NetRanger was a Network Intrusion Detection System designed by Wheelgroup. Rather than sniffing Ethernet, the NetRanger would receive UDP packets from a BorderGuard 2000 or BorderGuard 1000. Later versions of the NetRanger software would work as a sniffer, or accept packets from a Cisco router.

The component software modules of a NetRanger:

sensord/packetd
The component which accepts packets from the network. sensord reads UDP packets with embedded packets, and packetd reads directly from the wire. sensord listens on two ports: one is for packets that are copied directly to the NetRanger, the other is for alert packets - packets containing information about alarms triggered on the BorderGuard. sensord.conf contains both built-in binary context signatures and user-configurable content signatures.
Use of sensord allowed the NetRanger to operate at higher wirespeeds than other NIDS. Rather than attempting to capture all packets and then discard irrelevant ones, a packet filter selects the packets the NetRanger cares about, and feeds it only those.
managed
Controls the attached BorderGuard or Cisco, allowing the NetRanger to automatically apply filters and letting operators remotely execute commands on the router.
postofficed
Controls communication between NetRanger components. It can also communicate between components on different sensors and the director.
loggerd
Actually writes events to the logs. Alerts can be forwarded to other sensors or directly to a central director. Typically, a sensor will locally log at a very low threshold, including all TCP SYN, ACK, FIN, and RST packets, but only forward potential incidents (e.g., portscans).
The NetRanger was used by NetSolve, IBM, and the 609th Information Warfare Squadron, as well as other, smaller groups. Support for the BorderGuard 2000 was discontinued when Wheelgroup was acquired by Cisco.
