Cheesewire is a modular intrusion detection system for Unix and Unix-like operating systems. It was originally developed on and for Solaris 7 boxes, under the name SIDS. Cheesewire is easily extended --- simply add another module.
The system is written in Perl; the CPAN modules Digest::MD5, Proc::ProcessTable and Algorithm::Diff are required. Some system utilities are required by some of the modules --- netstat and lsof at the time of writing. netstat is a standard utility to be found on all(?) Unix-like operating systems; lsof can be found at freshmeat.net.
Cheesewire is designed, as far as possible, to be a self-contained system once installed and configured correctly: ideally, private, statically-linked copies of the required binaries (perl, netstat and lsof) are used; where dynamically-linked binaries must be used, private copies of the shared objects (libraries) they need should be installed and the dynamic-linking path (e.g., LD_LIBRARY_PATH) set to point at them. In a perfect world the installation is run from read-only media.
Cheesewire is started by calling the sids shell script. This sets the LD_LIBRARY_PATH environment variable to ensure that private copies of OS libraries are used, rather than those in /lib, /usr/lib, etc., in case dynamically-linked binaries are in use, and then calls the main Perl script, sids.pl. sids.pl loads chosen modules and initialises each; on initialisation each module loads its own configuration information. sids.pl then enters the main loop:
    while (1) {
        foreach my $module (@module_list) {
            if ($module->time_to_run) {
                $module->run_intrusion_checks;
            }
        }
        sleep a while;
    }

Thus some modules' intrusion checks are run more frequently than others. The overall load on the system is low since most of the time Cheesewire is sleeping; network connections, processes, etc., are polled only periodically --- this is the chief weakness in the system.
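The following script is an added illustration of that scheduling loop, not Cheesewire's own code. It assumes three hypothetical modules (IDM_network, IDM_processes and a Tripwire-style IDM_cheesewire), gives each its own polling interval, and stands in constructed lists of ports and processes for real netstat, lsof and Proc::ProcessTable output; the clock is simulated so the script finishes at once instead of sleeping, and only the checksum module touches the filesystem (a temporary file it creates itself).

```perl
#!/usr/bin/perl
# Added example, not part of Cheesewire: a minimal version of the sids.pl
# main loop. Module names, intervals, check bodies and the sample data are
# assumptions made for illustration.
use strict;
use warnings;
use Digest::MD5;
use File::Temp qw(tempfile);

package Module {
    sub new {
        my ($class, %args) = @_;
        return bless { name     => $args{name},
                       interval => $args{interval},  # seconds between runs
                       check    => $args{check},     # code ref returning alerts
                       last_run => undef }, $class;  # undef: never run yet
    }
    # True on the first tick and whenever 'interval' seconds have elapsed.
    sub time_to_run {
        my ($self, $now) = @_;
        return 1 unless defined $self->{last_run};
        return ($now - $self->{last_run}) >= $self->{interval};
    }
    # Run the module's check, report each alert, return the alert count.
    sub run_intrusion_checks {
        my ($self, $now) = @_;
        $self->{last_run} = $now;
        my @alerts = $self->{check}->();
        printf "t=%3d %-15s %s\n", $now, $self->{name}, $_ for @alerts;
        return scalar @alerts;
    }
}

package main;

# Constructed data standing in for netstat/lsof and process-table output.
my %baseline_ports = map { $_ => 1 } qw(22 25 80);
my @observed_ports = qw(22 25 80 31337);             # one unexpected listener
my %baseline_procs = map { $_ => 1 } qw(init sshd sendmail httpd);
my @observed_procs = qw(init sshd sendmail httpd nc); # one unexpected process

# MD5 of a file, the way a Tripwire-like module records its signatures.
sub md5_of {
    my ($file) = @_;
    open my $in, '<', $file or die "$file: $!";
    binmode $in;
    my $sum = Digest::MD5->new->addfile($in)->hexdigest;
    close $in;
    return $sum;
}

# A temporary file plays the part of a monitored binary: record its
# checksum, then simulate a later modification.
my ($fh, $path) = tempfile(UNLINK => 1);
print $fh "original contents\n"; close $fh;
my $baseline_md5 = md5_of($path);
open $fh, '>', $path or die "$path: $!"; print $fh "tampered\n"; close $fh;

my @module_list = (
    Module->new(name => 'IDM_network', interval => 10, check => sub {
        map { "unexpected listening port $_" }
            grep { !$baseline_ports{$_} } @observed_ports;
    }),
    Module->new(name => 'IDM_processes', interval => 5, check => sub {
        map { "unexpected process $_" }
            grep { !$baseline_procs{$_} } @observed_procs;
    }),
    Module->new(name => 'IDM_cheesewire', interval => 30, check => sub {
        md5_of($path) eq $baseline_md5 ? () : ("checksum changed: $path");
    }),
);

# The main loop over 60 simulated seconds; sids.pl would sleep here
# instead of advancing $now, and the alerts would go to the module's log.
for my $now (0 .. 59) {
    for my $module (@module_list) {
        $module->run_intrusion_checks($now) if $module->time_to_run($now);
    }
}
```

Run it with `perl sids_loop.pl` (any file name will do): IDM_processes reports its alert twelve times in the simulated minute, IDM_network six times and IDM_cheesewire twice, which is the per-module cadence the loop above produces. The gap between polls is also where the weakness mentioned above lies: a process or listener that starts and stops between two ticks of its module is never seen, so intervals are a trade-off between load and coverage.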
Configuration of the installation is contained within SID_Config.pm; configuration of individual modules is contained within Modules_Config.pm, and the corresponding signatures within <sids_root>/etc. In common with many intrusion detection systems, configuration is non-trivial --- though not difficult.
Output from each module can be found within <sids_root>/var/log/<module_name>.log. The main script, sids.pl, sends its output to stdout; hence, if not debugging, one might start Cheesewire via

    cd <cheesewire_directory>/src
    ./sids >& ../var/log/sids.log &
(Cheesewire is the name for the system; there is also a module which takes the name, IDM_cheesewire, which offers Tripwire-like functionality. This should lead to a certain amount of confusion.)