Security Incidents mailing list archives

remote intrusion detection


From: dbrumley () RTFM STANFORD EDU (David Brumley)
Date: Thu, 10 Feb 2000 18:47:33 -0800


Hi,
I've been working a while on a remote intrusion detection tool (rid).
It's basically ngrep paired w/ the ability to form custom packets.  The
idea is that you can easily configure it to search out for common hacks,
such as a root shell on port 1524 (though TCP hasn't been implemented
yet), stacheldraht/tfn/trinoo daemons, etc.

I've released it earlier than I originally planned due to the recent DDOS
attacks.  Its new home will be
http://www.theorygroup.com/Public/DDOS/

The site itself is still under development, but the tool is available.
It's released open source to anyone and everyone w/ the exception of those
using it for illegal purposes, or for scanning others' nets without
authorization.  Though I myself cannot do anything about people using it
when they are not supposed to, maybe it will add one more month to the
jail sentence for whomever is responsible for yahoo, ebay, etc.

FYI,
to detect stacheldraht v4 just add the following lines to config.txt
begin stach4
  send icmp type=0 id=6268 data=""
  recv icmp type=0 id=669 data="sicken" nmatch=2
end stach4

Any contributions to the source/development (since it's really rough right
now) are greatly appreciated!

Cheers,
david

--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
            "I have opinions, my employer does not."
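As an added example (not part of David's post or of the rid tool), here is a small Python detector that implements the recv side of the stach4 rule quoted above: it parses raw ICMP messages, verifies the checksum, and only reports a source host after nmatch matching replies, run over a constructed sample capture. The packet builder exists only to make that sample data; host addresses are made up.

```python
import struct
from collections import Counter

# Signature from the rid config in the post: the agent answers with an ICMP echo
# reply (type 0), id 669, payload "sicken"; rid alerts after nmatch=2 such replies.
RULE = {"type": 0, "id": 669, "data": b"sicken", "nmatch": 2}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, ident: int, data: bytes, seq: int = 0) -> bytes:
    """Assemble an ICMP echo/echo-reply message (header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data

def parse_icmp(pkt: bytes) -> dict:
    """Split a raw ICMP message into its fields; checksum over a valid packet sums to 0."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": pkt[8:], "checksum_ok": icmp_checksum(pkt) == 0}

def matches_rule(fields: dict, rule: dict = RULE) -> bool:
    """The recv clause: type, id and payload must all match."""
    return (fields["type"] == rule["type"] and fields["id"] == rule["id"]
            and fields["data"] == rule["data"])

def find_agents(packets, rule: dict = RULE) -> list:
    """Return hosts that sent at least nmatch matching replies (rid's nmatch semantics)."""
    hits = Counter(src for src, raw in packets if matches_rule(parse_icmp(raw), rule))
    return sorted(src for src, n in hits.items() if n >= rule["nmatch"])

# Constructed sample capture as (source host, raw ICMP bytes); not real traffic.
SAMPLE = [
    ("10.0.0.5", build_icmp(0, 669, b"sicken", seq=1)),
    ("10.0.0.5", build_icmp(0, 669, b"sicken", seq=2)),
    ("10.0.0.9", build_icmp(0, 669, b"sicken")),   # a single reply stays below nmatch
    ("10.0.0.7", build_icmp(0, 1234, b"hello")),    # ordinary ping reply
    ("10.0.0.8", build_icmp(0, 669, b"benign")),    # right id, wrong payload
]
```

Running `find_agents(SAMPLE)` reports only `10.0.0.5`, the one host that answered twice with the exact signature.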