
Questions tagged [ids]

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

13 votes
11 answers
6k views

Chinese Hacker-Bots attempting to exploit our systems 24/7

Our sites are constantly under attack from bots with IP addresses resolving to China, attempting to exploit our systems. While their attacks are proving unsuccessful, they are a constant drain on our ...
George • 293
10 votes
2 answers
5k views

OSSEC large scale deployment

We have a data-center and as a happy OSSEC user I am trying to convince my management to use it for host intrusion detection. However I have never deployed it on more than a handful of servers and I ...
lisa1987 • 891
7 votes
5 answers
382 views

Total SA/Engineer Management Software

So, as we've seen all over Server Fault, and over the years I've built several of each system: System / Network Monitoring (I use Nagios), System / Network Trending (I use Cacti), Centralized Log ...
grufftech • 6,900
6 votes
3 answers
3k views

Modern open source NIDS/HIDS and consoles? [closed]

Years back we set up an IDS solution by placing a tap in front of our exterior firewall, piping all the traffic on our DS1 through an IDS box and then sending the results off to a logging server ...
MattC • 377
5 votes
3 answers
382 views

Is there any Linux app available for port scanning monitoring?

Something that will run in the background and alert me by mail if some IP is port scanning the server.
daniels • 1,215
5 votes
2 answers
2k views

Updating snort rules automatically

I've been working on getting my snort machine up and running, and working through Snort IDS and IPS Toolkit. The authors suggest using Oinkmaster, but on that website, the last update was February ...
Matt Simmons • 20.5k
4 votes
4 answers
21k views

Recommend alternative to tripwire?

Looking for a host-based IDS comparable to tripwire. Preferably one that allows centralized management. Right now I use tripwire and, though it works, management and reporting through a central server ...
CarpeNoctem • 2,457
4 votes
3 answers
5k views

IDS for Windows Server 2008?

I am sure my Windows Server 2008 box is constantly under attack both at the network level and web application level. Question is how do I detect these attacks? Is there any lightweight software ...
4 votes
3 answers
10k views

ossec features vs snort / tripwire for pci compliance

I'm looking for an informed opinion on the advantages of ossec in comparison to snort/tripwire/nessus. Therefore, can anyone shed any light on what features ossec brings that can't be replicated via ...
Sirex • 5,557
4 votes
4 answers
2k views

What are your thoughts on whether or not to use a bastion host

I'm considering a new network layout for our web facing infrastructure and I'm interested in your thoughts of whether or not to use a bastion host. Is it necessary with today's technology? Right now ...
4 votes
2 answers
3k views

Is there an appliance-style distribution with web-based configuration for Snort? [closed]

There are some great "appliance" style distributions like pfSense and M0n0wall, that bundle powerful features of their respective operating systems with a nice web application for configuration. In my ...
3 votes
5 answers
3k views

IDS for Linux?

We need to set up an intrusion detection system (IDS) on our Linux proxy server. Please suggest intrusion detection systems. Anything other than Snort? And ... does Snort have a good web interface?
nitin • 2,589
3 votes
2 answers
1k views

Is there any real difference between snort and suricata?

Looking to move forward in deploying IDS/IPS on several FreeBSD firewalls and I was curious about the difference between snort and suricata. I know that Suricata is multi-threaded but in terms of rule ...
Jason • 3,941
3 votes
3 answers
19k views

Blocking Team Viewer

I'd like to block incoming TeamViewer connections to my network, but at the same time to allow outgoing TeamViewer connections. So that users can't connect to their work PCs with TV (circumventing ...
Hubert Kario • 6,409
3 votes
1 answer
3k views

Standalone Windows HIDS

We are looking into installing a host intrusion detection system on a Windows 2008 R2 web server. Our requirements are, at least for the time being, that the system needs to be standalone and also ...
user75709
2 votes
1 answer
891 views

Webserver security, intrusion detection, and file integrity

I would like to add some type of tracking / alerting on some linux webservers running PHP and Apache. In doing searches I have come across a lot of info from 2006-2009. Would like to revisit ...
enfield • 267
2 votes
2 answers
6k views

KVM bridge for promisc interface IDS

I have a KVM virtualization server which serves up a br0 bridge, mapped to eth0. I want to add eth2 as a bridge to br2 for an IDS virtual machine I'm testing, but the guest OS doesn't see either br2 or ...
batflaps • 199
2 votes
3 answers
391 views

Is there a PAM module for DNSBL lookups?

I have been enumerating the remaining security concerns on one of my back-end production servers, when I came to the realization that something which could be incredibly useful was missing from my ...
RapidWebs • 571
2 votes
4 answers
2k views

Simple application level file integrity monitoring & Intrusion detection (IDS)

We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a ...
Dev • 21
2 votes
1 answer
59 views

POLICY Mozilla Multiple Products HTML href shell attempt - SNORT

We've had a few of these alerts get triggered through Snort: "POLICY Mozilla Multiple Products HTML href shell attempt". I'm struggling to find any information pertaining to this alert; does anyone ...
mbuk2k • 139
2 votes
0 answers
2k views

Suricata logs "A Network Trojan was detected". Is it false positive?

I use Suricata as an IDS on a local network that is not connected to the internet. It logged a few alerts from some clients that said "A Network Trojan was detected". All the log's properties are in the following:...
Arani • 338
2 votes
1 answer
1k views

Can Suricata be used as an effective IPS on a single server?

I've been looking for an effective intrusion prevention system (IPS) for an Ubuntu 14.04 server, something like what Symantec or F-Prot might offer for a Windows server. I've contacted major ...
Christopher Hinkle
1 vote
3 answers
787 views

How to drop packets in a custom Intrusion Detection System

I'm trying to build a custom Intrusion Detection and Prevention System (IDS/IPS). I found a great utility named ROPE which can scan the packet payload and drop the packet that doesn't follow the rules,...
tzoukos • 13
1 vote
2 answers
3k views

How can I mirror all of the traffic on a network interface to a virtual interface?

I am trying to set up snort to act as an IDS on a Debian machine that also functions as a router. Ideally I would like to set up snort in such a way that I would not have to purchase an additional ...
lacrosse1991 • 1,457
1 vote
2 answers
292 views

Web server hosting infrastructure, does IPS help?

I am working on setting up new networking for a datacenter hosting a web site. We have the following topology: Internet -> Firewall1 -> ReverseProxy(for security) -> Web Server -> firewall2 -> database ...
mamu • 342
1 vote
2 answers
170 views

Can the bulk execution of "dig domain mx" on 5000 domains be considered an attack on the network?

I have a database containing a lot of invalid emails. I want to remove all the emails whose domain does not have mx record. So after I extracted the domain part I wrote a script to bulk check this for ...
Marinos An
1 vote
1 answer
2k views

Create an NFQUEUE rule to match a local-address destination in my Raspberry Pi router

I'm working on a project to verify the source of each packet if its destination is one of several IPs on the LAN network. I'm interested in the LAN IPs, not the WAN. I tried to create many matches ...
zezo mehdawi
1 vote
1 answer
2k views

Snort not sniffing any traffic except its own

I'm currently trying to set up Snort on my local machine. At the moment I have 3 VMs: 1 with snort on it and 2 used to ping each other. Whenever I ping from one of the devices to the Snort machine, ...
Sander Willems
1 vote
1 answer
2k views

Replaying pcap file for Snort

I currently have the following, presumably standard, setup: I have a physical server with Snort running. Snort logs into its log files as it should. Those files are tracked by barnyard2 which writes ...
Roper • 121
1 vote
1 answer
962 views

Is there a way from iptables to forward all traffic to my IDS Suricata on a second interface?

Hello there, is there a way from iptables to forward all traffic to my IDS Suricata and also keep the regular flow? I have two interfaces and I did find how to do it with one interface; example: -t ...
merge delete
1 vote
1 answer
521 views

Stateful Signatures in an IPS

I am researching in-line IPS devices and their signatures both stateful and stateless. The test network I am looking to implement the IPS in has asymmetric traffic so stateful inspection would be ...
SomethingSmithe
1 vote
1 answer
2k views

Snort monitoring of spanning interface

I have configured a Cisco 3500 switch with a port SPAN and have my snort node (fedora 13) plugged into it. I am running snort as a daemon and have configured a rule to log all tcp traffic but I am ...
aHunter • 324
1 vote
0 answers
41 views

Unreliable Hyper-V Port Mirroring

To set the stage: Host: Dell Server Windows Server 2019 Standard Xeon E-2660 64GB RAM Broadcom NetExtreme Gigabit Ethernet Card Guest: Gen 1 Debian 12288 RAM (not dynamic) standard network adapters ...
Mixinitup4Christ
1 vote
0 answers
80 views

Why can snort not alert on this pcap?

The rule is alert tcp any any <> any any (sid:11111;content:"GET";), a file named http.pcap, which has the content GET /s?wd=%E7%99%BE%E5%BA%A6 HTTP/1.0, and a config file named 1.conf ...
zhzhy • 11
1 vote
0 answers
76 views

Suricata / Filebeat / ELK - iptables tee - Create virtual hosts

I have an IDS setup as follow: Hardware / interfaces WAN <----(brwan)> ROUTER / AP <(br0)----> LAN \ -----(eth1)>...
Gabriel ROUSSEAU
1 vote
0 answers
276 views

Auditd to CloudwatchLogs to IDS alerts?

I'm administering a relatively simple AWS stack with about 5 heterogeneous Linux EC2 instances. All instances have already been set up to ship important logs to CloudWatch Logs. Now I want to set up a ...
spinkus • 207
1 vote
0 answers
68 views

HIDS: Need a trip wire for a honeypot, best approach?

We run a small VPS hosting company, each vps is based on a fixed 18.04 template. We run a honeypot, a fallow server, to verify the template continues to be secure. We look at it probably once a month ...
DaBuddha
1 vote
0 answers
213 views

Is it possible to decapsulate ERSPAN and forward on RSPAN?

I am currently running into an issue where we are trying to send our network traffic from our physical infrastructure into a virtual AlienVault appliance, but our switches are unable to send RSPAN ...
brittonballard
1 vote
0 answers
235 views

Suricata: Error opening file threshold.config

I use Suricata 4.0.5 (an open source IDPS) on Windows Server 2012. It raises the below error when I run it; however, it runs. Error opening file threshold.config I searched for this error and found ...
Arani • 338
1 vote
0 answers
7k views

Snort rule for detecting DNS packets of type NULL

I am trying to detect DNS requests of type NULL using Snort. I located the type field of the request packet using Wireshark: I found the following rule on McAfee: alert udp any any -> any 53 (msg:...
arne.z • 367
1 vote
1 answer
764 views

Intrusion Detection/Prevention in AWS

On a normal server, I would have fail2ban handle intrusion detection; how would I go about setting up IDS/IPS on AWS? Any help or pointers would be appreciated.
Cenoc • 217
1 vote
0 answers
1k views

Barnyard2 error on start

Been setting up a snort box with barnyard2 and ran into the error below. Can someone please help? $Starting Snort Output Processor (barnyard2): ./barnyard2: 35: ./barnyard2: barnyard2: not found /etc/...
user3329963
1 vote
0 answers
797 views

configure frag3 in SNORT

I'm trying to test IDS systems on evasion. I have picked up Snort IDS. I have crafted a few fragmented-packet scenarios, and I'm sending those fragmented packets to the destination address. All these crafted ...
mgaspar • 11
0 votes
2 answers
128 views

Last night, my server was doing something intensive with the hard drive

I have an Ubuntu server running in my bedroom. It's connected to the internet. Last night, at 5am, it was doing some intensive I/O with the hard drive (I heard it) for like 20 minutes. I don't have ...
sybind • 327
0 votes
2 answers
531 views

Is there a way from iptables/iproute to forward all traffic to my IDS and also keep the regular flow?

The reason for this is to catch all packets into my IDS while keeping my existing environment, so the IDS does not become a single point of failure. If I route all my traffic into my IDS and from my IDS ...
merge delete
0 votes
2 answers
2k views

Has anyone used any custom decoders with OSSEC?

I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS ...
user53029 • 649
0 votes
1 answer
847 views

Lean but effective linux IDS / IPS / WAF? [closed]

I'm looking for a lean but effective IDS/IDP/WAF solution for my tiny VPS webserver. Currently I already use iptables and psad, but a lot of the web server scanning attempts slip through. I use nginx ...
binaryanomaly
0 votes
3 answers
2k views

Good Firewalling practice for internet facing servers?

Does it make sense to firewall an internet facing server, say a webserver? Assuming I did not want to restrict anyone from accessing the webserver in its capacity to serve web pages, I would be ...
Sonny Ordell
0 votes
3 answers
285 views

Firewalling gateways and IDS's

For IDS, I plan to have a Win 2008 server running on the gateway with the majority of roles disabled. I plan to firewall the Internet connection, but I'd also like to install Snort to work as an IDS. ...
Scott Davies
0 votes
1 answer
410 views

How secure is Google Compute Engine?

We're moving to GCE and we want to know how secure it is. Do we need to install our own intrusion detection/prevention software on our VM instances (Tripwire, OSSEC, Snort), or does GCE handle ...
Arthur • 11