PLEASE NOTE: NeFiAS is discontinued due to the limitations of bash environments in terms of stack space and in favor of the WoDiCoF+ project that will be made public in the coming years. See here for information about the WoDiCoF project and here for some information about WoDiCoF+ (in German).
NeFiAS is a simple and portable tool for network anomaly detection/network forensics, mostly tailored for the domain of network covert channels (network steganography). It was (initially) written by Steffen Wendzel. With NeFiAS we aim to provide the scientific community with the most accessible, easy-to-use testbed feasible. NeFiAS is a tool that you can use to test your own covert channel detection algorithms. Also, feel invited to publish your own detection algorithms in this repository to allow experimental replications of your own research work (just contact Steffen for this purpose).
- Portability
- Code-base as tiny as possible
- Low barrier to work with the tool; enable students to easily extend the tool when they write a thesis
- Support good performance, but prioritize usability if the system can be made more accessible for students and other researchers
- Modularity for detection modules; make it possible to write detection modules with as few lines of code as feasible
- Very tiny framework: core system contains less than 1,000 lines of code
- Portable (core system entirely written in
bashandawk(see the story in the documentation) - Provides improved performance (if used by multiple accounts on the same host or if set up as a Beowulf cluster, i.e. can be easily spread among many nodes), but is not tailored for any big-data scenarios!
- Requires only standard Linux, no special libraries or tools required (see requirements below)
Read the Documentation
Check the available NeFiAS Detection Scripts
NeFiAS requires only standard Linux tools:
bc(console calculator)dialog(optional)bashssh/scpgawk,sed,tr,splitetc.gziptshark(optional, but pretty useful)