Questions tagged [intrusion-detection]
Intrusion detection is the ability of a system to analyze different parameters of a computer system in order to determine whether that system has been compromised.
51 questions
23 votes, 15 answers, 5k views
Recommend an intrusion detection system (IDS/IPS), and are they worth it?
I have tried out various network-based IDS and IPS systems throughout the years and have never been happy with the results. Either the systems were too difficult to manage, only triggered on well-...
8 votes, 1 answer, 359 views
Can Samhain monitor for a file that does not exist, but might in future?
I would like Samhain to monitor a file, say for example, /root/somefile. This file does not currently exist, but I would like to be notified if it gets created at any point.
I add this to samhainrc:
...
6 votes, 1 answer, 15k views
AIDE - How to exclude whole folders?
I've recently installed AIDE on a server of mine after having a run-in with hackers a week or so ago.
There doesn't appear to be much documentation around for AIDE, especially on their website. I've ...
6 votes, 8 answers, 808 views
What is the best strategy for detecting database intrusions?
Filesystem intrusions can be detected using tools such as Snort, but it is more difficult to detect intrusions into a database, such as deletion of rows, modification of tables, etc. What is the best ...
4 votes, 3 answers, 2k views
Comparison of Firewall, Intrusion Prevention, Detection and Antivirus Technologies in Organizational Network Architecture
These days I'm reading about intrusion prevention/detection systems. While reading, I really got confused on some points.
First, the firewall and antivirus technologies have been known terms for years, however ...
4 votes, 5 answers, 973 views
Why is my port 25 so active?
Using netstat -na I notice that I have a lot of connections like
tcp 0 0 XXX.XXX.XXX.XXX:25 YYY.YYY.YYY.YYY:13933 ESTABLISHED
tcp 0 0 XXX.XXX.XXX.XXX:25 ZZZ....
4 votes, 4 answers, 21k views
Recommend alternative to tripwire?
Looking for a host-based IDS comparable to tripwire. Preferably one that allows centralized management. Right now I use tripwire, and though it works, management and reporting through a central server ...
4 votes, 3 answers, 3k views
Is it normal for AD authentication to generate a lot of ICMP traffic?
Is it normal for AD authentication between a workstation and an AD server to generate a lot of ICMP traffic? I have a network intrusion prevention system in place that is constantly detecting a huge amount of ...
4 votes, 1 answer, 2k views
What tool searches for /w00tw00t.at.ISC.SANS.DFind:)?
In my web server logs I get a lot of these:
[error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
I know it's just a failed ...
4 votes, 2 answers, 2k views
Removing new fingerprint detection message from nmap
I run an nmap scan of my hosts daily to check for open ports.
sudo nmap -f -sS -sV --log-errors -append-output -p1-9999 host.com
But along with the output I get a long list of fingerprint ...
3 votes, 2 answers, 7k views
aide --init shows lots of errors
I have a brand new CentOS 6.2 server. The first thing I did was yum -y install aide, and then next I did aide --init. Below is a whole lot of errors I got. What does it mean? Must I reinstall it? Or ...
3 votes, 1 answer, 740 views
OSSIM In Production Environment
I am trying to get some real-world feedback on OSSIM.
Are you using OSSIM in production?
If so, what has your overall experience been?
How many nodes are in your environment?
Finally, what kind ...
2 votes, 2 answers, 158 views
Single file changed: intrusion or corruption?
rkhunter reported a single file change on a virtual server (netstat binary). It didn't report any other warning. The change was not the result of a package upgrade (I reinstalled it and the checksum ...
2 votes, 2 answers, 189 views
Breach in my machine [duplicate]
Possible Duplicate:
My server’s been hacked EMERGENCY
Suddenly, ssh claims that the key on my server is changed.
Even freenx doesn't accept my connections anymore because of the changed key.
...
2 votes, 4 answers, 175 views
What response should be made to a continued web-app crack attempt?
I have issues with a continuous, concerted cracking attempt on a website (coded in PHP). The main problem is SQL-injection attempts, running on a Debian server.
A secondary effect of the problem is ...
2 votes, 5 answers, 1k views
Utility to notify when website files are changed
Does anyone know of a (preferably free) Windows utility that recursively hashes all the files in a directory tree every x minutes and sends a notification if any files have changed?
I want to have a ...
2 votes, 4 answers, 2k views
Simple application level file integrity monitoring & Intrusion detection (IDS)
We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a ...
2 votes, 1 answer, 217 views
Using a UTM with a Link Aggregator
I am considering changing my office's internet access infrastructure to multiple ADSL lines aggregated with a link aggregator (Peplink B710).
I plan to place my existing UTM (FortiGate-100A) after the ...
2 votes, 1 answer, 276 views
Are random packets normal?
About a month ago on one of my servers I started receiving random packets from IPs all over the world. So I did the smart thing and stopped putting off installing an IDS. This IDS is a ClearOS Gateway ...
2 votes, 2 answers, 631 views
IIS - Script for repeated hacks on a website
I currently have a site that is armored by ELMAH as its reporting mechanism. Each time someone hits a URL that is incorrect it notifies me or logs to the system. This is annoying for someone fat-...
1 vote, 2 answers, 679 views
How to find security-leak after a skynet intrusion?
Some days ago, the server of a friend had an intrusion. The attack installed a new SSH daemon that let any valid account in, without providing a valid password. After login, each account automatically ...
1 vote, 3 answers, 2k views
What are some of the commonly used rule actions in snort other than the defaults?
I'm writing a strict snort rule parser and I would like to accommodate snort rules from popular plugins. The documentation specifies that any action/type is possible because they can be defined by ...
1 vote, 1 answer, 76 views
NIDS on bridged firewall
I have a firewall (Debian Stable 7.5) which works in bridged mode. The interfaces eth0 (WAN) and eth1 (LAN) are linked with the bridge interface br0.
Can I deploy a NIDS (eg. Snort) on this server? ...
1 vote, 1 answer, 293 views
Intrusion detection
I've got a security project regarding intrusion detection and prevention. I've been googling about it but didn't land on anything substantial. I'm supposed to submit an abstract as of now; I'd ...
1 vote, 1 answer, 3k views
Can snort output an alert for a portscan (sfPortscan) to syslog?
I've been working on this for too long now. I'm sure the answer should be obvious, but...
Snort manual:
http://www.snort.org/assets/125/snort_manual-2_8_5_1.pdf
lists two logging outputs on pg 39 (pg ...
1 vote, 3 answers, 10k views
How to configure sensor rules in OSSIM
We've recently moved our NIDS installation from StrataGuard to the new OSSIM 2.1 release to take advantage of the additional features (Nagios, ntop, Nessus/OpenVas, etc.) it provides in addition to ...
1 vote, 0 answers, 476 views
SonicWall NSA2400 after firmware upgrade to 5.9 - not able to log some intrusion prevention/detection statements
After upgrading firmware to 5.9 version I'm not able to log intrusion prevention/detection for statements like PHP CGI Argument Injection, Remote Command Execution, Remote File Inclusion, WEB-ATTACKS, ...
0 votes, 2 answers, 128 views
Last night, my server was doing something intensive with the hard drive
I have an Ubuntu server running in my bedroom. It's connected to the internet. Last night, at 5am, it was doing some intensive I/O with the hard drive (I heard it) for like 20 minutes. I don't have ...
0 votes, 1 answer, 261 views
Have I Just Been Hacked? (Intrusion Alert, Known Hacker's Email is Marked as Recipient for an Email in Thunderbird) [closed]
I'm a product creator, and in an attempt to track and stem my losses from piracy, I occasionally visit a bulletin board dedicated to piracy and piracy-for-profit; my products are regularly pirated and ...
0 votes, 1 answer, 94 views
Host says server is affected by malware, does anyone know this one? What to do? [duplicate]
My host sent a notification that says the server is infected with a malware that doesn't seem very popular. The Symantec page about this malware shows Windows machines as targets, but not CentOS.
Anyone ...
0 votes, 2 answers, 289 views
Strange entry in Apache log
In my previous post I got something weird in the Apache log. Again, I found something strange, but what freaks me out is the response code. It's not 501 anymore, but 200. What do you say? Should I enable ...
0 votes, 1 answer, 758 views
How Does Cisco IPS Work?
How does it work? Does it typically have predefined patterns of trusted or malicious activity? Is it actually a category of firewall techniques? I am more curious about Cisco than I am about other ...
0 votes, 1 answer, 127 views
Why would /etc/krb5.keytab change?
A half-dozen boxes out of hundreds reported a changed /etc/krb5.keytab all within a few minutes of each other on a random Saturday. No one was logged in at the time of the changes. I have asked for ...
0 votes, 1 answer, 2k views
ssh spammed from 127.0.0.1 (“Did not receive identification string” and “Bad protocol version identification”)
Prequel: I've seen this question, but it's not quite the same situation. I'm particularly curious about 'heroku' showing up in the logs.
I just built and spun up a new Ubuntu 18.04 box that I am ...
0 votes, 2 answers, 327 views
SecAst: Failing to Ban IP ''
To Generation D:
This was the setup at the time this issue was observed: secast-1.0.1.0-x86_64-ub12 on Ubuntu 12.04.4 Server LTS with Asterisk 11.10.2.
The following events were captured and observed in ...
0 votes, 1 answer, 299 views
How can I find out what a user from a specified IP is doing with my server?
Yesterday night around 2:00, I happened to try out a snippet:
netstat -ntu | tail -n +3|awk '{ print $5}' | cut -d : -f 1 | sort | uniq -c| sort -n -r | head -n 5
Then it turns out one IP is having ...
0 votes, 1 answer, 627 views
Windows: Audit/View logins from remote networks?
I want to audit remote connection attempts to a Windows 2003 Server. I've changed the group policy to show logon successes and failures:
>gpedit.msc
Local Computer Policy
Computer ...
0 votes, 2 answers, 1k views
AWS EC2: How to determine whether my EC2/scalr AMI was hacked? What to do to secure it?
(See update below)
I received a notification from Amazon that my instance tried to hack another server. There was no additional information besides a log dump:
Original report:
Destination IPs:
...
0 votes, 1 answer, 217 views
Detecting database breach
I wonder about detecting a database breach.
Currently, I use auditd to detect database dumps being made with mysqldump.
I wonder what more I can do to detect a potential database breach.
Thanks for any ideas!
0 votes, 0 answers, 690 views
Suspicious USB activity on a server
I'm working in a sysadmin team. We manage several servers. All of them are running Debian (various releases). They are located in a locked cabinet in a datacenter.
Recently I've added logcheck on our ...
0 votes, 0 answers, 32 views
Need feature name: ethernet switch recognizes manual cable disconnect and shuts down the port
Once, in a hospital's radiology department, we had this nifty security feature; I just cannot remember the proper name to succeed with various search engines:
If a host's ethernet cable was ...
0 votes, 1 answer, 3k views
IIS - Detecting Brute Force Logins and Password Spraying
TLDR;
What techniques are being used to detect brute force logins and/or password spraying on IIS hosted websites (including SharePoint, OWA, etc.)?
ModSecurity
There are many tools for other ...
0 votes, 1 answer, 57 views
Tracking all network access to server made by particular IP
Is there any way that I can track any network access (on any port) made to my server by a particular IP? I'm on Ubuntu Server 16.04 LTS and am using Uncomplicated Firewall (ufw).
Preferably, I'd be able to ...
0 votes, 1 answer, 52 views
SecAst init file already exists
I'm installing SecAst on a new computer and I'm on step 2.1.7 (copying init files). I copied the first init.d file, but when I copy the second one it says the file already exists (and I'm overwriting the ...
0 votes, 1 answer, 4k views
How to detect my server is used as a port scanner? [duplicate]
My Web Server is running Ubuntu 12.04.2 LTS with all security updates installed. It is used as a Web Proxy server that handles incoming requests on HTTP/80 HTTPS/443 but also retrieves web content ...
0 votes, 2 answers, 178 views
Remote hosts accessing AD's registry
I have a situation here. I have an intrusion detection system and it constantly alerts me that a remote host is accessing our AD's registry remotely.
Our remote hosts are mainly Windows XP and our ...
-1 votes, 1 answer, 1k views
Can Wazuh work for a single agent with less than the stated minimum hardware requirements?
I was surprised to find that the Wazuh server requirements state 2 GB and 2 cores as the minimum, but I wonder how much these numbers are tailored towards supporting multiple agents.
Is ...
-1 votes, 2 answers, 403 views
How to count the number of SYN, ACK, or SYN-ACK in a second? [closed]
I want to build a DDoS SYN flood detector, so I need to count the number of SYN, ACK, or SYN-ACK packets per second.
-1 votes, 1 answer, 731 views
barnyard2 for Snort: permission denied
I installed barnyard2 for Snort, but when I run the command below this error appears.
[root@localhost snort]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /etc/snort/bylog....
-2 votes, 1 answer, 794 views
FAIL2BAN filters - who can give me a filter to block this intrusion?
I see endless intrusion attempts in my MediaTemple server maillog. I need to block these IPs.
Who can help with a filter file to match these?
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: SSL_accept error from ...