Free ids software for linux

IDS::Algorithm::MM is a Perl module created to learn or test using a first-order Markov Model (MM).

SYNOPSIS

A usage synopsis would go here. Since it is not here, read on.
In section 4.2 in Kruegel and Vignas paper, they ignored the probability information that the MM provided, and produced a binary result. In effect, they were using the constructed MM as a {N,D}FA.

Someday more will be here.

Ideally, we would be using the algorithm from stolcke94bestfirst. Constructing a DFA rather than a NFA in effect has performed most of the state merging that stolcke93hidden do.

Consider also a java or C/C++ implementaion: http://www.ghmm.org/ http://www.run.montefiore.ulg.ac.be/~francois/software/jahmm/

Useful information: http://www.cs.brown.edu/research/ai/dynamics/tutorial/Documents/HiddenMarkovModels.html http://www.comp.leeds.ac.uk/roger/HiddenMarkovModels/html_dev/main.html L R Rabiner and B H Juang, `An introduction to HMMs, IEEE ASSP Magazine, 3, 4-16.

printvcg

printvcg(filehandle)

Print in a form usable by VCG for printing the DFA.

If the filehandle is specified, print there; otherwise, print to STDOUT.
This code was stolen from DFA, and does not know about the probabilities.
load(filehandle)

Load a MM from a file; this is the inverse of "print", and the format we expect is that used in $self->print.

test(tokensref, string, instance)

Test the string of tokens and calculate the probability of the string being seen. At each stage, we get a p in [0,1]. The result is the product of these probabilities.
Note that if a transition cannot be made, we return a 0 probability.

add(tokensref, string, instance)

The collection of tokens (in the list referenced by tokensref) is a complete example of a list that should be accepted by the DFA.

string and instance are IDS::Test framework arguments that we ignore because we do not need them.

WE add the transition from the last token to the (ACCEPT) state.

add_transition(from, token)

Add a transition from one state to another when the specified token is received. It is not an error to try to add an existing transition. In that event, this function quietly returns. If no such transition exists, we look for a transition on the token; if so, we add an edge to the destination node for the existing edge. Finally, if there is no other choice, we create a new state and add the edge.

generalize()

Reduce the number of states in the model.

Our building a DFA rather than a NFA has in effect performed most of the state merging that would have occurred.

XXX We should still be doing some checks for additional merge possibilities.
XXX A proof that the DFA is effectively the NFA with merged states would be useful.

Pads (Passive Asset Detection System) is a signature-based detection engine used to passively detect network assets.

Asset management is an important factor in information security. A good security administrator should keep track of all devices attached to the network. Even though active scanners such as nmap and Nessus are valuable tools, sometimes it necessary to identify network devices in a passive manner. Pads was developed to sit along side the promiscuous interface of an IDS device. It will listen to network traffic and will identify the applications running on the network.

Noid is a Perl module that contains routines to mint and manage nice opaque identifiers.

SYNOPSIS

use Noid; # import routines into a Perl script

$dbreport = Noid::dbcreate( # create minter database & printable
$dbdir, $contact, # report on its properties; $contact
$template, $term, # is string identifying the operator
$naan, $naa, # (authentication information); the
$subnaa ); # report is printable

$noid = Noid::dbopen( $dbname, $flags ); # open a minter, optionally
$flags = 0 | DB_RDONLY; # in read only mode

Noid::mint( $noid, $contact, $pepper ); # generate an identifier

Noid::dbclose( $noid ); # close minter when done

Noid::checkchar( $id ); # if id ends in +, replace with new check
# char and return full id, else return id
# if current check char valid, else return
# undef

Noid::validate( $noid, # check that ids conform to template ("-"
$template, # means use minters template); returns
@ids ); # array of corresponding strings, errors
# beginning with "iderr:"

$n = Noid::bind( $noid, $contact, # bind data to identifier; set
$validate, $how, # $validate to 0 if id. doesnt
$id, $elem, $value ); # need to conform to a template

Noid::note( $noid, $contact, $key, $value ); # add an internal note

Noid::fetch( $noid, $verbose, # fetch bound data; set $verbose
$id, @elems ); # to 1 to return labels

print Noid::dbinfo( $noid, # get minter information; level
$level ); # brief (default), full, or dump
Noid::getnoid( $noid, $varname ); # get arbitrary named internal
# variable

Noid::hold( $noid, $contact, # place or release hold; return
$on_off, @ids ); # 1 on success, 0 on error
Noid::hold_set( $noid, $id );
Noid::hold_release( $noid, $id );

Noid::parse_template( $template, # read template for errors, returning
$prefix, $mask, # namespace size (NOLIMIT=unbounded)
$gen_type, # or 0 on error; $message, $gen_type,
$message ); # $prefix, & $mask are output params

Noid::queue( $noid, $contact, # return strings for queue attempts
$when, @ids ); # (failures start "error:")

Noid::n2xdig( $num, $mask ); # show identifier matching ord. $num

Noid::sample( $noid, $num ); # show random ident. less than $num

Noid::scope( $noid ); # show range of ids inside the minter

print Noid::errmsg( $noid, $reset ); # print message from failed call
$reset = undef | 1; # use 1 to clear error message buffer

Noid::addmsg( $noid, $message ); # add message to error message buffer

Noid::logmsg( $noid, $message ); # write message to minter log

IAMDOH is a tool designed to increase the reliability of an IDS by reducing the number of false positives. It uses existing reliable tools like Nmap, Nessus, and Amap to validate IDS alerts.

In early 2003, nobody had volunteered to collaborate (although some chaps from London 2600 did share some info) so in-between versions of WIDZ and whilst I was resting ( consultant speak for having a huge falling out with several dumb-ass Scottish accountant types, then running away to find a new job with a big bag over one shoulder with swag written on it ), I wrote I-am-doh as a proof of concept (i.e. I dont programme worth a damn) to demonstrate how the above techniques can be used.

It leverages nessus and the nessus database for vulnerability identification. It leverages Nmap for port and OS identification - and now service identification. It used to (and may do again) use AMAP and VMAP for Service and version identification. It uses bug tracking to find out online vulnerability info.

The concept of product re-useably is continued, all guis are based on existing products like gnome-terminal, which provides the ability to scroll and to open browser windows on to bug track or nessus.org. These features would have taken ages to code !!!.

I wasnt going to release the code ever because youd all been so bloody unco-operative but in view of the comments from the G**TNER last week about IDS being dead I thought Id better release early

BOTTOM-LINE - I-AM-DOH filters greater than 75% of the false-positives.

Give it ago, the code is as flaky as hell but it proves a point.

Panoptis plans to create a network security tool (N-IDS) to detect and block DoS and DDoS attacks. The programming language is C++, and the input is being provided by routers.
First, you need a router that exports NetFlow(TM) data. Versions 1, 5 and 8 are supported, although version 8 has not been tested AT ALL. You also need a server for accepting data and processing it.
In order to compile the software you need a C++ compiler (tested only with g++ for the time being) and the CommonC++ library, found at http://www.gnu.org/software/commonc++/CommonC++.html At the moment the software has been linked against and tested with commoncpp2-1.0.9
YOU WILL ALSO NEED g++ VERSION 3.x!!! This is very important! Compiling with g++ 2.95.x or earlier versions causes segmantation faults in some cases. This has to do with CommonC++, not Panoptis.
Before you can use the software, you must also have read SNMP access to your router. That is only needed by the speeds.py script that collects some initial information (the .py extention should already make you think youll need the Python programming language installed -- thats true.
Enhancements:
- Update so that Panoptis compiles and runs on newer systems (GCC 3.3.5, CommonC++2 1.5.3).
- No new features, unfortunately.

mod_fortress is an application level firewall and intrusion detection system. mod_fortress is designed to intercept certain CGI/HTTP attacks by acting as a non-transparent proxy between an Apache server and an HTTP client.
Main features:
- Detects and Logs common known cgi/http security requests and scans
- SSL support
- Detects all known(and hopefully unknown) Anti-IDS Evasive Scaning methods (Whisker, twwwscan, VoidEye...etc)
- "Fortress In the Middle": Ability to act as a non-transparent proxy to modify HTTP return error codes.
- Custom logging option via a changeable format string.
- Supports Apache 1.3/2.0 (2.0 port by Anton Soudouvstev).

libstrophe is a library for XMPP client and component communication. Our goal is to build a library that is portable, usable quickly, reliable, well documented and that implements the XMPP specification.
Main features:
- XMPP compliant
- Platform agnostic
- TLS support (coming soon)
- SASL DIGEST-MD5 and SASL PLAIN authentication
- Legacy jabber authentication
- Resource binding
- Low-level miniDOM access for manipulating stanzas
- Event handers for timed events, stanza names and/or namespaces, stanza ids
- Threadsafe (coming soon)
- High-level stanza object manipulation and handling (coming soon)
- Full documentation (coming soon)
- Customizable logging and allocation facilities
- C++ binding (coming soon)
Enhancements:
- fix a bug in the fallback to jabber auth that prevented login to jabberd 1.4 servers
- Simplify access to the default loggers, and merge the basic_logging and basic examples
- draft C++ api