Friday, August 18, 2017

Announcement: IPS code

So after 20 years, IBM is killing off the BlackICE code I created in April 1998. Time to rewrite it.

BlackICE was the first "inline" intrusion-detection system, a.k.a. an "intrusion prevention system" or IPS. ISS purchased my company in 2001 and replaced their RealSecure engine with it, later renaming it Proventia. IBM then purchased ISS in 2006. Now they are formally cancelling the product and moving customers onto Cisco's products, which are based on Snort.

So now is a good time to write a replacement. The reason is that BlackICE worked fundamentally differently from Snort: it used protocol analysis rather than pattern-matching, so in that respect it was more like Bro than Snort. The biggest benefit of protocol analysis is speed, making it many times faster than Snort. The second benefit is better detection, as I describe in this post on Heartbleed.
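
To make the protocol-analysis point concrete, here is an added example, written for this edit and not BlackICE's or the new project's code, of the kind of parser the plan calls for: a byte-at-a-time state machine in C, in the spirit of the X.509 parser in Masscan. It follows TLS records and flags a heartbeat request whose claimed payload_length cannot fit in the record, which is exactly the Heartbleed condition (RFC 6520 requires at least 16 bytes of padding after the payload). All state lives in a small struct per connection direction, so packet boundaries can fall anywhere without a reassembly buffer. The byte stream, event names and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What the parser reports for each record it finishes. */
enum hb_event {
    HB_NEED_MORE = 0,   /* all input consumed, nothing to report yet */
    HB_OK,              /* heartbeat whose payload_length fits in the record */
    HB_OVERREAD,        /* payload_length + padding exceeds the record: Heartbleed probe */
    HB_NOT_HEARTBEAT,   /* some other record type; its body is skipped */
    HB_MALFORMED        /* heartbeat record too short to hold its 3-byte header */
};

/* Per-direction, per-connection state: a few integers and no buffer, which
 * is what lets a protocol-analysis engine track millions of connections. */
struct hb_state {
    unsigned state, content_type, record_len, hb_type, payload_len, remaining;
};

enum { S_TYPE, S_VER_HI, S_VER_LO, S_LEN_HI, S_LEN_LO, S_HB_TYPE, S_PL_HI, S_PL_LO, S_SKIP };

#define TLS_CT_HEARTBEAT 24   /* TLS record content type for heartbeat (RFC 6520) */
#define HB_MIN_PADDING   16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Consume bytes from px[0..len). Stops at the first reportable event and sets
 * *consumed so the caller can resume after it; HB_NEED_MORE means the input
 * ran out mid-record and the state struct carries the position. */
enum hb_event hb_parse(struct hb_state *s, const uint8_t *px, size_t len, size_t *consumed)
{
    size_t i;
    for (i = 0; i < len; i++) {
        unsigned c = px[i];
        switch (s->state) {
        case S_TYPE:   s->content_type = c; s->state = S_VER_HI; break;
        case S_VER_HI: s->state = S_VER_LO; break;            /* version not needed here */
        case S_VER_LO: s->state = S_LEN_HI; break;
        case S_LEN_HI: s->record_len = c << 8; s->state = S_LEN_LO; break;
        case S_LEN_LO:
            s->record_len |= c;
            s->remaining = s->record_len;
            if (s->content_type == TLS_CT_HEARTBEAT && s->record_len >= 3) {
                s->state = S_HB_TYPE;
                break;
            }
            s->state = s->remaining ? S_SKIP : S_TYPE;
            *consumed = i + 1;
            return (s->content_type == TLS_CT_HEARTBEAT) ? HB_MALFORMED : HB_NOT_HEARTBEAT;
        case S_HB_TYPE: s->hb_type = c; s->remaining--; s->state = S_PL_HI; break;
        case S_PL_HI:   s->payload_len = c << 8; s->remaining--; s->state = S_PL_LO; break;
        case S_PL_LO: {
            enum hb_event ev;
            s->payload_len |= c;
            s->remaining--;
            /* The protocol check: payload plus minimum padding must fit in what
             * is left of the record. Only lengths matter, not attacker bytes. */
            ev = (s->payload_len + HB_MIN_PADDING > s->remaining) ? HB_OVERREAD : HB_OK;
            s->state = s->remaining ? S_SKIP : S_TYPE;
            *consumed = i + 1;
            return ev;
        }
        case S_SKIP: {
            /* Skip the rest of the record in one step instead of byte-at-a-time. */
            size_t avail = len - i;
            size_t n = (avail < s->remaining) ? avail : s->remaining;
            s->remaining -= (unsigned)n;
            i += n - 1;                          /* the loop's i++ covers the last byte */
            if (s->remaining == 0) s->state = S_TYPE;
            break;
        }
        }
    }
    *consumed = len;
    return HB_NEED_MORE;
}

struct hb_counts { unsigned ok, overread, other; };

/* Feed a stream in 'chunk'-byte pieces (simulated packet boundaries) and tally events. */
struct hb_counts hb_scan(const uint8_t *px, size_t len, size_t chunk)
{
    struct hb_state s = {0};
    struct hb_counts c = {0, 0, 0};
    size_t off = 0;
    while (off < len) {
        size_t n = (len - off < chunk) ? len - off : chunk;
        size_t done = 0;
        while (done < n) {
            size_t used = 0;
            enum hb_event ev = hb_parse(&s, px + off + done, n - done, &used);
            done += used;
            if (ev == HB_OK) c.ok++;
            else if (ev == HB_OVERREAD) c.overread++;
            else if (ev != HB_NEED_MORE) c.other++;
        }
        off += n;
    }
    return c;
}

/* Constructed sample: a 2-byte handshake record, a well-formed heartbeat
 * (payload_length 0 plus 16 bytes of padding), then the classic Heartbleed
 * probe (record length 3 claiming a 16384-byte payload). */
const uint8_t SAMPLE_STREAM[] = {
    0x16, 0x03, 0x02, 0x00, 0x02, 0xaa, 0xbb,
    0x18, 0x03, 0x02, 0x00, 0x13, 0x01, 0x00, 0x00,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00
};

int main(void)
{
    size_t chunk;
    for (chunk = 1; chunk <= sizeof SAMPLE_STREAM; chunk *= 4) {
        struct hb_counts c = hb_scan(SAMPLE_STREAM, sizeof SAMPLE_STREAM, chunk);
        printf("chunk=%2zu ok=%u overread=%u other=%u\n", chunk, c.ok, c.overread, c.other);
    }
    return 0;
}
```

The same stream fed one byte at a time, in 4-byte pieces, or all at once gives identical counts, because the parser never needs to see a whole record in one buffer. A content signature for this probe has to anticipate particular bytes in the request; the length check is a property of the protocol and holds for every encoding of it.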

So my plan is to create a new project. I'll be checking the starter bits into GitHub starting a couple of weeks from now. I need to figure out a new name for the project, so I don't have to rip off a name from William Gibson like I did last time :).

Some notes:

  • Yes, it'll be open source under the GNU GPL. I'm a capitalist, so I'll earn money the way Snort and Nmap do, dual-licensing it and charging companies that don't want to open-source their add-ons. All capitalists GNU-license their code.
  • C, not Rust. Sorry, I'm going for extreme scalability. We'll revisit this decision later when it comes to building protocol parsers.
  • It'll be 95% compatible with Snort signatures. Their language definition leaves so much ambiguous that 100% compatibility is hard.
  • It'll support Snort output as well, though really, Snort's events suck.
  • Protocol parsers in Lua, so you can use it as a replacement for Bro, writing parsers to extract the data you are interested in.
  • Protocol state-machine parsers in C, like you see in my Masscan project for X.509.
  • First version IDS only. These days, "inline" also means being able to MitM the SSL stack, so I'm going to have to think harder about that.
  • Multi-core worker threads fed from PF_RING/DPDK/netmap receive queues. It should handle 10 gbps, tracking 10 million concurrent connections, on a quad-core CPU.
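
As an added illustration of the Snort-compatibility bullet (example code written for this edit, not the project's own parser), here is a minimal Snort rule tokenizer in C. It splits the header into its seven fields and the option body on ';' while honouring double quotes and backslash escapes, which is the kind of detail a compatible reader has to get right before any option semantics come into play. The sample rule, struct names and size limits are constructed for the example; values are left raw (quotes, `|..|` hex blocks and `\` escapes intact) for a later stage to interpret.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_OPTS 32
#define MAX_TOK  128

struct snort_opt { char key[MAX_TOK]; char value[MAX_TOK]; };

struct snort_rule {
    char action[MAX_TOK], proto[MAX_TOK], src[MAX_TOK], sport[MAX_TOK];
    char dir[MAX_TOK], dst[MAX_TOK], dport[MAX_TOK];
    struct snort_opt opts[MAX_OPTS];
    int nopts;
};

/* Copy [p, end) into dst, bounded, trimming surrounding whitespace. */
static void copy_trim(char *dst, size_t cap, const char *p, const char *end)
{
    size_t n;
    while (p < end && isspace((unsigned char)*p)) p++;
    while (end > p && isspace((unsigned char)end[-1])) end--;
    n = (size_t)(end - p);
    if (n >= cap) n = cap - 1;
    memcpy(dst, p, n);
    dst[n] = '\0';
}

/* Record one option from [p, end): "key:value" or a bare flag such as "nocase". */
static void add_opt(struct snort_rule *r, const char *p, const char *end)
{
    const char *colon;
    struct snort_opt *o;
    while (p < end && isspace((unsigned char)*p)) p++;
    if (p == end || r->nopts >= MAX_OPTS) return;   /* empty slot after the final ';' */
    o = &r->opts[r->nopts++];
    for (colon = p; colon < end && *colon != ':'; colon++)
        ;
    copy_trim(o->key, MAX_TOK, p, colon);
    if (colon < end) copy_trim(o->value, MAX_TOK, colon + 1, end);
}

/* Parse "action proto src sport dir dst dport (options)". Returns 0 on success,
 * -1 if the header is short, '(' is missing, or a quote or the rule is unterminated. */
int snort_parse_rule(const char *rule, struct snort_rule *r)
{
    char *fields[7];
    const char *p, *open, *q;
    int i, in_quote = 0;

    memset(r, 0, sizeof *r);
    fields[0] = r->action; fields[1] = r->proto; fields[2] = r->src; fields[3] = r->sport;
    fields[4] = r->dir;    fields[5] = r->dst;   fields[6] = r->dport;

    open = strchr(rule, '(');
    if (open == NULL) return -1;

    /* Header: seven whitespace-separated fields before '(' */
    p = rule;
    for (i = 0; i < 7; i++) {
        const char *start;
        while (p < open && isspace((unsigned char)*p)) p++;
        start = p;
        while (p < open && !isspace((unsigned char)*p)) p++;
        if (start == p) return -1;
        copy_trim(fields[i], MAX_TOK, start, p);
    }

    /* Options: ';' separates only outside double quotes; inside quotes a
     * backslash escapes the next character, so \; and \" do not end anything. */
    p = open + 1;
    for (q = p; ; q++) {
        char c = *q;
        if (c == '\0') return -1;              /* unterminated quote or missing ')' */
        if (in_quote) {
            if (c == '\\' && q[1] != '\0') q++;
            else if (c == '"') in_quote = 0;
            continue;
        }
        if (c == '"') { in_quote = 1; continue; }
        if (c == ';' || c == ')') {
            add_opt(r, p, q);
            if (c == ')') break;
            p = q + 1;
        }
    }
    return 0;
}

/* Constructed sample with the two awkward cases: a ';' inside a quoted msg,
 * and an escaped \; plus a |3B| hex byte inside content. */
const char SAMPLE_RULE[] =
    "alert tcp $EXTERNAL_NET any -> $HOME_NET 80 "
    "(msg:\"semicolon; inside quotes\"; content:\"a\\;b|3B|c\"; nocase; sid:1000001; rev:1;)";

struct snort_rule SAMPLE_PARSED;   /* global so a harness can inspect the result */

int parse_sample(void) { return snort_parse_rule(SAMPLE_RULE, &SAMPLE_PARSED); }

int main(void)
{
    int i;
    if (parse_sample() != 0) { puts("parse error"); return 1; }
    printf("%s %s %s:%s %s %s:%s\n", SAMPLE_PARSED.action, SAMPLE_PARSED.proto,
           SAMPLE_PARSED.src, SAMPLE_PARSED.sport, SAMPLE_PARSED.dir,
           SAMPLE_PARSED.dst, SAMPLE_PARSED.dport);
    for (i = 0; i < SAMPLE_PARSED.nopts; i++)
        printf("  %-8s = %s\n", SAMPLE_PARSED.opts[i].key, SAMPLE_PARSED.opts[i].value);
    return 0;
}
```

Naively splitting on ';' would cut the msg in two and turn `a\;b` into an unterminated content string; the quote-and-escape tracking is what makes the five options come out intact. The same shape of tokenizer, plus a table of option keywords, is the front end of a Snort-compatible rule loader.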
So if you want to contribute to the project, here's what I need:
  • Requirements from people who work daily with IDS/IPS today. I need you to write up what your products do well that you really like, and what they suck at that needs to be fixed. These need to be in some detail.
  • A testing environment to play with. This means a small server plugged into a real-world link running at a minimum of several gigabits per second, available for the next year. I'll sign NDAs related to the data I might see on the network.
  • Coders. I'll be doing the basic architecture, but protocol parsers, output plugins, etc. will need work. Code will be in C and Lua for the near term. Unfortunately, since I'm going to dual-license, I'll need waivers before accepting pull requests.
Anyway, follow me on Twitter @erratarob if you want to contribute.





7 comments:

  1. Compatible with Snort rules but not pattern matching? Or will there be a fallback to pattern matching?

  2. BlackICE brings back many, many good memories. I was one of the lucky people who was able to convince the organisation I worked for at that time to buy heavily into that. It must have been multiple 10k of clients we had running, providing an unprecedented view of what was going on in that network. Together with Billy Goat (at that time available in closed beta), we managed to clean out that network in no time.
    Of course the servers were off limits for anything that was not production. So they were hit hard with Slammer, and since there were no outbound rules on the firewalls and they had plenty of bandwidth, we (guesstimated) infected half the world.
    A month later, every single Windows machine on the network had BI installed :)
    Looking forward to your new implementation. Since there currently is hardly anything useful on the market, I will happily keep tabs on the progress.

  3. Really want to contribute to the project!

  4. Which GPL? Because BSD or LGPL might get me contributing, but GPL 2 or 3 wouldn't get past my employer's work on it in the office filters.

  5. Have you considered the name TRONS? ---- LOL

  6. Come back and play in the ICS/SCADA world with me like we did nearly 20 yrs ago - Something new and done right would go huge in the process/automation/controls "iiot" world .. :)

  7. Will you be posting the github link to the project on your blog when you create the repo? I don't meet the time or hardware requirements to contribute, but I'd like to follow the progress and I have a keen eye for spotting mem leaks.

