M-ICE - Modular Intrusion Detection and Countermeasure Environment

Thomas Biege <thetom@uin4d.de>

GPG Key (ID 85168DBF)

News (ChangeLog)


M-ICE, pronounced "mice" or "m ice" as you like, was part of my diploma-thesis written in 2002/2003.
The goal of my work is to create a framework for a highly modular Intrusion Detection and Countermeasure System.
The main target of M-ICE are hostbased ID Systems but it is also possible to interoperate with other IDS architectures as long as they use the open and standarized message format IDMEF.
Modular in our context means an assembly of tools with special purpose (like forwarding data from the client, buffer network data, manage detected security breaches and react). These tools can be further customized by loading different plugins (dynamic loadable module) to decode different network packages, handle different kind of databases, analyse data, filter log-data and so on.
This design makes it easy for researches to test new methods of data-reduction, pseudonymisation or attack-analysis by just plugging another module in a full-blown IDS in a real-life environment.
The advantage for administrators lies in the fact that M-ICE is designed to fit everywhere. You can install all components on one host or every component on different hosts in your network. Think about using one analysis-agent for handling a full subnet or exposed servers at once while keeping only one database for all log-data and alert-data in a secure admin-subnet etc.. The available combinations seem endless.


Here you can get the admin-guide and the developer-guide for M-ICE.
If you want to know more about IDS techniques and designs, you may want to read a paper ( part 1, part 2 ) I wrote a few years ago.
To just get an idea about LAuS (Linux Audit Subsystem) have a look at this example output.
The Secuirty-Guide used for EAL3+ includes a description of the LAuS setup.
(My Diploma-Thesis written in 2003 (german only).)


The source-code and binary-code is hosted at Sourceforge.net.

Mailing Lists

The project provides two lists. One for users/admins called m-ice-users and another one for the developers called m-ice-devel. Both mailing-list support digest-mode.

Developers (CVS)

To access the latest code snapshot developers can use CVS.
yourhost > cvs -d:pserver:anonymous@cvs.sf.net:/cvsroot/m-ice co m-ice
To browse through the current souce-code use the Web Interface provided by Sourceforge.net.

To Do

The schedule is available as small text version and as a more comprehensive HTML version (take care: very optimistic deadlines) created with TaskJuggler.
Note: This project still needs developers!

Last Update 2005-02-23 by Thomas Biege <thetom@uin4d.de>

SourceForge.net Logo