Several tools exist that each address a particular security issue. A complete modern network infrastructure typically comprises several Host Intrusion Detection Systems (HIDS), Network Intrusion Detection Systems (NIDS) and honeypots. Correctly configuring all of those elements is a burden on the network administrator, who is also in charge of analyzing the multitude of alerts produced by such a complex distributed infrastructure.
HonIDS 1.0 allows a network administrator to easily deploy a complete and secure distributed architecture based on Open Source software. The central HonIDS server can automatically create a self-installing USB key containing a custom Linux distribution specifically tailored for use as a HonIDS sensor. The installation process requires only a few minutes and minimal site-specific information (such as the network configuration). Each sensor is:
All of these software components are ready to use and preconfigured to forward alerts and security-related events to the central HonIDS server. Communications between the sensors and the central server are tunneled (so that they can pass through most firewalls) and encrypted.
The HonIDS server contains a complete alert management platform built on Prelude. Alerts are received, stored, correlated and made available through a secure and easy-to-use web interface.
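The following is an added illustration, not HonIDS or Prelude code, of the kind of cross-sensor correlation a central server performs once alerts from HIDS, NIDS and honeypot sensors arrive in one place. It assumes a simplified flat alert record (sensor name, sensor type, source address, timestamp, classification) in place of the IDMEF messages Prelude actually handles, a hypothetical 10-minute correlation window, and a hypothetical severity rule that rates a source higher when a honeypot is among the corroborating sensors. The sample alerts are constructed for the example.

```python
"""Minimal cross-sensor alert correlator (illustrative example only).

Not HonIDS or Prelude code. Assumes each sensor reports flat records with a
sensor type (hids / nids / honeypot), a source address, an ISO timestamp and
a classification; real Prelude managers receive richer IDMEF messages.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts as they might arrive at the central server
# from three different sensors (not real data; documentation IP ranges).
SAMPLE_ALERTS = [
    {"sensor": "honeypot-1", "type": "honeypot", "src": "198.51.100.7",
     "ts": "2024-01-01T10:00:05", "class": "ssh-login-attempt"},
    {"sensor": "nids-1", "type": "nids", "src": "198.51.100.7",
     "ts": "2024-01-01T10:02:40", "class": "portscan"},
    {"sensor": "hids-1", "type": "hids", "src": "198.51.100.7",
     "ts": "2024-01-01T10:03:10", "class": "failed-auth"},
    {"sensor": "nids-1", "type": "nids", "src": "203.0.113.9",
     "ts": "2024-01-01T10:05:00", "class": "portscan"},
    {"sensor": "honeypot-1", "type": "honeypot", "src": "203.0.113.9",
     "ts": "2024-01-01T12:30:00", "class": "http-probe"},
]


def parse_ts(s):
    """Parse the ISO-8601 timestamp carried by each alert record."""
    return datetime.fromisoformat(s)


def correlate(alerts, window=timedelta(minutes=10)):
    """Group alerts by source address and emit one correlated alert per
    source whose activity is seen by at least two different sensor types
    within `window` (hypothetical window; tune to the environment).

    Returns a list of correlated alerts sorted by source address.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    results = []
    for src, items in by_src.items():
        items.sort(key=lambda a: parse_ts(a["ts"]))
        # Slide a time window over the time-ordered alerts of this source.
        for i, first in enumerate(items):
            start = parse_ts(first["ts"])
            cluster = [a for a in items[i:]
                       if parse_ts(a["ts"]) - start <= window]
            types = {a["type"] for a in cluster}
            if len(types) >= 2:
                results.append({
                    "src": src,
                    "sensor_types": sorted(types),
                    "first_seen": cluster[0]["ts"],
                    "last_seen": cluster[-1]["ts"],
                    "count": len(cluster),
                    # Hypothetical rule: a honeypot has no legitimate users,
                    # so a honeypot hit corroborated by another sensor type
                    # is rated higher than NIDS/HIDS agreement alone.
                    "severity": "high" if "honeypot" in types else "medium",
                })
                break  # one correlated alert per source is enough here
    return sorted(results, key=lambda r: r["src"])


if __name__ == "__main__":
    for r in correlate(SAMPLE_ALERTS):
        print(r)
```

Running the block correlates the three alerts from 198.51.100.7 (honeypot, NIDS and HIDS within a few minutes) into a single high-severity record, while the two alerts from 203.0.113.9 stay separate because they fall outside the window. In a real deployment the window and severity rule would be expressed as Prelude correlation rules rather than hard-coded as here.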