Firestorm NIDS


Firestorm is an extremely high performance network intrusion detection system (NIDS). At the moment it is just a sensor, but plans are to include real support for analysis, reporting, a remote console and on-the-fly sensor configuration. It is fully pluggable and hence extremely flexible. Firestorm performs a lot better than all other systems I have tested (such as snort and prelude), by as much as a factor of 2 (and that's under favourable conditions; it far outstrips the competition under a targeted DoS attack).

A Network Intrusion Detection System is a system which can identify suspicious patterns in network traffic. If a firewall is a doorman, a NIDS is an undercover KGB agent. He silently gathers intelligence and can spot an enemy even if the door security has already let them in (maybe the enemy can make fake identification documents).

The Firestorm project has been dormant since 2004. However, a new version is in development. This "next-generation" intrusion detection system was initiated to solve a lot of the problems encountered in the development of the previous Firestorm releases. The code-base is much smaller and simpler. There is the possibility of full IPv6 support as well as a sophisticated application-layer decoding suite.

All of these enhancements are designed to facilitate a rule language which makes it as simple as possible to write very accurate signatures that are vulnerability-oriented rather than exploit-oriented, without compromising on performance. Plans are to complete the network sensor and implement an attack-graph based correlation component, a prototype of which I have completed but not yet released due to IP issues ;) The correlator ought to be able to combine signature and anomaly alerts into an intelligible and accurate output.
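The distinction between exploit-oriented and vulnerability-oriented signatures is the point of the rule-language work described above, so here is an added example in Python illustrating it. This is not Firestorm code and not its rule language: the protocol (a line-based "LOGIN <username>" request), the vulnerable 64-byte username buffer, and the published exploit's 0x90 padding are all hypothetical assumptions constructed for the demonstration. An exploit-oriented rule matches bytes lifted from one known exploit; a vulnerability-oriented rule decodes the application layer and tests the condition that actually triggers the bug, which is why it catches variants and ignores the same bytes in a harmless place.

```python
"""Added example (not Firestorm code): exploit-oriented versus
vulnerability-oriented signatures over constructed application-layer traffic.

Hypothetical assumptions (not taken from the Firestorm page):
  * a line-based protocol whose request is  LOGIN <username>\r\n
  * a server that copies <username> into a 64-byte buffer, so any
    username longer than 64 bytes overflows it
  * a public exploit that pads the username with 0x90 bytes
"""
import re

USERNAME_BUFFER_LEN = 64          # hypothetical size of the vulnerable buffer

# Exploit-oriented rule: a byte pattern lifted from one published exploit.
EXPLOIT_SIGNATURE = b"\x90" * 16


def exploit_rule(payload: bytes) -> bool:
    """Fire when the known exploit's padding appears anywhere in the payload."""
    return EXPLOIT_SIGNATURE in payload


# Vulnerability-oriented rule: decode the protocol first, then test the
# condition that actually triggers the bug (field longer than its buffer).
LOGIN_RE = re.compile(rb"^LOGIN (?P<username>[^\r\n]*)\r\n")


def decode_login(payload: bytes):
    """Return the username field of a LOGIN request, or None if it is not one."""
    m = LOGIN_RE.match(payload)
    return m.group("username") if m else None


def vulnerability_rule(payload: bytes) -> bool:
    """Fire when the decoded username would not fit the 64-byte buffer."""
    username = decode_login(payload)
    return username is not None and len(username) > USERNAME_BUFFER_LEN


def evaluate(payload: bytes) -> dict:
    """Run both rules over one payload and report which of them fired."""
    return {
        "exploit_rule": exploit_rule(payload),
        "vulnerability_rule": vulnerability_rule(payload),
    }


# Constructed sample traffic (not captured data).
SAMPLES = {
    # normal use: short username, no alert expected from either rule
    "benign": b"LOGIN alice\r\n",
    # exactly fills the buffer: legitimate, vulnerability rule must stay quiet
    "boundary": b"LOGIN " + b"a" * USERNAME_BUFFER_LEN + b"\r\n",
    # the exploit as published: 0x90 padding followed by a payload marker
    "public_exploit": b"LOGIN " + b"\x90" * 80 + b"SHELLCODE\r\n",
    # a trivial variant that swaps the padding for 'A's: still overflows,
    # but the exploit-oriented rule no longer sees its byte pattern
    "variant_exploit": b"LOGIN " + b"A" * 80 + b"SHELLCODE\r\n",
    # the same padding bytes in a different command that never reaches the
    # vulnerable copy: exploit-oriented rule gives a false positive
    "sled_elsewhere": b"NOOP " + b"\x90" * 80 + b"\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16s} {evaluate(payload)}")
```

Running it shows the exploit-oriented rule missing the variant and firing on the harmless NOOP line, while the vulnerability-oriented rule fires on exactly the two requests that overflow the buffer. The cost is the protocol decoding step, which is why the page ties the rule language to an application-layer decoding suite and to not compromising on performance.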

Once this work is completed and packaged as a point release, the ultimate goal would then be to implement a host-based sensor (e.g. syslog monitoring) and an active network sensor (e.g. SNMP probes). For now, you can track development via the git repository by issuing the following command:

  $ git clone git://

Tested Platforms

Current Features

Supported Protocols

Planned Features

This page is public domain. No trademarks, no patents, no copywrongs.