DecaffeinatID: A Very Simple IDS / Log Watching App / ARPWatch For Windows


------------


This project started because I wanted a simple ARP Watch like application for Windows. In a short matter of time, feature creep set in. DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/ LAN are up to the kind of "reindeer games" that often happen at coffee shops and hacker cons. For more information on the sort of attacks I'm talking about see my article Caffeinated Computer Crackers. It's not meant to be a replacement for something more feature rich (but complicated) like Snort. DecaffeinatID watches the Windows logs for three main things and pops up a message in the Windows Systray when it sees any of the following:

New or changed ARP table entries
Think of this as a poor man's ARPWatch for Windows. The IDS gives a special alert whenever it sees the MAC address of the IP gateway change.

New events in security log
This will let you know about attempted and successful logins, assuming you have set up auditing for such things in your local security settings.

New events in the firewall log
DecaffeinatID will read your Windows firewall log (if you have one) and list events.

----------


DecaffeinatID is a simple intrusion detection and alert system for your PC that monitors your Windows logs for suspicious behavior. DecaffeinatID will pop up an alert in your system tray whenever there's an attempted remote login to your computer, and it detects changes in your firewall log, or your ARP changes. The application is currently in beta mode and not foolproof by any means, but it's also not a bad tool to run in your system tray next time you connect to the Wi-Fi at your local coffee shop or McDonalds.