What is it?

IDEA is an architecture for implementing a distributed intrusion detection system on a computer network. It provides a way to incorporate many different IDS sensors into one architecture and have them report to a central IDEA server. This server collects, aggregates, and correlates data from the sensors, providing a unified view of network activity. Because the server exposes an open API, many different clients can connect to it and "subscribe" to the event notification service, so that a client is notified any time a new alert is received from any of the sensors. This type of architecture can greatly enhance a security administrator's situational awareness of network events, allowing faster response to malicious activity. Currently, IDEA implements receiving, processing, and displaying alerts from the Snort IDS. Other IDSs (both host- and network-based) are planned for inclusion in the IDEA architecture.
Project Goals:

IDEA is more than just a software application for moving around IDS alerts. It is a concept for the implementation of Distributed Intrusion Detection. Currently, many networks have only one IDS, or one type of IDS, in use. IDEA's main goal is to provide a way to interpret data from all of these systems, including several disparate systems at the same time, and provide a unified view into network activity. The software that has thus far been developed is by no means the ultimate solution to the realization of these goals -- it is simply my best try (considering I have had no formal computer programming education) at an implementation of these concepts. It is my hope that the open-source community can apply their insight and expertise to help further the idea of Distributed IDS and help to make it a reality.

IDEA is a Java-based client-server architecture for receiving Snort alerts as XML over TCP. There are currently two parts to this architecture: the client and the server. There is currently one functional server and two functional clients -- a web-based client and a Java client application (the IDEA console). The IDEA server listens on TCP port 1051 for alerts from Snort sensors, converts each alert to a Java object, and buffers it for retrieval and processing by IDEA clients.
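The receive-parse-buffer path described above, as an added example in Python (it is not IDEA's own Java code). The XML layout of the sample messages, the element and attribute names, the `AlertCollector` class and the sensor allow-list are all constructed for this example; the page does not give IDEA's or Snort's actual XML schema. Two practitioner points are built in: the buffer is bounded so a chatty sensor cannot exhaust server memory, and a malformed message is counted and dropped rather than allowed to kill the collector.

```python
"""Added example (not IDEA's own code): a minimal collector in the spirit of
the IDEA server. It takes one XML alert per sensor message, enforces a
host allow-list, parses the message into an object and keeps a bounded
alert buffer. The XML layout is constructed for the example, not Snort's."""
import collections
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str
    signature: str
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def parse_alert(xml_text: str) -> Alert:
    """Convert one sensor message into an Alert.

    Raises ET.ParseError / KeyError / ValueError on malformed input so the
    caller can count and drop it instead of crashing the collector.
    Caveat: xml.etree does not defend against entity-expansion payloads;
    for sensors you do not fully trust, parse with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "alert":
        raise ValueError("unexpected root element %r" % root.tag)
    src = root.find("src")
    dst = root.find("dst")
    if src is None or dst is None:
        raise ValueError("alert missing src/dst")
    # ip_address() rejects junk such as "1.2.3.4; drop table" before it is stored.
    return Alert(
        sensor=root.attrib["sensor"],
        signature=root.attrib["sig"],
        proto=root.attrib["proto"],
        src=str(ipaddress.ip_address(src.attrib["ip"])),
        src_port=int(src.attrib["port"]),
        dst=str(ipaddress.ip_address(dst.attrib["ip"])),
        dst_port=int(dst.attrib["port"]),
    )


class AlertCollector:
    """Holds the last `buffer_size` alerts (the administrator-definable size)."""

    def __init__(self, buffer_size: int, allowed_sensor_nets):
        self.buffer = collections.deque(maxlen=buffer_size)
        self.allowed = [ipaddress.ip_network(n) for n in allowed_sensor_nets]
        self.accepted = 0
        self.rejected_host = 0
        self.malformed = 0

    def sensor_allowed(self, peer_ip: str) -> bool:
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in net for net in self.allowed)

    def receive(self, peer_ip: str, xml_text: str) -> bool:
        """Handle one message from a sensor connection; True if it was buffered."""
        if not self.sensor_allowed(peer_ip):
            self.rejected_host += 1
            return False
        try:
            alert = parse_alert(xml_text)
        except (ET.ParseError, KeyError, ValueError):
            self.malformed += 1
            return False
        self.buffer.append(alert)   # the oldest alert is evicted when full
        self.accepted += 1
        return True

    def snapshot(self):
        """What a client retrieves: newest alert first."""
        return list(reversed(self.buffer))


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_MESSAGES = [
    ("192.0.2.5", '<alert sensor="snort-dmz" sig="ICMP PING NMAP" proto="ICMP">'
                  '<src ip="203.0.113.7" port="0"/><dst ip="192.0.2.10" port="0"/></alert>'),
    ("192.0.2.5", '<alert sensor="snort-dmz" sig="SCAN nmap TCP" proto="TCP">'
                  '<src ip="203.0.113.7" port="40000"/><dst ip="192.0.2.10" port="22"/></alert>'),
    ("198.51.100.9", '<alert sensor="rogue" sig="x" proto="TCP">'          # not an allowed host
                     '<src ip="203.0.113.7" port="1"/><dst ip="192.0.2.10" port="2"/></alert>'),
    ("192.0.2.6", '<alert sensor="snort-lan" sig="bad"><src ip="not-an-ip" port="0"/></alert>'),
    ("192.0.2.6", '<alert sensor="snort-lan" sig="WEB-IIS cmd.exe access" proto="TCP">'
                  '<src ip="203.0.113.7" port="51000"/><dst ip="192.0.2.80" port="80"/></alert>'),
]


def run_sample(buffer_size: int = 2) -> AlertCollector:
    collector = AlertCollector(buffer_size, ["192.0.2.0/24"])
    for peer, msg in SAMPLE_MESSAGES:
        collector.receive(peer, msg)
    return collector


if __name__ == "__main__":
    c = run_sample()
    for a in c.snapshot():
        print(a.sensor, a.signature, a.src, "->", a.dst, a.dst_port)
    print("accepted", c.accepted, "rejected hosts", c.rejected_host, "malformed", c.malformed)
```

With a buffer size of 2, three of the five constructed messages are accepted but only the two newest survive in the buffer; one message is refused on its source address and one is counted as malformed.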

Current features of the IDEA server include:
  • Administrator definable alert buffer size (specify the number of alerts to hold)
  • Alert forwarding (allows creation of IDEA hierarchies)
  • Administrator definable max users
  • Security access controls (specify which users and hosts can connect)
  • Java/CORBA based (allows connections from many different types of clients)
  • Keepalives (prevents dead or hung clients from denying access to other clients)
  • Secure authentication - MD5 challenge/response user authentication, so the password itself never crosses the wire in the clear (the challenge/response protects only the login: it does not encrypt the alert or client traffic, and a captured exchange can still be guessed against offline if the password is weak)
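Both sides of an MD5 challenge/response login, as an added example that is not IDEA's own code. The page says only "MD5 challenge/response", so the construction used here, md5(challenge || password), the `AuthServer` class, the account table and the wordlist are all assumptions for illustration. The block also shows what the feature does not give you: an eavesdropper who captures one exchange can test password guesses offline, and the server must hold the password (or an equivalent secret) in recoverable form to verify the response.

```python
"""Added example (not IDEA's own code): an MD5 challenge/response login of
the kind the page describes, with both messages of the exchange, a replay
check, and the offline guessing a passive observer can still do. The
construction md5(challenge || password) is an assumption."""
import hashlib
import hmac
import secrets
from typing import Optional


def compute_response(challenge: str, password: str) -> str:
    # Assumed construction. Only this digest crosses the wire; the password
    # itself never does, which is exactly the property the feature claims.
    return hashlib.md5((challenge + password).encode("utf-8")).hexdigest()


class AuthServer:
    """Server side. A scheme like this needs the password (or an equivalent
    secret) in recoverable form on the server; here it is a constructed
    in-memory table, which is the caveat to keep in mind for deployment."""

    def __init__(self, users: dict):
        self.users = dict(users)
        self.pending = {}          # user -> outstanding challenge

    def start(self, user: str) -> str:
        """Message 1 (server -> client): a fresh, unpredictable nonce."""
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return challenge

    def finish(self, user: str, response: str) -> bool:
        """Message 2 (client -> server) is checked exactly once; the
        challenge is discarded so a captured response cannot be replayed."""
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.users:
            return False
        expected = compute_response(challenge, self.users[user])
        return hmac.compare_digest(expected, response)


def client_login(server: AuthServer, user: str, password: str):
    """Client side; returns (ok, challenge, response) so the example can
    also play the role of an eavesdropper on the same exchange."""
    challenge = server.start(user)
    response = compute_response(challenge, password)
    return server.finish(user, response), challenge, response


def offline_guess(challenge: str, response: str, wordlist) -> Optional[str]:
    """What an eavesdropper does with one captured (challenge, response)
    pair: no interaction with the server, no rate limit, just hashing."""
    for candidate in wordlist:
        if compute_response(challenge, candidate) == response:
            return candidate
    return None


# Constructed accounts and a constructed wordlist.
USERS = {"analyst": "winter2003", "admin": "c4nd1d4t3-Xq9!v"}
WORDLIST = ["password", "snort", "winter2003", "admin"]


def demo():
    server = AuthServer(USERS)
    ok, challenge, response = client_login(server, "analyst", "winter2003")
    bad, _, _ = client_login(server, "analyst", "wrong")
    replayed = server.finish("analyst", response)      # no pending challenge left
    guessed = offline_guess(challenge, response, WORDLIST)
    ok2, ch2, resp2 = client_login(server, "admin", USERS["admin"])
    strong_guess = offline_guess(ch2, resp2, WORDLIST)
    return ok, bad, replayed, guessed, strong_guess


if __name__ == "__main__":
    print(demo())
```

The correct login succeeds, the wrong password and the replayed response both fail, and the weak analyst password is recovered from the captured pair without ever touching the server again; the stronger admin password is not in the wordlist and is not recovered.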
Current features of the Java client application are:
  • Alerts displayed in real-time as they are received from sensors
  • Filtering / sorting capability shows you only the data you're concerned with
  • Colorization of alerts from user-specified IPs/networks improves awareness
  • Automated e-mail/pager notification of high-priority events (user definable)
  • Graphical/geospatial display of events in real-time
  • Sensor management -- store information about each sensor in your network
  • Database connectivity (currently MySQL, others planned) -- ability to query for the following:
    • Alerts within a specified time range
    • Alerts matching user-defined patterns
    • Graphical display of: top 10 source and destination addresses and ports, most active sensors, number of alerts, and top 10 alert signatures
  • Standalone capability - can receive alerts directly from sensors rather than from IDEA server
  • Rapid query of related alerts -- instantly see whether the same source has hit your network before
  • Collaboration -- IDEA server provides the capability to "chat" with other security admins who are connected to the same IDEA server -- pool your efforts and put your brains together.
  • Host info lookup -- one-click whois and nslookup return information on the hosts behind suspicious traffic
  • Email alert summaries -- rapidly send a summary of an alert to a collaborator.
  • Sensor ignore list -- allows division of labor so analysts only receive alerts from "their" sensors
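The client-side triage features listed above (sensor ignore list, colorization of alerts touching analyst-specified networks, the "has this source hit us before" query, and the top-N summaries), as an added example in Python that is not the IDEA console's code. The `Console` class, the alert fields and the sample alert set are constructed for the example. One design point is deliberate: the ignore list narrows what an analyst is shown, but the related-alert query runs over the whole buffer, so division of labor by sensor does not hide a source that has also hit somebody else's sensors.

```python
"""Added example (not IDEA's own code): client-side triage over a
constructed alert set: sensor ignore list, watched-network highlighting,
related-alert lookup by source, and top-N summaries."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Alert:
    sensor: str
    signature: str
    src: str
    dst: str
    dst_port: int


class Console:
    def __init__(self, ignored_sensors: Iterable[str] = (),
                 watched_networks: Iterable[str] = ()):
        self.ignored = set(ignored_sensors)
        self.watched = [ipaddress.ip_network(n) for n in watched_networks]

    def visible(self, alerts: List[Alert]) -> List[Alert]:
        """Sensor ignore list: this analyst sees only 'their' sensors."""
        return [a for a in alerts if a.sensor not in self.ignored]

    def highlighted(self, alert: Alert) -> bool:
        """Colorization rule: source or destination lies in a watched network."""
        return any(ipaddress.ip_address(ip) in net
                   for ip in (alert.src, alert.dst) for net in self.watched)

    @staticmethod
    def related(alerts: List[Alert], src: str) -> List[Alert]:
        """Related-alert query: everything ever seen from the same source.
        Deliberately run over the full buffer, not the ignore-filtered view."""
        return [a for a in alerts if a.src == src]

    @staticmethod
    def top(alerts: List[Alert], field: str, n: int = 10):
        """Top-N summary of one alert field (src, dst, dst_port, sensor, ...)."""
        return Counter(getattr(a, field) for a in alerts).most_common(n)


# Constructed alerts (documentation addresses, not real hosts).
SAMPLE_ALERTS = [
    Alert("snort-dmz", "SCAN nmap TCP", "203.0.113.7", "192.0.2.10", 22),
    Alert("snort-dmz", "WEB-IIS cmd.exe access", "203.0.113.7", "192.0.2.80", 80),
    Alert("snort-lan", "WEB-IIS cmd.exe access", "198.51.100.22", "192.0.2.80", 80),
    Alert("snort-lan", "ICMP PING NMAP", "198.51.100.22", "192.0.2.10", 0),
    Alert("snort-lab", "SCAN nmap TCP", "203.0.113.7", "192.0.2.200", 22),
    Alert("snort-dmz", "MS-SQL Worm propagation", "203.0.113.9", "192.0.2.81", 1434),
]


def triage(alerts: List[Alert] = SAMPLE_ALERTS) -> dict:
    """One analyst's view: lab sensor ignored, server segment 192.0.2.64/26 watched."""
    console = Console(ignored_sensors=["snort-lab"],
                      watched_networks=["192.0.2.64/26"])
    visible = console.visible(alerts)
    return {
        "visible": len(visible),
        "highlighted_dsts": [a.dst for a in visible if console.highlighted(a)],
        "related_to_203.0.113.7": len(console.related(alerts, "203.0.113.7")),
        "top_src": console.top(visible, "src", 2),
        "top_sig": console.top(visible, "signature", 1),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The lab sensor's alert disappears from the analyst's view, the three alerts against the watched server segment are flagged for colorization, and the related-alert count for 203.0.113.7 is still three because the query looks at the full buffer including the ignored sensor.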
Current features of the web client (servlet) are:
  • Quick, web-based summary of alerts in the IDEA-server's cache
  • Ability to drill down and see alert information: network and transport layer information, sensor information, and quick summary information
  • ARIN-based web Whois lookups for IP addresses
  • Port database lookups for TCP/UDP port reference information
  • Server statistics information
  • Links to several security-related sites
Several features are planned for the IDEA client and server; see the IDEA feature request page for details. If there is a feature or capability that you would like to see implemented, please submit a request.