News Archive

[08-01-09] 2.00.04 bugfixes

There have been a few bugfixes since the latest release of 2.00.04. Check out the SVN for all the bugfixes:
Tunnel server bugfixes
Logging server bugfixes

To check them out:

svn checkout ./tunnel-bugfixes
svn checkout ./logserver-bugfixes

You can just overwrite the old files.

The version number in the logging server configuration file also hasn't been updated. You can change this to 2.00.04 manually in /etc/surfnetids/surfnetids-log.conf.

Happy new year everyone!

[18-11-08] SURFids 2.00.04 released

We've released SURFids 2.00.04 which contains a few minor bug fixes and a vulnerability fix. The only part that has changed is the logging server. To upgrade your 2.00.03 SURFids installation to 2.00.04:

tar -xvzf surfids-logserver-2.00.04.tar.gz
cd logserver
cp webinterface/menu.php /opt/surfnetids/webinterface/
cp webinterface/include/surfnetids.js /opt/surfnetids/webinterface/include/
cp scripts/ /opt/surfnetids/scripts/

Ofcourse any bugs you find with the new release can be submitted to our Trac page.

[13-10-08] Making graphs in the webinterface for 2.00.03

There's a small bug in the 2.00.03 release with creating graphs in the webinterface. To fix this you can checkout the following file and replace it in your webinterface/include/ directory.

svn co ./
cp surfnetids.js /opt/surfnetids/webinterface/include/

[27-06-08] SURFids 2.00.03 released

SURFids 2.00.03 is now stable and available from the stable tags in SVN. Features of this release are:

  • Added authorization check to whois.php
  • Added “Always send” option to mail logs
  • Added UTC time format to mail logs
  • Added Nepenthes & Cymru mail logging formats
  • Upgraded jQuery to 1.2.1
  • Added sensor version information to the sensor details page
  • Added sensor MAC address to the sensor details page
  • Major stability fix for VLAN sensors

Aside from using the installers to upgrade your SURFids to this version, you will need to add 1 perl package to the logging server. Read the UPDATE file for more information.

[16-05-08] OpenSSL vulnerability in Debian

The recent OpenSSL vulnerability in Debian has a rather high impact on the SURFids system. This basically means recreating all the certificates used by the SURFids system. A document explaining how to do this for a live SURFids environment can be found here.

[18-03-08] #surfnetids @

I wanted to mention the IRC channel once more. We are usually hanging out there while working and currently there are also a few helpful other SURFids users hanging about. So if you have any comments, need any help or have any suggestions, please be welcome in our IRC channel.

[05-03-08] SURFids 2.00.02 stable released

SURFids 2.00.02 stable has been released. This release contains several bugfixes to the webinterface as well as some bugfixes to a few tunnel scripts. For a more detailed list of bugfixes: Trac

[10-01-08] Bug in surfnetids-dhclient

A bug in surfnetids-dhclient will result in sensors not being to connect to the server properly when using dhcp. More info found in Trac: here

[13-12-07] SURFids 2.00.01 stable released

This stable release includes 3 critical bug fixes:

  • Fixed an XSS & SQL injection vulnerability.
  • Fixed a bug in the redirect argos script.
  • Fixed a bug with sensor certificate generation.

If you have already installed the 2.00 stable release, you can update to the 2.00.01 version by replacing the following files:


You can do this by checking out the 2.00.01 stable version and just copy the files over the old ones.
Finally, you will have to replace 2 lines in /opt/surfnetids/genkeys/vars.conf:




And replace

export D=/opt/surfnetids/2.0/tunnel/trunk


export D=/opt/surfnetids

[29-11-07] SURFids 2.00 stable released

The day is finally here, SURFids 2.00 has been released as a stable version. Visit our Subversion page for information on how to get the SURFids 2.00 stable release.
In the (unlikely) event that you find a bug, please report this in our Trac environment located here.

[09-11-07] SURFids 2.0rc3

This is the 3rd release candidate. This release has been made due to some bugs found in the webinterface quickly after the release of the second release candidate.

[07-11-07] SURFids 2.0rc2

The second release candidate of the SURFids version 2.0 has been released today. Check out the SVN for the 2.0-rc2 tag.

[02-11-07] SURFids VMware demo

We have released a demo VMware image which is basically a debian vmware image with the SURFids 2.0-rc2 installed and configured on it. This will enable you to take a look at a working SURFids system within a few minutes of work. This image can become a sensor as well as the server, meaning it can detect just like a sensor would with just it's local network interface.
Requirements are VMware workstation 4.0+ or VMware player and some time to download and configure the image. In it's default state, configuring takes about 5-10 minutes.

Check out the instruction page here: Downloadable Demo.

[28-09-07] SURFids 2.0rc1

As of now SURFids version 2.0rc1 is available in the branches as a Release Candidate. This version is intended for testing purposes. This release candidate still has some issues with browsers other than Firefox. This will be fixed in the upcoming stable release.
A demo version of the SURFids 2.0 can be found here.
New features of this release are:

  • Layer 2 detection
    • ARP poisoning attack detection
    • Rogue DHCP server detection
  • Argos integration
  • Redesigned webinterface
  • IP exclusions
  • RSS reports
  • Improved email reporting
  • CWSandbox support

To get this RC1:

svn checkout /tmp/logserver-rc1-2.00
svn checkout /tmp/tunnel-rc1-2.00

[14-09-07] SURFids SVN

We have restructured our SVN repository to get a better representation of the code in the different versions. Each version now has it's own trunk, branches and tags directory. Furthermore, we've added the version 2.00 tree, including a new subtree containing the Argos scripts. These scripts are used by a server hosting an Argos honeypot.

[24-07-07] SURFids SVN and Trac

We've now moved over from SourceForge to our own SVN and Trac server. The SVN repository is now located at:

The Trac environment for the SURF IDS is located here

[13-07-07] Public IDS service down

From 16-07 to 19-07 the Public IDS service will be down while power maintenance is being done.

[05-07-07] Detected attacks Google map of June 2007

This is a map of the detected attacks by our IDS system of the month June this year.
Detected attacks of June
Not surprisingly most the attacks originate in Europe.

[23-04-07] Stable Version 1.04 Out Now !!!

Where proud to present our new stable version. With lots of new features.

  • VLAN support
  • Googlemaps
  • Advanced plotting
  • Geolocation support
  • Enhanced antivirus scanner support
  • Improved index page
  • Improved sensor scripts (perl)
  • Knoppix 5.0.1 sensor image
  • Server rrd stats

If you want to take a look at it. Check out our demo

You can download it at sourceforge as Source tar.gz or checkout via svn with:

svn checkout /opt/surfnetids

[17-04-07] Interesting statistics

Now we've been running our own SURF IDS system for more than a year now. Here's some statistics based on all our data with +/- 30 sensors spread throughout the Netherlands and a few other places in Europe.

Exploits (based on 92218 total exploits detected)

#  Exploit
1. DCOM 	57%
2. IIS          12%
3. Symantec AV 	10%
4. NetDDE 	7%
5. ASN1 	7%
6. LSASS 	4%
7. Sasser 	1%
8. WINS 	1%
9. MyDoom 	1%
10.Dameware 	1%

Ports (based on 584963 connections)

#   Port        
1.  445         36%
2.  139         20%
3.  135         19%
4.  80 	        13%
5.  2967        5%
6.  8555        1%
7.  21 	        1%
8.  10000 	1%
9.  1025 	1%
10. 5000 	1%

Malware filenames (based on 18456 filenames)

#   Filename
1.  myhost.exe 	        24%
2.  BSDMPldrvr642.exe 	13%
3.  rp5.exe             11%
4.  cmd.gif             10%
5.  svcvhost.exe 	10%
6.  jswTss.exe          9%
7.  waucult.exe 	7%
8.  h3110.411           6%
9.  update.exe          6%
10. msssmsngr6417.exe 	5%

Protocols used to download the malware (based on 144220 hits)

#  Protocol
1. ftp                  37%
2. link                 34%
3. tftp                 20%
4. http                 7%
5. creceive             2%

Operating Systems (based on 576921 IP's)

#  OS
1. Windows 	552341  96%
2. Linux 	14384   2%
3. NMAP 	8299    1%
4. FreeBSD 	1743    0%
5. OpenBSD 	154     0%

[05-04-07] Public IDS service offline for the weekend

Due to maintenance on the power supplies in the building we will be shutting down the Public IDS system for the weekend.

[07-03-07] Added 1.04rc2 to SVN

The version 1.04rc2 is now available in the SVN repository at SourceForge. This version is release candidate 2 which fixes several issues from the 1.04beta version.

  • Installer now sets up an SVN root for the sensor updates.
  • Plotter now correctly handles null values and has support for port ranges and exclusions.
  • The location of phplot.php library is now a config value.
  • Tunnel installer now reads default certificate generation values from existing certificates if possible.
  • The index page now contains a few generic graphs and overviews.

[12-02-07] v1.04beta notes

Some additional notes about the beta release.

  • The svnupdate script on the sensor is working in theory, but is considered very beta. A howto on how to setup your repository will be added later (and maybe added to the installer script).
  • Due to the large changes on the sensor side, upgrading sensors from 1.03 to 1.04 is tricky.
  • Keep checking the 1.04beta branch in SVN for updates.

[09-02-07] v1.04beta(rc1) available in SVN

v1.04 is available as a BETA release in SVN. This is the version with the googlemap, multiple virus scanners, Norman sandbox support, phplot and perl sensor scripts. Both the logging server and the tunnel server come with an installation script. This version is considered beta. We welcome everyone to download and test this release. If you want to take a look at it check our SURF IDS Demo

Installation is easy, just check out the v1.04 beta branch and start the installer script.

[30-01-07] Migration to DokuWiki

We've migrated the webpage to dokuwiki. This is to ease the level of administration required and to make sure the page is readable with most browsers.

[12-01-07] Progress

We thought that it would be a good idea to keep you up to date on what we have been doing.


  • Advanced plotting of graphs using phplot.
  • Mapping of attacks using googlemap.
  • Extra virusscanners.
  • Norman analyses.
  • Input validation.

Screenshots 1.04


  • Knoppix 5.0.1
  • VLAN 802.1q support
  • Perl based scripts


  • Integration of ARGOS and possibility to add more honeypots/ids systems.
  • And some more things.
news_archive.txt · Last modified: 2012/07/12 11:27 (external edit)
Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki