SURFids

Welcome to the SURFids Development homepage. SURFids is an open source Distributed Intrusion Detection System based on passive sensors. The goal is to provide an early warning system which lets system administrators correlate known and unknown exploits to attacks directed towards their networks.

[22-12-09] Some interesting projects

There are a few projects related to SURFids which are pretty interesting. I thought I should list them here for others to check out.

CSN

They have made a Snort plugin that logs all the Snort messages directly into the SURFids database. We haven't tested it ourselves yet, but I have seen the results and it looks pretty nice.

Aside from that, they are busy creating an SMTP honeypot that collects spam and scans it for malware and such. Both projects look interesting. I suggest everyone to give it a go.

[18-11-09] Debian live shenanigans - Rebuild your USB sensors (3.0+)!

Debian live seems to have a few undocumented features that are not really useful, or are even insecure, for our USB sensors.

If you have built your sensors with the previous scripts, we advise you to rebuild your images for security reasons. This is only applicable for the latest 3.0+ version and only for the USB sensors.

We have updated the scripts in the live-usb directory of the SVN sensor trunk. These scripts will take care of disabling a few Debian live features that are unneeded or insecure. Take a look at the documentation of 1b. Bootable USB for updated instructions on how to build your USB images.

The key changes:

  • Debian live creates a default user “user” with a default password. This is very unsafe, so we have added a script that will let you add your own user with a custom password.
  • Debian live automatically logs the user in on boot. We have changed this to just give the regular login prompt instead.
  • Debian live configures root without a password. We have added a script that lets you set the root password.
  • We have also added a script that lets you set up an authorized_keys2 file for your sensor for added SSH security.
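The four defaults listed above are easy to check for in the filesystem tree an image was built from, before the image is written to USB. The audit function below is an added example, not one of the SURFids scripts; it assumes the live account is named "user", that autologin is an "/bin/login -f user" entry in etc/inittab, and that the SSH key file is root/.ssh/authorized_keys2, and it includes two constructed sample trees (a stock one and a hardened one) so it runs offline.

```shell
# Added example, not SURFids code: report the Debian live defaults that the
# 3.0+ USB sensor scripts are meant to remove. Takes the path of an unpacked
# root filesystem and prints one finding per line (nothing means clean).
audit_live_root() {
    r="$1"
    # 1. The stock live account "user" is still present
    if grep -q '^user:' "$r/etc/passwd" 2>/dev/null; then
        echo "default account 'user' exists: replace it with your own account"
    fi
    # 2. Any account whose shadow password field is empty (stock root state)
    grep '^[^:]*::' "$r/etc/shadow" 2>/dev/null | cut -d: -f1 |
    while read -r name; do
        echo "account '$name' has no password set"
    done
    # 3. Autologin on tty1 via "login -f" in inittab (assumed mechanism)
    if grep -q 'login -f' "$r/etc/inittab" 2>/dev/null; then
        echo "inittab auto-logs a user in on boot: restore the regular getty line"
    fi
    # 4. No SSH key file for root, so SSH access is password-only
    if [ ! -s "$r/root/.ssh/authorized_keys2" ]; then
        echo "no root/.ssh/authorized_keys2: root SSH access is password-only"
    fi
}

# Constructed sample tree reproducing the stock Debian live state
make_weak_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root/.ssh"
    printf 'root:x:0:0:root:/root:/bin/bash\nuser:x:1000:1000:Live user:/home/user:/bin/bash\n' > "$d/etc/passwd"
    printf 'root::14600:0:99999:7:::\nuser:$1$live$FAKEHASH:14600:0:99999:7:::\n' > "$d/etc/shadow"
    printf '1:2345:respawn:/bin/login -f user </dev/tty1 >/dev/tty1 2>&1\n' > "$d/etc/inittab"
    echo "$d"
}

# Constructed sample tree after the hardening steps have been applied
make_hardened_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root/.ssh"
    printf 'root:x:0:0:root:/root:/bin/bash\nsensoradm:x:1000:1000::/home/sensoradm:/bin/bash\n' > "$d/etc/passwd"
    printf 'root:$6$a$FAKEHASH:14600:0:99999:7:::\nsensoradm:$6$b$FAKEHASH:14600:0:99999:7:::\n' > "$d/etc/shadow"
    printf '1:2345:respawn:/sbin/getty 38400 tty1\n' > "$d/etc/inittab"
    echo 'ssh-rsa AAAA_CONSTRUCTED_PLACEHOLDER admin@example' > "$d/root/.ssh/authorized_keys2"
    echo "$d"
}
```

Run it against the chroot directory of your live-usb build (for example `audit_live_root /path/to/chroot`) after the user, password and SSH key scripts have been applied; an empty result means none of the four defaults survived.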


Finally, we have also updated the USB sensor documentation to add some more info about customizing your USB sensor.

[22-10-09] Scanning binaries with SURFids 3.0

There are a few bugs in the scanbinaries.pl script from SURFids 3.0 which make it nearly impossible for the script to put any results in the database. A new version of the script can be manually downloaded here until it's incorporated in the next minor release.
If you want to fix this yourself right now, download this script and copy it over the old one in /opt/surfnetids/scripts/.

[04-09-09] New Debian package location

We now have a new location for our own packages. The manual has been updated with the correct URLs, but if you have already installed the package, you will need to modify your sources.list.

The new location is:

deb http://repo.ids.surfnet.nl/surfnetids/ lenny main

[26-08-09] SURFids 3.0

SURFids 3.0 is now finally released as stable. A few of the major changes in this release:

  • New sensors based on Python.
  • No more Knoppix remastering.
  • Debian packages for the sensor, logserver and tunnel server.

Here you can find a detailed changelog: Changelog.
You can find the installation instructions under the latest_docs segment in the menu on the left.

If you notice/find any bugs please let us know via email, IRC or the designated Trac page.

Enjoy!

[08-01-09] 2.00.04 bugfixes

There have been a few bugfixes since the latest release of 2.00.04. Check out the SVN for all the bugfixes:
Tunnel server bugfixes
Logging server bugfixes

To check them out:

svn checkout http://svn.ids.surfnet.nl/surfids/tunnel/branch/bugfixes-2.00.04/ ./tunnel-bugfixes
svn checkout http://svn.ids.surfnet.nl/surfids/logserver/branch/bugfixes-2.00.04/ ./logserver-bugfixes

You can just overwrite the old files.

The version number in the logging server configuration file also hasn't been updated. You can change this to 2.00.04 manually in /etc/surfnetids/surfnetids-log.conf.

Happy new year everyone!

[18-11-08] SURFids 2.00.04 released

We've released SURFids 2.00.04 which contains a few minor bug fixes and a vulnerability fix. The only part that has changed is the logging server. To upgrade your 2.00.03 SURFids installation to 2.00.04:

tar -xvzf surfids-logserver-2.00.04.tar.gz
cd logserver
cp webinterface/menu.php /opt/surfnetids/webinterface/
cp webinterface/include/surfnetids.js /opt/surfnetids/webinterface/include/
cp scripts/mailreporter.pl /opt/surfnetids/scripts/


Of course, any bugs you find in the new release can be submitted to our Trac page.

[13-10-08] Making graphs in the webinterface for 2.00.03

There's a small bug in the 2.00.03 release with creating graphs in the webinterface. To fix this you can check out the following file and replace it in your webinterface/include/ directory.

svn co http://svn.ids.surfnet.nl/trac/browser/2.0/logserver/trunk/webinterface/include/surfnetids.js ./
cp surfnetids.js /opt/surfnetids/webinterface/include/

[27-06-08] SURFids 2.00.03 released

SURFids 2.00.03 is now stable and available from the stable tags in SVN. Features of this release are:

  • Added authorization check to whois.php
  • Added “Always send” option to mail logs
  • Added UTC time format to mail logs
  • Added Nepenthes & Cymru mail logging formats
  • Upgraded jQuery to 1.2.1
  • Added sensor version information to the sensor details page
  • Added sensor MAC address to the sensor details page
  • Major stability fix for VLAN sensors


Aside from using the installers to upgrade your SURFids to this version, you will need to add one Perl package to the logging server. Read the UPDATE file for more information.

[16-05-08] OpenSSL vulnerability in Debian

The recent OpenSSL vulnerability in Debian has a rather high impact on the SURFids system. This basically means recreating all the certificates used by the SURFids system. A document explaining how to do this for a live SURFids environment can be found here.

[18-03-08] #surfnetids @ irc.freenode.net

I wanted to mention the IRC channel once more. We are usually hanging out there while working and currently there are also a few helpful other SURFids users hanging about. So if you have any comments, need any help or have any suggestions, please be welcome in our IRC channel.

irc.freenode.net
#surfnetids

[05-03-08] SURFids 2.00.02 stable released

SURFids 2.00.02 stable has been released. This release contains several bugfixes to the webinterface as well as some bugfixes to a few tunnel scripts. For a more detailed list of bugfixes: Trac

[10-01-08] Bug in surfnetids-dhclient

A bug in surfnetids-dhclient will result in sensors not being able to connect to the server properly when using DHCP. More info can be found in Trac: here

[13-12-07] SURFids 2.00.01 stable released

This stable release includes 3 critical bug fixes:

  • Fixed an XSS & SQL injection vulnerability.
  • Fixed a bug in the redirect argos script.
  • Fixed a bug with sensor certificate generation.

If you have already installed the 2.00 stable release, you can update to the 2.00.01 version by replacing the following files:

/opt/surfnetids/scripts/redirect_argos.pl
/opt/surfnetids/webinterface/template_add.php
/opt/surfnetids/genkeys/generate_certificate.sh
/opt/surfnetids/genkeys/sign_certificate.sh
/opt/surfnetids/genkeys/scriptvars
/opt/surfnetids/genkeys/servervars

You can do this by checking out the 2.00.01 stable version and copying the files over the old ones.
Finally, you will have to replace 2 lines in /opt/surfnetids/genkeys/vars.conf:
Replace

D=/opt/surfnetids/2.0/tunnel/trunk

With

D=/opt/surfnetids


And replace

export D=/opt/surfnetids/2.0/tunnel/trunk

With

export D=/opt/surfnetids

[29-11-07] SURFids 2.00 stable released

The day is finally here, SURFids 2.00 has been released as a stable version. Visit our Subversion page for information on how to get the SURFids 2.00 stable release.
In the (unlikely) event that you find a bug, please report this in our Trac environment located here.

[09-11-07] SURFids 2.0rc3

This is the 3rd release candidate. This release has been made due to some bugs found in the webinterface quickly after the release of the second release candidate.

[07-11-07] SURFids 2.0rc2

The second release candidate of the SURFids version 2.0 has been released today. Check out the SVN for the 2.0-rc2 tag.

[02-11-07] SURFids VMware demo

We have released a demo VMware image, which is basically a Debian VMware image with SURFids 2.0-rc2 installed and configured on it. This will enable you to take a look at a working SURFids system within a few minutes of work. This image can become a sensor as well as the server, meaning it can detect just like a sensor would with just its local network interface.
Requirements are VMware Workstation 4.0+ or VMware Player and some time to download and configure the image. In its default state, configuring takes about 5-10 minutes.

Check out the instruction page here: Downloadable Demo.

[28-09-07] SURFids 2.0rc1

As of now SURFids version 2.0rc1 is available in the branches as a Release Candidate. This version is intended for testing purposes. This release candidate still has some issues with browsers other than Firefox. This will be fixed in the upcoming stable release.
A demo version of the SURFids 2.0 can be found here.
New features of this release are:

  • Layer 2 detection
    • ARP poisoning attack detection
    • Rogue DHCP server detection
  • Argos integration
  • Redesigned webinterface
  • IP exclusions
  • RSS reports
  • Improved email reporting
  • CWSandbox support

To get this RC1:

svn checkout http://svn.ids.surfnet.nl/surfids/2.0/logserver/tags/rc1-2.00 /tmp/logserver-rc1-2.00
svn checkout http://svn.ids.surfnet.nl/surfids/2.0/tunnel/tags/rc1-2.00 /tmp/tunnel-rc1-2.00

[14-09-07] SURFids SVN

We have restructured our SVN repository to get a better representation of the code in the different versions. Each version now has its own trunk, branches and tags directory. Furthermore, we've added the version 2.00 tree, including a new subtree containing the Argos scripts. These scripts are used by a server hosting an Argos honeypot.

[24-07-07] SURFids SVN and Trac

We've now moved over from SourceForge to our own SVN and Trac server. The SVN repository is now located at:

http://svn.ids.surfnet.nl/surfids

The Trac environment for the SURF IDS is located here

Archive

Old news can be found in the News Archive

 
home.txt · Last modified: 2009/12/22 17:40 by ktrippelvitz