
As libnids seems to be two years old and there are no current updates, does someone know any alternative solution to libnids, or a better library than it, as it seems to drop packets at higher speeds (more than 1G per sec)?

And moreover, it has no support for 64-bit IP addresses.

nanofarad
forum.test17

1 Answer

An alternative to libnids is Bro. It comes with a robust TCP reassembler which has been thoroughly tested and used by the network security monitoring community over the years. It ships with a bunch of protocol analyzers for common protocols, such as HTTP, DNS, FTP, SMTP, and SSL.

Bro is "the Python of network processing": it has its own domain-specific scripting language with first-class types and functions for IP addresses (both v4 and v6), subnets, and ports. The programming style has an asynchronous, event-based flavor: users write callback functions for events that reflect network activity. The analysis operates at connection granularity. Here is an example:

event connection_established(c: connection)
{
    # connection_established fires once a TCP handshake completes, so the
    # port is matched as TCP here. Bro script comments start with '#'.
    if ( c$id$orig_h == 1.2.3.4 && c$id$resp_p == 31337/tcp )
        # IP 1.2.3.4 successfully connected to a remote host on port 31337.
        print fmt("%s connected to %s on port %s", c$id$orig_h, c$id$resp_h, c$id$resp_p);
}

Moreover, Bro supports a cluster mode that allows for line-rate monitoring of 10 Gbps links. Because most analyses do not require sharing of inter-connection state, Bro scales very well across cores (using PF_RING) as well as multiple nodes. There exist Bro installations with >= 140 nodes. A typical deployment looks as follows:

[Figure: NIDS cluster diagram (source: bro.org)]

Due to the high scalability, there is typically no more need to grapple with low-level details and fine-tune C implementations. Or put differently, with Bro you spend your time working on the analysis and not the implementation.

Glorfindel
mavam
  • Thanks for such a detailed reply, I will wait for some other replies before accepting your answer – forum.test17 Oct 02 '12 at 13:02
  • I don't find any tutorials to start with; more or less, I don't think it would be useful to develop a similar tool like http://www.wiley.com/legacy/compbooks/schiffman/ (libnids chapter 4: Lilt is a bare-bones TCP watching tool. It offers the user the capability to monitor the network for TCP connections and TCP port scans.) – forum.test17 Oct 02 '12 at 14:22
  • Unfortunately Bro does not have a user manual yet. However, I recommend checking out the [2011 workshop materials](http://www.bro-ids.org/bro-workshop-2011/) which have a similar structure and come with video recordings. – mavam Oct 02 '12 at 19:35
  • But I don't think I can do something like this (wiley.com/legacy/compbooks/schiffman, libnids chapter 4: Lilt is a bare-bones TCP watching tool. It offers the user the capability to monitor the network for TCP connections and TCP port scans.) in Bro. – forum.test17 Oct 03 '12 at 08:49
  • I still don't get why someone would learn a special scripting language for Bro which has no documentation. Do you have any alternative solutions, Matthias? – forum.test17 Oct 03 '12 at 09:44
  • The documentation is [quite](http://www.bro-ids.org/documentation/index.html) [detailed](http://www.bro-ids.org/documentation/scripts/base/event.bif.html), except for the lack of a user manual. I understand what libnids offers. However, its TCP reassembler is not thoroughly tested (e.g., do you know if it works in corner cases?) and TCP port scan detection can be done in [numerous](http://www.icir.org/vern/papers/portscan-oak04.pdf) [ways](http://www.isoc.org/isoc/conferences/ndss/09/pdf/09.pdf), there is no one-size-fits-all. Hence the higher level of abstraction. – mavam Oct 03 '12 at 15:51
  • The libnids TCP reassembler is not working in high-load situations; as I am much interested in finding an alternative for TCP packet reassembly, maybe I have to look into Snort or some kind of NIDS. – forum.test17 Oct 04 '12 at 10:52
  • In my case I don't think Bro will fulfill my needs :( – forum.test17 Oct 04 '12 at 10:53
  • Snort and Suricata indeed have a TCP reassembler as well. I do not know its quality, but it has been in use for a while. The Bro community uses a cluster approach to facing the high loads: it is easy to monitor (and reassemble packets) on 10Gbps links at line rate *plus* do sophisticated analysis on the application-layer payload. Good luck on your search, I'm happy to answer any Bro-related questions. – mavam Oct 05 '12 at 15:37
  • Hey Matthias, is the TCP reassembler in Bro tested? If so, can I combine C and Bro scripts? – forum.test17 Oct 08 '12 at 09:26
  • Yes, it is tested thoroughly through unit tests and extensive use by the community. Calling C functions from Bro scripts is well-supported via the BIF interface. Please send me an email for specific questions, we can then go into more details. – mavam Oct 08 '12 at 21:06
  • I will try to do the basics of the Bro IDS, and for further queries I will mail you. Thanks for your answers :) – forum.test17 Oct 09 '12 at 08:06
  • Can anyone tell me whether I still could use it, and where to start? – Radwa Ahmed May 12 '23 at 16:11
  • Zeek is still the go-to tool for this. So "yes", it's still relevant today. – mavam May 21 '23 at 03:42
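The comments above ask whether a Lilt-style "TCP watcher" (log new connections, flag port scans) can be written in Bro. The following is an added example in the Zeek (formerly Bro) scripting language; it is not code from the answer or from the Zeek project. The module name `ScanWatch`, the notice type `Port_Scan`, the threshold of 15 ports and the 5-minute window are all assumptions chosen for illustration; Zeek ships its own, more complete scan detector under `policy/misc/scan.zeek`, which is what you would normally enable in production.

```zeek
##! Added example, not part of the original answer: log each completed TCP
##! connection and raise a notice when one originator touches many distinct
##! destination ports on a single host. Run with: zeek -r trace.pcap scanwatch.zeek

@load base/frameworks/notice

module ScanWatch;

export {
    redef enum Notice::Type += {
        ## Raised when an originator contacts many distinct ports on one host
        ## (hypothetical notice type defined by this example).
        Port_Scan,
    };

    ## Distinct-port threshold per (originator, responder) pair. Assumed value.
    const port_threshold = 15 &redef;

    ## Drop a pair's counter after this much idle time. Assumed value.
    const scan_window = 5min &redef;
}

# Distinct responder ports seen per (originator, responder) pair.
# Entries expire on their own so the table does not grow without bound.
global ports_seen: table[addr, addr] of set[port] &create_expire=scan_window;

# Shared bookkeeping for both successful and unanswered TCP connections.
function record_port(c: connection)
{
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    if ( [orig, resp] !in ports_seen )
        ports_seen[orig, resp] = set();

    add ports_seen[orig, resp][c$id$resp_p];

    # Fire exactly once per pair, when the threshold is first reached.
    if ( |ports_seen[orig, resp]| == port_threshold )
        NOTICE([$note=Port_Scan,
                $msg=fmt("%s contacted %d distinct TCP ports on %s",
                         orig, port_threshold, resp),
                $src=orig,
                $dst=resp,
                $identifier=cat(orig, resp)]);
}

# Lilt-style connection watching: a line per completed TCP handshake.
event connection_established(c: connection)
{
    print fmt("TCP %s:%s -> %s:%s established",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
    record_port(c);
}

# SYNs that never get an answer are the typical footprint of a port scan.
event connection_attempt(c: connection)
{
    record_port(c);
}
```

Both `connection_established` and `connection_attempt` are raised only for TCP, so no protocol check is needed; the notice lands in `notice.log` through the Notice framework, where `$identifier` lets Zeek suppress repeated alerts for the same source/destination pair. Tuning the threshold and window to the network, and whitelisting known scanners such as vulnerability-management hosts, is the part that needs local judgement.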