Sunday, August 31, 2003

Shoki, the Alternative Open Source IDS

We all know how popular Snort is as an open source intrusion detection event generation engine. Have you ever heard of Shoki? I've known about it for a while, but while researching I found it seems to be progressing nicely. The latest release dates from May 2003. I'm probably most interested in the project's packet visualization tool, Hustler, from which the screenshot at left is taken. It looks like it doesn't just accept libpcap data, but must work with Shoki. It looks like Shoki is near the same phase as Sguil -- still rough, with some operator knowledge needed to get the system running.


Another open source IDS vying for its place in the sun is Tamandua. Version 2.0 was released in June 2003. It may be a good tool (I haven't used either Shoki or Tamandua), but I'm reluctant to try Tamandua. Most of the presentations are in Portuguese, and the project seems to be the offshoot of a commercial company.


At some point I'd like to have the skills necessary to turn projects I like into FreeBSD ports. That way, I can install, manage, and run them easily on my favorite operating system.