SID - Shell/PTY based Host Intrusion Detection System

Shell/PTY Intrusion Detection: Aims at detecting unwanted PTY action on UNIX systems. SID-IDS is a Host Intrusion Detection System.
Consists of a kernel part and a user part. The kernel part plugs into terminal processing subsystem and logs hashed terminal lines. The user part reads log entries (hashes) and takes appropriate action upon finding unexpected log entries.

SID now supports Solaris SPARC, i386, Linux 2.4 and x86 Linux 2.6.
Please note: the kernel part both for Solaris and Linux 2.4 have not changed since release 0.3.7.
Contains Debian Linux packages for i386 and a build script to create your own binary Debian packages.
Contains Solaris 8 i386 and SPARC packages and a build script to create your own Solaris binary packages.

News

July 2005: Release 0.4.2 adds privilege separation for the user part, fixes issue with multicharacter input for the Linux 2.6 kernel part.

April 2005: A Debian binary kernel package for Linux 2.6.10-1-386 has been added.

March 2005:
- Binary SID Solaris 8 packages (see below for downloads) work fine with Solaris 10 - at least on SPARCs, with the FCS (Final Customer Shipping) as recently released by Sun.
I suspect that Solaris 10 x86 will work, too, as well as Solaris 9 on both architectures (untested).
- Further docs: Solaris STREAMS setup and the Linux function hijacking setup.

February 2005: Release 0.4.1 is availbable, now providing packaging support for Debian with 2.6 kernels on x86.

January 2005: Release 0.4.0 is availbable, providing first-time kernel-part support for Linux 2.6 on x86.

Documentation

Further notes on the theory of operation. Pictures showing the Solaris STREAMS setup and the Linux function hijacking setup.
User's guide: users_guide.txt
Sourceforge Project Admin Page: Summary page automagically generated based on available project information.
Installation instructions: INSTALL
CVS: CVS Web Gateway

Downloads

Source:

release 0.4.2 source code MD5 sum: 970cdce20fc74a60d5923f6f39fcc519

The following release 0.4.2 binary packages for Solaris 8 are available:

Solaris 8 i386 kernel part. MD5 sum: 433bcb21735bfa37bd1fe20331bf5480
Solaris 8 i386 user part. MD5 sum: b72a85e97e0d7fbd9752b64ceb535d6c
Solaris 8 sparc kernel part. MD5 sum: 35d82dc4c35439d76608ed1bde01f950
Solaris 8 sparc user part. MD5 sum: 66447cb81ba159c23dd943a022f31442

The following release 0.4.2 binary packages for Debian Linux i386 are available:

Debian Linux i386 user part. MD5 sum: 64e479448dad40dcc20f9cbc156d13f5
Debian Linux 2.4 i386 kernel part. MD5 sum: 0d8c19c59d0775d5e3b09483efa3d9a2
Note: this will only work on kernel version 2.4.18-bf2.4!
Debian Linux 2.6.8 i386 kernel part. MD5 sum: ad60c9cc9dd621c1dcf64872f5ba8522
Note: this will only work on kernel version 2.6.8-1-386!
Debian Linux 2.6.10 i386 kernel part. MD5 sum: 3e28ae9c54a7a962ac00c4f1a4ffd5c8
Note: this will only work on kernel version 2.6.10-1-386!

Build your own Debian package if you run a different kernel (instructions see INSTALL).