Welcome to the Realeyes network IDS project.

Robust rule definitions
Extensive information for analysts
Reduction of false positives

Information is the currency of the modern world, and as its value increases, so does the need to protect it. This has resulted in computer and network security becoming an arms race between those who are responsible for protecting systems and data, and those who are trying to vandalize or steal them.

Computer security has some analogies in the real world. Firewalls are like gates, passwords are like keys, and network Intrusion Detection Systems are like security cameras. Of course, the analogy cannot be taken too far, because the virtual world has several important differences from the real world. First, data obviously cannot be touched, or even seen, in any conventional way. Both computer systems and networks organize data in ways that are most efficient for the platform, and for humans to make sense of it, an application is required to interpret it in a meaningful way. Second, the speed and quantity of data in modern computer systems and networks is overwhelming. Again, for humans to observe it, an application is required to select the relevant information.

When network IDSes were first developed, they used network sniffer technology plus some filtering capabilities. This meant that each packet was analyzed as a separate entity. Returning to the security camera analogy, this was like having a few photographs. It provided a sense of the threat, but it was often necessary to examine the targeted system to determine the severity of the intrusion. Another shortcoming of those IDSes was the use of signatures to identify exploits. Unfortunately, there are many ways to avoid detection by signatures, such as varying the order of instructions, or encoding commands as ASCII codes that are translated by the web server before being passed to a web application.
This meant that rules had to be so broad that they reported large numbers of false positives, or they would fail to detect intrusions. Over time, newer techniques have been added to network IDSes, including protocol anomaly detection and some heuristic capability. However, the sophistication of intrusion and exploit software has also increased dramatically, and the quantity of data continues to increase. Thus, the main issues with network IDSes continue to be:
To address these issues, the Realeyes IDS project has been designed to extend the capabilities of rule definitions and to analyze the interaction between clients and servers. This enables rules to be designed that watch for behavior, and supplies sufficient information to human analysts to quickly resolve the severity of detected intrusions.
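The encoding problem described above, as an added example that is not part of the Realeyes project code: a signature applied to the raw request bytes misses a percent-encoded path, while the same signature applied after the request is normalized the way the web server would decode it still matches. The request lines and the signature are constructed for the illustration and are not Realeyes rules.

```python
import re
from urllib.parse import unquote

# Constructed sample HTTP request lines (not captured traffic).
REQUESTS = [
    "GET /index.html HTTP/1.1",                                 # benign
    "GET /cgi-bin/view.cgi?file=/etc/passwd HTTP/1.1",          # plain
    "GET /cgi-bin/view.cgi?file=%2fetc%2fpasswd HTTP/1.1",      # URL-encoded
    "GET /cgi-bin/view.cgi?file=%252fetc%252fpasswd HTTP/1.1",  # double-encoded
]

# Hypothetical signature for a sensitive path in a request (illustration only).
SIGNATURE = re.compile(r"/etc/passwd")


def naive_match(request: str) -> bool:
    """Apply the signature to the request bytes exactly as seen on the wire."""
    return SIGNATURE.search(request) is not None


def normalize(request: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding as the server would before the application sees it.

    Decoding is repeated until the text stops changing (bounded by max_rounds)
    so that double-encoded input is also reduced to its plain form.
    """
    for _ in range(max_rounds):
        decoded = unquote(request)
        if decoded == request:
            break
        request = decoded
    return request


def normalized_match(request: str) -> bool:
    """Apply the same signature after normalization."""
    return SIGNATURE.search(normalize(request)) is not None


def compare(requests):
    """Return (raw_hits, normalized_hits): the request lines each method flags."""
    raw_hits = [r for r in requests if naive_match(r)]
    normalized_hits = [r for r in requests if normalized_match(r)]
    return raw_hits, normalized_hits


if __name__ == "__main__":
    raw_hits, normalized_hits = compare(REQUESTS)
    print("raw-signature hits:       ", len(raw_hits))         # 1
    print("normalized-signature hits:", len(normalized_hits))  # 3
```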
Realeyes IDS Features

The complete list of features is quite extensive. Some of the system capabilities are:
For a detailed description of the Realeyes IDS, including screenshots and live demos, visit the Technology page. For up to date information on the status of the project, see the News page or read the Blog. Helpful information for users is on the Download, Documentation, and Support pages. If you are interested in participating in the project, see the Developers page. To communicate with the project team, see the Contact page. The Realeyes IDS is licensed under GPLv3. For additional information on licensing and programs used in the project development, see the Licensing page.