This software uses a Java-based client-server architecture to handle network intrusion detection data. It is designed to improve network security by collecting, analyzing, and presenting alerts about potential threats reported by network sensors.
An open API is specified, enabling different clients to connect to the IDEA server and subscribe to the event notification service. This way, clients are always notified of new alerts received from any of the sensors. This architecture greatly enhances a security administrator's situational awareness of network events, allowing for a faster response to malicious activity. IDEA currently supports receiving, processing, and displaying alerts from Snort IDS sensors.
The IDEA server and Java client application offer a host of features. An administrator-definable buffer size sets how many alerts the server holds, while alert forwarding lets IDEA servers be chained into hierarchies. Access controls specify which users and hosts may connect. The Java/CORBA interface allows clients of different types, written in different languages, to connect. Keepalives detect dead or hung clients so they cannot tie up connections and deny access to other clients. User authentication uses an MD5 challenge/response, so the password itself is never sent over the network; note that this protects the password in transit only, and does not by itself shield a weak password from offline guessing by anyone who captures an exchange.
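To make concrete what an MD5 challenge/response login does and does not protect, here are both sides of such an exchange in Python. This is an added example, not IDEA's code, and its message layout (a 16-byte random nonce from the server, the client answering with MD5(nonce || password)) is an assumption, not the project's actual protocol. It shows the password never crossing the wire and a captured answer being useless against a fresh nonce, but also that the server has to hold the password itself, and that an eavesdropper with one captured challenge/response pair can test guesses offline at the cost of one MD5 per guess.

```python
"""Both sides of an MD5 challenge/response login, plus the attacks it does
and does not stop. Added example; the message layout is assumed, not IDEA's."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


def respond(password: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password without transmitting it.

    Assumed construction for this example: MD5(nonce || password).
    """
    return hashlib.md5(nonce + password.encode("utf-8")).digest()


@dataclass
class AuthServer:
    """Server side. Challenge/response forces the server to keep the password
    (or an equivalent secret) in the clear: a salted, stretched hash would not
    let it recompute the client's answer."""
    passwords: Dict[str, str]
    pending: Dict[str, bytes] = field(default_factory=dict)  # user -> outstanding nonce

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)           # fresh per attempt, so an old answer is useless
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # one shot: consumed even when the check fails
        password = self.passwords.get(user)
        if nonce is None or password is None:
            return False
        expected = respond(password, nonce)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def login(server: AuthServer, user: str, password: str) -> bool:
    """The full exchange: the challenge goes to the client, the response comes back."""
    nonce = server.challenge(user)
    return server.verify(user, respond(password, nonce))


def offline_guess(nonce: bytes, response: bytes, candidates: Iterable[str]) -> Optional[str]:
    """What an eavesdropper can do with one captured exchange: MD5 is fast and the
    nonce is public, so each guess costs one hash. Returns the recovered password, if any."""
    for guess in candidates:
        if hmac.compare_digest(respond(guess, nonce), response):
            return guess
    return None


def demo() -> Dict[str, bool]:
    server = AuthServer({"alice": "correct horse battery"})
    results = {"good_password": login(server, "alice", "correct horse battery"),
               "bad_password": login(server, "alice", "wrong"),
               "unknown_user": login(server, "mallory", "anything")}
    # Capture one successful exchange, then try to replay the answer.
    nonce = server.challenge("alice")
    captured = respond("correct horse battery", nonce)
    results["captured_first_use"] = server.verify("alice", captured)
    server.challenge("alice")                         # a new nonce is now outstanding
    results["replay_rejected"] = not server.verify("alice", captured)
    # Constructed wordlist for the offline attack on the captured pair.
    results["offline_guess_succeeds"] = (
        offline_guess(nonce, captured, ["password", "letmein", "correct horse battery"])
        == "correct horse battery")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last result in demo() is the one to keep in mind when reading "keeps passwords safe": the scheme defeats passive capture and replay of the password, not a dictionary attack on the captured pair, so password quality and the host/user access controls still carry the load.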
The Java client application has alert filtering and sorting capabilities to show only the data that concerns the user. Alerts are displayed in real time as they are received from sensors, with colorization of alerts from user-specified IPs/networks. Automated email/pager notification of high-priority events is user-definable, while a graphical/geospatial display of events in real time enhances situational awareness. The sensor management feature stores information about each sensor in the network.
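The filtering, colorization and notification behaviour described above, as an added Python example that is not the IDEA client's code. It works over Snort's fast alert format (one of Snort's standard output formats); the sample lines are constructed rather than captured, the watched network 192.168.1.0/24 and the priority thresholds are illustrative choices, and the sort follows Snort's convention that priority 1 is the most urgent.

```python
"""Client-side alert handling over Snort fast-format lines: parse, tag alerts that
touch operator-specified networks, keep only urgent ones, sort for display, and
pick out the events that would trigger an email/pager notification.
Added example; the sample lines are constructed, not captured."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Snort's alert_fast output, one alert per line. Classification is optional; ICMP has no ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


@dataclass
class Alert:
    ts: str
    sid: int
    msg: str
    priority: int          # Snort convention: 1 is the most urgent
    proto: str
    src: str
    dst: str
    watched: bool = False  # involves an operator-specified IP/network (the "colorize" flag)


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert, or None for lines that are not alerts (banners, blanks, garbage)."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return Alert(m["ts"], int(m["sid"]), m["msg"], int(m["prio"]), m["proto"], m["src"], m["dst"])


def parse_feed(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (parse_alert(line) for line in lines) if a is not None]


def tag_watched(alerts: List[Alert], networks: Iterable[str]) -> List[Alert]:
    """Flag alerts whose source or destination falls inside any watched network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    for a in alerts:
        src, dst = ipaddress.ip_address(a.src), ipaddress.ip_address(a.dst)
        a.watched = any(src in n or dst in n for n in nets)
    return alerts


def console_view(alerts: List[Alert], max_priority: int = 3) -> List[Alert]:
    """Drop anything less urgent than max_priority; most urgent first, then oldest first.
    Timestamps compare as strings, which is correct within one day of fast-format output."""
    return sorted((a for a in alerts if a.priority <= max_priority),
                  key=lambda a: (a.priority, a.ts))


def notify_candidates(alerts: List[Alert], threshold: int = 1) -> List[Alert]:
    """Events a user-defined email/pager rule would fire on (priority at or below threshold)."""
    return [a for a in alerts if a.priority <= threshold]


# Constructed sample feed in Snort fast format (not real traffic).
SAMPLE_FEED = """\
01/15-12:34:56.789012  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 192.168.1.20:1434
01/15-12:35:01.000001  [**] [1:1000001:1] LOCAL SSH brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:51522 -> 192.168.1.10:22
01/15-12:35:07.123456  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
01/15-12:35:09.500000  [**] [1:1000002:1] LOCAL noisy scanner [**] [Priority: 4] {TCP} 198.51.100.4:40000 -> 10.0.0.9:445
not an alert line
"""

if __name__ == "__main__":
    alerts = tag_watched(parse_feed(SAMPLE_FEED.splitlines()), ["192.168.1.0/24"])
    for a in console_view(alerts):
        mark = "*" if a.watched else " "   # a real console would colour these rows
        print(f"{mark} P{a.priority} {a.ts} {a.proto} {a.src} -> {a.dst}  {a.msg}")
    print("notify:", [a.sid for a in notify_candidates(alerts)])
```

Two details matter for a console like this: unparseable lines are dropped rather than raising, so one malformed sensor message cannot stall the display, and the filter is applied before the sort, so the cost of ordering scales with what the user has chosen to see rather than with the whole buffer.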
Other features of the Java client application include database connectivity, standalone capability, rapid query of related alerts, collaboration, host info lookup, email alert summaries, and a sensor ignore list. The web client (a servlet) gives a quick web-based summary of the alerts in the IDEA server's cache, with the ability to drill down into individual alerts. It also offers ARIN-based web Whois lookups for IP addresses, Snort.org-based port database lookups for TCP/UDP port reference information, server statistics, and links to several security-related sites.
Version 1.2: N/A