RID - Remote Intrusion Detection (http://www.theorygroup.com/Software/RID)
--------------------------------
* Please see LICENSE for licensing information *

Purpose: To use intrusion fingerprints to track down compromised hosts.
Scope:   TCP/UDP/ICMP (No fragmentation reassembly)
Specs:	 Program can create somewhat arbitrary UDP/ICMP/TCP packets/streams
	 and send them to a range of hosts.  It also listens promiscuously
	 for predefined intrusion "fingerprints".

Language: It's been a while since I've done BNF, so here's a not-so-
	  scientific rendition of the config file language:
          begin <ID>
             send <PROTOCOL> <OPTIONS>
             recv <PROTOCOL> <OPTIONS> nmatch = <num>
          end <ID>
	
	  PROTOCOL =: TCP | UDP | ICMP
	  OPTIONS =: ICMP_OPTIONS | UDP_OPTIONS | TCP_OPTIONS
	  ICMP_OPTIONS =: seq=<sequence> | id=<id> | type=<ICMP type>
			  | code=<ICMP code> | data="<string>"
	  UDP_OPTIONS =: sport=<port> | dport=<port> | data="<string>"
	  TCP_OPTIONS =: NOT IMPLEMENTED YET
	  Note: nmatch is the number of "recv" matches that must occur
		before a host is reported as a positive (i.e. considered
		infected).
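As an added illustration (not part of RID's own code), here is a small Python parser for the config language above together with the nmatch threshold check: a block is a positive only once at least nmatch of its "recv" patterns have been matched by observed packets. The sample config, block names, option values and the (proto, fields) packet tuples are constructed for this example; treating nmatch as a per-block threshold where the last recv line wins is an assumption.

```python
import re
import shlex
# Constructed sample config in the RID language described above (not from the project).
SAMPLE_CONFIG = '''begin icmp_tunnel
   send ICMP type=8 code=0 id=4242 seq=1 data="hello"
   recv ICMP type=0 id=4242 seq=1
   recv ICMP type=0 data="hello" nmatch = 2
end icmp_tunnel
begin udp_backdoor
   send UDP sport=1234 dport=31337 data="ping"
   recv UDP sport=31337 dport=1234 data="pong" nmatch = 1
end udp_backdoor
'''
ALLOWED = {  # option keys the grammar allows per protocol; TCP_OPTIONS: not implemented yet
    "ICMP": {"seq", "id", "type", "code", "data"}, "UDP": {"sport", "dport", "data"}, "TCP": set()}

def parse_options(tokens, proto):
    """key=value tokens -> dict, rejecting keys the grammar does not allow for proto."""
    opts = {}
    for tok in tokens:
        key, sep, val = tok.partition("=")
        if not sep or key not in ALLOWED[proto]:
            raise ValueError(f"option {tok!r} not valid for {proto}")
        opts[key] = val
    return opts

def parse_config(text):
    """Parse begin/send/recv/end blocks into {id: {"send": [...], "recv": [...], "nmatch": n}}."""
    blocks, cur = {}, None
    for raw in filter(str.strip, text.splitlines()):
        nm = re.search(r"nmatch\s*=\s*(\d+)", raw)  # threshold, not a packet field
        tokens = shlex.split(re.sub(r"nmatch\s*=\s*\d+", "", raw))  # shlex unquotes data="..."
        kw, arg = tokens[0], tokens[1]
        if kw == "begin":
            cur = blocks.setdefault(arg, {"send": [], "recv": [], "nmatch": 1})
        elif kw == "end" and cur is not None and blocks.get(arg) is cur:
            cur = None
        elif kw in ("send", "recv") and cur is not None and arg in ALLOWED:
            if nm:  # if several recv lines give nmatch, the last one wins (assumption)
                cur["nmatch"] = int(nm.group(1))
            cur[kw].append((arg, parse_options(tokens[2:], arg)))
        else:
            raise ValueError(f"bad or misplaced line: {raw.strip()!r}")
    return blocks

def fingerprint_hits(block, packets):
    """Count (proto, fields) packets matching any recv pattern; positive only at >= nmatch."""
    hits = sum(any(p == rp and all(f.get(k) == v for k, v in ro.items())
                   for rp, ro in block["recv"]) for p, f in packets)
    return hits, hits >= block["nmatch"]
```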

OS:	Currently only tested on Solaris 2.7.  Should work on all modern
	Solaris.  Linux interoperability is built in, but may need some
	tweaking (especially finding libpcap if you install it in a
	non-standard location).

Abstract:
Hackers (I use the term for ease of reference, not because it's necessarily
accurate) who compromise multiple machines are forced to deal with the
same issues that administrators of distributed networks encounter.  They
must remember the passwords set on various facilities, they must remember
which hosts are compromised, they must remember which ports their backdoors
are on, etc.  After a compromise, this information can often be turned into
a "fingerprint" of the intrusion.  This tool is designed to let you specify
that "fingerprint" accurately with little knowledge of network programming.

This tool *does* require some understanding of TCP/IP.  

To Install:
Type 
  ./configure
  make
  ./rid <ip>/<CIDR format>

You may have to locate libpcap manually and edit the Makefile.

Current shortcomings:
   SEE BUGS!

Similar Works:
This tool is an extension of ngrep (network grep) and netcat.  It combines
their functionality under a common configuration language.

Thanks to:
	- EVERYONE IN THE CREDITS FILE!

Code and Concept Copyright 
Jan 10, 2000 David Brumley <dbrumley@stanford.edu>


IF YOU HAVE COMMENTS/SUGGESTIONS/BUGS, FEEL FREE TO EMAIL 
David Brumley <dbrumley@theorygroup.com>
