IDS
mailing list archives
New hostbased/hybrid Intrusion Detection System Project (M-ICE)
From: thetom () uin4d de
Date: Thu, 1 Jan 2004 16:41:14 +0100 (CET)
Hello.
A new hostbased (also hybrid) IDS called M-ICE (Modular Intrusion Detection
and Countermeasure Environment) was released a few weeks ago. Please have a
look at http://m-ice.sourceforge.net .
The main goal of M-ICE is to fit every infrastructure and to be
highly adaptable. M-ICE basically consists of only three daemons
that can be customized by loading binary modules to fulfill all
needed tasks and more. Modules can be used to:
- filter log-data (client)
- pseudonymize log-data (client)
- put raw log-data in a more usable format (client)
- decode packages sent by other M-ICE components
- store log-data/alerts in a database
- analyze data
- manage detected alarms
- execute reactions (client, or elsewhere)
All parts of M-ICE can be installed on only one host, or each on
different hosts in a TCP/IP network. This gives an administrator
the freedom to handle different needs by using only one system.
Researchers will have the advantage of testing their new methods
(analysis, pseudonymisation, data-reduction etc.) just by
plugging a new module into a full-featured, real-life IDS
environment, without needing to write the other IDS components
on their own.
The alert managing system of M-ICE is also able to handle other
IDS sensors (like Snort) as long as they use the message exchange format
IDMEF.
At the moment M-ICE is not ready for use in a production environment.
All modules for storing log-data, alerts, managing and executing reactions
are available and working but the module for analyzing data just uses
regular expressions and not a more sophisticated technique. Additionally
the reaction-module is just a dummy function. (I wrote both for testing
purposes only)
Nevertheless, I have been running this system for one year on my internal
network and I didn't encounter any fatal malfunction, and I was able to browse
detected alarms and raw log-data by using a graphical SQL frontend and to
execute reactions.
To keep this project running and to improve it, all help (developing,
testing, porting, tips, ...) is welcome.
Have a Happy New Year!
Thomas Biege <thetom () uin4d de>
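The post above describes a module chain (filter, pseudonymize, reformat, analyze, store, react) without showing code. The following is an added illustration written for this page, not M-ICE's own code nor its binary module interface: a single-process Python sketch of that chain over a handful of constructed syslog lines. The sample lines, the HMAC pseudonymization key, the regex rules and the failure threshold are all assumptions chosen for the example; the alert records are plain dicts, not IDMEF messages.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed sample syslog lines (not real logs); the addresses are documentation ranges.
SAMPLE_LOGS = [
    "Jan  1 16:41:14 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Jan  1 16:41:15 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 4243 ssh2",
    "Jan  1 16:41:16 host1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  1 16:41:17 host1 sshd[1235]: Accepted publickey for alice from 192.0.2.7 port 5000 ssh2",
    "Jan  1 16:41:18 host1 sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 4244 ssh2",
]

# Hypothetical pseudonymization key (an assumption for this example). In a real
# deployment it would stay on the client and never reach the analysis host.
PSEUDO_KEY = b"example-key-not-for-production"

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
USER_RE = re.compile(r"(for (?:invalid user )?)(\S+)")


def filter_module(lines):
    """Client-side data reduction: drop lines from programs the analysis does not need."""
    return [line for line in lines if not re.search(r" cron\[\d+\]: ", line)]


def pseudonymize_module(line, key=PSEUDO_KEY):
    """Client-side pseudonymization: replace IPs and user names with keyed HMAC tokens.
    The same input always maps to the same token, so per-source counting still works
    downstream, but the identity cannot be recovered without the key."""
    def token(kind, value):
        digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
        return f"{kind}_{digest[:12]}"
    line = IPV4_RE.sub(lambda m: token("ip", m.group(1)), line)
    return USER_RE.sub(lambda m: m.group(1) + token("user", m.group(2)), line)


def normalize_module(line):
    """Client-side formatting: turn a raw syslog line into a dict of named fields."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


# Regex rules standing in for a more sophisticated analysis method (assumed rules).
RULES = [
    ("ssh-auth-failure", re.compile(r"^Failed password for ")),
    ("ssh-auth-success", re.compile(r"^Accepted \S+ for ")),
]
SOURCE_RE = re.compile(r"from (ip_[0-9a-f]+)")


def analyze_module(events, threshold=3):
    """Analysis: tag each event with the rule it matches and raise an alert once a
    (pseudonymized) source reaches `threshold` failures against one host."""
    failures = {}
    alerts = []
    for ev in events:
        for rule, rx in RULES:
            if not rx.search(ev["msg"]):
                continue
            ev["rule"] = rule
            src = SOURCE_RE.search(ev["msg"])
            if rule == "ssh-auth-failure" and src:
                key = (ev["host"], src.group(1))
                failures[key] = failures.get(key, 0) + 1
                if failures[key] == threshold:
                    alerts.append({"rule": rule, "host": ev["host"],
                                   "source": src.group(1), "count": threshold})
    return alerts


def store_module(conn, events, alerts):
    """Storage: keep events and alerts in SQL so any SQL frontend can browse them."""
    conn.execute("CREATE TABLE IF NOT EXISTS events (ts TEXT, host TEXT, prog TEXT, rule TEXT, msg TEXT)")
    conn.execute("CREATE TABLE IF NOT EXISTS alerts (rule TEXT, host TEXT, source TEXT, count INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?)",
                     [(e["ts"], e["host"], e["prog"], e.get("rule"), e["msg"]) for e in events])
    conn.executemany("INSERT INTO alerts VALUES (?,?,?,?)",
                     [(a["rule"], a["host"], a["source"], a["count"]) for a in alerts])
    conn.commit()


def run_pipeline(lines, key=PSEUDO_KEY):
    """Run the whole chain in one process and return what a reaction module would receive."""
    events = []
    for line in filter_module(lines):
        ev = normalize_module(pseudonymize_module(line, key))
        if ev:
            events.append(ev)
    alerts = analyze_module(events)
    conn = sqlite3.connect(":memory:")
    store_module(conn, events, alerts)
    stored = conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    return {"events": len(events), "stored": stored, "alerts": alerts}


if __name__ == "__main__":
    print(run_pipeline(SAMPLE_LOGS))
```

Running it on the constructed lines drops the cron entry, stores four events, and produces one alert for the pseudonymized source that fails three times. Because the tokens are a keyed HMAC rather than a plain hash, an analyst on the server side cannot reverse them by hashing candidate addresses, yet the counting logic in the analysis module still works on the pseudonyms.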