ODIN: The SWISS IDS Project
NEWS

26 Jan 2003: The project is still alive! We will soon release the console!
30 Oct 2002: Updated the sensors to snort 1.9.0 and installed snortcenter on them.
   Oct 2002: Optimizing sensors. Already 160'000 alerts!
01 Sep 2002: Added the third sensor.
16 Aug 2002: Added a little script to display the contents of /var/log/honeyd
08 Aug 2002: Network Topology Map added.
08 Aug 2002: Second sensor is running.
07 Aug 2002: honeyd scripts online.
30 Jul 2002: The pf2mysql.pl script was added.

Network Topology

The Network Topology shows, at the network level, how the sensors are connected to each other. Note that not all routers or hops between the networks are shown!

DEVELOPMENT

For this project we developed some code:

Before you download any code, please make sure you agree to the LICENSE!

OpenBSD packetfilter (pf)

  • pf2mysql.pl is a Perl script that takes a packet filter (pf) log file as input and stores the data in a MySQL database. Current version is 0.2a.
  • odin.sql is the SQL file to create the database for pf2mysql.pl
  • Check the INSTALL file for hints on how to use the script!
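The following is an added example of the kind of work pf2mysql.pl does, written here in Python rather than Perl; it is not the project's script. The log line format (tcpdump text output of pflog0 on OpenBSD 3.x), the sample lines and the table name `pflog` are assumptions, since odin.sql is not reproduced on this page.

```python
import re
from collections import Counter

# Constructed sample input. The line format assumed here is what tcpdump printed for
# the pflog0 interface on OpenBSD 3.x; the real pf2mysql.pl input may differ.
SAMPLE_LOG = """\
Jul 30 10:15:22.334455 rule 12/0(match): block in on fxp0: 192.0.2.10.4321 > 198.51.100.5.80: S 1:1(0) win 5840
Jul 30 10:15:23.001002 rule 12/0(match): block in on fxp0: 192.0.2.10.4322 > 198.51.100.5.443: S 2:2(0) win 5840
Jul 30 10:15:25.220011 rule 3/0(match): pass in on fxp0: 192.0.2.77.53 > 198.51.100.5.53: udp 41
Jul 30 10:16:01.000000 rule 12/0(match): block in on fxp0: 203.0.113.9.61000 > 198.51.100.5.80: S 3:3(0) win 1024
this line is deliberately malformed and must be skipped, not imported
"""

# One regex for the whole line; the named groups become the database columns.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_pflog(text):
    """Return one dict per well-formed log line; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # never let one garbled line abort the whole import
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def insert_statement(rec, table="pflog"):
    """Parameterized INSERT (hypothetical table name). Placeholders keep log contents
    out of the SQL text, so a crafted log line cannot alter the statement."""
    cols = ("ts", "rule", "reason", "action", "direction", "iface",
            "src", "sport", "dst", "dport")
    sql = "INSERT INTO %s (%s) VALUES (%s)" % (
        table, ", ".join(cols), ", ".join(["%s"] * len(cols)))
    return sql, tuple(rec[c] for c in cols)

def blocked_ports(records):
    """Blocked inbound packets per destination port: the first question an analyst asks."""
    return Counter(r["dport"] for r in records
                   if r["action"] == "block" and r["direction"] == "in")
```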

HoneyD

  • telnet.sh A script to be used with honeyd to simulate a telnet service.
  • honeyd.start A script to launch the honeyd along with arpd and tcpdump.
  • honeypot.cron A script to display the contents of /var/log/honeyd in a cronjob
  • iisemul8.patch A patch for RFP's iisemul, which emulates an IIS server; it only adds a logging facility. Apply the patch with:
    patch -p0 < iisemul8.patch
  • honeyd.conf My honeyd.conf in case you want it.


SNORT Tweaking

  • In the snort.conf file I added the portscan preprocessor and configured it to log to a file. The same portscan log then also has to be added in ACID.
  • Create some indexes in the MySQL database:
    mysql> create index one on tcphdr (tcp_sport);
    mysql> create index two on tcphdr (tcp_dport);
    mysql> create index three on acid_ag_alert (ag_sid, ag_cid);

  • To update snort 1.8.7 to 1.9.0 you need to change the database schema:
      update schema set vseq='106', ctime=now();
      alter table sensor add column (last_cid INT UNSIGNED NOT NULL);

  • snortd.start A script to launch snort.

  • Signature Tuning

References

  • SnortCenter: http://users.pandora.be/larc/download/
  • Installing snortcenter: http://www.superhac.com/snort/snort_enterprise.pdf
  • Snort Documentation: http://www.snort.org/docs/writing_rules/chap2.html

RELATED PROJECTS

  • www.dshield.org Difference:
  • www.netscan.org
  • www.mynetwatchman.com/
    http://www.pantheon.org/areas/mythology/europe/norse/articles.html
    http://www.pitt.edu/~dash/thor.html
    http://www.deliriumsrealm.com/delirium/mythology/loki.asp
    PIC: http://www.leatherworks.com/Alchemy-Gothic/