
hierarchical structure to collect the information produced by each
agent, by each host, and by each set of hosts, to be able to detect
suspicious activity.
o arpd
arpd replies to any ARP request for an IP address matching the
specified destination net with the hardware MAC address of the
specified interface, but only after determining if another host
already claims it. (Typically used in conjunction with honeyd (see
below))
o Deception Toolkit
The Deception ToolKit (DTK) is a toolkit designed to give defenders
a couple of orders of magnitude advantage over attackers. In the
case of DTK, the deception is intended to make it appear to
attackers as if the system running DTK has a large number of widely
known vulnerabilities. DTK's deception is programmable, but it is
typically limited to producing output in response to attacker input
in such a way as to simulate the behavior of a system which is
vulnerable to the attackers method.
o Hogwash
Hogwash is a packet scrubber (sometimes called a signature based
firewall) based on Snort. It is designed to live inline with the
network feed and drop malicious packets. Hogwash is built on top of
layer 2 and is designed to be invisible.
o honeyd
Honeyd is a small daemon that creates virtual hosts on a network.
The hosts can be configured to run arbitrary services, and their
personality can be adapted so that they appear to be running
certain operating systems. Honeyd enables a single host to claim
multiple addresses - up to 65536 have been tested - on a LAN for
network simulation. Honeyd improves cyber security by providing
mechanisms for threat detection and assessment. It also deters
adversaries by hiding real systems in the middle of virtual
systems. It is possible to ping the virtual machines, or to
traceroute them. Any type of service on the virtual machine can be
simulated according to a simple configuration file. Instead of
simulating a service, it is also possible to proxy it to another
machine.
o Libnids
Libnids is an implementation of an E-component of Network Intrusion
Detection System. It emulates the IP stack of Linux 2.0.x. Libnids
offers IP defragmentation, TCP stream assembly and TCP port scan
detection.
o LIDS: Linux Intrusion Detection System
LIDS is a kernel patch and admin tool to enhance the Linux kernel
security, an implementation of a reference monitor in kernel and an
implementation of Mandatory Access Controls in the kernel.
o pakemon
pakemon has been developed to share IDS components based on the
open source model. Current version of pakemon monitors all traffic
on a network, search given data patterns in the traffic and output
session logs and summary logs of matched traffic.
o prelude
Prelude is a Hybrid IDS. This means there are differents sensors
with different capabilities (network sensor, host based sensor,
etc). These sensors send events to a central manager which
processes them and is responsible for event reporting. There is
also a correlation agent working together with the manager.
o Shadow
SHADOW is the result of a project that was originally called the
Cooperative Intrusion Detection Evaluation and Response (CIDER)
project. It was an effort of NSWC Dahlgren, NFR, NSA, the SANS
community and other interested parties to locate, document, and
improve security software. The material on this page is approved
for public release, distribution is unlimited.
o Snort
Snort (R) is an open source network intrusion prevention and
detection system utilizing a rule-driven language, which combines
the benefits of signature, protocol and anomaly based inspection
methods. Snort is the most widely deployed intrusion detection and
prevention technology worldwide and has become the de facto
standard for the industry.
(Note: This list of software and information available at Wiretapped is
not exhaustive. Users are encouraged to browse and search the archive
and read any available "-README.txt" files that are available)