AdNix

An implemented concept of a flexible Intrusion Detection and Prevention System (IDPS) with forensic advantages, developed with flexibility and ease of use in mind. The interface is simple, and AdNix is ready for work in 3 main steps, as seen in the cropped screenshots of the app below.

Step 1 - Load: click Proceed to login.

Step 2 - Login: implementing login is optional.

Step 3 - Select events to handle: configure and leave AdNix to handle the rest.

Developed using a combination of PHP, Linux bash scripting, HTML5, CSS, and JavaScript. Note that bash scripts are triggered from the PHP code, so ensure you are familiar with bash scripting, PHP and the Linux OS before running this on your machine.

Download AdNix

This is an implementation of a concept. Feel free to use, expand or customise it as you please. To use AdNix on Windows, the enclosed Linux bash scripts can be converted to equivalent batch file versions; you would then need to modify the script names and extensions in the backend so it can trigger the scripts on the new OS.

Recommendation: Test run on a virtual machine to understand AdNix’s operations.

Background - Why AdNix?

Networks and systems can come under attack from any source and for any reason. The best security practice is to adopt preventive measures while also being prepared for the worst, should those measures fail. Some preventive security solutions (hardware/software) can help achieve a reasonable level of security; however, no system is fully secure. Examples of such solutions are firewalls, anti-virus software, IDS/IPS etc. AdNix falls in the category of IDPSs (Intrusion Detection and Prevention Systems).

Extensive research was carried out, and this work acknowledges that there are existing systems and related work on self-handling systems and on the use of logs to detect intrusions or anomalies. A common shortcoming amongst them, however, is that they do not give the user or Admin a good level of flexibility. Moreover, considering system resources such as performance and storage, they are not really efficient: most logs (relevant and irrelevant) are collected and processed, though not all are needed or useful in every situation. Not all events apply in all cases, but most of these systems keep monitoring for all of them and give the Admin no way to choose only the event(s) that apply to their scenario, business setting or server purpose.
Author: Damola O. L.
Digital forensics & cybersecurity expert

High-level System Design

[Diagram: AdNix high-level system design]

AdNix Benefits

Features

Major Components

Summary

When compared to some existing systems similar or close in design to AdNix, like Snort and Bro, which are powerful IDS tools, the deployment time of AdNix is very short. It is a web-based system, and the program can simply be copied and run directly without any special installation process. However, AdNix needs to be given the necessary permissions on the new system (to execute the bash scripts). The interface is also very simple and straightforward: in other words, as long as the user can read, he/she can easily understand and use AdNix, unlike the Bro IDS, which requires some time to understand and deploy (as pointed out by Sommer). Unnecessary data or information is not added to the generated logs, unlike Snort, which reads and logs all network traffic to disk, consuming a certain amount of unnecessary disk space, and displays all network traffic on the screen in a continuous stream. AdNix generates a reasonable amount of well-formatted event-related information and attaches the file as evidence along with the notifications sent to Admins. The system is also very cost-effective.
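The two design points above, handling only the events the Admin selected (Background) and writing a compact, well-formatted evidence file for the notification (Summary), can be shown in one small handler script. The following is an added example written for this page; it is not AdNix's own code. It assumes the PHP front end passes the selected event names as script arguments and that the log lines are read on standard input; the event names, grep patterns and the auth-log lines in SAMPLE_LOG are all constructed for the example. Event names are checked against a fixed allow-list before anything runs, so a tampered request from the web layer cannot become a shell command, and the evidence file gets a SHA-256 digest so an Admin can later verify the attached file was not altered.

```shell
#!/bin/sh
# Added example handler (not AdNix's own code).
# Assumed contract: the PHP front end runs this script with the Admin-selected
# event names as arguments and pipes the log text to standard input.

# Allow-list of event names this handler understands. Any other value coming
# from the web layer is rejected before it reaches a command.
KNOWN_EVENTS="failed_login sudo_use new_user"

# Constructed sample auth-log lines so the example runs offline.
SAMPLE_LOG='Mar 10 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 10 10:01:09 host sshd[1201]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar 10 10:02:30 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Mar 10 10:03:11 host useradd[1300]: new user: name=bob, UID=1001, GID=1001, home=/home/bob, shell=/bin/bash
Mar 10 10:04:00 host CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)'

# Map an event name to the fixed string that identifies it in the log.
pattern_for() {
  case "$1" in
    failed_login) echo 'Failed password' ;;
    sudo_use)     echo 'sudo:' ;;
    new_user)     echo 'new user:' ;;
    *)            return 1 ;;
  esac
}

# Return 0 only if the requested event name is on the allow-list.
is_known_event() {
  for e in $KNOWN_EVENTS; do
    [ "$e" = "$1" ] && return 0
  done
  return 1
}

# handle_events EVIDENCE_FILE EVENT...  (log text on stdin)
# Scans the log for the selected events only, writes one record per match
# as "detection_time|event|log line" and prints the evidence file path.
# Lines for events the Admin did not select are never processed.
handle_events() {
  out="$1"; shift
  : > "$out"
  log=$(cat)
  for ev in "$@"; do
    if ! is_known_event "$ev"; then
      echo "rejected unknown event: $ev" >&2
      continue
    fi
    pat=$(pattern_for "$ev")
    printf '%s\n' "$log" | grep -F -- "$pat" | while IFS= read -r line; do
      printf '%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$ev" "$line" >> "$out"
    done
  done
  echo "$out"
}

# Number of evidence records in a file (0 for an empty file).
count_records() {
  grep -c . "$1" || true
}

# SHA-256 of the evidence file, to be sent with the notification so the
# attachment can be checked for tampering later.
evidence_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Usage (from the PHP side, after validating the session):
#   printf '%s\n' "$SAMPLE_LOG" | handle_events /var/tmp/evidence.txt failed_login sudo_use
```

With `failed_login sudo_use` selected, the three matching lines are written and the `useradd` and `CRON` lines are skipped entirely, which is the resource saving the Background section argues for; a request naming an event that is not on the allow-list is logged to standard error and ignored rather than interpolated into a command.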