Patriot NG is a Host IDS‟ tool that allows real-time monitoring changes in Windows systems. According to Wikipedia, an IDS is defined as “a program used to detect unauthorized access to a computer or a network”.
Prerequisites.
You need to have installed correctly Winpcap (http://www.winpcap.org/install/default.htm) to be fully functional Patriot 2.0.
Patriot monitors:
- Changes in Registry keys: Indicating whether any sensitive key (autorun, internet explorer settings…) is altered.
- New files in ‘Startup’ directories
- New Users in the System
- New Services installed
- Changes in the hosts file
- New scheduled jobs
- Alteration of the integrity of Internet Explorer: (New BHOs, configuration changes, new toolbars)
- Changes in ARP table (Prevention of MITM attacks)
- Installation of new Drivers
- New Netbios shares
- TCP/IP Defense (New open ports, new connections made by processes, PortScan detection…)
- Files in critical directories (New executables, new DLLs…)
- New hidden windows (cmd.exe / Internet Explorer using OLE objects)
- Netbios connections to the System
- ARP Watch (New hosts in your network)
- NIDS (Detect anomalous network traffic based on editable rules)
