{"id":20337835,"url":"https://github.com/jigsaw-code/rids","last_synced_at":"2025-05-08T02:31:40.156Z","repository":{"id":65230244,"uuid":"580224695","full_name":"Jigsaw-Code/rids","owner":"Jigsaw-Code","description":"Remote Intrusion Detection System","archived":true,"fork":false,"pushed_at":"2023-01-20T20:26:58.000Z","size":92,"stargazers_count":12,"open_issues_count":0,"forks_count":2,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-03-20T05:30:30.359Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Jigsaw-Code.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-12-20T02:50:28.000Z","updated_at":"2024-07-16T23:43:12.000Z","dependencies_parsed_at":"2023-02-12T05:01:34.709Z","dependency_job_id":null,"html_url":"https://github.com/Jigsaw-Code/rids","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jigsaw-Code%2Frids","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jigsaw-Code%2Frids/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jigsaw-Code%2Frids/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jigsaw-Code%2Frids/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Jigsaw-Code","download_url":"https://codeload.github.com/Jigsaw-Code/rids/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252986825,"owners_count":21836233,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T21:10:23.817Z","updated_at":"2025-05-08T02:31:39.855Z","avatar_url":"https://github.com/Jigsaw-Code.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# RIDS: Remote Intrusion Detection System\n\nThis tool allows you to inspect some types of unusual activity on your network in order to detect malware installed on endpoints.\n\n\n## Installing\n\nThese instructions assume a VPS running on Digital Ocean, but should\napply to other deployment environments, perhaps with slight changes.\n\nOpen an SSH connection or enter a console with sudo'er permissions and execute\nthe following:\n\n    curl https://raw.githubusercontent.com/Jigsaw-Code/rids/master/install.sh | sudo bash\n\n\n## About\n\nYou can use this tool to set up tshark on a VPS for detecting\nsuspicious activity.  In this case that means TLS handshakes that are on a\nnon-standard port and/or missing an SNI.  This definition may expand as \nfeatures are added to RIDS.\n\n`tshark` is a command-line version of wireshark that provides a useful view of network activity for a device.  Installing this tool will add entries to the system journal for later review.  This project may evolve to surface this information to server clients more conveniently, but at present it requires a root user access to the server.\n\nThis service can also be configured to look for known-compromised IP addresses, based on\npublicly-available IOC sources or a custom list of IP addresses.  See config_example.json\nfor an example config that pulls from EmergingThreats compromised IP list.  The expected\nformat is newline-separated string-encoded addresses, one on each line.\n\nTo pass different configurations you can use the --config_path flag when running RIDS (or in the\ndetect.sh script that launches it), with the path being relative to the working directory where\nthe Python script is being run.\n\n\n## Viewing logs output\n\nBecause the service is running on systemd, the script's output can be viewed using `journalctl`:\n\n    journalctl -u detection.service --follow\n\nThere are additional flags for checking the logs from a specific boot session, during a time window, and for converting timestamps into a local time zone.  See this Digital Ocean doc about journalctl for more details.\n\nBy default, tshark buffers its output so it may be up to a few minutes between an event and when it shows up in journalctl logs.  You can make tshark immediately flush to stdout after every line by passing -l (\"ell\") with its other options in the shell script where it is started, and then restart the service.  Typically, this won't be necessary, but could be useful while debugging any modifications to the tshark arguments.\n\nAt first you may not see anything other than the beginning output of tshark -- it checks for updates then prints a couple lines \"... [Main MESSAGE] -- Capture started.\" and \"File: /tmp/wireshark_eth0…pcapng\".  Any additional output will be from the TLS secure handshake going to an unusual port.  There will be a timestamp and some details about the source and host including a server name if one is provided, then the client and server fingerprints of the secure handshake.  These can be used for later analysis.\n\n\n## Caveats\n\nIn general you should not see any TLS activity, in non standard ports, with a few exceptions:\n\n   * DNS-over-TLS on port 853\n   * proxy-safebrowsing.googleapis.com:80\n   * mtalk.google.com:5228\n   * courier.push.apple.com:5223\n   * imap.gmail.com:993\n\nAlso see:\n\n   * [Apple ports](https://support.apple.com/en-us/HT202944)\n   * [GMail ports](https://support.google.com/mail/answer/7126229?hl=en#zippy=%2Cstep-change-smtp-other-settings-in-your-email-client)\n   * [Android ports](https://support.google.com/work/android/answer/10513641?hl=en)\n   * [Firebase ports](https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall)\n   * [Google IPs](https://cloud.google.com/vpc/docs/configure-private-google-access#ip-addr-defaults)\n\nThe `sni_filter.py` script filters out these client and server hellos based on the SNI.  If you see other SNIs that you would rather ignore in the output, they can be added to the allow-list in that script.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjigsaw-code%2Frids","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjigsaw-code%2Frids","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjigsaw-code%2Frids/lists"}