Firestorm Network Intrusion Detection System (NIDS)

Last updated: Sat, 18 Jun 2005

Firestorm is a network intrusion detection system (NIDS) written by Gianni Tedesco. It’s faster, cleaner, more stable and more secure than most other offerings, and it’s GPL. I have been informally tinkering with Firestorm’s innards for some time now, finding bugs and adding protocols or features (and learning much from Gianni). I’ve:

  • Helped out with documentation
  • Tested protocol decoding
  • Added IPX decoding and matching support (the world’s first Snort IPX rules!)
  • Wrote ELOG support for Ethereal
  • Been working on an arpwatch-type preprocessor
  • Improved ARP decoding

Ethereal as an IDS Interface

I’ve written support for the protocol analyser Ethereal to read and dissect the Firestorm ELOG format. You can find the Ethereal patch and a screenshot within my downloads directory. I may put a couple of example elog files on there to play with too.

This is now quite out of date. I plan on rewriting this support in the hope it will be accepted officially into Ethereal so I don’t have to keep porting patches on each new release (which is slow and painful). I won’t be providing any new packages, but these old ones should work (though they contain various Ethereal bugs).

I also provide i386 and powerpc Debian packages built on the latest Debian unstable. No apt repository here yet, but it should be available via the official Firestorm repository.

There are a couple of issues with this. Firstly, my patch uses the elog code directly from Firestorm. This code uses mmap to access the elog files, which is not portable (in the Ethereal sense, since Ethereal is apparently primarily used on Windows!). I’ve only tested this on Linux, with the 2.4 kernel series. I’d like to port the elog code to use portable file routines at some point, with a view to getting this into the official Ethereal code.

The other issue is one of decoding consistency. Firestorm and Ethereal share no protocol decoding code. Variances between the two may provide a different view of a packet or alert (I’ve used this to find a couple of bugs with Firestorm actually).

Also, Ethereal really isn’t designed to be useful to an IDS admin. With a large alert file things will quickly start to bog down, especially with complex queries. The Firestorm gnome interface is designed from the ground up for use as an IDS GUI and will outperform Ethereal many times over, but it is still young.

ARP spoof detection

I’ve written a Firestorm preprocessor called macwatch to detect ARP spoofing and other Ettercap-style shenanigans. Currently it keeps track of protocol and hardware address tuples and alerts on any changes. This might not be ideal in a super-dynamic DHCP environment, but can be enlightening in other scenarios. It’s similar to arpwatch but should be superior due to macwatch’s performance and flexibility.

macwatch is available in the current version (0.5.5) of Firestorm.

Current features

  • Processing of ARP request and reply packets
  • Hash lookups for high performance
  • Variable-sized addresses (currently up to 128-bit, to accommodate IPv6)
  • Different ARP protocols (Ethernet, AppleTalk, etc.)
  • Gratuitous ARP detection

TODO

  • DoS protection (hi/lo watermarks with LFU lists?)
  • Alert on replies with no requests
  • IP packet checker
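The detection logic described in the macwatch section above (tuple tracking with hash lookups, variable-sized addresses taken from the ARP header, gratuitous ARP detection), plus the “alert on replies with no requests” item from the TODO list, worked through as an added Python example. This is not macwatch’s own code (Firestorm is written in C); it assumes raw ARP payloads with the link-layer header already stripped, and every packet it processes is constructed for the demo rather than captured.

```python
"""Added example: a macwatch-style ARP watcher (not Firestorm's own code).

Keeps (protocol type, protocol address) -> hardware address tuples in a dict
(hash lookup), alerts when a tuple changes, flags gratuitous ARP, and also
flags replies that were never requested.  Address sizes come from the ARP
header's hlen/plen fields, so 6-byte MACs with 4-byte IPv4 addresses and
longer protocol addresses parse the same way.  All packets are constructed.
"""
import struct
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_HDR = struct.Struct("!HHBBH")   # htype, ptype, hlen, plen, oper (RFC 826)


@dataclass(frozen=True)
class ArpPacket:
    htype: int
    ptype: int
    oper: int
    sha: bytes   # sender hardware address
    spa: bytes   # sender protocol address
    tha: bytes   # target hardware address
    tpa: bytes   # target protocol address


def parse_arp(payload: bytes) -> ArpPacket:
    """Parse an ARP payload (link-layer header already stripped)."""
    if len(payload) < ARP_HDR.size:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = ARP_HDR.unpack_from(payload)
    if len(payload) < ARP_HDR.size + 2 * (hlen + plen):
        raise ValueError("truncated ARP address fields")
    off = ARP_HDR.size
    fields = []
    for size in (hlen, plen, hlen, plen):   # sha, spa, tha, tpa
        fields.append(payload[off:off + size])
        off += size
    return ArpPacket(htype, ptype, oper, *fields)


def build_arp(oper, sha, spa, tha, tpa, htype=1, ptype=0x0800) -> bytes:
    """Build an ARP payload; used only to construct the demo packets."""
    return ARP_HDR.pack(htype, ptype, len(sha), len(spa), oper) + sha + spa + tha + tpa


class MacWatch:
    """Tracks protocol-address -> hardware-address bindings and emits alerts."""

    def __init__(self):
        self.table = {}        # (ptype, proto addr) -> hw addr, learned from senders
        self.pending = set()   # (ptype, proto addr) asked for by a request, not yet answered
        self.alerts = []

    def process(self, payload: bytes):
        p = parse_arp(payload)
        if p.oper not in (ARP_REQUEST, ARP_REPLY):
            return []
        new = []
        key = (p.ptype, p.spa)
        # Gratuitous ARP: sender announces its own address (spa == tpa).
        # ARP probes use an all-zero spa and are not counted as gratuitous.
        gratuitous = p.spa == p.tpa and any(p.spa)
        if gratuitous:
            new.append(("gratuitous-arp", p.spa.hex(), p.sha.hex()))
        if any(p.spa):   # both requests and replies carry a usable sender tuple
            old = self.table.get(key)
            if old is not None and old != p.sha:
                new.append(("address-changed", p.spa.hex(), old.hex(), p.sha.hex()))
            self.table[key] = p.sha
        if p.oper == ARP_REQUEST:
            self.pending.add((p.ptype, p.tpa))
        elif not gratuitous:
            # A reply's spa is the address that was asked for; no matching
            # outstanding request means nobody asked (typical of cache poisoning).
            if key not in self.pending:
                new.append(("unsolicited-reply", p.spa.hex(), p.sha.hex()))
            self.pending.discard(key)
        self.alerts.extend(new)
        return new


def run_demo():
    """Constructed traffic: a legitimate exchange, a poisoning reply, a gratuitous ARP."""
    mac_a, mac_b, mac_x = (bytes.fromhex(h) for h in
                           ("020000000001", "020000000002", "0200000000ff"))
    ip_a, ip_b = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])
    zero = b"\x00" * 6
    w = MacWatch()
    w.process(build_arp(ARP_REQUEST, mac_a, ip_a, zero, ip_b))   # A asks who has B
    w.process(build_arp(ARP_REPLY, mac_b, ip_b, mac_a, ip_a))    # B answers: no alert
    w.process(build_arp(ARP_REPLY, mac_x, ip_b, mac_a, ip_a))    # X claims B's address
    w.process(build_arp(ARP_REQUEST, mac_a, ip_a, zero, ip_a))   # A announces itself
    return w.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

The third packet produces two alerts (the binding for B’s address changed, and the reply was never requested); the fourth produces a gratuitous-ARP alert but no change alert, because the tuple it carries matches what was already learned from the first packet. Like macwatch, this would be noisy on a very dynamic DHCP segment, and the `pending` set would need the high/low watermark handling the TODO list mentions before it could face hostile request floods.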