M-ICE - Modular Intrusion Detection and
- 2005-02-23: M-ICE 0.2 alpha code was compiled into i586 RPM files which are downloadable via SF.
- 2005-01-19: Due to a lack of time and interest I have put this project on freeze.
- 2004-07-10: There was a lot of CVS activity in the last month.
M-ICE is now able to read LAuS binary files as well as pseudonymize user
identifiers so as not to violate data privacy laws. The next stable release
might occur at the end of this year (including an AI-based analysis module).
This project still needs experienced developers! :)
- 2004-02-01: released Admin-Guide 0.4
- 2004-02-01: Linux kernels with LAuS support available at Download-Section
- 2004-01-29: added links to paper describing Intrusion Detection Systems
- 2004-01-18: released project schedule and Admin-Guide 0.3
- 2004-01-07: made ntp RPM package available at Download-Section
- 2004-01-06: made libidmef RPM package available at Download-Section
- 2004-01-01: Happy New Year 2004
- 2003-12-31: released Developer-Guide 0.1
- 2003-12-30: released Admin-Guide 0.2
- 2003-12-07: released Admin-Guide 0.1
M-ICE, pronounced "mice" or "m ice" as you like, was part of my
diploma thesis written in 2002/2003.
The goal of my work is to create a framework for a highly
modular Intrusion Detection and Countermeasure System.
The main target of M-ICE is host-based ID systems, but it is also
possible to interoperate with other IDS architectures as long as they
use the open and standardized message format
Modular in our context means an assembly of tools, each with a special purpose
(such as forwarding data from the client, buffering network data,
managing detected security breaches and reacting to them).
These tools can be further customized by loading different plugins
(dynamically loadable modules) to decode different network packets,
handle different kinds of databases, analyse data, filter log data
and so on.
This design makes it easy for researchers to test new methods
of data reduction, pseudonymisation or attack analysis by just
plugging another module into a full-blown IDS in a real-life environment.
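As an added illustration (not code from the M-ICE project), the following Python shows what a pseudonymisation module of the kind mentioned in the news above has to achieve: user identifiers in audit records are replaced by keyed pseudonyms that stay consistent per user, so the analysis can still correlate events of one account, while re-identification is only possible for the holder of the key. The record format is a constructed text form for the demonstration, not the real LAuS binary layout, and the key and records are made-up test values.

```python
import hmac
import hashlib
import re

# Constructed sample records (text form, not real LAuS output); each one
# carries a numeric uid and a login name as the identifying fields.
SAMPLE_RECORDS = [
    "2004-07-10T10:01:02 uid=1000 login=alice syscall=open path=/etc/shadow result=EACCES",
    "2004-07-10T10:01:05 uid=1000 login=alice syscall=execve path=/usr/bin/su result=0",
    "2004-07-10T10:02:11 uid=1001 login=bob syscall=open path=/home/bob/.bashrc result=0",
    "2004-07-10T10:03:40 uid=0 login=root syscall=setuid result=0",
]

# Only these fields identify a person; every other field is kept verbatim.
_IDENTIFIER_RE = re.compile(r"\b(uid|login)=(\S+)")


def pseudonymize_value(key, field, value, length=12):
    """Deterministic keyed pseudonym: HMAC-SHA256 over 'field=value'.
    Including the field name keeps uid=0 and login=0 from colliding."""
    mac = hmac.new(key, f"{field}={value}".encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def pseudonymize_record(key, record):
    """Replace uid/login values with pseudonyms, leave the rest untouched."""
    return _IDENTIFIER_RE.sub(
        lambda m: f"{m.group(1)}={pseudonymize_value(key, m.group(1), m.group(2))}",
        record,
    )


def pseudonymize_stream(key, records):
    """Filter a whole batch of records the way a log-filter module would."""
    return [pseudonymize_record(key, r) for r in records]


def extract_field(record, field):
    """Return the value of 'field=...' in a record, or None if absent."""
    m = re.search(rf"\b{field}=(\S+)", record)
    return m.group(1) if m else None


def reidentify(key, field, pseudonym, candidates):
    """Reverse a pseudonym by recomputing it over known values (e.g. the site's
    user list). Needs the key, so only the key holder can do this."""
    for value in candidates:
        if hmac.compare_digest(pseudonymize_value(key, field, value), pseudonym):
            return value
    return None
```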
The advantage for administrators lies in the fact that M-ICE is designed
to fit everywhere. You can install all components on one host or every
component on a different host in your network. Think about using one
analysis agent for handling a full subnet or several exposed servers at once
while keeping only one database for all log data and alert data in a
secure admin subnet, etc.
The available combinations seem endless.
Here you can get the admin-guide and the
developer-guide for M-ICE.
If you want to know more about IDS techniques and designs, you may
want to read a paper I wrote a few years ago.
To just get an idea about LAuS (Linux Audit Subsystem) have a look at this example output.
The Security-Guide used for EAL3+ includes a description of the LAuS setup.
(My diploma thesis, written in 2003 (German only).)
The source code and binary code are hosted at
The project provides two lists: one for users/admins called m-ice-users and another one for the developers called m-ice-devel. Both mailing lists support digest mode.
To access the latest code snapshot developers can use CVS.
yourhost > cvs -d:pserver:firstname.lastname@example.org:/cvsroot/m-ice co m-ice
Password: <JUST PRESS RETURN HERE>
To browse through the current source code use the Web Interface provided by Sourceforge.net.
The schedule is available as small text version and
as a more comprehensive
HTML version (take care: very optimistic deadlines) created with
Note: This project still needs developers!
Last Update 2005-02-23 by Thomas Biege <email@example.com>