
    Shoki 0.3.0.1078987736

    Developer: Stephen P. Berry
    License / Price: GPL / FREE
    Last Updated: February 7th, 2008, 00:43 GMT
    Category: ROOT / Security


    Shoki description

    Shoki is a free, open source network intrusion detection system. The fundamental design goals are simplicity and modularity, and the focus is on traffic analysis rather than content inspection.

    Here are some key features of "Shoki":

    · Signature matching using libpcap-style filter expressions
    · Support for searches using POSIX extended regular expressions
    · Optional support for searches using Perl-compatible regular expressions
    · Dynamic rule-based signature generation
    · Correlation of data from multiple sources
    · Sending alerts to IM clients via the Jabber protocol
    · Visualisation of packet data via OpenGL
    · Anomaly scoring based on questionable math
    · Correlation of events to local assets (and known vulnerabilities)
    · Remote OS identification via passive fingerprinting
    · RFC 815-style fragment reassembly
    · Configurable scan detection
    · Configurable threshold-based signature detection
    · Analysis of entropy in IP packet fields
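    The "RFC 815-style fragment reassembly" item above refers to the hole-descriptor algorithm from RFC 815: the reassembler keeps a list of byte ranges still missing, and each arriving fragment splits, shrinks or removes the holes it touches. The example below is added here to show that algorithm on constructed fragments; it is not Shoki's code, and the Fragment/Reassembler names, the last-write-wins policy for overlapping data, and the sample HTTP payload are all assumptions of the example. It also counts bytes that re-cover data already received, because overlapping fragments are the classic way an attacker makes a sensor and the target host see different payloads.

```python
"""RFC 815 hole-descriptor fragment reassembly (added example, not Shoki's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INF = 1 << 32  # larger than any IP datagram; stands in for RFC 815's "infinity"


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's data within the datagram
    more: bool    # the IP "more fragments" (MF) flag
    data: bytes


@dataclass
class Reassembler:
    """Reassembles one datagram; holes are inclusive (first, last) byte ranges."""
    holes: List[Tuple[int, int]] = field(default_factory=lambda: [(0, INF)])
    buf: bytearray = field(default_factory=bytearray)
    total_len: Optional[int] = None
    overlap_bytes: int = 0  # bytes that re-covered data already received

    def add(self, frag: Fragment) -> Optional[bytes]:
        """Apply one fragment; return the datagram once no hole remains, else None."""
        if not frag.data:
            return None
        first, last = frag.offset, frag.offset + len(frag.data) - 1
        if self.total_len is not None and last >= self.total_len:
            self.overlap_bytes += len(frag.data)  # data past the known end: bogus
            return None
        new_holes: List[Tuple[int, int]] = []
        fresh = 0  # bytes of this fragment that fill a real hole
        for hf, hl in self.holes:
            if first > hl or last < hf:            # RFC 815 steps 2-3: untouched hole
                new_holes.append((hf, hl))
                continue
            fresh += min(last, hl) - max(first, hf) + 1
            if first > hf:                         # step 5: hole left of the fragment
                new_holes.append((hf, first - 1))
            if last < hl and frag.more:            # step 6: hole right of it, unless final
                new_holes.append((last + 1, hl))
        self.overlap_bytes += len(frag.data) - fresh
        self.holes = new_holes
        if not frag.more:
            self.total_len = last + 1
        if len(self.buf) < last + 1:
            self.buf.extend(b"\x00" * (last + 1 - len(self.buf)))
        # Policy assumption: a later fragment overwrites earlier data. Real stacks
        # differ (some favour the first copy), which is exactly what evasion exploits.
        self.buf[first:last + 1] = frag.data
        if not self.holes:
            return bytes(self.buf[: self.total_len])
        return None


def fragment(payload: bytes, size: int) -> List[Fragment]:
    """Split a payload into fragments of `size` bytes (a multiple of 8 on the wire)."""
    return [
        Fragment(off, off + size < len(payload), payload[off:off + size])
        for off in range(0, len(payload), size)
    ]


def reassemble(frags: List[Fragment]) -> Tuple[Optional[bytes], int]:
    """Feed fragments in the given order; return (datagram or None, overlap byte count)."""
    r = Reassembler()
    result = None
    for f in frags:
        out = r.add(f)
        if out is not None:
            result = out
    return result, r.overlap_bytes


# Constructed sample datagram (48 bytes), split into three 16-byte fragments.
PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    frags = fragment(PAYLOAD, 16)
    print(reassemble([frags[2], frags[0], frags[1]]))        # out of order, no overlap
    evasion = [frags[0], Fragment(8, True, b"X" * 16), frags[1], frags[2]]
    print(reassemble(evasion))                                # overlapping fragment
```

    Feeding the fragments out of order still yields the original datagram with zero overlap bytes; the second run injects a fragment that straddles two legitimate ones, and the overlap counter is what a sensor would use to flag the stream for closer inspection rather than silently trusting either copy.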

    Requirements:

    · libpcap
    · flex
    · yacc
    · zlib

    INSTALLATION:

    Create a `shoki' user (via adduser(8) or the equivalent), then:

    # ./configure [ --with-pgsql ] [ --with-gtk ] [ --with-pcap=DIR ]
    # make
    # make test
    # make install
    # make chroot

    ...and if you're using the Postgres stuff (and you should be), add the
    postgres user to the shoki group and then...

    # make db

    What's New in This Release:

    · lexer bugfix: Added pcap_close() before exiting
    · doctrine logic bugfix: fixed bug in doctrine verifier
    · doctrine logic tweak: added canonicalise_pcap()
    · search logic bugfix: fixed bug handling NULLs (0x00) in hex searches
    · TCP option handling bugfix: fixed bug in TCP option processing on sparc64 (and other platforms where unaligned access fails)
    · ac bugfix: fixed memory allocation error in ac(1)
    · feature add: added preliminary IDMEF output support
    · feature add: added test for dumpfile rewriting
    · scripting tweak: changed semantics in some scripts in handling lists of filenames
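    The "NULLs (0x00) in hex searches" fix above points at a common class of IDS bug: a signature given as hex may legitimately contain 0x00 bytes, but any search routine that treats the pattern or the packet as a C string stops at the first NUL and silently never matches. The example below is added here, and is not Shoki's code, to contrast a NUL-terminated search with a length-aware one, and to run the correct search under the threshold-based alerting the feature list describes. The Signature class, the parse_hex_pattern helper, the sample packets and the "nul-marker" signature are constructed for the example.

```python
"""Binary-safe hex signature search with per-source thresholds (added example, not Shoki's code)."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


def parse_hex_pattern(text: str) -> bytes:
    """Turn a signature written as hex ("00 00 00 00 5a") into raw bytes.

    Whitespace is ignored; a 0x00 byte is an ordinary pattern byte.
    """
    try:
        return bytes.fromhex("".join(text.split()))
    except ValueError as exc:
        raise ValueError(f"bad hex pattern {text!r}: {exc}") from None


def _cstr(b: bytes) -> bytes:
    """Model of strlen() semantics: everything after the first NUL is invisible."""
    return b.split(b"\x00", 1)[0]


def hex_search_cstring(payload: bytes, pattern: bytes) -> bool:
    """The failure mode: both buffers treated as C strings.

    A pattern that starts with 0x00 becomes empty and can never match, and payload
    bytes after a NUL are never examined. Illustration of the bug class only.
    """
    p = _cstr(pattern)
    return len(p) > 0 and p in _cstr(payload)


def find_all(payload: bytes, pattern: bytes) -> List[int]:
    """Length-aware search: every offset at which pattern occurs, NULs included."""
    hits, i = [], payload.find(pattern)
    while i != -1:
        hits.append(i)
        i = payload.find(pattern, i + 1)
    return hits


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    threshold: int  # alert once this many packets from one source have matched


def scan(packets: List[Tuple[str, bytes]], sigs: List[Signature]) -> List[Tuple[str, str]]:
    """Threshold-based detection: one (signature, source) alert when the count is reached."""
    counts: Counter = Counter()
    alerts: List[Tuple[str, str]] = []
    for src, payload in packets:
        for sig in sigs:
            if find_all(payload, sig.pattern):
                counts[(src, sig.name)] += 1
                if counts[(src, sig.name)] == sig.threshold:
                    alerts.append((sig.name, src))
    return alerts


# Constructed sample traffic: (source address, payload bytes).
PACKETS = [
    ("10.0.0.5", b"\x00\x00\x00\x00\x5a\x01\x02"),
    ("10.0.0.5", b"hello\x00\x00\x00\x00\x00\x5a"),
    ("10.0.0.9", b"plain text, no marker"),
    ("10.0.0.5", b"\x00\x00\x00\x00\x5a"),
]
SIGS = [Signature("nul-marker", parse_hex_pattern("00 00 00 00 5a"), threshold=2)]

if __name__ == "__main__":
    for src, payload in PACKETS:
        print(src, hex_search_cstring(payload, SIGS[0].pattern), find_all(payload, SIGS[0].pattern))
    print(scan(PACKETS, SIGS))
```

    The NUL-terminated variant reports no hit on any of the packets even though three of them carry the marker; the length-aware search finds it, and the threshold logic raises a single alert for 10.0.0.5 on its second matching packet rather than one per packet.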
