The SIDTk is a collection of command-line tools aimed at improving host-based intrusion detection on Windows desktops and servers. Some of these tools were originally shipped with LogAgent 4.0, others are natural evolutions of code introduced with LogAgent 4.0 and LogIDS 1.0 Pro, and the rest are variations on the same principle. It is easy to create new modules based on the same model, and the code is completely Open Source.
The SIDTk 1.0 contains:
- ADSScan 1.0 : An Alternate Data Streams scanner
- IntegCheck 1.1 : A filesystem integrity checker (i.e. a Tripwire clone)
- LogUser 1.0 : A module to detect invalid user accounts
- LogShares 1.0 : A module to detect non-allowed shares on the machine
- LogServices 1.0 : A module to detect non-allowed services
- LogStartup 1.0 : A module to detect suspicious items inserted for automatic startup
- LogProc 1.0 : A module to detect rogue processes running in memory
When run regularly, these modules can help uncover various facets of an intrusion, and help you weed out false positives and negatives when combined with other intrusion detection utilities such as Snort and LogAgent 5.0.
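As an added illustration of the baseline-and-compare model these modules share, here is a minimal IntegCheck-style filesystem integrity checker (example code written for this page, not SIDTk's own; the `init`/`check` modes, the JSON baseline file and the SHA-256 digests are assumptions):

```python
# Added example, not SIDTk's own code: a minimal IntegCheck-style (Tripwire-like)
# filesystem integrity checker. Assumed design: a baseline maps each file's relative
# path to its SHA-256 digest, and a later scan is diffed against that baseline.
import hashlib
import os
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and record the digest of every regular file, keyed by relative path."""
    root_path = Path(root)
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():  # skip devices, pipes and symlinks
                snapshot[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots as added, removed or modified paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    import json
    import sys
    # usage: integcheck.py init <root> <baseline.json>  |  integcheck.py check <root> <baseline.json>
    # Keep baseline.json off-host or read-only: a baseline an intruder can rewrite proves nothing.
    mode, root, store = sys.argv[1:4]
    if mode == "init":
        Path(store).write_text(json.dumps(build_baseline(root), indent=1, sort_keys=True))
    else:
        baseline = json.loads(Path(store).read_text())
        for kind, paths in compare(baseline, build_baseline(root)).items():
            for p in paths:
                print(f"{kind}: {p}")
```

The same init-then-diff pattern carries over to the other modules by swapping the file walk for an enumeration of shares, services, startup entries or processes.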