Get it on GitHub.
The basic functionality of the NetStinky app is to check if your network
has appeared on any published network blacklists. This typically occurs
A proactive approach to network monitoring can detect compromise events in real time. By monitoring the WAN link of your NetStinky IDS-enabled router, it is possible to detect fine-grained events before external services have noticed a problem.
The nsids service runs inside your router and captures traffic traversing the router. Specifically, the service captures two classes of traffic in order to perform deep packet inspection on them:
TCP SYN packets have their source and destination IP addresses and port numbers inspected. If a combination of IP address and port number appears in the internal IoC database, a compromise event is recorded.
DNS queries are inspected to read the domain names in their questions section. If a domain name in the query matches one of the domains listed in the internal IoC database, a compromise event is recorded.
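The two checks described above, as an added Python example that is not nsids's own code: a SYN-only TCP packet is matched on its (IP, port) pairs, and the QNAMEs in a DNS query's question section are parsed from the wire format and matched against the domain list. The IoC values and the packets are constructed placeholders.

```python
import struct
from dataclasses import dataclass

# Constructed IoC database (placeholder values, not the NetStinky feed).
IOC_IP_PORTS = {("203.0.113.10", 4444), ("198.51.100.7", 6667)}
IOC_DOMAINS = {"c2.example.net", "bad.example.org"}

@dataclass
class Event:
    kind: str    # "tcp_syn" or "dns"
    detail: str  # what matched

def check_tcp_syn(src_ip, src_port, dst_ip, dst_port, tcp_flags):
    """Record an event if a SYN (not SYN/ACK) touches an IoC IP:port pair."""
    SYN, ACK = 0x02, 0x10
    if tcp_flags & SYN and not tcp_flags & ACK:
        for ip, port in ((src_ip, src_port), (dst_ip, dst_port)):
            if (ip, port) in IOC_IP_PORTS:
                return Event("tcp_syn", f"{ip}:{port}")
    return None

def parse_dns_questions(msg):
    """Return lower-cased QNAMEs from the question section of a DNS message."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off, names = 12, []            # 12-byte header precedes the questions
    for _ in range(qdcount):
        labels = []
        while True:
            length = msg[off]
            off += 1
            if length == 0:
                break
            if length & 0xC0:      # compression pointer: not expected in a query
                raise ValueError("compressed QNAME")
            labels.append(msg[off:off + length].decode("ascii"))
            off += length
        names.append(".".join(labels).lower())
        off += 4                   # skip QTYPE and QCLASS
    return names

def check_dns_query(msg):
    """Record an event if any queried name is in the IoC domain list."""
    for name in parse_dns_questions(msg):
        if name in IOC_DOMAINS:
            return Event("dns", name)
    return None

def build_dns_query(qname):
    """Constructed helper: build a minimal A-record query for qname."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)
```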
The NetStinky project maintains an update server from which the nsids service receives updated lists of IoCs. nsids will periodically connect to the server and download the updated IoC databases. An alternative server can be provided if you would prefer to use an alternative source or maintain your own IoC blacklist.
The NetStinky update server is publicly available and can be used with the following command-line arguments:
--update-host netstinky-api.wand.net.nz --update-port 15000
We draw our IoCs from a number of blacklist sources. You can view the database in our IoC database explorer