1. Overview

Cheesewire is a modular intrusion detection system for Unix and Unix-like operating systems. It was originally developed on and for Solaris 7 boxes, and originally called SIDS. Cheesewire is easily extendable --- simply add another module.

The system is written in Perl; the CPAN modules Digest::MD5, Proc::ProcessTable and Algorithm::Diff are required. Some system utilities are required by some of the modules --- netstat and lsof at the time of writing. netstat is a standard utility to be found on all(?) Unix-like operating systems; lsof can be found at freshmeat.net.

Cheesewire is, as far as possible when installed and configured correctly, a self-contained system: ideally, private and statically-linked copies of the required binaries (the perl, netstat and lsof system utilities) are used, private copies of any required shared objects (libraries) are used likewise, and the dynamic-linking path (e.g., LD_LIBRARY_PATH) is set to point at them. In a perfect world the installation is run from read-only media.

Cheesewire is started by calling the sids shell script. This sets the LD_LIBRARY_PATH environment variable to ensure that private copies of OS libraries are used, rather than those in /lib, /usr/lib, etc., in case dynamically-linked binaries are in use, and then calls the main Perl script, sids.pl. sids.pl loads the chosen modules and initialises each; on initialisation each module loads its own configuration information. sids.pl then enters the main loop:

    while (1) {
        foreach my $module (@module_list) {
            if ($module->time_to_run) {
                $module->run_intrusion_checks;
            }
        }
        sleep $poll_interval;    # sleep a while (variable name illustrative)
    }

Thus some modules' intrusion checks are run more frequently than others. The overall load on the system is low, since most of the time Cheesewire is sleeping; the price is that network connections, processes, etc., are polled only periodically, and this polling is the chief weakness of the system.
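The scheduling just described, as an added example that is not part of Cheesewire: a toy module following the initialise / time_to_run / run_intrusion_checks interface, driven by a cut-down main loop over a simulated clock. The module name IDM_Example, its configuration fields and the five-second tick are assumptions.

```perl
# Added example, not Cheesewire's own code: a toy module with the
# initialise / time_to_run / run_intrusion_checks interface described
# above, driven by a cut-down main loop with a simulated clock.
use strict;
use warnings;

package IDM_Example;    # hypothetical module name

sub new {
    my ($class, %cfg) = @_;
    # "initialise": a real module would read its own configuration and
    # signatures here; this one just takes its poll interval (seconds).
    # last_run starts one interval in the past so the first pass runs it.
    my $self = { name => $cfg{name}, interval => $cfg{interval},
                 last_run => -$cfg{interval}, runs => 0 };
    return bless $self, $class;
}

sub time_to_run {
    my ($self, $now) = @_;
    return ($now - $self->{last_run}) >= $self->{interval};
}

sub run_intrusion_checks {
    my ($self, $now) = @_;
    # A real module compares current state (processes, sockets, file
    # digests) against its signatures; here we only record the run.
    $self->{last_run} = $now;
    $self->{runs}++;
    print "[t=$now] $self->{name}: checks run\n";
}

package main;

# Constructed module list: a cheap check every 5 s, a costly one every 30 s.
my @module_list = (
    IDM_Example->new(name => 'fast', interval => 5),
    IDM_Example->new(name => 'slow', interval => 30),
);
# The overview's main loop, but over a simulated clock of one minute so
# the example terminates; sids.pl would call sleep() instead.
my $tick = 5;
for (my $now = 0; $now < 60; $now += $tick) {
    foreach my $module (@module_list) {
        $module->run_intrusion_checks($now) if $module->time_to_run($now);
    }
    # sleep $tick;   # "sleep a while"
}
printf "%s ran %d times\n", $_->{name}, $_->{runs} for @module_list;
```

Over the simulated minute the fast module runs twelve times and the slow one twice, which is exactly the unequal polling frequency the text describes.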

Configuration of the installation is contained within SID_Config.pm; configuration of individual modules is contained within Modules_Config.pm, and the corresponding signatures within <sids_root>/etc. In common with many intrusion detection systems, configuration is non-trivial --- though not difficult.

Output from each module can be found within <sids_root>/var/log/<module_name>.log. The main script, sids.pl, sends its output to stdout, hence if not debugging one might start Cheesewire via

    cd <cheesewire_directory>/src
    ./sids >& ../var/log/sids.log &

(Cheesewire is the name of the system as a whole; there is also a module of the same name, IDM_cheesewire, which offers Tripwire-like functionality. This should lead to a certain amount of confusion.)

About this document:

Produced from the SGML: /home/isd/public_html/_cheesewire/_reml_grp/index.reml
On: 4/9/2006 at 17:35:44
Options: reml2 -i noindex -l long -o html -p multiple