ODIN: The SWISS IDS Project
26 Jan 2003: The project is still alive! We will soon release the console!
30 Oct 2002: Updated the sensors to snort 1.9.0 and installed snortcenter on them.
Oct 2002: Optimizing sensors. We already have 160'000 alerts!
01 Sep 2002: Added the third sensor.
16 Aug 2002: Added a little script to display the contents of /var/log/honeyd
08 Aug 2002: Network Topology Map added.
08 Aug 2002: Second sensor is running.
07 Aug 2002: honeyd scripts online.
30 Jul 2002: The pf2mysql.pl script was added.
The Network Topology map shows, at the network level, how the sensors are connected. Note that not all routers or hops in between the networks are shown!
For this project we developed some code:
Before you download any code, please make sure you agree to the LICENSE!
OpenBSD packetfilter (pf)
pf2mysql.pl is a Perl script that takes a packetfilter (pf) logfile as input and stores the data in a MySQL database. The current version is 0.2a.
odin.sql is the SQL file that creates the database for pf2mysql.pl.
Check the INSTALL file for hints on how to use the script!
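The importer pattern behind pf2mysql.pl, shown here as an added shell/awk example (this is not the project's pf2mysql.pl, and the pflog table with columns logged_at, rule, action, dir, iface, proto, src, sport, dst, dport is an assumed layout, not what odin.sql creates). Input is the text that tcpdump -n -e -ttt -r /var/log/pflog prints on OpenBSD; the sample lines used in the usage note are constructed. The point a log importer has to get right: every value that is interpolated into SQL comes straight from packets the attacker sent, so each field is checked against a strict syntax (or converted to a number) and any line that does not match is counted and dropped, never "escaped and hoped for".

```shell
#!/bin/sh
# pflog2sql: convert pflog lines (as printed by `tcpdump -n -e -ttt -r /var/log/pflog`)
# into INSERT statements.  Added example, not the ODIN pf2mysql.pl; the `pflog` table
# and its columns are an assumption, not what odin.sql creates.
#
# Usage: pflog2sql [year] < pflog.txt | mysql odin
# pflog timestamps carry no year, so one is supplied (default: the current year).
pflog2sql() {
    prog=$(cat <<'AWK'
# Every value that reaches the INSERT has either passed a strict syntax check
# (IP address, port, interface, action, direction, timestamp) or is converted to
# a number, so nothing attacker-influenced is interpolated into SQL unvalidated.
# Lines that fail any check are counted and dropped rather than "escaped".
function valid_ip(s,   o, n, i) {
    n = split(s, o, ".")
    if (n != 4) return 0
    for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
    return 1
}
# "a.b.c.d.port:" or "a.b.c.d:" -> HOST / PORT (PORT = 0 when absent, e.g. ICMP)
function endpoint(s,   k) {
    sub(/:$/, "", s)
    if (valid_ip(s)) { HOST = s; PORT = 0; return 1 }
    k = match(s, /\.[0-9]+$/)
    if (k == 0) return 0
    HOST = substr(s, 1, k - 1); PORT = substr(s, k + 1) + 0
    return valid_ip(HOST) && PORT <= 65535
}
{
    # expected shape: Mon DD HH:MM:SS.ffffff rule N/M(match): block in on if0: src.port > dst.port: ...
    if (NF < 12 || $4 != "rule" || $8 != "on" || $11 != ">") { rejected++; next }
    if ($5 !~ /^[0-9]+\/[0-9]+\([a-z-]+\):$/ || ($6 != "block" && $6 != "pass") ||
        ($7 != "in" && $7 != "out") || $9 !~ /^[a-z]+[0-9]+:$/) { rejected++; next }
    m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1)
    if ($1 !~ /^[A-Z][a-z][a-z]$/ || m == 0 || (m - 1) % 3 != 0 ||
        $2 !~ /^[0-9][0-9]?$/ ||
        $3 !~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9](\.[0-9]+)?$/) { rejected++; next }
    if (!endpoint($10)) { rejected++; next }
    src = HOST; sport = PORT
    if (!endpoint($12)) { rejected++; next }
    dst = HOST; dport = PORT
    split($5, r, "/"); rule = r[1] + 0
    iface = $9; sub(/:$/, "", iface)
    # protocol is inferred from what tcpdump prints after the addresses (heuristic):
    # TCP flag letters -> tcp, "icmp:" -> icmp, anything else (udp/dns decodes) -> other
    proto = ($13 ~ /^[SFRP.]+$/) ? "tcp" : ($13 ~ /^icmp/ ? "icmp" : "other")
    fmt = "INSERT INTO pflog (logged_at, rule, action, dir, iface, proto, src, sport, dst, dport) VALUES ('%04d-%02d-%02d %s', %d, '%s', '%s', '%s', '%s', '%s', %d, '%s', %d);\n"
    printf fmt, year, (m + 2) / 3, $2, substr($3, 1, 8), rule, $6, $7, iface, proto, src, sport, dst, dport
}
END { if (rejected) printf "pflog2sql: %d line(s) rejected\n", rejected > "/dev/stderr" }
AWK
)
    awk -v year="${1:-$(date +%Y)}" "$prog"
}
```

Run it as `pflog2sql 2002 < pflog.txt` on lines such as `Jul 30 10:15:42.110233 rule 12/0(match): block in on ne3: 203.0.113.7.4321 > 192.0.2.10.80: S 1450781234:1450781234(0) win 16384` (constructed) and it emits one INSERT per well-formed line; a line like `garbage'); DROP TABLE pflog; --` or one with an octet of 999 is reported on stderr and never reaches the database. Because pflog has no year in its timestamps, a rotated log from December imported in January needs the year passed explicitly.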
telnet.sh A script to be used with honeyd to simulate a telnet service.
honeyd.start A script to launch honeyd along with arpd and tcpdump.
honeypot.cron A script to display the contents of /var/log/honeyd from a cronjob.
iisemul8.patch This is a patch for RFP's iisemul8, which emulates an IIS server. I only added the logging facility. Apply the patch with:
patch -p0 < iisemul8.patch
honeyd.conf My honeyd.conf in case you want it.
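What a honeyd service script like telnet.sh has to do, as an added example (this is not the project's telnet.sh). honeyd starts the script with the attacker's TCP stream on stdin/stdout and exports the HONEYD_IP_SRC, HONEYD_IP_DST, HONEYD_SRC_PORT and HONEYD_DST_PORT variables; the log path under /var/log/honeyd and the TELNET_DELAY and HONEYD_LOG knobs are assumptions for this example. The part worth copying is read_line: every byte the attacker sends is reduced to printable ASCII before it is logged, so telnet option negotiation bytes, escape sequences and carriage returns cannot forge extra log lines or fire terminal control codes when someone later views the log with honeypot.cron.

```shell
#!/bin/sh
# Minimal telnet emulation for honeyd (added example; not the ODIN project's telnet.sh).
# honeyd starts the service script with the attacker's TCP stream on stdin/stdout,
# so everything printed goes to the attacker and everything read came from them.
# The HONEYD_* names are honeyd's; they are treated as optional so the script also
# runs by hand.  HONEYD_LOG and TELNET_DELAY are this example's own knobs.

HONEYD_LOG="${HONEYD_LOG:-/var/log/honeyd/telnet.log}"   # assumed log path under /var/log/honeyd
TELNET_DELAY="${TELNET_DELAY:-2}"                         # seconds to stall after a failed login
MAX_TRIES=3

# Read one line from the attacker and reduce it to printable ASCII, at most 64 bytes.
# Drops CR, telnet option negotiation (IAC = 0xff and its arguments) and escape
# sequences, so the log holds exactly what is printed here and nothing that could
# add fake log lines or terminal control codes.  Returns 1 on EOF (attacker hung up).
read_line() {
    raw=
    IFS= read -r raw || [ -n "$raw" ] || return 1
    clean=$(printf '%s' "$raw" | tr -cd '\040-\176')
    printf '%.64s' "$clean"
}

log_attempt() {
    # $1 = login name, $2 = password, both already sanitised by read_line
    printf '%s %s:%s -> %s:%s telnet login user="%s" pass="%s"\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" \
        "${HONEYD_IP_SRC:-unknown}" "${HONEYD_SRC_PORT:-0}" \
        "${HONEYD_IP_DST:-unknown}" "${HONEYD_DST_PORT:-23}" \
        "$1" "$2" >> "$HONEYD_LOG"
}

telnet_emul() {
    tries=0
    printf '\r\nOpenBSD/i386 (odin) (ttyp0)\r\n\r\n'     # fake banner; match it to the honeyd personality
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        printf 'login: '
        user=$(read_line) || return 0                  # attacker disconnected
        printf 'Password: '
        pass=$(read_line) || return 0
        log_attempt "$user" "$pass"
        tries=$((tries + 1))
        sleep "$TELNET_DELAY"                          # real telnetd stalls after a failure
        printf '\r\nLogin incorrect\r\n'
    done
    return 0                                           # exit closes the connection, like telnetd after MAX_TRIES
}

# honeyd sets HONEYD_IP_SRC when it runs the script; otherwise only define the functions.
if [ -n "${HONEYD_IP_SRC:-}" ]; then
    telnet_emul
fi
```

Bind it in honeyd.conf with a line such as `add default tcp port 23 "/usr/local/share/honeyd/telnet.sh"`. The script reads newline-terminated lines and does no telnet option negotiation at all, so a client stays in its default line mode with local echo (the password is visible on the attacker's side); a more convincing emulation would send WILL ECHO and parse IAC sequences instead of stripping them.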
In snort.conf I configured the portscan preprocessor to log to a file. ACID then also has to be configured to read that file.
Create some indexes in the MySQL database (ACID queries on source port, destination port and alert groups are much faster with them):
create index one on tcphdr (tcp_sport);
create index two on tcphdr (tcp_dport);
create index three on acid_ag_alert (ag_sid, ag_cid);
snortd.start A script to launch snort.
To update snort 1.8.7 to 1.9.0 you need to change the database: the schema version is bumped to 106 and the sensor table gets a last_cid column.
update schema set vseq='106', ctime=now();
alter table sensor add column (last_cid INT UNSIGNED NOT NULL);
Installing snortcenter: http://www.superhac.com/snort/snort_enterprise.pdf
Snort Documentation: http://www.snort.org/docs/writing_rules/chap2.html