Patron IDS project

Preface

The Patron project is an intrusion detection system (IDS) modelled on the approach used by SpamAssassin.

SpamAssassin uses a rule-based approach to spam detection. It provides a set of tests that combine different techniques for analysing e-mail headers and bodies. Each e-mail message is run through these tests and assigned points for the tests it matches. The final status of a message (spam or non-spam) is determined by summing its points; the user (or system administrator) can specify the point threshold at which a message is considered spam.

Patron is a kernel module that provides a set of tests applicable to OS processes. Each test a process matches contributes a configured score. By summing these scores, Patron tries to determine whether a particular process is harmless or is performing suspicious or dangerous activity. In the latter case, Patron reports the process to the system administrator or performs a configured counteraction.
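The scoring scheme described above, as an added user-space model in C (this is not code from the Patron project; the process snapshot fields, the test names, their scores and the threshold are all assumptions chosen for illustration). Each test is a predicate over a process snapshot; matched scores are summed and compared against the administrator's threshold.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed snapshot of the facts a test may inspect (assumed fields). */
struct proc_info {
    const char *path;      /* executable path */
    unsigned uid;          /* effective uid */
    bool exec_from_tmp;    /* image loaded from a temporary directory */
    unsigned listen_ports; /* number of listening sockets opened */
    bool ptrace_other;     /* attached to another process with ptrace */
};

typedef bool (*proc_test_fn)(const struct proc_info *);

struct proc_test {
    const char *name;
    proc_test_fn fn;
    double score;          /* configured score, added when the test matches */
};

static bool t_root(const struct proc_info *p)   { return p->uid == 0; }
static bool t_tmp(const struct proc_info *p)    { return p->exec_from_tmp; }
static bool t_listen(const struct proc_info *p) { return p->listen_ports > 0; }
static bool t_ptrace(const struct proc_info *p) { return p->ptrace_other; }

/* Hypothetical test table; names and scores are illustrative only. */
static const struct proc_test tests[] = {
    { "RUNS_AS_ROOT",   t_root,   0.5 },
    { "EXEC_FROM_TMP",  t_tmp,    2.5 },
    { "OPENS_LISTENER", t_listen, 1.5 },
    { "PTRACE_OTHER",   t_ptrace, 3.0 },
};

/* Sum the scores of every test the process matches, SpamAssassin-style. */
double patron_score(const struct proc_info *p) {
    double total = 0.0;
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        if (tests[i].fn(p)) total += tests[i].score;
    return total;
}

/* 1 = report or counteract, 0 = harmless, for an admin-chosen threshold. */
int patron_suspicious(const struct proc_info *p, double threshold) {
    return patron_score(p) >= threshold;
}

int main(void) {
    struct proc_info sshd = { "/usr/sbin/sshd", 0, false, 1, false };
    struct proc_info odd  = { "/tmp/.x/a.out",  0, true,  1, true  };
    printf("%s: %.1f\n%s: %.1f\n", sshd.path, patron_score(&sshd), odd.path, patron_score(&odd));
    return 0;
}
```

A legitimate root daemon with a listener scores 2.0 and stays below a threshold of 5.0, while the constructed process from /tmp that also ptraces another process scores 7.5 and would be reported.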

The Patron project is based on a diploma thesis covering the initial research into this method of intrusion detection. Please take a look at it.

Project status

We have a working research prototype of the IDS kernel module for the FreeBSD 5.x platform. For practical use it needs several significant improvements, especially in the set of tests that apply to processes.

You can take a look at the current CVS sources by using this command:

    cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/patron co src

Project goals

The current TODO list is as follows:

Contact

If you are interested in this project, you can contact the development team using the mailing list patron-devel@lists.sourceforge.net. You can join the list here.