The NetRanger was a Network Intrusion Detection System designed by Wheelgroup. Rather than sniffing Ethernet, the NetRanger would receive UDP packets from a BorderGuard 2000 or BorderGuard 1000. Later versions of the NetRanger software would work as a sniffer, or accept packets from a Cisco.
The component software modules of a NetRanger:
- The component which accepts packets from the network. sensord reads UDP packets with embedded packets, and packetd reads directly from the wire. sensord listens on two ports: one is for packets that are copied directly to the NetRanger, the other is for alert packets - packets containing information about alarms triggered on the BorderGuard. sensord.conf contains both built-in binary context signatures and user-configurable content signatures.
Use of sensord allowed the NetRanger to operate at higher wirespeeds than other NIDS. Rather than attempting to capture all packets and then discarding the irrelevant ones, a packet filter selects the packets the NetRanger cares about and feeds it only those.
- Controls the attached BorderGuard or Cisco, allowing the NetRanger to automatically apply filters, and to let the operators remotely execute commands on the router.
- Controls communication between NetRanger components. It can also communicate between components on different sensors and the director.
- Actually writes events to the logs. Alerts can be forwarded to other sensors or directly to a central director. Typically, a sensor will locally log at a very low threshold, including all TCP SYN, ACK, FIN, and RST packets, but only forward potential incidents (e.g., portscans).
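
The two-tier behaviour described in the last item (log everything at a low threshold locally, forward only potential incidents) can be sketched as follows. This is an added example, not NetRanger code: the `Sensor` class, the portscan thresholds and the sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict

SCAN_PORTS = 5      # assumed: this many distinct ports from one source ...
SCAN_WINDOW = 10.0  # ... within this many seconds is a potential portscan
LOGGED_FLAGS = {"SYN", "ACK", "FIN", "RST"}

class Sensor:
    def __init__(self):
        self.local_log = []              # low threshold: kept on the sensor
        self.forwarded = []              # high threshold: sent to the director
        self._syns = defaultdict(list)   # src -> [(time, dst_port)] of bare SYNs
        self._alerted = set()            # sources already reported

    def observe(self, ts, src, dst, dport, flags):
        flagset = set(flags.split("+"))
        # Every TCP control packet is written to the local log.
        if flagset & LOGGED_FLAGS:
            self.local_log.append((ts, src, dst, dport, flags))
        if flagset != {"SYN"}:
            return
        # Only connection attempts inside the sliding window count as a scan.
        recent = [(t, p) for t, p in self._syns[src] if ts - t <= SCAN_WINDOW]
        recent.append((ts, dport))
        self._syns[src] = recent
        ports = sorted({p for _, p in recent})
        if len(ports) >= SCAN_PORTS and src not in self._alerted:
            self._alerted.add(src)
            self.forwarded.append(
                {"time": ts, "src": src, "alert": "portscan", "ports": ports})

def sample_events():
    # Constructed traffic: one web client, one fast scanner, one slow prober.
    web = [(0.0, "192.0.2.10", "203.0.113.5", 80, "SYN"),
           (0.1, "192.0.2.10", "203.0.113.5", 80, "ACK"),
           (0.9, "192.0.2.10", "203.0.113.5", 80, "FIN+ACK")]
    scan = [(1.0 + i * 0.2, "198.51.100.7", "203.0.113.5", p, "SYN")
            for i, p in enumerate((21, 22, 23, 25, 80))]
    slow = [(2.0 + i * 15, "192.0.2.44", "203.0.113.5", p, "SYN")
            for i, p in enumerate((21, 22, 23, 25, 80))]
    return sorted(web + scan + slow)

def run_sample():
    sensor = Sensor()
    for event in sample_events():
        sensor.observe(*event)
    return sensor

if __name__ == "__main__":
    s = run_sample()
    print(len(s.local_log), "logged locally;", len(s.forwarded), "forwarded")
```

The slow prober touches the same five ports but never within one window, so it appears only in the local log; a fixed window like this trades missed slow scans for fewer forwarded alerts.
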
The NetRanger was used by NetSolve, and the 609th Information Warfare Squadron, as well as other, smaller groups. Support for the BorderGuard 2000 was discontinued when Wheelgroup was acquired