IDS mailing list archives
New hostbased/hybrid Intrusion Detection System Project (M-ICE)
From: thetom () uin4d de
Date: Thu, 1 Jan 2004 16:41:14 +0100 (CET)
Hello. A new hostbased (also hybrid) IDS called M-ICE (Modular Intrusion Detection and Countermeasure Environment) was released a few weeks ago. Please have a look at http://m-ice.sourceforge.net . The main goal of M-ICE is to fit for every infrastructure and to be highly adaptable. M-ICE basically consists of only three daemons that can be customized by loading binary modules to fulfill all needed tasks and more. Modules can be used to:

- filter log-data (client)
- pseudonymize log-data (client)
- put raw log-data in a more usable format (client)
- decode packages sent by other M-ICE components
- store log-data/alerts in a database
- analyze data
- manage detected alarms
- execute reactions (client, or elsewhere)

All parts of M-ICE can be installed on only one host or each on different hosts in a TCP/IP network. This fact gives an administrator the freedom to handle different needs by using only one system. Researchers will have the advantage to test their new methods (analysis, pseudonymisation, data-reduction etc.) just by plugging a new module into a full-featured, real-life IDS environment without the need of writing other IDS components on their own. The alert managing system of M-ICE is also able to handle other IDS sensors (like Snort) as long as they use the message exchange format IDMEF.

At the moment M-ICE is not ready for use in a production environment. All modules for storing log-data, alerts, managing and executing reactions are available and working, but the module for analyzing data just uses regular expressions and not a more sophisticated technique. Additionally the reaction-module is just a dummy function. (I wrote both for testing purposes only.) Nevertheless I have run this system for one year on my internal network and I didn't encounter any fatal malfunction and was able to browse detected alarms and raw log-data by using a graphical SQL frontend and to execute reactions.
To keep this project running and to improve it, every kind of help (developing, testing, porting, tips, ...) is welcome. Have a Happy New Year!

Thomas Biege <thetom () uin4d de>
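As an added illustration of the module chain the announcement describes (client-side filter, pseudonymization, normalization, regex-based analysis feeding an alert manager), here is a small constructed Python pipeline. It is not M-ICE code; the syslog lines, the rule set, the HMAC key and all function names are invented for the example.

```python
import hashlib
import hmac
import re

# Constructed sample syslog lines (RFC 5737 test addresses, not real hosts).
SAMPLE_LOGS = [
    "Jan  1 16:41:14 host1 sshd[2201]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Jan  1 16:41:15 host1 sshd[2201]: Failed password for root from 192.0.2.10 port 4023 ssh2",
    "Jan  1 16:41:20 host1 cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan  1 16:41:30 host1 sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 5110 ssh2",
]
PSEUDO_KEY = b"constructed-demo-key"  # a real deployment keeps this secret inside the pseudonymizer
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
# Regex analysis, like the announcement's interim analyzer: (pattern, classification).
RULES = [(re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"), "ssh-auth-failure")]

def filter_module(line):
    """Client-side filter: drop noise the analyzer never needs (here cron chatter)."""
    return None if "cron[" in line else line

def pseudonymize_module(line):
    """Replace IPs by a keyed hash: the same source still correlates, the real address never leaves the client."""
    def repl(m):
        return "ip:" + hmac.new(PSEUDO_KEY, m.group(0).encode(), hashlib.sha256).hexdigest()[:12]
    return IP_RE.sub(repl, line)

def normalize_module(line):
    """Put raw syslog into a structured record (None if it does not parse)."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def analyze_module(rec):
    """Match the message against the rule set and build an alert record."""
    for pat, classification in RULES:
        m = pat.search(rec["msg"])
        if m:
            return {"classification": classification, "host": rec["host"], "time": rec["ts"], **m.groupdict()}
    return None

def run_pipeline(lines):
    """Chain the modules; an alert manager downstream would receive the returned list."""
    alerts = []
    for line in lines:
        kept = filter_module(line)
        rec = normalize_module(pseudonymize_module(kept)) if kept else None
        alert = analyze_module(rec) if rec else None
        if alert:
            alerts.append(alert)
    return alerts
```

Running `run_pipeline(SAMPLE_LOGS)` yields two ssh-auth-failure alerts whose `src` fields carry the same pseudonym, so repeated failures from one source can be correlated without storing the address in clear.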