New hostbased/hybrid Intrusion Detection System Project (M-ICE)

thetom_at_uin4d.de
Date: 01/01/04

    To: focus-ids@securityfocus.com
    Date: Thu,  1 Jan 2004 16:41:14 +0100 (CET)


    Hello.

    A new hostbased (also hybrid) IDS called M-ICE (Modular Intrusion Detection
    and Countermeasure Environment) was released a few weeks ago. Please have a
    look at http://m-ice.sourceforge.net .

    The main goal of M-ICE is to fit for every infrastructure and to be
    highly adaptable. M-ICE basically consists of only three daemons
    that can be customized by loading binary modules to fulfill all
    needed tasks and more. Modules can be used to:
            - filter log-data (client)
            - pseudonymize log-data (client)
            - put raw log-data in a more usable format (client)
            - decode packages sent by other M-ICE components
            - store log-data/alerts in a database
            - analyze data
            - manage detected alarms
            - execute reactions (client, or elsewhere)

    All parts of M-ICE can be installed on only one host or each on
    different hosts in a TCP/IP network. This fact gives an administrator
    the freedom to handle different needs by using only one system.

    Researchers will have the advantage of testing their new methods
    (analysis, pseudonymisation, data-reduction etc.) just by
    plugging a new module into a full-featured, real-life IDS
    environment without the need to write other IDS components
    on their own.

    The alert managing system of M-ICE is also able to handle other
    IDS sensors (like Snort) as long as they use the message exchange format
    IDMEF.

    At the moment M-ICE is not ready for use in a production environment.
    All modules for storing log-data, alerts, managing and executing reactions
    are available and working but the module for analyzing data just uses
    regular expressions and not a more sophisticated technique. Additionally
    the reaction-module is just a dummy function. (I wrote both for testing
    purposes only.)
    Nevertheless, I have been running this system for one year on my internal
    network and I didn't encounter any fatal malfunction; I was able to browse
    detected alarms and raw log-data by using a graphical SQL frontend and to
    execute reactions.

    To keep this project running and to improve it every help (developing,
    testing, porting, tips, ...) is welcome.

    Have a Happy New Year!
    Thomas Biege <thetom@uin4d.de>
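The module chain the post describes (filter, pseudonymize and reformat log-data on the client, analyze it with regular expressions, manage the resulting alarms, hand them to a reaction module, and export alerts in IDMEF for other tools) as an added Python illustration. This is example code, not M-ICE's own code or its binary-module interface. The log lines are constructed, the HMAC key, rule names and thresholds are hypothetical, and the IDMEF output is a reduced subset of the RFC 4765 Alert element.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample syslog records (not real data).
SAMPLE_LOG = [
    "Jan  1 16:40:01 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 4411 ssh2",
    "Jan  1 16:40:03 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 4412 ssh2",
    "Jan  1 16:40:05 host1 cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  1 16:40:09 host1 sshd[2002]: Failed password for admin from 198.51.100.7 port 4413 ssh2",
    "Jan  1 16:41:00 host1 sshd[2003]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2",
]

# Hypothetical pseudonymization key; a real deployment would load it from a protected store.
PSEUDO_KEY = b"example-key-not-for-production"

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Hypothetical regex rules: (pattern over the message text, classification, severity).
RULES = [
    (r"Failed password for (?P<user>\S+) from (?P<src>\S+)", "ssh-auth-failure", 3),
    (r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)", "ssh-login", 1),
]

# --- client-side modules ---

def filter_module(lines):
    """Data reduction: keep only records from the program the analyzer cares about."""
    return [line for line in lines if " sshd[" in line]

def pseudonymize(value):
    """Keyed, deterministic pseudonym: equal inputs map to equal tokens, not reversible without the key."""
    return hmac.new(PSEUDO_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def pseudonymize_module(lines):
    """Replace IPv4 addresses and user names so later stages work on pseudonymous data."""
    out = []
    for line in lines:
        line = re.sub(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", lambda m: "ip-" + pseudonymize(m.group(0)), line)
        line = re.sub(r"\bfor (\S+) from\b", lambda m: "for user-" + pseudonymize(m.group(1)) + " from", line)
        out.append(line)
    return out

def format_module(lines):
    """Turn raw syslog text into structured records; lines that do not parse are dropped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

# --- server-side modules ---

def analyze_module(records):
    """Regular-expression analysis, the simple technique the post says its analyzer uses."""
    alerts = []
    for rec in records:
        for pattern, name, severity in RULES:
            m = re.search(pattern, rec["msg"])
            if m:
                alerts.append({"name": name, "severity": severity, "host": rec["host"],
                               "ts": rec["ts"], **m.groupdict()})
    return alerts

def manage_module(alerts, threshold=3):
    """Alarm management: one correlated alarm per (classification, source) at or above the threshold."""
    counts = Counter((a["name"], a["src"]) for a in alerts)
    return [{"name": name + "-burst", "src": src, "count": n}
            for (name, src), n in counts.items() if n >= threshold]

def reaction_module(alarms):
    """Dummy reaction, as in the post: decide on an action without executing anything."""
    return [f"notify-admin:{a['name']}:{a['src']}" for a in alarms]

def to_idmef(alarm):
    """Minimal IDMEF-style Alert (a subset of the RFC 4765 schema) for exchange with other tools."""
    root = ET.Element("IDMEF-Message", {"xmlns": "http://iana.org/idmef", "version": "1.0"})
    alert = ET.SubElement(root, "Alert")
    ET.SubElement(alert, "Analyzer", {"analyzerid": "example-hids"})  # hypothetical analyzer id
    ET.SubElement(alert, "Classification", {"text": alarm["name"]})
    node = ET.SubElement(ET.SubElement(alert, "Source"), "Node")
    ET.SubElement(node, "name").text = alarm["src"]
    return ET.tostring(root, encoding="unicode")

def run_pipeline(lines):
    """Chain the modules in the order the post lists them; returns (alerts, alarms, reactions)."""
    records = format_module(pseudonymize_module(filter_module(lines)))
    alerts = analyze_module(records)
    alarms = manage_module(alerts)
    return alerts, alarms, reaction_module(alarms)

if __name__ == "__main__":
    _, alarms, reactions = run_pipeline(SAMPLE_LOG)
    for alarm in alarms:
        print(to_idmef(alarm))
    print(reactions)
```

Because pseudonymization runs before analysis, the regex rules and the alarm manager never see the real address or user name, yet repeated failures from one source still correlate, since the keyed pseudonym is deterministic; the IDMEF document carries only the pseudonym as well.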
