Welcome to the SURFcert IDS Development homepage. SURFcert IDS (previously SURFids) is an open source Distributed Intrusion Detection System based on passive sensors. The goal is to provide an early warning system which lets system administrators correlate known and unknown exploits to attacks directed towards their networks.
We have released sensor version 3.12 which should fix the missing keepalive problem that existed as of version 3.10. The sensors currently are not upgrading automatically anymore, so you might need to apply this update manually.
The logserver is now on version 3.11 with a minor bugfix to one of the Dionaea sql functions. It was not correctly logging downloads of binaries. As well as a minor bugfix to the top malware hosts page. It was not showing the ip address of the hosts.
SURFids 3.10 is officially released. There's a few things you need to be aware of when upgrading. First of all, remove any pins of OpenVPN on your tunnel server. The new tunnel server now supports OpenVPN 2.1 and no longer needs the old 2.0 version from the archive repo's. Upgrading the tunnel server should go smoothly, but be aware that the sensors will still be running with the old OpenVPN version until you kill the tunnels once.
Also be aware that the new version supports Kippo, so it might be interesting to install Kippo on your tunnel (or honeypot) server.
The sensor is now able to do limited APT manipulation. This means you will be able to either do an “apt-get upgrade”, and “apt-get install surfids-sensor” or an upgrade of all the dependencies of the SURFids sensor remotely. You can give these commands via the webinterface.
The Ethernet modules have been extended to also support MitM detection on IPv6 (even for networks that don't have native IPv6 this is a possible security risk).
As for the rest of the changes, here is the changelog of the key features:
Upcoming Thursday we will be putting the SURFids 3.10 packages live in the repository. This means that all the active sensors will be going to upgrade automatically to version 3.10. The 3.07 has an auto-update feature builtin that will do this. We realize that this is inconvenient as you would rather upgrade at your own leisure, so in the next release (3.10) this feature is turned off by default. For now though, be assured that 3.10 is compatible with the 3.0* log and tunnel server and the worst case scenario is that you will need to restart your sensor.
Stay tuned for the release notes on Thursday.
Since we have deployed Dionaea the amount of attacks we have been getting have grown so much that we had to rate limit it somewhat to keep our database size manageable. We had attackers trying to infect our Dionaea machine multiple times per second which is clearly not really useful information. A method of rate limiting we now have deployed (on our tunnel server) is the following:
# Rate limiting for dionaea iptables -A INPUT -p tcp -m tcp --dport 445 -m state --state NEW -m recent --set --name DEFAULT --rsource iptables -A INPUT -p tcp -m tcp --dport 135 -m state --state NEW -m recent --set --name DEFAULT --rsource iptables -A INPUT -p tcp -m tcp --dport 445 -m state --state NEW -m recent --update --seconds 30 --hitcount 5 --name DEFAULT --rsource -j DROP iptables -A INPUT -p tcp -m tcp --dport 135 -m state --state NEW -m recent --update --seconds 30 --hitcount 5 --name DEFAULT --rsource -j DROP
Basically what this does is: If in the last 30 seconds a remote source has initiated a new connection 5 times, block the next incoming connections. This is a sliding window. The nice thing about this solution is that you don't lose too much information while reducing the amount of attacks/records in the database significantly.
It's been quiet for a while so here's a preview of the upcoming changes that will be in the next stable release:
There's no official release date yet, but it's coming!
We have released new version of all 3 packages. These new releases mostly contain bugfixes and a few new features. After the sensor has installed there might be a chance that it will disconnect the tunnel. Just put the action command to “START” in the webinterface and it will start again.
Here are the changes:
Tunnel server 3.04
There are a few projects related to SURFids which are pretty interesting. I thought I should list them here for others to check out.
They have made a Snort plugin that logs all the Snort messages directly into the SURFids database. We haven't tested it ourselves yet, but I have seen the results and it looks pretty nice.
Aside from that, they are busy creating an SMTP honeypot that collects spam and scans it for malware and such. Both projects look interesting. I suggest everyone to give it a go.
Debian live seems to have a few undocumented features that are not really useful or even unsecure for our USB sensors.
If you have built your sensors with the previous scripts, we advise you to rebuild your images for security reasons. This is only applicable for the latest 3.0+ version and only for the USB sensors.
We have updated the scripts in the live-usb directory of the SVN sensor trunk. These scripts will take care of disabling a few Debian live features that are unneeded or unsecure. Take a look at the documentation of the 1b._bootable_usb for updated instructions how to build your USB images.
The key changes:
Finally, we have also updated the USB sensor documentation to add some more info about customizing your USB sensor.
There's a few bugs in the scanbinaries.pl script from SURFids 3.0 which will make it nearly impossible for the script to put any results in the database. A new version of the script can be manually downloaded here until it's incorporated in the next minor release.
If you want to fix this yourself right now, you will have to download this script and copy it over the old one in /opt/surfnetids/scripts/.
We now have a new location for our own packages. The manual has been modified to the correct URLS, but if you have already installed the package, you will need to modify your sources.list.
The new location is:
deb http://repo.ids.surfnet.nl/surfnetids/ lenny main
SURFids 3.0 is now finally released as stable. A few of the major changes in this release:
Here you can find a detailed changelog: Changelog.
You can find the installation instructions under the latest_docs segment in the menu on the left.
If you notice/find any bugs please let us know via email, IRC or the designated Trac page.
Old news can be found in the News Archive