In the first version (v0.5-alpha) we focused on creating a robust, scalable and stable system architecture, aggregating some already existent free-software. Take a look at the Architecture Diagram in the Installation guide for details. Beyond the main code, in the Scala language, we maintain the following pieces, which are available in the project’s GitHub.
- Barnyard2-hz - This is a fork of Barnyard2, which implements Deep Packet Inspection (DPI) and save the flows’ features in HBase using Thrift. DPI is provided by lib nDPI, maintained by nTop.
- Pigtail - Currently, is just a small PHP script to read the Hogzilla events in the HBase database and save them into the MySQL Snorby’s database and GrayLog. We plan to improve it to support more DBs and monitoring consoles.
Some relevant publications are referred in References. You can suggest us more by e-mail (see Mailing list).
We try to keep it useful, simple, robust and scalable. The project’s planned roadmap is below. We note that it may be changed.
In version v0.6, we focused on implementing methods based on collected sFlows. Also, we introduced network VISIBILITY as one of Hogzilla’s outputs. This version is stable and is performing well!
Hogzilla IDS v0.5.x-alpha (Download from GitHub)
- System architecture defined
- Barnyard2-hz Fork:
- DPI implemented to generate flow features
- HBase support to save flow features and Snort events
- Pigtail
- Generates events for Snorby/MySQL
- DNS protocol
- K-means clustering using IP, TCP and DNS features. The events generated by Snort are used to taint the suspicious cluster.
- HTTP protocol
- K-means clustering using IP, TCP and HTTP features. The events generated by Snort are used to taint the suspicious cluster.
Hogzilla IDS v0.6.x-beta (Download from GitHub)
- sFlow Support
- Implementation of the following new methods:
“SMTP talker identified”
“Atypical TCP port used”
“Atypical alien TCP port used”
“Atypical number of pairs in the period”
“Atypical amount of data transferred”
“Alien accessing too much hosts”
“P2P communication”
“UDP amplifier (DDoS)”
“Abused SMTP Server”
“Media streaming client”
“DNS Tunnel”
“ICMP Tunnel”
“Horizontal portscan”
“Vertical portscan”
“Server under DDoS attack” - Implementation of an approach that can automatically identify and group network servers by their services
- Generation of Operating System Inventory based on sFlows
- Implementation of the following new methods:
- SFlow2HZ - a simple binary to insert sFlows into HBase
- Pigtail
- Generates events for GrayLog
- Feeds GrayLog with information about identified server groups and inventory information
- Correction of some bugs
Hogzilla IDS v0.7-beta (TBA)
- sFlow
- Implement methods to identify: BitCoin mining, and Tor.
- Code organization and documentation
- DNS protocol
- Implementation of the SuperBag method
- HTTP/HTTPS protocol
- Implementation of the SuperBag method
- Implementation of a random-forest based methods
- Proxy support
- Generic TCP/UDP protocol
- Implementation of SuperBag method
- Implementation of a random-forest based methods
- Barnyard2-hz
- Code organization and documentation
- Some performance optimization
- Correction of known bugs
Hogzilla IDS - future features
- Risk assessment
- Intelligence sharing
- Analysis of mobile features, like network traffic, SMS, and other system device activities
- Automatic methods evaluation, ranking and weighing them dynamically
- Deal with external threats, ex. portscans, DDoS, etc.
- Analysis of features of malicious artefacts in sandboxes (ex. IO and network activities)
- Alert correlation
- Prune routines
- Analysis of users behaviour using some OS indicators
- NetFlow support
- Propose a new feature via e-mail (see Mailing list) or via Issue Tracker