Welcome to the Realeyes network IDS project.
Robust rule definitions
Extensive information for analysts
Reduction of false positives
Information is the currency of the modern world, and as its
value increases, so does the need to protect it. This has resulted
in computer and network security becoming an arms race between
those who are responsible for protecting systems and data, and
those who are trying to vandalize or steal them.
Computer security has some analogies in the real world. Firewalls
are like gates, passwords are like keys, and network Intrusion Detection
Systems are like security cameras. Of course, the analogy cannot be
taken too far, because the virtual world has several important
differences from the real world.
First, data obviously cannot be touched, or even seen, in any
conventional way. Both computer systems and networks organize the
data in ways that are most efficient for the platform, and for
humans to make sense of it requires an application to interpret
it in a meaningful way. Second, the speed and quantity of data in
modern computer systems and networks is overwhelming. Again, for
humans to observe it, an application is required to select relevant
information.
When network IDSes were first developed, they used network sniffer
technology plus some filtering capabilities. This meant that each
packet was analyzed as a separate entity. Returning to the security
camera analogy, this was like having a few photographs. It provided
a sense of the threat, but it was often necessary to examine the
targeted system to determine the severity of the intrusion.
Another shortcoming of those IDSes was the use of signatures to
identify exploits. Unfortunately, there are many ways to avoid
detection by signatures, such as varying the order of instructions
and encoding commands as ASCII codes which are translated by the
web server before being passed to a web application. This meant
that rules had to be so broad that they reported large numbers of
false positives, or they would fail to detect intrusions.
Over time, newer techniques have been added to network IDSes, including
protocol anomaly detection and some heuristic capability. However,
the sophistication of intrusion and exploit software has also
increased dramatically, and the quantity of data continues to
increase. Thus, the main issues with network IDSes continue to be:
- False positives
- Rule evasion
- The need to examine the target system
To address these issues, the Realeyes IDS project has been designed
to extend the capabilities of rule definitions and to analyze the
interaction between clients and servers. This enables rules to be
designed that watch for behavior, and supplies sufficient information
to human analysts to quickly resolve the severity of detected
intrusions.
- Data stream reassembly and analysis of TCP/UDP sessions:
The analysis of complete sessions provides a broader view of activity,
which allows for more complex rules to be designed. It also allows
for the behavior of servers, which is generally consistent, to be
used as an indicator of an attack. When a rule is detected, some or
all of both the client and server data is included in the report sent
to the Realeyes IDS database. This allows analysts to see immediately
if the target of the exploit responded normally or not.
- Expanded rule definition capabilities: The Realeyes
IDS rules are defined in three levels. The first two levels produce
rules that are similar to signatures. This is done by defining
strings to be matched, and the conditions under which they will be
reported. The third level allows for those definitions to be
combined into more sophisticated rules. Expanded capabilities
for these definitions include:
  - Match strings may be detected in any order
  - Distance from the start of a session or between match strings
    may be used to identify their relevance
  - Match strings may be required to be found in the same line,
    where examples of end of line strings are 'Carriage Return/Line Feed'
    or HTML end tags
  - Match strings may be defined to exclude valid traffic from
    being reported
  - The timestamp of the session may be used in definitions
  - Second level definitions may be found in opposite halves of a
    session and combined into a single rule
  - Second level definitions may be required to be Request/Reply
    pairs
  - Second level definitions may be used to exclude valid traffic
    from being reported
  - Rules may be defined that automatically report all sessions
    which one or both of the hosts establishes for a defined time
    period after the original rule is detected
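As an added illustration (not Realeyes code; the class and function names are this example's own, and it models only a subset of the constraints listed above), here is a minimal Python rule matcher that applies level-1 match strings with an offset limit and exclusions, a level-2 same-line constraint, and a level-3 Request/Reply pair over the client and server halves of a reassembled session:

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of the three rule levels described above (names are
# this example's own, not Realeyes identifiers).
@dataclass
class Level1:
    text: bytes
    max_offset: Optional[int] = None  # max distance from the start of the half
    exclude: bool = False             # presence suppresses the report

@dataclass
class Level2:
    name: str
    matches: List[Level1]     # may hit in any order
    same_line: bool = False   # all matches must sit on one CRLF-delimited line

def level2_hits(rule: Level2, data: bytes) -> bool:
    """True when every required string is found within its offset limit,
    no exclude string is present, and the same-line constraint holds."""
    positions = []
    for m in rule.matches:
        pos = data.find(m.text)
        if m.exclude:
            if pos != -1:
                return False
            continue
        if pos == -1 or (m.max_offset is not None and pos > m.max_offset):
            return False
        positions.append(pos)
    if rule.same_line and len({data[:p].count(b"\r\n") for p in positions}) > 1:
        return False
    return True

def level3_hits(req: Level2, rep: Level2, client: bytes, server: bytes) -> bool:
    """Level 3: a Request/Reply pair; the client half and the server half of
    the reassembled session must each satisfy their own level-2 rule."""
    return level2_hits(req, client) and level2_hits(rep, server)

# Constructed sample session halves, not captured traffic.
CLIENT = b"GET /cgi-bin/admin.pl?cmd=list HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SERVER_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nlist: ok\r\n"
SERVER_404 = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

# Request side: both strings must be on the request line; reply side: a 200
# near the start of the reply, with the 404 case explicitly excluded.
REQ_RULE = Level2("cgi-cmd-request", [Level1(b"cmd="), Level1(b"/cgi-bin/")], same_line=True)
REP_RULE = Level2("cgi-cmd-accepted", [Level1(b"200 OK", max_offset=12), Level1(b"404", exclude=True)])
```

Because the reply half is part of the rule, the same request that the server rejected with a 404 does not produce a report, which is the "did the target respond normally" check the text describes.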
Realeyes IDS Features
The complete list of features is quite
extensive. Some of the system capabilities are:
- Scalable: The Realeyes IDS may include multiple sensors,
distributed over a wide geographical area, reporting to a central
database, which may be accessed by analysts who are also
geographically separated. However, it may also be installed on a
single laptop for temporary, focused monitoring.
- Standalone applications: The Realeyes IDS is not a web
application and therefore does not require a web server. It does
use the PostgreSQL database for storing definitions and intrusion
data. All configuration, initialization, and management for the
database is provided by the application. The IDS sensor and user
interface are standalone applications that use SSL encryption to
communicate with the database.
- Enterprise support: When used in an enterprise environment,
the Realeyes IDS provides the following levels of access to data:
  - Administration
  - Regular analyst
  - Analyst with rule definition privileges
  - Analyst with read only access
Also, each sensor is defined with site and point of contact
information, which may be easily displayed from the user interface.
- Trends analysis: The Realeyes IDS provides the capability
of saving actual intrusions to be analyzed for trends.
- Statistics collection: The Realeyes IDS sensors accumulate
statistics of session data. It is possible to designate specific
hosts or ports for detailed statistics collection.
- Reports: The Realeyes IDS provides built-in reports on all
collected data, including:
  - Open incidents
  - Closed incidents
  - Statistics
  - Site and point of contact information
For a detailed description of the Realeyes IDS, including screenshots
and live demos, visit the Technology page. For up to date information
on the status of the project, see the News page or read the Blog.
Helpful information for users is on the Download, Documentation, and
Support pages. If you are interested in participating in the project,
see the Developers page. To communicate with the project team, see
the Contact page.
The Realeyes IDS is licensed under GPLv3. For additional information
on licensing and programs used in the project development, see the
Licensing page.