Blare is an experimental host-based, policy-based intrusion detector for Linux.
What is policy-based intrusion detection?
It is an approach whose purpose is to detect clear violations of a well-defined security policy. This is different from other intrusion detection approaches that aim either at detecting known attack scenarios or that consider any unusual or unexpected behavior as suspect.
Why do you think it is great?
Ideally, a policy-based IDS (PBIDS) needs only a formal definition of the security policy to enforce. It does not require knowledge of attack scenarios nor system vulnerabilities. Also, since no empirical data are used, there is no learning process. A PBIDS will theoretically detect all violations of the policy (including those that exploit novel or unknown scenarios and vulnerabilities) and requires maintenance only when the security policy needs to be changed.
What are the limits and drawbacks?
The most obvious limit of a PBIDS is the expressive power of its policy definition formalism. In the case of Blare, implementable policies are confidentiality and integrity policies such as access control schemes, Chinese walls, Bell-LaPadula or Biba schemes etc. Policies that involve external parameters such as time (for example, "this file should be writable only on Mondays"), workflow policies, availability requirements or specific operation procedures cannot be implemented using the current model. Another
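As an added illustration of the two answers above (it is not code from the Blare project), the following toy Python detector replays a constructed trace of reads and writes against a constructed confidentiality policy and alerts only when a container ends up holding information the policy forbids; every container name, policy entry and event in it is an assumption made for the example.

```python
# Added illustration, not Blare's own code: a toy policy-based detector that
# tracks information flow between containers (files and processes). All names,
# policy entries and events below are constructed.
def allowed(policy, name):
    """Origins `name` may contain; an unlisted container may hold only its own data."""
    return policy.get(name, {name})

def replay(events, policy):
    """Replay (op, process, file) events, op in {"read", "write"}.

    A read moves the file's origins into the process, a write moves the
    process's origins into the file. Returns [(event_index, container, forbidden)].
    """
    origins = {}  # container name -> origins it may now contain (initially itself)

    def tags(name):
        return origins.setdefault(name, {name})

    alerts = []
    for i, (op, proc, path) in enumerate(events):
        if op == "read":
            src, dst = path, proc
        elif op == "write":
            src, dst = proc, path
        else:
            raise ValueError(f"unknown operation {op!r}")
        tags(dst).update(tags(src))
        forbidden = tags(dst) - allowed(policy, dst)
        if forbidden:  # the policy is violated, whatever path the data took
            alerts.append((i, dst, frozenset(forbidden)))
    return alerts

# Constructed policy: the backup job may handle the secret and stage it in
# /tmp/scratch; the web server may read the scratch area but never hold secret data.
POLICY = {
    "backup": {"backup", "/etc/secret", "/tmp/scratch"},
    "/tmp/scratch": {"/tmp/scratch", "backup", "/etc/secret"},
    "web": {"web", "/tmp/scratch", "backup"},
    "/var/www/index.html": {"/var/www/index.html", "web"},
}

# Constructed trace: no single access is forbidden on its own, yet secret data
# reaches the web server via the scratch file, which the policy forbids.
EVENTS = [
    ("read", "backup", "/etc/secret"),
    ("write", "backup", "/tmp/scratch"),
    ("read", "web", "/tmp/scratch"),
    ("write", "web", "/var/www/index.html"),
]
```

Replaying EVENTS against POLICY raises the first alert at the third event, for the web process, naming /etc/secret as the forbidden origin even though the web process never opened that file itself.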
By the way: why is it called Blare?
Because, as everybody knows, elephants are smarter than pigs ;)
System related questions
What systems does KBlare run on?
KBlare requires Linux kernel version 2.6 and a filesystem that supports POSIX extended attributes. There are no further dependencies, so it should run on any Linux distribution that meets these two criteria.
Is it or will it be ported to (***your preferred OS here***)?
For now, only a Linux version is available. Nevertheless, we would like to support other OSes as well. If you can offer some help implementing Blare on other platforms, please contact us.
Usage & Licensing
What is the license of Blare?
Blare is licensed under the terms of the GNU GPL.
Can I use Blare for free?
Yes, please help yourself to download and use it. However, contributions are welcome! If you wish, you can either offer a donation directly to us, or to some organization of your choice that supports the free and open-source software movements (FSF, Debian etc.)
Can I use Blare in a commercial product?
Yes, provided that at least the component of your commercial product that contains Blare code is GPLed. Please see the GNU GPL for details.
I am not comfortable with the GPL, can I obtain another license?
No, you can't. It is not our policy to offer non-GPL licenses for Blare. Moreover, Blare contains derivative work of the Linux kernel and as such it must be licensed under the GNU GPL.