You have come to Realeyes

Real eyes Real eyes











Welcome to the Realeyes network IDS project.

Robust rule definitions
Extensive information for analysts
Reduction of false positives

Information is the currency of the modern world, and as its value increases, so does the need to protect it. This has resulted in computer and network security becoming an arms race between those who are responsible for protecting systems and data, and those who are trying to vandalize or steal them.

Computer security has some analogies in the real world. Firewalls are like gates, passwords are like keys, and network Intrusion Detection Systems are like security cameras. Of course, the analogy cannot be taken too far, because the virtual world has several important differences from the real world.

First, data obviously cannot be touched, or even seen, in any conventional way. Both computer systems and networks organize the data in ways that are most efficient for the platform, and for humans to make sense of it requires an application to interpret it in a meaningful way. Second, the speed and quantity of data in modern computer systems and networks is overwhelming. Again, for humans to observe it, an application is required to select relevant information.

When network IDSes were first developed, they used network sniffer technology plus some filtering capabilities. This meant that each packet was analyzed as a separate entity. Returning to the security camera analogy, this was like having a few photographs. It provided a sense of the threat, but it was often necessary to examine the targetted system to determine the severity of the intrusion.

Another shortcoming of those IDSes was the use of signatures to identify exploits. Unfortunately, there are many ways to avoid detection by signatures, such as varying the order of instructions and encoding commands as ASCII codes which are translated by the web server before being passed to a web application. This meant that rules had to be so broad that they reported large numbers of false positives, or they would fail to detect intrusions.

Over time, newer techniques have been added to network IDSes, including protocol anomaly detection and some heuristic capability. However, the sophistication of intrusion and exploit software has also increased dramatically, and the quantity of data continues to increase. Thus, the main issues with network IDSes continue to be:

  • False positives
  • Rule evasion
  • The need to examine the target system

To address these issues, the Realeyes IDS project has been designed to extend the capabilities of rule definitions and to analyze the interaction between clients and servers. This enables rules to be designed that watch for behavior, and supplies sufficient information to human analysts to quickly resolve the severity of detected intrusions.

  • Data stream reassembly and analysis of TCP/UDP sessions: The analysis of complete sessions provides a broader view of activity, which allows for more complex rules to be designed. It also allows for the behavior of servers, which is generally consistent, to be used as an indicator of an attack. When a rule is detected, some or all of both the client and server data is included in the report sent to the Realeyes IDS database. This allows analysts to see immediately if the target of the exploit responded normally or not.

  • Expanded rule definition capabilities: The Realeyes IDS rules are defined in three levels. The first two levels produce rules that are similar to signatures. This is done by defining strings to be matched, and the conditions under which they will be reported. The third level allows for those definitions to be combined into more sophisticated rules. Expanded capabilities for these definitions include:
    • Match strings may be detected in any order
    • Distance from the start of a session or between match strings may be used to identify their relevance
    • Match strings may be required to be found in the same line, where examples of end of line strings are 'Carriage Return/Line Feed' or HTML end tags
    • Match strings may be defined to exclude valid traffic from being reported
    • The timestamp of the session may be used in definitions
    • Second level definitions may be found in opposite halves of a session and combined into a single rule
    • Second level definitions may be required to be Request/Reply pairs
    • Second level definitions may be used to exclude valid traffic from being reported
    • Rules may be defined that automatically report all sessions which one or both of the hosts establishes for a defined time period after the original rule is detected

Realeyes IDS Features

The complete list of features is quite extensive. Some of the system capabilities are:

  • Scalable: The Realeyes IDS may include multiple sensors, distributed over a wide geographical area, reporting to a central database, which may be accessed by analysts who are also geographically separated. However, it may also be installed on a single laptop for temporary, focused monitoring.
  • Standalone applications: The Realeyes IDS is not a web application and therefore does not require a web server. It does use the PostgreSQL database for storing definitions and intrusion data. All configuration, initialization, and management for the database is provided by the application. The IDS sensor and user interface are standalone applications that use SSL encryption to communicate with the database.
  • Enterprise support: When used in an enterprise environment, the Realeyes IDS provides the following levels of access to data:
    • Administration
    • Regular analyst
    • Analyst with rule definition priveleges
    • Analyst with read only access
    Also, each sensor is defined with site and point of contact information, which may be easily displayed from the user interface.
  • Trends analysis: The Realeyes IDS provides the capability of saving actual intrusions to be analyzed for trends.
  • Statistics collection: The Realeyes IDS sensors accumulate statistics of session data. It is possible to designate specific hosts or ports for detailed statistics collection.
  • Reports: The Realeyes IDS provides built-in reports on all collected data, including:
    • Open incidents
    • Closed incidents
    • Statistics
    • Site and point of contact information

For a detailed description of the Realeyes IDS, including screenshots and live demos, visit the Technology page. For up to date information on the status of the project, see the News page or read the Blog.

Helpful information for users is on the Download, Documentation, and Support pages. If you are interested in participating in the project, see the Developers page. To communicate with the project team, see the Contact page.

The Realeyes IDS is licensed under GPLv3. For additional information on licensing and programs used in the project development, see the Licensing page.

Software should help people work smarter,
not make them work harder. Logo