What is OrchIDS?
OrchIDS is a new-generation Intrusion Detection System (IDS) based on real-time event
All the documentation about OrchIDS is available in the Wiki.
Main Wiki links:
- orchids-1.0-1.i686.rpm: Orchids Intrusion Detection System RPMs (How to install)
- orchids-1.0.tar.gz: Orchids sources (How to compile)
- orchids-1.1-beta.tar.gz: Orchids 1.1 beta: syntax enhancements, new modules (IDMEF, IODEF, prolog_history)
The Orchids Project
The Orchids project started in December 2002, under the direction of Jean GOUBAULT-LARRECQ, in the framework of the RNTL project DICO (Réseau National des Technologies Logicielles - Détection d'Intrusions Coopérative), started in December 2001, and of the ACI Crypto PSI-Robuste project.
It was developed by Julien OLIVAIN from 2003 to 2005 and has been maintained since 2010 by Baptiste GOURDIN, both members of the SECSI team at the LSV. The SECSI project is a research project on the security of information systems.
It is a joint project of the INRIA research unit and of the LSV.
Orchids is available for use under the CeCILL license.
The Orchids platform is composed of three main parts:
- a set of rule definitions (written in a dedicated specification language)
- a set of input plugins that decode data incoming from external sources
- a correlation engine based on an internal state machine
Host: Orchids can be run on any POSIX-compliant Unix.
Sources: Orchids comes with a set of modules to receive events from different sources:
- Prelude: correlates events stored in a Prelude database.
- auditd: parses logs generated by auditd.
- Syslog: parses logs written in the Syslog format.
- Netfilter: parses logs generated by Netfilter.
- Snare: reads text logs produced by Snare.
- SNMP: periodically polls SNMP OIDs.
- Your format is not in the list? Write your own OrchIDS input plugin: Writing input plugin for Orchids.
- RFC 4765 IDMEF (input/output): since Orchids can operate within a Prelude deployment, it supports the Intrusion Detection Message Exchange Format (IDMEF). It can read and process IDMEF alerts and also write alerts in this format.
- RFC 5070 IODEF (output): generates alert reports using the Incident Object Description Exchange Format (IODEF).
- More information is available in the wiki page Orchids Standards.
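To make the three-part architecture above (input plugins, rule definitions, state-machine correlation engine) concrete, here is an added Python illustration; it is not OrchIDS code and does not use the OrchIDS rule language. A minimal syslog input plugin decodes raw lines into field dictionaries, a rule is an ordered list of states, and the engine keeps one thread per live rule instance: a thread waits in one state, binds variables (here the source IP) when a matching event arrives, and forks forward into the next state while the original keeps waiting. The sample log lines, host names, IP addresses and the `ssh_bruteforce_then_success` rule are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]     # flat fields decoded from one log line
Bindings = Dict[str, str]  # variables bound by the states a thread has passed

# Constructed sample syslog lines (hypothetical host and IPs, not from the page).
SAMPLE_LOG = """\
Mar  1 10:00:01 host1 sshd[1201]: Failed password for root from 198.51.100.7 port 50001 ssh2
Mar  1 10:00:02 host1 sshd[1202]: Failed password for root from 198.51.100.7 port 50002 ssh2
Mar  1 10:00:03 host1 sshd[1203]: Failed password for root from 203.0.113.9 port 50003 ssh2
Mar  1 10:00:04 host1 sshd[1204]: Failed password for root from 198.51.100.7 port 50004 ssh2
Mar  1 10:00:09 host1 sshd[1205]: Accepted password for root from 198.51.100.7 port 50005 ssh2
Mar  1 10:00:10 host1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

# --- Input plugin: decode a syslog line, enriched with sshd fields when present ---
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) "
                    r"from (?P<ip>\S+) port (?P<port>\d+)")

def parse_syslog(line: str) -> Optional[Event]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparsable line: dropped, never reaches the rules
    event = m.groupdict()
    s = SSH_RE.match(event["msg"])
    if s:
        event.update(s.groupdict())
    return event

# --- Rule definitions: a rule is an ordered list of states ---
@dataclass
class State:
    name: str
    # Called with (event, bindings); returns new bindings if the event fits, else None.
    match: Callable[[Event, Bindings], Optional[Bindings]]

@dataclass
class Rule:
    name: str
    states: List[State]

def ssh(result: str, same_ip: bool = False) -> Callable[[Event, Bindings], Optional[Bindings]]:
    """Predicate for an sshd event; with same_ip the IP must equal the already bound ip."""
    def match(event: Event, bindings: Bindings) -> Optional[Bindings]:
        if event.get("result") != result:
            return None
        if same_ip and event.get("ip") != bindings.get("ip"):
            return None
        return {"ip": event["ip"]}
    return match

def bruteforce_rule(failures: int = 3) -> Rule:
    """N failed logins from one IP followed by a successful login from that same IP."""
    states = [State("fail0", ssh("Failed"))]
    states += [State(f"fail{i}", ssh("Failed", same_ip=True)) for i in range(1, failures)]
    states.append(State("accepted", ssh("Accepted", same_ip=True)))
    return Rule("ssh_bruteforce_then_success", states)

# --- Correlation engine: each live rule instance is a thread sitting in one state ---
@dataclass
class Thread:
    rule: Rule
    index: int          # the state this thread is waiting in
    bindings: Bindings

class CorrelationEngine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.threads: List[Thread] = []
        self.alerts: List[Tuple[str, Bindings]] = []

    def feed(self, event: Event) -> None:
        # Every event may also start a fresh instance of every rule.
        candidates = self.threads + [Thread(r, 0, {}) for r in self.rules]
        survivors: List[Thread] = []
        for t in candidates:
            new = t.rule.states[t.index].match(event, t.bindings)
            if new is not None:
                bindings = {**t.bindings, **new}
                if t.index + 1 == len(t.rule.states):
                    self.alerts.append((t.rule.name, bindings))  # final state reached
                else:
                    survivors.append(Thread(t.rule, t.index + 1, bindings))  # fork forward
            if t.index > 0:
                survivors.append(t)  # a started thread keeps waiting for other matches
        self.threads = survivors

def run_correlation(lines: List[str], rules: List[Rule]) -> List[Tuple[str, Bindings]]:
    engine = CorrelationEngine(rules)
    for line in lines:
        event = parse_syslog(line)
        if event is not None:
            engine.feed(event)
    return engine.alerts

if __name__ == "__main__":
    for name, bindings in run_correlation(SAMPLE_LOG.splitlines(), [bruteforce_rule()]):
        print(f"ALERT {name}: {bindings}")
```

Run on the sample, the default rule raises one alert bound to 198.51.100.7, because only that address accumulates three failures before its successful login; the single failure from 203.0.113.9 leaves a thread waiting that never advances. Lowering the rule to `failures=1` raises three alerts for the same address, one per failed login the success could be paired with: this is the cost of the fork semantics, where every partial match stays alive, and a real engine has to bound live threads with timeouts or per-rule limits that this illustration leaves out.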
The Orchids consortium is an informal group of people entrusted with the development of the Orchids tools.
OrchIDS Consortium current membership:
- INRIA: Institut National de Recherche en Informatique et Automatique
- CNRS: Centre National de la Recherche Scientifique
- ENS-Cachan: École Normale Supérieure de Cachan
- DGA-MI: Ministère de la Défense Nationale, DGA-MI
- EADS: European Aeronautics, Defence and Space Company
- THALES: French Aeronautics, Defence & Space Company