Intrusion detection systems typically fall into one of two categories: misuse detection and anomaly detection. In misuse detection systems, attacks are explicitly codified as signatures of some form. They are characterized by a low rate false positives but, to a greater or lesser extent, suffer from an inability to generalize from the signatures in their signature set. That is, new attacks, and even simple variations of attacks for which there are signatures, are often undetected. Anomaly detection systems detect attacks by comparing current system behavior to some representation of normal system behavior. This representation may be a software or protocol specification but more often takes the form of learning models that have been trained on some set of features that describe activity in the monitored system -- examples include fields in audit records, web requests, and system call invocations. Since anomaly detection systems do not include attack descriptions they have the advantage of being able to detect novel attacks that are distinguishable from normal system behavior in some way.

libAnomaly was created to make research on anomaly detection systems easier by providing implementations of features common to most anomaly detectors:

  • A collection of learning models that operate on common types (strings, integers)
  • Implementations of some common data types (strings, integers, doubles, lists)
  • Methods for aggregating anomaly scores from multiple models

You can get more information and download the software here.

Snort Alert Verification

Active alert verification is a technique designed to reduce the false positive rate of IDSs by actively probing for a vulnerability associated with detected attacks. If the vulnerability corresponding to a detected attack is found to exist in the host or network against which the attack was directed, the alert is generated, invoking any logging and response functions as normal. If, however, the vulnerability is determined not to exist, the alert is considered a false positive and is suppressed.

The alert verification patch enhances Snort with alert verification capabilities. In the current implementation, it is currently implemented as a set of Nessus NASL scripts mapped to Snort rules by CVE IDs. When a rule is triggered, the suspect packet and associated event data is queued for verification. If the NASL script determines that the vulnerability does exist on the target host, the alert is marked as having been verified. If the NASL script determines that the vulnerability does not exist, the alert is marked as unverified. Finally, if no NASL script corresponding to the detected attack is found, the alert is marked as unverifiable.

You can get more information and download the software here.

glibc Heap Protection

Buffer overflow exploits are the most popular class of attacks against remote hosts on today's Internet, and while stack overflows which overwrite a function return address remain the most popular and well-understood method of exploitation, heap overflows are becoming more and more popular as a means of exploiting systems. Furthermore, while there exist many methods of protecting software against stack overflows such as ProPolice or StackGuard, no comparable protection schemes have heretofore existed for heap-based overflows.

The heap protection patch protects the management information of boundary-tag-based heap managers against malicious or accidental modification. The technique has been implemented in Doug Lea's dlmalloc, which is included with glibc and is thus utilized by such OSes as Linux and the HURD.

You can get more information and download the software here.

Snort - NG

A network intrusion detection system such as Snort that processes data in real-time needs to keep up with the speed of the packets that are arriving on the network. If the system is not fast enough, it will start to drop packets (i.e. it does not analyze them). Because of the fact that many exploits can hide in a single packet, it is important to be able to monitor as many as possible, optimally every single one.

Snort-NG is a patch that replaces and improves the detection engine of Snort, one of the most well-known and deployed network intrusion detection system. Our engine makes the critical operation of Snort - the decision whether a packet matches a predefined set of rules (or signatures) - faster.

You can get more information and download the software here.