DESCRIPTION

BENIDS is a simple Network Intrusion Detection System (NIDS).
http://www.marlboro.edu/~ttoomey/benids

Currently, BENIDS operates at the IP layer and above. There are no processors above the transport layer, although some may be added in the future (e.g. an RPC channel processor).

This software is under development. It is not stable, well-documented, optimized, or portable. It may not even run. I am developing it to teach myself about intrusion detection and network protocols. It is intended as a learning tool and ongoing experiment. I make no claims about functionality or stability. This program is strictly use-at-your-own-risk.

The current feature set is:
  - xml rule language
  - arbitrary, complex boolean conditions for rules
  - matching arbitrary header values in IP/TCP/UDP/ICMP packets (IP/TCP options not yet implemented)
  - matching arbitrary data in packet payload
  - capture level (detail) can be set on a rule-by-rule basis
  - drop, log, activate-rule, and deactivate-rule actions
  - output IDMEF v0.7 messages (using libidmef)
  - logging to file and/or remote host
  - fragment reassembly
  - tcp stream reassembly (experimental)

REQUIRED LIBS

libxml2   available from http://xmlsoft.org/
libpcap   available from http://www.tcpdump.org/
libidmef  available from http://www.silicondefense.com/idwg/libidmef/

INSTALLING

See the INSTALL file for generic installation instructions.

At the moment, this should run on Linux 2.2/2.4 on i386 using 10/100 bt Ethernet. Porting to other media should be fairly trivial. General code portability has not yet been addressed.

To install:
  1) Compile and install libpcap, libxml2, and libidmef (or binary packages/rpms).
  2) Follow the instructions in the INSTALL file in this distribution.
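As an added illustration of the rule features listed under DESCRIPTION (matching header values, matching payload data, and combining tests with boolean conditions), here is a small self-contained matcher in C. It is not BENIDS code and does not read the XML rule language; the condition-tree layout, the field names, the constructed packet bytes and the sample rule are all assumptions made for this example. The parser rejects truncated or malformed headers before any rule is evaluated, which is the check a detection engine must make so that bad input cannot be mistaken for a well-formed packet.

```c
/* Added example (not BENIDS code): a minimal rule matcher illustrating the
 * features listed under DESCRIPTION. It decodes a constructed IPv4/TCP packet
 * and evaluates a rule built from header-field comparisons, a payload
 * substring test and AND/OR/NOT combinators. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

enum field { F_PROTO, F_SRC_PORT, F_DST_PORT, F_TTL, F_TCP_FLAGS };
enum op { OP_EQ, OP_LT, OP_GT, OP_CONTAINS, OP_AND, OP_OR, OP_NOT };
struct cond {                            /* one node of a rule's condition tree */
    enum op op;
    enum field field; uint32_t value;    /* leaf: field OP value */
    const char *pattern;                 /* leaf: payload CONTAINS pattern */
    const struct cond *lhs, *rhs;        /* AND/OR use both, NOT uses lhs */
};
struct pkt {                             /* decoded header fields of one packet */
    uint8_t proto, ttl, tcp_flags; uint16_t sport, dport;
    const uint8_t *payload; size_t payload_len;
};

/* Decode IPv4 and, for protocol 6, the TCP header. Returns 0 on success and
 * -1 for truncated or malformed input, which must never reach the rules. */
int parse_ipv4_tcp(const uint8_t *d, size_t len, struct pkt *p)
{
    if (len < 20 || (d[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(d[0] & 0x0f) * 4;
    size_t total = ((size_t)d[2] << 8) | d[3];
    if (ihl < 20 || total < ihl || total > len) return -1;
    memset(p, 0, sizeof *p);
    p->ttl = d[8]; p->proto = d[9];
    p->payload = d + ihl; p->payload_len = total - ihl;
    if (p->proto != 6) return 0;   /* UDP/ICMP: port and flag fields stay zero here */
    const uint8_t *t = d + ihl;
    if (p->payload_len < 20) return -1;
    size_t doff = (size_t)(t[12] >> 4) * 4;
    if (doff < 20 || doff > p->payload_len) return -1;
    p->sport = (uint16_t)((t[0] << 8) | t[1]);
    p->dport = (uint16_t)((t[2] << 8) | t[3]);
    p->tcp_flags = t[13];
    p->payload = t + doff; p->payload_len -= doff;
    return 0;
}

/* Length-bounded search: payloads are not NUL-terminated, so strstr is unsafe. */
static int payload_contains(const struct pkt *p, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > p->payload_len) return 0;
    for (size_t i = 0; i + n <= p->payload_len; i++)
        if (memcmp(p->payload + i, needle, n) == 0) return 1;
    return 0;
}

static uint32_t field_value(const struct pkt *p, enum field f)
{
    switch (f) {
    case F_PROTO: return p->proto;       case F_SRC_PORT: return p->sport;
    case F_DST_PORT: return p->dport;    case F_TTL: return p->ttl;
    case F_TCP_FLAGS: return p->tcp_flags;
    }
    return 0;
}

/* Evaluate a condition tree; returns 1 when the packet matches. */
int eval_cond(const struct cond *c, const struct pkt *p)
{
    switch (c->op) {
    case OP_AND:      return eval_cond(c->lhs, p) && eval_cond(c->rhs, p);
    case OP_OR:       return eval_cond(c->lhs, p) || eval_cond(c->rhs, p);
    case OP_NOT:      return !eval_cond(c->lhs, p);
    case OP_CONTAINS: return payload_contains(p, c->pattern);
    case OP_EQ:       return field_value(p, c->field) == c->value;
    case OP_LT:       return field_value(p, c->field) <  c->value;
    case OP_GT:       return field_value(p, c->field) >  c->value;
    }
    return 0;
}

/* Constructed packet: 192.168.1.10:50000 -> 10.0.0.5:80, TTL 64, PSH|ACK,
 * 16-byte HTTP request line; checksums left zero since nothing verifies them. */
const uint8_t sample_pkt[] = {
    0x45,0x00,0x00,0x38, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    192,168,1,10, 10,0,0,5,
    0xc3,0x50, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x18, 0xff,0xff, 0,0, 0,0,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n'
};
struct pkt last_pkt;   /* filled by sample_rule_matches so callers can inspect it */

/* Rule: tcp AND dst port 80 AND payload contains "GET " AND NOT (ttl < 5).
 * Returns 1 on match, 0 on no match or when the packet fails to parse. */
int sample_rule_matches(const uint8_t *d, size_t len)
{
    static const struct cond is_tcp  = { OP_EQ, F_PROTO, 6, NULL, NULL, NULL };
    static const struct cond to_http = { OP_EQ, F_DST_PORT, 80, NULL, NULL, NULL };
    static const struct cond has_get = { OP_CONTAINS, 0, 0, "GET ", NULL, NULL };
    static const struct cond low_ttl = { OP_LT, F_TTL, 5, NULL, NULL, NULL };
    static const struct cond not_low = { OP_NOT, 0, 0, NULL, &low_ttl, NULL };
    static const struct cond left    = { OP_AND, 0, 0, NULL, &is_tcp, &to_http };
    static const struct cond right   = { OP_AND, 0, 0, NULL, &has_get, &not_low };
    static const struct cond rule    = { OP_AND, 0, 0, NULL, &left, &right };
    if (parse_ipv4_tcp(d, len, &last_pkt) != 0) return 0;
    return eval_cond(&rule, &last_pkt);
}

int main(void) { printf("match: %d\n", sample_rule_matches(sample_pkt, sizeof sample_pkt)); return 0; }
```

The condition tree is the data structure an XML rule language such as the one described in README.rules would naturally be parsed into: each element becomes one node, and evaluation is a single recursive walk per packet. Handing the same packet to the matcher with a shorter length demonstrates the other half of the design, namely that a packet whose declared total length exceeds the bytes actually captured is rejected rather than matched.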
For the impatient:
  ./configure
  make
  make install       (make install may require privileges)

USAGE SUMMARY

Usage: benids [OPTION]
  --help             display this help
  --daemon           run as a daemon (default no)
  --device           use device (default all) (incompatible with --capture_file)
  --alert-log        write alerts to alert-log-file
  --error-log        write errors to error-log-file
  --rule-file        read the rules from rule-file
  --idmef-dtd-file   read IDMEF DTD file from dtd-file
  --idmef-host       log IDMEF alerts to host (requires --idmef-port)
  --idmef-port       log IDMEF alerts to port (requires --idmef-host)
  --idmef-id-file    read and write IDMEF ID from id-file
  --idmef-indent     indent IDMEF alerts
  --user             run as user user-name or uid after initialization
  --group            run as group group-name or gid after initialization
  --capture_file     read from capture_file instead of network (incompatible with --device)

NOTES

Obviously, root privileges are required to set the NIC into promiscuous mode. If I were you, I would drop privileges after that using --user and --group.

BENIDS will appear as approximately five separate processes in the process table. This is because Linux implements threads as separate processes. There are not actually five instances of the program running.

Because the program is threaded, there may be a very small gain in speed on an SMP host. However, most of the threads perform maintenance operations, with only one thread actually performing resource-intensive operations. Any speed gains should be minimal (I have not tested this though).

Please see README.rules for further information on the rule file format.

BUGS

On multihomed hosts, not specifying an interface via "--dev" will cause packets on both interfaces to be processed. If the host is forwarding or routing through the interfaces, the same packet will be processed twice and may generate identical alerts.

Sanity checking for the rule file input is not complete (garbage in = garbage out).
If a sequence of fragments has overlap, multiple assemblies of the fragments will be produced. However, the assemblies may all be the same or similar and may match the same rule, producing multiple identical alerts for the same packet.

The tcp-stream assembler is incomplete. Stream-type rules will be fairly unreliable, particularly on fast links.

The program does not handle SIGHUP. The signal is ignored.

Sometimes, when the moon is full, threads don't die on program termination. It's hard to reproduce this problem, so until I figure it out use kill -9 to end their unnaturally prolonged lives.

Many, many, many more... see the TODO file.

SOURCE FILE SUMMARY

alert-handler.c     handles alert formatting, creates IDMEF messages
benids-parser.c     pretty-prints the IDMEF alert messages
checksum.c          from snort 1.8.1, performs tcp/udp checksums
frag-assembler.c    assembles fragments
log-facility.c      routines for error log
main.c              the main function, signal handling, initialization and tear-down routines
mstring.c           from snort 1.8.1, performs Boyer-Moore pattern matching (altered)
packet-capture.c    handles pcap, determines link layer
packet-handler.c    central routine for a packet arrival
packet-processor.c  basic packet preprocessing and sanity checking, getter routines for some header values
rule-engine.c       the packet matching engine, various init/dest routines for data structures
rule-file-parser.c  parses the xml rule files and creates the rule objects
tcp-stream.c        tcp stream assembly, this is still under heavy development
util.c              some generic data structure routines
ubi_BinTree.c       from ubx data structures by Christopher Hertel, used by the tcp-stream and fragment assemblers
ubi_SplayTree.c     from ubx data structures by Christopher Hertel, used by the tcp-stream and fragment assemblers

lifeonmars@ziplip.com
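The overlapping-fragment behaviour noted under BUGS (several assemblies produced, possibly several identical alerts) is a decision a reassembler has to make explicitly, because different end hosts resolve overlaps differently and an overlap whose bytes disagree is the classic way to feed an IDS a different view of a datagram than the target sees. The following added example is not BENIDS code and is unrelated to frag-assembler.c; it shows one defender-side policy: keep the first data seen for each byte, assemble the datagram exactly once, and report an overlap whose bytes disagree as its own status so the conflict itself becomes the alert instead of a pile of duplicate ones. The fragment structure (offset field in 8-byte units, more-fragments flag, payload pointer) and the constructed fragment sets are assumptions for this example.

```c
/* Added example, not BENIDS code: IPv4 fragment reassembly that reports
 * overlapping fragments instead of producing several alternative assemblies.
 * Fragments are supplied as already-parsed offset/flag/payload tuples. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

enum asm_status {
    ASM_OK = 0,            /* contiguous, no overlap */
    ASM_INCOMPLETE,        /* last fragment or a hole missing */
    ASM_OVERLAP_SAME,      /* overlap, but the bytes agree (retransmission) */
    ASM_OVERLAP_CONFLICT,  /* overlap with differing bytes: evasion indicator */
    ASM_TOO_BIG            /* fragment exceeds the output buffer */
};

struct frag {
    uint16_t off8;        /* IP fragment offset field (units of 8 bytes) */
    int mf;               /* more-fragments flag */
    const uint8_t *data;  /* fragment payload (after the IP header) */
    size_t len;
};

/* Reassemble one datagram's fragments into out (cap bytes). The first
 * fragment seen for a byte wins; any later fragment covering that byte is
 * compared and a disagreement is reported as ASM_OVERLAP_CONFLICT.
 * *out_len receives the datagram length when it is complete, else 0. */
enum asm_status reassemble(const struct frag *f, size_t n,
                           uint8_t *out, size_t cap, size_t *out_len)
{
    uint8_t *covered = calloc(cap, 1);   /* one flag per output byte */
    size_t end_total = 0;
    int have_last = 0, same = 0, conflict = 0;
    enum asm_status st;

    if (!covered) return ASM_TOO_BIG;
    for (size_t i = 0; i < n; i++) {
        size_t start = (size_t)f[i].off8 * 8, end = start + f[i].len;
        if (end > cap) { free(covered); return ASM_TOO_BIG; }
        if (!f[i].mf) { have_last = 1; end_total = end; }
        for (size_t b = start; b < end; b++) {
            uint8_t byte = f[i].data[b - start];
            if (covered[b]) {
                if (out[b] != byte) conflict = 1; else same = 1;
            } else {
                out[b] = byte;
                covered[b] = 1;
            }
        }
    }
    /* complete only when the no-MF fragment is present and every byte before
       its end has been filled (a hole means more fragments are still due) */
    int complete = have_last;
    for (size_t b = 0; complete && b < end_total; b++)
        if (!covered[b]) complete = 0;
    free(covered);

    if (conflict)       st = ASM_OVERLAP_CONFLICT;
    else if (!complete) st = ASM_INCOMPLETE;
    else if (same)      st = ASM_OVERLAP_SAME;
    else                st = ASM_OK;
    *out_len = complete ? end_total : 0;
    return st;
}

#define B(s) ((const uint8_t *)(s))
/* Constructed fragment sets for one 29-byte datagram (not captured traffic). */
static const struct frag clean_frags[] = {        /* bytes 0-15, 16-23, 24-28 */
    {0, 1, B("0123456789ABCDEF"), 16}, {2, 1, B("GHIJKLMN"), 8}, {3, 0, B("OPQRS"), 5},
};
static const struct frag conflict_frags[] = {     /* second fragment rewrites bytes 8-15 */
    {0, 1, B("0123456789ABCDEF"), 16}, {1, 1, B("xxxxxxxxGHIJKLMN"), 16}, {3, 0, B("OPQRS"), 5},
};
static const struct frag dup_frags[] = {          /* second fragment repeats bytes 8-15 */
    {0, 1, B("0123456789ABCDEF"), 16}, {1, 1, B("89ABCDEFGHIJKLMN"), 16}, {3, 0, B("OPQRS"), 5},
};
uint8_t asm_buf[64];
size_t asm_len;

int main(void)
{
    static const char *names[] = {"ok", "incomplete", "overlap-same", "overlap-conflict", "too-big"};
    enum asm_status st = reassemble(clean_frags, 3, asm_buf, sizeof asm_buf, &asm_len);
    printf("clean:     %s, %zu bytes\n", names[st], asm_len);
    st = reassemble(conflict_frags, 3, asm_buf, sizeof asm_buf, &asm_len);
    printf("conflict:  %s\n", names[st]);
    st = reassemble(dup_frags, 3, asm_buf, sizeof asm_buf, &asm_len);
    printf("duplicate: %s\n", names[st]);
    return 0;
}
```

Which fragment should win an overlap is a policy choice (first-seen here; real hosts differ), so the status value rather than the chosen bytes is the part worth logging. A benign retransmission yields ASM_OVERLAP_SAME and can be matched against rules as one datagram; ASM_OVERLAP_CONFLICT means the sensor cannot know which bytes the destination will act on, and the honest output is an alert about the overlap itself.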