Shoki is a free, open source network intrusion detection system
for conducting traffic analysis.
The fundamental design goals of shoki are:
- Simplicity. The components of shoki are designed to be as
straightforward (and therefore as easy to understand) as possible.
- Modularity. The functionalities provided by the various components
of shoki are intended to be as decoupled from each other as
Major features include:
- Signature matching using libpcap-style filter expressions
- Support for searches using POSIX extended regular expressions
- Optional support for searches using Perl-compatible regular expressions
- Dynamic rule-based signature generation
- Correlation of data from multiple sources
Additional features include:
- Sending alerts to IM clients via the Jabber protocol
- Visualisation of packet data via OpenGL
- Anomaly scoring based on questionable math
- Correlation of events to local assets (and known vulnerabilities)
- Remote OS identification via passive fingerprinting
- RFC 815-style fragment reassembly
- Configurable scan detection
- Configurable threshold-based signature detection
- Analysis of entropy in IP packet fields
A mailing list exists for general discussion of the design and implementation
of the shoki NIDS. You can subscribe to the mailing list
The readme from the distribution. It contains information about the
requirements for installing shoki, as well as the tricks and traps involved
in getting it set up at this stage of development.
The changelog from the distribution.
The shoki users guide, which includes installation instructions, configuration
instructions, and additional details about shoki.
Packet Hustler Documentation
Documentation and screenshots of hustler(1), a 3D GUI for visualisation of
HTML versions of the man pages
Information about the peculiar network symbols used in the shoki documentation
(and the logo)
You can download the latest shoki release from the project's
homepage at sourceforge.net.
Any and all comments, questions, and suggestions are welcome. Don't
hesitate to send mail to
directly to the primary author