Firestorm NIDS

home :: news :: download :: developers :: documentation

Firestorm NIDS
Firestorm is an extremely high performance network intrusion detection system (NIDS). At the moment it just a sensor but plans are to include real support for analysis, reporting, remote console and on-the-fly sensor configuration. It is fully pluggable and hence extremely flexible. Firestorm performs a lot better than all other systems I have tested (such as snort and prelude) by as much as a factor of 2 (and thats under favourable conditions, it way outstrips the competition under a targeted DoS attack).

A Network Intrusion Detection System is a system which can identify suspicious patterns in network traffic. If a firewall is a doorman, a NIDS is an undercover KGB agent. He silently gathers intelligence and can spot an enemy even if the door security has already let them in (maybe the enemy can make fake identification documents).

The firestorm project has been dormant since 2004. However a new version is in development. This "next-generation" intrusion detection system was initiated to solve a lot of the problems encountered in the development of the previous firestorm releases. The code-base is much smaller and simpler. There is the possibility for full IPv6 support as-well as a sophisticated application layer decoding suite.

All of these enhacements are designed to facilitate a rule language which makes it as simple as possible to write very accurate signatures which are vulnerability rather than exploit oriented without compromising on performance. Plans are to complete the network sensor and implement an attack-graph based correlation component, a prototype of which I have completed but not yet released due to IP issues ;) The correlator ought to be able to combine signature and anomaly alerts in to an intelligable and accurate output.

Once this work is completed and packaged as a point release, the ultimate goal would then be to implement a host-based sensor (eg. syslog monitoring) and an active network sensor (eg. snmp probes). For now, you can track development via the git repository by issuing the following command:

  $ git clone git://github.com/giannitedesco/firestorm.git

Tested Platforms

• Linux 2.x
• FreeBSD 4.x
• OpenBSD
• Solaris
• Should compile and run on any mainstream UNIX really...

Current Features

• Protocol anomaly detection
• Full application layer decodes
• Fully pluggable
• High performance OS Specific capture module for Linux
• Capture from libpcap files (normal AND redhat extended)
• Packet decode engine fully supports encapsulation
• Decode plugins included for many protocols (see below)
• Comprehensive snort rule support
• Wu-Manber setwise string matching
• Easy to configure; just one config file
• Can run chroot and with lowered privs (when started as root)
• Can run as a realtime process (when started as root)
• Preprocessors to allow supplementary modes of detection (eg: anomaly)
• Full IP defragmentation (passes fragroute evasion tests)
• TCP stateful inspection with window tracking
• Intelligent TCP stream reassembly
• HTTP URL normalization
• EXTREMELY fast and scalable signature engine
• Configurable token-bucket rate-limiting of any alerts
• GNOME2 based analyst console user interface
• Enhanced logging format for ease of analysis
• ELOG indexing for lightning fast sorting and filtering of alerts

Supported Protocols

• TCP/IP Suite (IPv4,TCP,UDP,ICMP,IGMP)
• 802.1q (vlan)
• Can differentiate EthernetII and 802.3 and novell IPX frames
• Can decode LLC and SNAP in 802.3
• IPX, SAP
• Linux cooked sockets (SLL) in two different formats
• GRE (generic routing encapsulation)
• IrDA (infra-red)
• ARP/Appletalk ARP

Planned Features

• Anomaly detection
• Some performance enhancements
• Proper remote alerting to central firestorm server
• Analyst consoles to read data from central server
• Central management of all configuration from analyst console

This page is public domain. No trademarks, no patents, no copywrongs.