====================================================================
Firestorm v0.2.2 - A Network Intrusion Detection System
Copyright (c) 2001 Gianni Tedesco <gianni@ecsc.co.uk>
This software is released under the GNU GPL version 2 or later
====================================================================

INTRODUCTION
============
 Firestorm will be a fully featured, totally libre, network intrusion
 detection system. It aims to support lots of open standards. At the
 moment it is just a sensor, but plans are to include central correlation
 databases and an analyst console.

 At the moment firestorm is still in early development, but a lot of the
 features you would expect of a sensor are already there.


WHY FIRESTORM ?
===============
 Firestorm aims to be THE network intrusion detection system. The goal is
 to take a no-compromises approach to the design. Firestorm will be
 flexible enough to meet anyone's needs, from the kid hacker to the paranoid
 government agency. Firestorm will be network, hardware, software and
 technology agnostic; no one should be discriminated against for using IPX
 instead of TCP/IP.

 Firestorm's modular architecture helps keep it agnostic, as network protocols,
 file formats, logging facilities etc. don't need to be part of the core code.
 Making these things plugins not only permits us, but FORCES us to use clean,
 well-defined interfaces, and keeps voodoo magic out of the code. This means
 that no protocols are favoured or discriminated against.

 Firestorm, unlike most other NIDS, allows you to capture from multiple sources
 using different methods simultaneously. For example, under Linux, you can
 capture from inside and outside your firewall at once. Just use libpcap capture
 to see the packets that have got through the firewall, and then use the firewall
 netlink socket to see the packets your firewall is dropping.

 Firestorm will allow you to push intrusion data to a central server, from
 multiple sensors. The central server will then perform correlation and
 intelligently analyze the data. The data will then be displayed to the
 analyst via the firestorm console, from where she can control any part
 of the firestorm cluster.

 Firestorm aims to be very efficient, however network intrusion detection
 systems tend to add a lot of load to a system simply due to the fact that
 they perform large amounts of processing on every packet the system sees -
 usually much more than the OS kernel's protocol stacks. For this reason
 firestorm tries to pre-process as much information as is possible, shifting
 the computation to startup time, rather than increasing the per-packet
 overhead. Having said this, firestorm has not undergone any kind of real
 performance testing/tuning. The philosophy at the moment is to get it
 working, get it functional and then we'll have all the time in the world
 to make it go faster.


DOCUMENTATION
=============
 You can find HTML documentation in the doc directory. There is also a
 formatted text file called ./doc/firestorm.txt which you can view with the
 'less' command.


HACKING / BUGS
==============
 Please report bugs to Gianni Tedesco <gianni@ecsc.co.uk>. Please include
 a detailed description of the bug, a stack backtrace, and any config, ruleset
 and/or capture files, where appropriate.

 Firestorm is released under the GPL, and as such you can modify the source
 code at will. You don't have to make your changes available to anyone. That
 said, it would be great if you could share the changes you do make with us.
 Just email those patches to <gianni@ecsc.co.uk>. Thank you.
 
 See the HACKING file for technical details of what needs to be done. You don't
 have to follow it; it's just a guideline, and any new ideas or innovations will
 be much appreciated. For help on getting started with new plugins see the docs
 in the ./doc/ directory. (Help in this area is not yet available.)


INSTALLATION
============
 Read INSTALL for full details. To install from source:
  ./configure && make all && su -c "make install"


PACKAGE LOCATIONS
=================
 Source code:
	http://www.scaramanga.co.uk/firestorm/v0.2.2/firestorm-0.2.2.tar.gz

 RPM packages:
	http://www.scaramanga.co.uk/firestorm/v0.2.2/firestorm-0.2.2-1.i386.rpm

 SRPM package:
	http://www.scaramanga.co.uk/firestorm/v0.2.2/firestorm-0.2.2-1.src.rpm

 Binary tarball:
	http://www.scaramanga.co.uk/firestorm/v0.2.2/firestorm-0.2.2.Linux-i686.tar.gz

 DEB packages:
	can someone volunteer to do these please?


CONFIGURATION
=============
 Firestorm has one configuration file, which is specified on the command line.
 The format is very simple; see the comments in the included sample config for
 details.

 The stormwall daemon is very simple: it takes two parameters, both of which are
 optional:

	stormwall [-b ipaddr] [-p port]

 These let you specify which IP address and port you want the daemon to bind
 to. The defaults are 127.0.0.1:13244.


CURRENT FEATURES
================
 Fully pluggable.
 Capture from libpcap files, live network, or Linux kernel firewall netlink.
 Snort rule support.
 As many matchers as Snort.
 Support for IP, ethernet and other common protocols.
 Output to tcpdump log files.
 Push output to server (currently only in the clear).

PLANNED FEATURES
================
 IP defragmentation
 TCP stream reassembly
 Wider protocol support
 XML ruleset support
 Correlation and anomaly detection on central server
 Central management of ALL features from analyst console
