IAMDOH is a tool designed to increase the reliability of an IDS by reducing the number of false positives. It uses existing reliable tools like Nmap, Nessus, and Amap to validate IDS alerts.
In early 2003, nobody had volunteered to collaborate (although some chaps from London 2600 did share some info), so in between versions of WIDZ, and whilst I was resting (consultant speak for having a huge falling out with several dumb-ass Scottish accountant types, then running away to find a new job with a big bag over one shoulder with swag written on it), I wrote I-am-doh as a proof of concept (i.e. I don't programme worth a damn) to demonstrate how the above techniques can be used.
It leverages Nessus and the Nessus database for vulnerability identification. It leverages Nmap for port and OS identification, and now service identification. It used to (and may do again) use Amap and Vmap for service and version identification. It uses bug tracking to look up online vulnerability info.
The concept of product re-usability is continued: all GUIs are based on existing products like gnome-terminal, which provides the ability to scroll and to open browser windows onto bug track or nessus.org. These features would have taken ages to code!
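As an added illustration of the validation idea described above (example code, not IAMDOH's own), the script below parses a constructed Nmap grepable-style (-oG) inventory and checks each constructed IDS alert against it, dropping alerts whose target has the port closed, runs a different service, or runs an OS the signature does not apply to. The alert names, the per-signature "needs" mapping and the verdict reasons are assumptions made for the example; an unscanned host is deliberately kept rather than dropped on missing evidence.

```python
# Constructed Nmap grepable (-oG style) output for two hosts; not real scan data.
NMAP_GREPABLE = (
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1/, "
    "80/open/tcp//http//Apache httpd 2.0.52/\tOS: Linux 2.4.X\n"
    "Host: 10.0.0.9 ()\tPorts: 135/open/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 2000\n"
)

# Constructed IDS alerts; 'needs' records what each signature assumes about its target.
ALERTS = [
    {"sig": "WEB-IIS cmd.exe access", "dst": "10.0.0.5", "port": 80, "needs": {"service": "http", "os": "windows"}},
    {"sig": "NETBIOS SMB overflow", "dst": "10.0.0.9", "port": 445, "needs": {"service": "microsoft-ds", "os": "windows"}},
    {"sig": "MS-SQL worm propagation", "dst": "10.0.0.9", "port": 1434, "needs": {"service": "ms-sql-m"}},
    {"sig": "FTP wu-ftpd overflow", "dst": "10.0.0.5", "port": 21, "needs": {"service": "ftp"}},
    {"sig": "SSH CRC32 overflow", "dst": "10.0.0.77", "port": 22, "needs": {"service": "ssh"}},
]

def parse_grepable(text):
    """Map ip -> {"os": str, "ports": {port: service}} from -oG style host lines."""
    hosts = {}
    for line in text.splitlines():
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Host" not in fields:
            continue
        ports = {}
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
            if len(parts) >= 5 and parts[1] == "open":
                ports[int(parts[0])] = parts[4]
        hosts[fields["Host"].split()[0]] = {"os": fields.get("OS", ""), "ports": ports}
    return hosts

def triage(alerts, hosts):
    """Return (signature, verdict, reason) per alert; verdict is 'keep' or 'drop'."""
    out = []
    for a in alerts:
        host, needs = hosts.get(a["dst"]), a["needs"]
        if host is None:  # unscanned target: never drop on missing evidence
            out.append((a["sig"], "keep", "host not in scan inventory"))
        elif a["port"] not in host["ports"]:
            out.append((a["sig"], "drop", "port not open on target"))
        elif host["ports"][a["port"]] != needs["service"]:
            out.append((a["sig"], "drop", "service mismatch"))
        elif "os" in needs and needs["os"] not in host["os"].lower():
            out.append((a["sig"], "drop", "OS mismatch"))
        else:
            out.append((a["sig"], "keep", "target matches signature assumptions"))
    return out
```

Run as `triage(ALERTS, parse_grepable(NMAP_GREPABLE))`; on this constructed input three of the five alerts are filtered, the IIS alert against a Linux box, the MS-SQL alert against a closed port and the FTP alert against a host with no FTP service.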
I wasn't going to release the code ever because you'd all been so bloody uncooperative, but in view of the comments from G**TNER last week about IDS being dead, I thought I'd better release early.
BOTTOM LINE: I-AM-DOH filters greater than 75% of the false positives.
Give it a go; the code is as flaky as hell, but it proves a point.