It’s pretty amazing what some people are doing with AutoIt!

DecaffeinatID: A Very Simple IDS / Log Watching App / ARPWatch For Windows

This project started because I wanted a simple ARP Watch like application for Windows. In a short matter of time, feature creep set in. DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/LAN are up to the kind of “reindeer games” that often happen at coffee shops and hacker cons. For more information on the sort of attacks I’m talking about see my article Caffeinated Computer Crackers. It’s not meant to be a replacement for something more feature rich (but complicated) like Snort. DecaffeinatID watches the Windows logs for three main things and pops up a message in the Windows Systray when it sees any of the following:

New or changed ARP table entries
Think of this as a poor man’s ARPWatch for Windows. The IDS gives a special alert whenever it sees the MAC address of the IP gateway change.

New events in security log
This will let you know about attempted and successful logins, assuming you have set up auditing for such things in your local security settings.

New events in the firewall log
DecaffeinatID will read your Windows firewall log (if you have one) and list events.

DecaffeinatID should work in Windows XP SP2 and Vista. Notifications are logged into idslog.txt located in the present working directory. Currently settings can be changed via the decaffeinatid.ini file that is created whenever DecaffeinatID is first run. You can sort of set what is monitored via the GUI, but the single threaded nature of Autoit3 causes it to be somewhat less than responsive at times (we are working on this). You may want to just edit the settings via the INI for now.
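
The ARP watching idea described above (new or changed entries, with a louder alert when the gateway's MAC changes) can be sketched as follows. This is an added example in Python, not DecaffeinatID's AutoIt code; it assumes snapshots of Windows `arp -a` output and a gateway IP supplied by the caller, and the two snapshots are constructed sample data.

```python
import re

# One entry line of Windows `arp -a` output: IP, dash-separated MAC, type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I)

def parse_arp(text):
    """Return {ip: mac} for the dynamic entries (static/broadcast rows are skipped)."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def diff_arp(old, new, gateway):
    """Compare two snapshots and return a list of (severity, message) alerts."""
    alerts = []
    for ip, mac in sorted(new.items()):
        if ip not in old:
            alerts.append(("info", f"new ARP entry {ip} is at {mac}"))
        elif old[ip] != mac:
            # Other IPs already using the new MAC point at the host now answering for `ip`.
            also = sorted(o for o, m in new.items() if m == mac and o != ip)
            msg = f"{ip} moved from {old[ip]} to {mac}"
            if also:
                msg += f" (MAC also used by {', '.join(also)})"
            alerts.append(("critical" if ip == gateway else "warning", msg))
    return alerts

# Constructed snapshots: the gateway 192.168.1.1 starts answering with the MAC of .40.
BEFORE = """Interface: 192.168.1.23 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.40          00-aa-bb-cc-dd-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
AFTER = """Interface: 192.168.1.23 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-01     dynamic
  192.168.1.40          00-aa-bb-cc-dd-01     dynamic
  192.168.1.77          00-aa-bb-cc-dd-02     dynamic
"""

if __name__ == "__main__":
    for severity, message in diff_arp(parse_arp(BEFORE), parse_arp(AFTER), "192.168.1.1"):
        print(f"[{severity}] {message}")
```
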
