1. Introduction


I am very happy and very proud to present LogIDS 1.0 today, a tool that not so long ago I could not even have imagined. But here it is! LogIDS is a new intrusion detection system built around the unified analysis of the logs of all your other security applications. This means that, at detecting intrusions, it will only be as good as your overall security architecture: the more numerous and varied the security tools you deploy around your network, the better LogIDS will be at detecting illicit activities. I sometimes like to think of it as a mega-IDS, as it does not try to do what other tools already do better, but tries to benefit from the strengths of each of these existing tools. For example, Snort is a very good network-based intrusion detection system, and Tripwire or integcheck (a companion tool for LogAgent 4.0) are very good host-based intrusion detection systems, but LogIDS will actually benefit from the logs of both to offer you a single view of what's going on on your network.

Of course, LogIDS is not limited to Snort or integcheck logs: it can work from just about any ASCII log file you can provide it with. I took great care to make it as flexible and vendor-independent as possible, even though I also took great care to make it work hand-in-hand with LogAgent 4.0 and its companion tools ADSScan (an alternate data stream scanner) and IntegCheck (an MD5/SHA1 hash-based file integrity checking system); their use is not mandatory, although strongly recommended. You can add to the mix your antivirus logs, personal firewall logs, ComLog logs, Event Viewer logs, download agent logs, Apache logs, and just about any ASCII log file you could think of (with the notable exception of IIS, which could very much benefit from LogIDS coverage, because of the hold it keeps on its log files).

LogIDS is built around four configuration files: map.txt, netdef.txt, filter.txt and rules.txt. I tried to make LogIDS as easy to configure and customize via these files as possible. filter.txt is the file where you define each of your monitored log files, its associated application, and the definition of each of its fields. In rules.txt, you define the rules that will apply according to conditions set on the fields you have defined in filter.txt. It is the combination of these two files that gives LogIDS its great flexibility over the kind of log files it can handle and the level of analysis it can perform. Unlike other log-based analysis software, I do not try to cover all the commercial tool logs that exist out there; instead I chose to give you complete control over how these files are defined. The file netdef.txt contains the definitions of the network items you want to monitor. These can be hosts, servers, subnetworks, firewalls, etc. The file map.txt lets you define a network map of your environment on which the items listed in netdef.txt are displayed. The result, when the application loads, is an interface like the one presented in Figure 1. As the data contained in your log files arrives, it is analysed, the appropriate rules are applied, and the entries eventually get displayed (if the rule says so) in the appropriate network item's text display field. Visual and sound warnings are also supported, as we will see later.
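The following is an added illustration of the filter/rules/netdef division of labour described above; it is not LogIDS's own code or configuration syntax. The log formats, field names, rule conditions, item names and sample lines are all constructed assumptions, chosen only to show how field definitions plus rules let one pipeline place a Snort line and an IntegCheck line on the same network item view.

```python
import re

# Constructed stand-in for filter.txt: for each monitored log, the application
# that writes it and the fields extracted from each line (assumed formats).
FILTERS = {
    "snort.log": {
        "app": "Snort",
        "fields": r"(?P<priority>\d) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<msg>.*)",
    },
    "integcheck.log": {
        "app": "IntegCheck",
        "fields": r"(?P<host>\S+) (?P<status>\w+) (?P<path>\S+)",
    },
}

# Constructed stand-in for rules.txt: a condition on the fields of one
# application, plus which field names the network item to display on.
RULES = [
    {"app": "Snort", "when": lambda f: int(f["priority"]) == 1, "item": "dst"},
    {"app": "IntegCheck", "when": lambda f: f["status"] == "MODIFIED", "item": "host"},
]

# Constructed stand-in for netdef.txt: identifiers seen in logs -> network items.
NETDEF = {"10.0.0.5": "web server", "fileserver": "file server"}


def process(logname, line, displays):
    """Apply the log's field definitions, then every rule for that application.
    Matching lines are appended to the display field of the mapped network item.
    Returns the list of items the line was displayed on."""
    spec = FILTERS[logname]
    match = re.match(spec["fields"], line)
    if match is None:          # line does not fit the field definition: ignored
        return []
    fields = match.groupdict()
    shown_on = []
    for rule in RULES:
        if rule["app"] != spec["app"] or not rule["when"](fields):
            continue
        item = NETDEF.get(fields[rule["item"]], "unmapped")
        displays.setdefault(item, []).append(f"[{spec['app']}] {line}")
        shown_on.append(item)
    return shown_on


def run_sample():
    """Feed constructed Snort and IntegCheck lines through the same pipeline."""
    displays = {}
    process("snort.log", "1 203.0.113.7 -> 10.0.0.5 WEB-ATTACKS suspicious request", displays)
    process("snort.log", "3 203.0.113.7 -> 10.0.0.5 ICMP echo request", displays)
    process("integcheck.log", "fileserver MODIFIED /etc/passwd", displays)
    process("integcheck.log", "fileserver OK /etc/hosts", displays)
    return displays
```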


Figure 1.



2. The theory behind LogIDS
