
What is OrchIDS?

OrchIDS is a new generation Intrusion Detection System (IDS) based on real-time event correlation.
OrchIDS can also be used as a powerful offline tool for forensic analysis of past events from multiple log sources simultaneously.

Latest News
09/20/11 :

Alerts display with PreWikka using LibPrelude (mod_prelude)

05/26/11 :

Forensics on steroids with mod_prolog_history

05/22/11 :

Read and write IDMEF alerts with mod_idmef
Generate IODEF reports with mod_iodef

04/08/11 :

Rules syntax update (New syntax available here)

02/02/11 :

Orchids WebSite v2 creation

29/01/11 :

Prelude module available : send alerts to a prelude-manager. (See here)

Public Partners

Industrial Partners

Orchids Wiki

All the documentation about Orchids is available in the Wiki.

Main Wiki links :


File                      Description
orchids-1.0-1.i686.rpm    Orchids Intrusion Detection System RPMs (How to install)
orchids-1.0.tar.gz        Orchids sources (How to compile)
orchids-1.1-beta.tar.gz   Orchids 1.1 beta: syntax enhancement, new modules (IDMEF, IODEF, prolog_history)

The Orchids Project

The Orchids project started in December 2002, under the direction of Jean GOUBAULT-LARRECQ, within the framework of the RNTL project DICO (Réseau National des Technologies Logicielles - Détection d'Intrusions Coopérative, started in December 2001) and the ACI Crypto PSI-Robuste project.
It was developed by Julien OLIVAIN from 2003 to 2005, and has been updated since 2010 by Baptiste GOURDIN, both members of the SECSI Team at the LSV. The SECSI Project is a research project on the security of information systems.
It is a joint project of the INRIA research unit and of the LSV.


Orchids is available under the CeCILL license.


The Orchids platform is composed of three main parts:

  • a set of rule definitions (in a dedicated specification language)
  • a set of input plugins which decode data incoming from external sources
  • a correlation engine based on an internal state machine


Host: Orchids can be run on any POSIX-compliant Unix host.

Sources: Orchids comes with a set of modules to receive events from different sources:

  • Prelude: Correlate events stored in a Prelude database.
  • auditd: Parse logs generated by Auditd.
  • Syslog: Parse logs generated using the Syslog standard.
  • Netfilter: Parse logs generated by Netfilter.
  • Snare: Read text logs produced by Snare.
  • SNMP: Periodically check SNMP OIDs.
  • Your format is not in the list? Write your own Orchids input plugin: Writing input plugin for Orchids

Standards:

  • RFC 4765 IDMEF (input / output): Since Orchids is able to work in a Prelude system, it can work with the Intrusion Detection Message Exchange Format (IDMEF). It is able to read and process IDMEF alerts and also to write alerts in this format.
  • RFC 5070 IODEF (output): Generate alert reports using the Incident Object Description Exchange Format.
  • More information is available in the wiki page Orchids Standards.


The Orchids consortium is an informal group of people entrusted with the development of Orchids tools.

OrchIDS Consortium current membership:

  • INRIA: Institut National de Recherche en Informatique et Automatique
  • CNRS: Centre National de la Recherche Scientifique
  • ENS-Cachan: Ecole Normale Superieure de Cachan
  • DGA-MI: Ministere de la Defense Nationale
  • EADS: European Aeronautics, Defence and Space Company
  • THALES: French Aeronautics, Defence & Space Company