IDABench
IDABench is a pluggable framework for intrusion analysis built upon the Naval Surface Warfare Center, Dahlgren Division's SHADOW versions 1.7 and 1.8.

IDABench is NOT intended to be an intrusion detection system, although it can be used as one. One of the primary design goals was to give intrusion analysts easy access, through a convenient web interface, to the tools and utilities they are already familiar with. The CGI scripts are extended via simple plugins that pass packet data to (and collect output from) libpcap-based tools such as tcpdump, tethereal, ngrep, etc. As access to other libpcap tools is desired, lightweight plugins can be written and installed without modifying existing IDABench code. The only limitation is that the new tool must be able to read packets captured with tcpdump or another libpcap-based sniffer. Candidates for plugins include Snort, p0f, tcpdstat, ntop, etc. [See Related Links]

IDABench requires Perl version 5.6.1 or newer. Supported platforms:

  • sensor: Solaris, FreeBSD, Linux
  • analyzer: Linux


Downloads & Documentation

Latest versions here:
Complete (sensor and analyzer) - idabench-1.0.tar.gz  -  gpg signature
Sensor Only - sensor-1.0.tar.gz -  gpg signature
Development versions -- No guarantees they will work
Documentation:
IDABench Changelog
IDABench Documentation
Related Links




Contacts

George Bakos, Project Lead -
gbakos@ists.dartmouth.edu




Mailing Lists

IDABench Users List (subscribers only, unmoderated)
subscribe

IDABench Developers List (subscribers only, moderated)
subscribe


Click thumbnails to view screen shots
screenshot 1
IDABench main window and toolbar showing evidence of successful evil doings.
screenshot 2
Scan detector detail including two false positives. Can you spot them?
screenshot 3
Search interface with the ngrep plugin selected.
screenshot 4
Ngrep search results with limited print output to save space. Note the "Max output lines" box.
screenshot 5
Tcpdump search results with graphical output, with the "steps" graphing type selected to show matching packets per hour.
screenshot 6
More tcpdump graphical output showing a frag DoS, using impulses to represent the number of matching packets per minute.
screenshot 7
Search results can be returned to the analyst as a single binary dumpfile that can be downloaded for further local analysis. No need to give the analysts shell accounts on the IDABench analyzer host.