Modular System for Network Payload Analysis
Ruminate is a platform for analyzing data transferred through the network. Ruminate focuses on scalability, flexibility, and the ability to perform arbitrary actions on objects transferred through the network. Ruminate is designed address today's attacks, which are increasingly found in client application objects (like documents or multimedia files) transferred through the network. Another goal of Ruminate is to be able to support the needs of organizations responding to persistent targeted attacks, including collection of layer 7 and embedded client application metadata. Ruminate doesn't do many of the tasks that traditional IDS do, such as packet header analysis, port scan detection, etc. Ruminate is not as well refined as other IDS out there, but the hope is that it will drive research and possibly be of use to operational environments also. Absolute efficiency and elegance of implementation are not current foci of the ruminate project.
Check out Charles's blog posts with a tag of ruminate for recent news.
Blog Post on HTTP 206 and Ruminate
As of yet, no peer reviewed journal articles have been published.
GMU Technical Report 2010-20 This technical report discusseses the benefits ruminate provides, focussing largely on the scalability of the platform and ability to operate on network payload objects, even when high latency or computationally expensive analysis is required.
Future publications will focus on real world detection capbilities of ruminate platform, improvements to the platform, and new detection capabilities facilititated by the ruminate platform.
Version 20101021 The 20101021 release provides essentially the same functionality as decribed in the 2010-20 technical report.
Version 20110226 This release is much better suited for operational environments. Notable features include significantly improved HTTP parsing including better logging and HTTP 206 defrag and pervasive use of yara.
Between each "major" release weekendly releases that are provided "as is" every weekend or two.
The primary developer/researcher of Rumiante is Charles Smutz who is working towards a PhD.
Angelos Stavrou is advising, directing, and faciltating this research.
Steve Adair is also a collaborator.
If you are interested in collaborating or contributing, contact Charles or Angelos.
Development and testing of ruminate is currently being performed predominately at George Mason University
Thanks to Lockheed Martin for releasing vortex as open source.