WP4 Clearinghouse

WP4 Type 3 Statistics: IDS Sensor Userguide

 

Topics

 

System description

POPPIX is a collection of security-related tools with a curses-based GUI. It comes on a bootable Linux CD-ROM and is based on a recent Knoppix distribution. Within eCSIRT.net it is used to deploy a number of intrusion detection sensors that monitor Internet background noise (attacks, worms etc.). The monitored events are logged to a central server over authenticated SSL connections and are evaluated to generate statistics. For this purpose the following services are provided:

POPPIX is released under the GPL. Contributions are more than welcome.

 

Requirements

The POPPIX IDS sensor requires all of the following:

 

Sources

An ISO image of the bootable CD is available on request. An initial image for a 1.44 MB floppy disk is mailed to the participating members.
Please keep this floppy image safe: it contains all the keys and certificates the POPPIX IDS sensor needs to authenticate to the central server.

 

Installation

The following steps are necessary to get a working POPPIX installation:

 

Setup

 

Testing

If everything works well, you should be able to perform the following tests:

 

Troubleshooting

If you have trouble logging in as user "root", keep in mind that POPPIX uses a US (American) keyboard layout. If anything else goes wrong, you can have a look at:

 

Results

Public statistics

On the basis of the data collected from all sensors, some generic statistics are generated. These show results on the accumulated data of all sensors. The numbers of alerts in some main classes are displayed, as well as some more complex statistics: the number of attacks per attacker and the number of sensors that were attacked by the same host.

The public statistics of the sensors can be found here.

Internal statistics

In contrast to the generalized public statistics, the charts of the internal statistics retain the relation between the alerts and the individual sensors. So each participating team is able to see the number of alerts logged by its own sensor.
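The following is an added example, not code from POPPIX or eCSIRT.net, showing how the two kinds of statistics described above (the pooled public view and the per-sensor internal view) can be computed from alerts collected at the central server. The log line format (timestamp, sensor id, source address, alert class), the class names and all sample records are constructed assumptions; the real eCSIRT.net logging schema is not documented on this page.

```python
"""Public and internal statistics from IDS sensor alerts.

Added example, not code from POPPIX or eCSIRT.net. The line format below and
the alert class names are assumptions; the sample alerts are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample of central-server log lines (assumed format:
# timestamp, sensor id, source address, alert class). Addresses come from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-12-30T10:00:01 sensor-a 192.0.2.10 worm
2003-12-30T10:00:07 sensor-a 192.0.2.10 worm
2003-12-30T10:01:12 sensor-a 198.51.100.7 portscan
2003-12-30T10:02:40 sensor-b 192.0.2.10 worm
2003-12-30T10:03:05 sensor-b 203.0.113.5 exploit
2003-12-30T10:03:59 sensor-c 192.0.2.10 portscan
2003-12-30T10:04:21 sensor-c 198.51.100.7 portscan
this line is malformed and must be skipped
"""


def parse_alerts(text):
    """Parse log lines into (sensor, source, alert_class) tuples.
    Malformed lines are skipped rather than aborting the run, so one bad
    record from one sensor cannot stop the statistics for all of them."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _timestamp, sensor, src, alert_class = fields
        alerts.append((sensor, src, alert_class))
    return alerts


def alerts_per_class(alerts):
    """Public statistic: number of alerts per class, pooled over all sensors."""
    return dict(Counter(alert_class for _, _, alert_class in alerts))


def attacks_per_attacker(alerts):
    """Public statistic: number of alerts attributed to each source address."""
    return dict(Counter(src for _, src, _ in alerts))


def sensors_hit_per_attacker(alerts):
    """Public statistic: how many distinct sensors each source address hit.
    A source seen by several independent sensors indicates broad scanning
    (background noise) rather than interest in one particular network."""
    seen = defaultdict(set)
    for sensor, src, _ in alerts:
        seen[src].add(sensor)
    return {src: len(sensors) for src, sensors in seen.items()}


def attacker_spread_histogram(alerts):
    """Public statistic: how many attackers hit exactly N sensors."""
    return dict(Counter(sensors_hit_per_attacker(alerts).values()))


def internal_alerts_per_sensor(alerts):
    """Internal statistic: alert counts by class for each sensor separately,
    so a team can see what its own sensor logged. Sensor identities are
    kept here and dropped from the public figures above."""
    per_sensor = defaultdict(Counter)
    for sensor, _, alert_class in alerts:
        per_sensor[sensor][alert_class] += 1
    return {sensor: dict(counts) for sensor, counts in per_sensor.items()}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    print("alerts per class:     ", alerts_per_class(parsed))
    print("attacks per attacker: ", attacks_per_attacker(parsed))
    print("sensors per attacker: ", sensors_hit_per_attacker(parsed))
    print("spread histogram:     ", attacker_spread_histogram(parsed))
    print("internal, per sensor: ", internal_alerts_per_sensor(parsed))
```

The public functions deliberately discard the sensor column before counting, which is the anonymisation the text describes; only `internal_alerts_per_sensor` keeps it, and in a deployment its output would be shown to the owning team only.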

 

Related Documents

 

Revision History

 

The European Computer Security Incident Response Team Network
Last changed: December 30, 2003 / JS
Copyright © 2002-2003 by PRESECURE Consulting GmbH, Germany