Firestorm NIDS
Firestorm is an extremely high performance network intrusion detection
system (NIDS). At the moment it is just a sensor, but the plan is to include
real support for analysis, reporting, a remote console and on-the-fly
sensor configuration. It is fully pluggable and hence extremely flexible.
Firestorm performs a lot better than all other systems I have tested
(such as snort and prelude), by as much as a factor of 2 (and that's under
favourable conditions; it outstrips the competition by a much wider margin
under a targeted DoS attack).
A Network Intrusion Detection System is a system which can
identify suspicious patterns in network traffic. If a firewall
is a doorman, a NIDS is an undercover KGB agent. He silently
gathers intelligence and can spot an enemy even if the door
security has already let them in (maybe the enemy can make
fake identification documents).
Tested Platforms
- Linux 2.x
- FreeBSD 4.x
- OpenBSD
- Solaris
- Should compile and run on any mainstream UNIX really...
Current Features
- Protocol anomaly detection
- Full application layer decodes
- Fully pluggable
- High performance OS Specific capture module for Linux
- Capture from libpcap files (normal AND redhat extended)
- Packet decode engine fully supports encapsulation
- Decode plugins included for many protocols (see below)
- Comprehensive snort rule support
- Wu-Manber setwise string matching
- Easy to configure; just one config file
- Can run chroot and with lowered privs (when started as root)
- Can run as a realtime process (when started as root)
- Preprocessors to allow supplementary modes of detection (e.g. anomaly)
- Full IP defragmentation (passes fragroute evasion tests)
- TCP stateful inspection with window tracking
- Intelligent TCP stream reassembly
- HTTP URL normalization
- EXTREMELY fast and scalable signature engine
- Configurable token-bucket rate-limiting of any alerts
- GNOME2 based analyst console user interface
- Enhanced logging format for ease of analysis
- ELOG indexing for lightning fast sorting and filtering of alerts
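The token-bucket rate limiting of alerts listed above is a standard technique for keeping an alert flood (a scan or a deliberate attempt to drown the analyst in noise) from filling the log. The following is an added illustration written for this page in C; it is not Firestorm's own code or configuration. It assumes a hypothetical bucket with a fixed burst capacity and refill rate, and feeds it a constructed stream of alerts with caller-supplied timestamps so that it runs offline with no packet capture.

```c
#include <stddef.h>
#include <stdio.h>

/* Token bucket: the bucket holds at most `capacity` tokens and refills at
   `rate` tokens per second. Emitting an alert costs one token; when the
   bucket is empty the alert is suppressed. Timestamps are supplied by the
   caller (seconds as double) so the simulation is deterministic. */
typedef struct {
    double tokens;    /* tokens currently available */
    double capacity;  /* maximum burst of alerts let through at once */
    double rate;      /* sustained alerts per second allowed */
    double last;      /* timestamp of the last refill */
} token_bucket_t;

void tb_init(token_bucket_t *tb, double capacity, double rate, double now)
{
    tb->tokens = capacity;   /* start full so the first burst is reported */
    tb->capacity = capacity;
    tb->rate = rate;
    tb->last = now;
}

/* Returns 1 if an alert arriving at time `now` may be emitted, 0 if it
   must be suppressed. Refill is computed lazily from the elapsed time. */
int tb_allow(token_bucket_t *tb, double now)
{
    double elapsed = now - tb->last;
    if (elapsed > 0.0) {
        tb->tokens += elapsed * tb->rate;
        if (tb->tokens > tb->capacity)
            tb->tokens = tb->capacity;   /* never bank more than one burst */
        tb->last = now;
    }
    if (tb->tokens >= 1.0) {
        tb->tokens -= 1.0;
        return 1;
    }
    return 0;
}

/* Constructed workload: `n` identical alerts arriving `interval` seconds
   apart, starting at t = 0. Returns how many were emitted; the number
   suppressed is written to *suppressed when non-NULL. */
size_t simulate_alerts(size_t n, double interval, double capacity,
                       double rate, size_t *suppressed)
{
    token_bucket_t tb;
    size_t emitted = 0;
    tb_init(&tb, capacity, rate, 0.0);
    for (size_t i = 0; i < n; i++) {
        double now = (double)i * interval;
        if (tb_allow(&tb, now))
            emitted++;
    }
    if (suppressed)
        *suppressed = n - emitted;
    return emitted;
}

int main(void)
{
    size_t dropped;
    /* A flood: 100 alerts in one second, bucket of 5 with 1 token/s refill. */
    size_t shown = simulate_alerts(100, 0.01, 5.0, 1.0, &dropped);
    printf("flood:  emitted %zu, suppressed %zu\n", shown, dropped);
    /* Steady trickle: one alert per second never exhausts the bucket. */
    shown = simulate_alerts(10, 1.0, 5.0, 1.0, &dropped);
    printf("trickle: emitted %zu, suppressed %zu\n", shown, dropped);
    return 0;
}
```

The flood is cut down to the burst size (the first five alerts are reported, the other 95 are dropped within the same second), while a signature that fires once a second is never throttled because each interval refills the token it spent. A real sensor keys one bucket per signature or per source so that a noisy rule cannot starve unrelated alerts, and counts suppressed alerts so the analyst can still see that a flood happened.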
Supported Protocols
- TCP/IP Suite (IPv4, TCP, UDP, ICMP, IGMP)
- 802.1q (vlan)
- Can differentiate Ethernet II, 802.3 and Novell IPX frames
- Can decode LLC and SNAP in 802.3
- IPX, SAP
- Linux cooked sockets (SLL) in two different formats
- GRE (generic routing encapsulation)
- IrDA (infra-red)
- ARP/Appletalk ARP
Planned Features
- Anomaly detection
- Some performance enhancements
- Proper remote alerting to central firestorm server
- Analyst consoles to read data from central server
- Central management of all configuration from analyst console
@(#) $Id: index.html 318 2004-02-08 17:12:11Z scara $
This page is public domain. No trademarks, no patents, no copywrongs.