Building Open Source Network Security Tools: Components and Techniques [Electronic resources]

Mike D. Schiffman


Chapter 4: The Libnids Library

Overview

URL: http://www.packetfactory.net/Projects/libnids

Primary author: Rafal Wojtczuk

Component type: C language library

License: GPL

Version profiled: 1.16

Dependencies: libnet-1.0.x, libpcap

Libnids provides the programmer with a portable API that simulates the Event Generator (E-box) component of a Network Intrusion Detection System (NIDS). Within an NIDS, the E-box's job is to sample the environment in which it specializes and convert occurrences in that environment into standard data objects for subsequent storage and/or analysis. In libnids' case, the environment is the local network, and the occurrences consist of standard low-level packet capturing and evaluation events. Currently, libnids offers the following functions:

IP defragmentation (mimics a Linux 2.0.36 kernel)

TCP stream reassembly (mimics a Linux 2.0.36 kernel)

TCP port scan detection (tunable by the applications programmer)

Libnids was designed to be robust and to stand up to many of the vulnerabilities that traditionally plague NIDS. The libnids engine correctly handles all of the issues detailed in the landmark Newsham/Ptacek NIDS evasion paper as well as all of the attacks that Dug Song's original Fragrouter tool performs.
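The TCP stream reassembly function listed above, and the evasion resistance described in this paragraph, come down to one requirement: the E-box must rebuild a byte stream from segments that may arrive out of order, duplicated, or overlapping, and it must resolve those overlaps the same way the monitored end host does (libnids fixes that behaviour to a Linux 2.0.36 kernel). The following self-contained C program is an added illustration of that idea, not code from libnids or from this book. It implements a constructed, minimal re-sequencing buffer with a single fixed overlap policy (first-arrived data wins) so that the effect of an inconsistent retransmission is visible; a production reassembler like libnids additionally tracks both directions, handles sequence-space wrap across a full window, and applies the target stack's exact overlap rules.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REASM_WINDOW 4096

/* One direction of a TCP conversation, re-sequenced relative to the
 * initial sequence number (ISN) of its payload. Constructed example type. */
struct reasm {
    uint32_t isn;                 /* sequence number of the first payload byte */
    uint8_t  buf[REASM_WINDOW];   /* payload bytes, indexed by seq - isn */
    uint8_t  have[REASM_WINDOW];  /* 1 if that byte position has been filled */
};

void reasm_init(struct reasm *r, uint32_t isn)
{
    memset(r, 0, sizeof *r);
    r->isn = isn;
}

/* Insert one segment's payload. Overlapping bytes keep the first-arrived
 * data (constructed policy; the real policy must match the end host).
 * Returns the number of bytes newly stored; bytes beyond the window are dropped. */
size_t reasm_add(struct reasm *r, uint32_t seq, const uint8_t *data, size_t len)
{
    size_t stored = 0;
    for (size_t i = 0; i < len; i++) {
        /* unsigned subtraction keeps this correct across a 32-bit wrap */
        uint32_t off = (seq + (uint32_t)i) - r->isn;
        if (off >= REASM_WINDOW || r->have[off])
            continue;
        r->buf[off] = data[i];
        r->have[off] = 1;
        stored++;
    }
    return stored;
}

/* Length of the gap-free prefix that can be handed to higher-level decoding. */
size_t reasm_contiguous(const struct reasm *r)
{
    size_t n = 0;
    while (n < REASM_WINDOW && r->have[n])
        n++;
    return n;
}

/* Copy the contiguous prefix into out as a NUL-terminated string. */
size_t reasm_read(const struct reasm *r, char *out, size_t outsz)
{
    size_t n = reasm_contiguous(r);
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, r->buf, n);
    out[n] = '\0';
    return n;
}

/* Constructed segments for one client half-stream, delivered out of order,
 * with a later segment that overlaps seq 1004 carrying different bytes. */
size_t demo(char *out, size_t outsz)
{
    struct reasm r;
    reasm_init(&r, 1000);
    reasm_add(&r, 1004, (const uint8_t *)"USER", 4);   /* arrives first, leaves a gap */
    reasm_add(&r, 1000, (const uint8_t *)"GET ", 4);   /* fills the gap */
    reasm_add(&r, 1004, (const uint8_t *)"ROOT", 4);   /* conflicting overlap: ignored */
    reasm_add(&r, 1008, (const uint8_t *)" /\r\n", 4);
    return reasm_read(&r, out, outsz);
}

/* 1 if the demo stream decodes to the request line the end host would see. */
int demo_ok(void)
{
    char out[64];
    size_t n = demo(out, sizeof out);
    return n == 12 && memcmp(out, "GET USER /\r\n", 12) == 0;
}

/* Contiguous bytes available while the first segment is still missing: 0. */
size_t demo_gap(void)
{
    struct reasm r;
    reasm_init(&r, 1000);
    reasm_add(&r, 1004, (const uint8_t *)"USER", 4);
    return reasm_contiguous(&r);
}

int main(void)
{
    char out[64];
    size_t n = demo(out, sizeof out);
    printf("reassembled %zu bytes: %s", n, out);
    return demo_ok() ? 0 : 1;
}
```

The point to take from the demo is the third `reasm_add` call: two segments claim the same sequence range with different contents, and whichever byte the reassembler keeps decides what the higher-level decoder sees. If the detector's choice differs from the end host's, the two systems interpret the same packets as different requests, which is exactly the class of inconsistency the Newsham/Ptacek paper catalogues and the reason libnids pins its behaviour to one specific kernel.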

Libnids is useful for building an NIDS. The library takes care of all the low-level network legwork and algorithm design, reducing the application programmer's task to assembling the tool and decoding the high-level events it produces.