Hello. A new host-based (also hybrid) IDS called M-ICE (Modular Intrusion Detection and Countermeasure Environment) was released a few weeks ago. Please have a look at http://m-ice.sourceforge.net.

The main goal of M-ICE is to fit every infrastructure and to be highly adaptable. M-ICE basically consists of only three daemons that can be customized by loading binary modules to fulfill all needed tasks and more. Modules can be used to:

- filter log-data (client)
- pseudonymize log-data (client)
- put raw log-data in a more usable format (client)
- decode packages sent by other M-ICE components
- store log-data/alerts in a database
- analyze data
- manage detected alarms
- execute reactions (client, or elsewhere)

All parts of M-ICE can be installed on only one host or each on different hosts in a TCP/IP network. This fact gives an administrator the freedom to handle different needs by using only one system. Researchers will have the advantage of testing their new methods (analysis, pseudonymisation, data-reduction etc.) just by plugging a new module into a full-featured, real-life IDS environment without the need to write other IDS components on their own. The alert managing system of M-ICE is also able to handle other IDS sensors (like Snort) as long as they use the message exchange format IDMEF.

At the moment M-ICE is not ready for use in a production environment. All modules for storing log-data, alerts, managing and executing reactions are available and working, but the module for analyzing data just uses regular expressions and not a more sophisticated technique. Additionally, the reaction-module is just a dummy function. (I wrote both for testing purposes only.) Nevertheless, I have run this system for one year on my internal network and I didn't encounter any fatal malfunction and was able to browse detected alarms and raw log-data by using a graphical SQL frontend and to execute reactions.
To keep this project running and to improve it, all help (developing, testing, porting, tips, ...) is welcome. Have a Happy New Year!

Thomas Biege <thetom@private>
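The module chain described in the announcement (client-side filtering and pseudonymization, normalization, a regex-based analysis step, and IDMEF output for the alert manager), worked through as an added example that is not code from M-ICE itself. The syslog lines, the keyed-hash pseudonymization scheme, the single regex rule and the trimmed IDMEF subset are all assumptions made for the example.

```python
import hashlib, hmac, re
import xml.etree.ElementTree as ET
# Constructed sample syslog lines; not data from the M-ICE project.
SAMPLE_LOG = [
    "Jan  1 10:00:01 gw sshd[812]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    "Jan  1 10:00:02 gw sshd[812]: Failed password for root from 198.51.100.7 port 4023 ssh2",
    "Jan  1 10:00:03 gw cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  1 10:00:04 gw sshd[813]: Accepted publickey for alice from 192.0.2.9 port 5001 ssh2",
]
PSEUDO_KEY = b"site-secret-rotate-me"  # hypothetical key that stays on the client host
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The post's analysis module is regex-based: each rule maps a pattern to a classification.
RULES = [(re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"), "ssh-auth-failure")]

def filter_module(lines, programs=("sshd",)):
    # Client-side filter: keep only well-formed lines from programs the analyzer handles.
    return [l for l in lines if (m := SYSLOG_RE.match(l)) and m["prog"] in programs]

def pseudonymize(ip):
    # Keyed hash: one address always maps to the same pseudonym, so correlation survives.
    return "pseudo-" + hmac.new(PSEUDO_KEY, ip.encode(), hashlib.sha256).hexdigest()[:12]

def normalize_module(line):
    # Raw line -> record; IPv4 addresses are replaced before the data leaves the client.
    rec = SYSLOG_RE.match(line).groupdict()
    rec["msg"] = IPV4_RE.sub(lambda x: pseudonymize(x.group()), rec["msg"])
    return rec

def analyze_module(records):
    # Every rule hit becomes an alert dict for the alert manager.
    alerts = []
    for rec in records:
        for pattern, classification in RULES:
            m = pattern.search(rec["msg"])
            if m:
                alerts.append({"class": classification, "target": rec["host"], "source": m["src"], "user": m["user"]})
    return alerts

def to_idmef(alert):
    # Minimal IDMEF (RFC 4765) Alert with only the elements an alert manager keys on.
    root = ET.Element("IDMEF-Message", xmlns="http://iana.org/idmef")
    a = ET.SubElement(root, "Alert")
    ET.SubElement(a, "Classification", text=alert["class"])
    ET.SubElement(ET.SubElement(ET.SubElement(a, "Source"), "Node"), "name").text = alert["source"]
    ET.SubElement(ET.SubElement(ET.SubElement(a, "Target"), "Node"), "name").text = alert["target"]
    return ET.tostring(root, encoding="unicode")

def run_pipeline(lines=SAMPLE_LOG):
    return analyze_module(normalize_module(l) for l in filter_module(lines))
```

Because the pseudonym is a keyed hash, the two failed logins still correlate to one source without the analysis host ever seeing the real address.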
This archive was generated by hypermail 2b30 : Thu Jan 01 2004 - 11:52:15 PST