
Questions tagged [intrusion-detection]

Intrusion detection is the ability of a system to analyze signals from a host or network (file integrity, logs, authentication events, traffic) in order to determine whether that system has been compromised.

23 votes
15 answers
5k views

Recommend an intrusion detection system (IDS/IPS), and are they worth it?

I have tried out various network-based IDS and IPS systems throughout the years and have never been happy with the results. Either the systems were too difficult to manage, only triggered on well-...
Doug Luxem
8 votes
1 answer
359 views

Can Samhain monitor for a file that does not exist, but might in future?

I would like Samhain to monitor a file, say for example, /root/somefile. This file does not currently exist, but I would like to be notified if it gets created at any point. I add this to samhainrc: ...
Richard Downer
6 votes
1 answer
15k views

AIDE - How to exclude whole folders?

I've recently installed AIDE on a server of mine after having a run in with hackers a week or so ago. There doesn't appear to be much documentation around for AIDE, especially on their website. I've ...
goji
6 votes
8 answers
808 views

What is the best strategy for detecting database intrusions?

Filesystem intrusions can be detected using tools such as Snort, but it is more difficult to detect intrusions into a database, such as deletion of rows, modification of tables, etc. What is the best ...
davidmytton
4 votes
3 answers
2k views

Comparison of Firewall, Intrusion Prevention, Detection and Antivirus Technologies in Organizational Network Architecture

These days I'm reading about intrusion prevention/detection systems. While reading I got really confused on some points. First, the firewall and antivirus technologies have been known terms for years, however ...
Berkay
4 votes
5 answers
973 views

Why is my port 25 so active?

Using netstat -na I notice that I have a lot of connections like tcp 0 0 XXX.XXX.XXX.XXX:25 YYY.YYY.YYY.YYY:13933 ESTABLISHED tcp 0 0 XXX.XXX.XXX.XXX:25 ZZZ....
user48058
4 votes
4 answers
21k views

Recommend alternative to tripwire?

Looking for a host-based IDS comparable to tripwire. Preferably one that allows centralized management. Right now I use tripwire and, though it works, management and reporting through a central server ...
CarpeNoctem
4 votes
3 answers
3k views

Is it normal for AD authentication to generate a lot of ICMP traffic?

Is it normal for AD authentication between a workstation and AD server to generate a lot of ICMP traffic? I have a network intrusion prevention system in place that is constantly detecting a huge amount of ...
JoeST
4 votes
1 answer
2k views

what tool searches for /w00tw00t.at.ISC.SANS.DFind:)?

In my web server logs I get a lot of these: [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) I know it's just a failed ...
user63623
4 votes
2 answers
2k views

Removing new fingerprint detection message from nmap

I run a nmap scan of my hosts daily to check for open ports. sudo nmap -f -sS -sV --log-errors -append-output -p1-9999 host.com But along with the output I get a long list of fingerprint ...
Quintin Par
3 votes
2 answers
7k views

aide --init show lots of errors

I have a brand new CentOS 6.2 server. The first thing I did is yum -y install aide and then next I did aide --init. Below is a whole lot of errors I got. What does it mean? Must I reinstall it? Or ...
newbie14
3 votes
1 answer
740 views

OSSIM In Production Environment

I am trying to get some real-world feedback on OSSIM. Are you using OSSIM in production? If so, what has your overall experience been? How many nodes are in your environment? Finally, what kind ...
Josh Brower
2 votes
2 answers
158 views

Single file changed: intrusion or corruption?

rkhunter reported a single file change on a virtual server (netstat binary). It didn't report any other warning. The change was not the result of a package upgrade (I reinstalled it and the checksum ...
Michaël Witrant
2 votes
2 answers
189 views

breach in my machine [duplicate]

Possible Duplicate: My server’s been hacked EMERGENCY Suddenly, ssh claims that the key on my server is changed. Even freenx doesn't accept my connections no more because of the changed key. ...
user1632812
2 votes
4 answers
175 views

What response should be made to a continued web-app crack attempt?

I've issues with a continuous, concerted cracking attempt on a website (coded in php). The main problem is sql-injection attempts, running on a Debian server. A secondary effect of the problem is ...
Kzqai
2 votes
5 answers
1k views

Utility to notify when website files are changed

Does anyone know of a (preferably free) Windows utility that recursively hashes all the files in a directory tree every x minutes and sends a notification if any files have changed? I want to have a ...
Christopher Edwards
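As an added example, not code from this question, from the earlier Samhain question, or from AIDE, Samhain or tripwire themselves, here is a minimal Python file-integrity monitor that does what both questions ask for: it hashes every regular file under a directory tree together with its size, mode and ownership, stores that as a baseline, and on the next run reports files that were added, removed or changed. A path that does not exist at baseline time is reported under "added" the moment it appears, which is how a watch on a not-yet-existing file is satisfied. The file names in the demo scenario, the excluded "cache" directory and the baseline location are assumptions; scheduling the run every x minutes (cron, Task Scheduler) is left to the caller.

```python
"""Minimal file-integrity monitor in the spirit of AIDE/Samhain/tripwire.
Illustrative code: not part of any of those tools."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Hash the content and record the metadata that tampering usually touches."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(root, exclude: tuple = ()) -> dict:
    """Fingerprint every regular file under root. `exclude` holds directory paths
    relative to root (e.g. "cache") whose whole subtree is skipped."""
    root_path = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        rel_dir = Path(dirpath).relative_to(root_path)
        # Prune in place so os.walk never descends into excluded subtrees.
        dirnames[:] = [d for d in dirnames if str(rel_dir / d) not in exclude]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks, sockets and devices are deliberately not hashed
            baseline[str(p.relative_to(root_path))] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: new paths, vanished paths, and per-attribute changes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = {k: (baseline[rel][k], current[rel][k])
                for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline: dict, path: str) -> None:
    # Keep the baseline off-host or read-only: whoever can rewrite it can hide changes.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario (assumption): baseline a small web root, then modify
    one file, delete one, add one, and touch a file inside the excluded cache."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello';")
        (root / "config.php").write_text("<?php $db = 'prod';")
        (root / "cache").mkdir()
        (root / "cache" / "tmp.dat").write_text("volatile")
        baseline_file = str(Path(store) / "baseline.json")
        save_baseline(build_baseline(root, exclude=("cache",)), baseline_file)

        (root / "index.php").write_text("<?php echo 'hello'; // tampered")
        (root / "config.php").unlink()
        (root / "new.php").write_text("<?php echo 'unexpected';")
        (root / "cache" / "tmp.dat").write_text("changed but excluded")

        return compare(load_baseline(baseline_file),
                       build_baseline(root, exclude=("cache",)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it periodically and alert on any non-empty "added", "removed" or "changed"; expect legitimate package upgrades to show up too, so re-baseline right after each one, never before you have looked at the diff.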
2 votes
4 answers
2k views

Simple application level file integrity monitoring & Intrusion detection (IDS)

We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a ...
Dev
2 votes
1 answer
217 views

Using a UTM with a Link Aggregator

I am considering changing my office's internet access infrastructure to multiple ADSL lines aggregated with a link aggregator (Peplink B710). I plan to place my existing UTM (FortiGate-100A) after the ...
Variant
2 votes
1 answer
276 views

Are random packets normal?

About a month ago on one of my servers I started receiving random packets from IPs all over the world. So I did the smart thing and stopped putting off installing an IDS. This IDS is a ClearOS Gateway ...
TheLQ
2 votes
2 answers
631 views

IIS - Script for repeated hacks on a website

I currently have a site that is armored by ELMAH as its reporting mechanism. Each time someone hits a URL that is incorrect it notifies me or logs to the system. This is annoying for someone fat-...
dodegaard
1 vote
2 answers
679 views

How to find security-leak after a skynet intrusion?

Some days ago, the server of a friend had an intrusion. The attack installed a new SSH daemon that let any valid account in, without providing a valid password. After login, each account automatically ...
kraftan
1 vote
3 answers
2k views

What are some of the commonly used rule actions in snort other than the defaults?

I'm writing a strict snort rule parser and I would like to accommodate snort rules from popular plugins. The documentation specifies that any action/type is possible because they can be defined by ...
Elijah
1 vote
1 answer
76 views

NIDS on bridged firewall

I have a firewall (Debian Stable 7.5) which works in bridged mode. The interfaces eth0 (WAN) and eth1 (LAN) are linked with the bridge interface br0. Can I deploy a NIDS (eg. Snort) on this server? ...
psimon
1 vote
1 answer
293 views

Intrusion detection

I've got a security project regarding the intrusion detection and prevention. I've been googling about it but didn't land up on something substantial. I'm supposed to submit an abstract as of now, I'd ...
1 vote
1 answer
3k views

Can snort output an alert for a portscan (sfPortscan) to syslog?

I've been working on this for too long now. I'm sure the answer should be obvious, but... Snort manual: http://www.snort.org/assets/125/snort_manual-2_8_5_1.pdf lists two logging outputs on pg 39 (pg ...
1 vote
3 answers
10k views

How to configure sensor rules in OSSIM

We've recently moved our NIDS installation from StrataGuard to the new OSSIM 2.1 release to take advantage of the additional features (Nagios, ntop, Nessus/OpenVas, etc.) it provides in addition to ...
nedm
1 vote
0 answers
476 views

SonicWall NSA2400 after firmware upgrade to 5.9 - not able to log some intrusion prevention/detection statements

After upgrading firmware to 5.9 version I'm not able to log intrusion prevention/detection for statements like PHP CGI Argument Injection, Remote Command Execution, Remote File Inclusion, WEB-ATTACKS, ...
JackTheKnife
0 votes
2 answers
128 views

last night, my server was doing something intensive with the hard drive

I have an ubuntu server running in my bedroom. It's connected to the internet. Last night, at 5am, it was doing some intensive i/o with the hard drive (I heard it) for like 20 minutes. I don't have ...
sybind
0 votes
1 answer
261 views

Have I Just Been Hacked? (Intrusion Alert, Known Hacker's Email is Marked as Recipient for an Email in Thunderbird) [closed]

I'm a product creator, and in attempt to track and stem my losses from piracy, I occasionally visit a bulletin board dedicated to piracy and piracy-for-profit; my products are regularly pirated and ...
tim
0 votes
1 answer
94 views

Host says server is affected by malware, anyone knows this one ? What to do? [duplicate]

My host sent a notification that says the server is infected with malware; it doesn't seem very popular. The Symantec page about this malware shows Windows machines as targets, but not CentOS. Anyone ...
adrianTNT
0 votes
2 answers
289 views

Strange entry in Apache log

In my previous post I got something weird in the Apache log. Again, I found something strange, but what freaks me out is the response code. It's not 501 anymore, but 200. What do you say? Should I enable ...
aL3xa
0 votes
1 answer
758 views

How Does Cisco IPS Work?

How does it work? Does it typically have predefined patterns of trusted or malicious activity? Is it actually a category of firewall techniques? I am more curious about Cisco than I am about other ...
700 Software
0 votes
1 answer
127 views

Why would /etc/krb5.keytab change?

A half-dozen boxes out of hundreds reported a changed /etc/krb5.keytab all within a few minutes of each other on a random Saturday. No one was logged in at the time of the changes. I have asked for ...
Chris K
0 votes
1 answer
2k views

ssh spammed from 127.0.0.1 (“Did not receive identification string” and “Bad protocol version identification”)

Prequel: I've seen this question, but it's not quite the same situation. I'm particularly curious about 'heroku' showing up in the logs. I just built and spun up a new Ubuntu 18.04 box that I am ...
eric.mitchell
0 votes
2 answers
327 views

SecAst: Failing to Ban IP ''

To Generation D: This was the setup at time this issue was observed: secast-1.0.1.0-x86_64-ub12 on Ubuntu 12.04.4 Server LTS with Asterisk 11.10.2. The following events were captured and observed in ...
Elyod
0 votes
1 answer
299 views

How can I find out what user from a specified IP is doing with my server?

Yesterday night around 2:00, I occasionally tried out a snippet: netstat -ntu | tail -n +3 | awk '{ print $5}' | cut -d : -f 1 | sort | uniq -c | sort -n -r | head -n 5 Then it turns out one IP is having ...
allanruin
0 votes
1 answer
627 views

Windows: Audit/View logins from remote networks?

I want to audit remote connection attempts to a Windows 2003 Server. I've changed the group policy to show logon successes and failures: >gpedit.msc Local Computer Policy Computer ...
Ian Boyd
0 votes
2 answers
1k views

AWS EC2: How to determine whether my EC2/scalr AMI was hacked? What to do to secure it?

(See update below) I received notification from Amazon that my instance tried to hack another server. there was no additional information besides log dump: Original report: Destination IPs: ...
Niro
0 votes
1 answer
217 views

Detecting database breach

I wonder about detecting database breach. Currently, I use auditd to detect making database dump with mysqldump. I wonder what more can I do to detect potential database breach. Thanks for any ideas!
Miłosz Ryćko-Bożeński
0 votes
0 answers
690 views

Suspicious USB activity on a server

I'm working in a sysadmin team. We manage several servers. All of them are running Debian (various releases). They are located in a locked cabinet in a datacenter. Recently I've added logcheck on our ...
jlecour
0 votes
0 answers
32 views

Need feature name: ethernet switch recognizes manual cable disconnect and shuts down the port

Once in a hospital's radiology department, we had this nifty security feature -- I just cannot remember the proper name to succeed at various search engines: If a host's ethernet cable was ...
Twonky
0 votes
1 answer
3k views

IIS - Detecting Brute Force Logins and Password Spraying

TLDR; What techniques are being used to detect brute force logins and/or password spraying on IIS hosted websites (including SharePoint, OWA, etc.)? ModSecurity There are many tools for other ...
phbits
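Added example, not from the question and not ModSecurity's or IIS's own code: a Python detector that separates the two patterns the question names. Brute force is many failures against one account from one source inside a time window; password spraying is one source failing against many accounts with only one or two tries each, which a per-account lockout never notices. The IIS W3C log below is constructed, and the field order is taken from its #Fields line the way real IIS logs declare their columns. The assumption that the login form is at /login and answers a failed POST with 401 belongs to this example; with Windows integrated authentication every successful Kerberos/NTLM exchange also begins with a 401 challenge, so count only the form endpoint (or use sc-substatus), never every 401.

```python
"""Brute-force and password-spray detection over IIS W3C logs. Illustrative code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: forms login at /login, failure -> 401).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2024-01-21 07:50:01 203.0.113.7 alice POST /login 401
2024-01-21 07:50:31 203.0.113.7 bob POST /login 401
2024-01-21 07:51:02 203.0.113.7 carol POST /login 401
2024-01-21 07:51:33 203.0.113.7 dave POST /login 401
2024-01-21 07:52:05 203.0.113.7 erin POST /login 401
2024-01-21 07:52:40 203.0.113.7 frank POST /login 401
2024-01-21 07:55:00 192.0.2.10 alice POST /login 200
2024-01-21 07:56:12 192.0.2.10 bob POST /login 401
2024-01-21 08:00:00 198.51.100.9 admin POST /login 401
2024-01-21 08:00:10 198.51.100.9 admin POST /login 401
2024-01-21 08:00:20 198.51.100.9 admin POST /login 401
2024-01-21 08:00:30 198.51.100.9 admin POST /login 401
2024-01-21 08:00:40 198.51.100.9 admin POST /login 401
2024-01-21 08:00:50 198.51.100.9 admin POST /login 401
2024-01-21 08:01:00 198.51.100.9 - GET /favicon.ico 200
"""


def parse_w3c(text: str) -> list:
    """Rows as dicts keyed by the column names the log's #Fields line declares."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows quietly
                rows.append(dict(zip(fields, values)))
    return rows


def failed_logins(rows, login_path="/login") -> list:
    """(timestamp, source ip, username) for each failed POST to the login form."""
    events = []
    for r in rows:
        if r["cs-method"] == "POST" and r["cs-uri-stem"] == login_path and r["sc-status"] == "401":
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, r["c-ip"], r["cs-username"]))
    return sorted(events)


def detect(events, window=timedelta(minutes=5), brute_threshold=5, spray_threshold=5) -> list:
    """Slide a window over each source's failures. Thresholds are assumptions to tune."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    findings = []
    for ip, evs in by_ip.items():
        reported = set()
        for i, (start, _) in enumerate(evs):
            per_user = Counter(u for t, u in evs[i:] if t - start < window)
            for user, n in per_user.items():
                if n >= brute_threshold and ("brute", user) not in reported:
                    reported.add(("brute", user))
                    findings.append({"kind": "brute", "ip": ip, "users": [user],
                                     "count": n, "start": start})
            if len(per_user) >= spray_threshold and "spray" not in reported:
                reported.add("spray")
                findings.append({"kind": "spray", "ip": ip, "users": sorted(per_user),
                                 "count": sum(per_user.values()), "start": start})
    return findings


if __name__ == "__main__":
    for f in detect(failed_logins(parse_w3c(SAMPLE_LOG))):
        print(f["kind"], f["ip"], f["count"], "failures against", f["users"], "from", f["start"])
```

The spray threshold counts distinct accounts, not attempts, which is the whole point: a sprayer stays under any per-account lockout, so the only place the pattern is visible is per source (or, against a distributed sprayer, per user-agent or per time-of-day bucket across sources).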
0 votes
1 answer
57 views

Tracking all network access to server made by particular IP

Is there any way that I can track any network access (on any port) made to my server by a particular IP? I'm on Ubuntu Server 16.04 LTS and am using uncomplicated firewall. Preferably, I'd be able to ...
Ben Wilkinson
0 votes
1 answer
52 views

secast init file already exists

I'm installing SecAst on a new computer and I'm on step 2.1.7 (copying init files). I copied the first initd file, but when I copy the second one it says file already exists (and I'm overwriting the ...
0 votes
1 answer
4k views

How to detect my server is used as a port scanner? [duplicate]

My Web Server is running Ubuntu 12.04.2 LTS with all security updates installed. It is used as a Web Proxy server that handles incoming requests on HTTP/80 HTTPS/443 but also retrieves web content ...
Chris2M
0 votes
2 answers
178 views

Remote hosts accessing AD's registry

I have a situation here. I have an intrusion detection system and it constantly alerts me that a remote host is accessing our AD's registry remotely. Our remote hosts are mainly Windows XP and our ...
smitty user
-1 votes
1 answer
1k views

Can Wazuh work for a single agent with less than the stated minimum hardware requirements?

I was surprised to find that the Wazuh server requirements state 2 GB and 2 cores as the minimum, but I wonder how much these numbers are tailored towards supporting multiple agents. Is ...
Slbox
-1 votes
2 answers
403 views

How to count the number of SYN, ACK, or SYN-ACK in a second? [closed]

I want to make a DDoS SYN flood detection, so I need to count the number of SYN, ACK, or SYN-ACK packets per second.
Gilang Ramadhan
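Added example, not part of the question: a Python script that does the per-second counting the question asks for from tcpdump text output and then flags seconds that look like a SYN flood. tcpdump prints TCP flags in brackets, S for SYN and a dot for ACK, so [S] is a SYN, [S.] a SYN-ACK and [.] a bare ACK, the third leg of a handshake. The capture lines here are constructed in that layout (nothing is real traffic), and the thresholds are assumptions to be tuned against the host's normal connection rate; the heuristic is that in a flood the server keeps answering SYN-ACKs but the bare ACKs that would complete the handshakes never arrive.

```python
"""Per-second SYN / SYN-ACK / ACK counting from tcpdump text. Illustrative code."""
import re
from collections import defaultdict

# "12:00:00.000000 IP 198.51.100.1.50000 > 203.0.113.10.80: Flags [S], ..."
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ IP6? \S+ > \S+: Flags \[([^\]]*)\]")


def parse_line(line: str):
    """Return (second of day, flag string) or None for lines that are not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, flags = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), flags


def classify(flags: str):
    if "S" in flags and "." in flags:
        return "synack"
    if "S" in flags:
        return "syn"
    if flags == ".":
        return "ack"      # bare ACK: handshake completion or a plain ack later on
    return None           # data, FIN, RST: not part of the handshake accounting


def count_per_second(lines) -> dict:
    buckets = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            sec, flags = parsed
            kind = classify(flags)
            if kind:
                buckets[sec][kind] += 1
    return dict(sorted(buckets.items()))


def flag_syn_flood(buckets: dict, syn_threshold=100, ratio=3.0) -> list:
    """Seconds with many SYNs and far fewer bare ACKs than SYNs (assumed thresholds)."""
    return [sec for sec, c in buckets.items()
            if c["syn"] >= syn_threshold and c["syn"] > ratio * max(c["ack"], 1)]


def sample_capture() -> list:
    """Constructed capture: three quiet seconds, then one second of flooding."""
    lines = []
    server = "203.0.113.10.80"

    def pkt(sec, usec, src, dst, flags):
        lines.append(f"12:00:{sec:02d}.{usec:06d} IP {src} > {dst}: Flags [{flags}], length 0")

    for sec in range(3):             # ten complete handshakes per second
        for i in range(10):
            client = f"198.51.100.{i + 1}.5{i:04d}"
            pkt(sec, i * 1000, client, server, "S")
            pkt(sec, i * 1000 + 100, server, client, "S.")
            pkt(sec, i * 1000 + 200, client, server, ".")
    for i in range(500):             # 500 SYNs; the SYN-ACKs are never acknowledged
        client = f"192.0.2.{i % 250 + 1}.{40000 + i}"
        pkt(3, i * 1000, client, server, "S")
        pkt(3, i * 1000 + 100, server, client, "S.")
    return lines


if __name__ == "__main__":
    counts = count_per_second(sample_capture())
    for sec, c in counts.items():
        print(sec, c)
    print("flood seconds:", flag_syn_flood(counts))
```

Feed it live with something like tcpdump -nn -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0' piped into the script; for a real deployment prefer kernel counters (SYN cookie activation, the backlog drop counters in /proc/net/netstat) over text parsing, which cannot keep up at flood rates.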
-1 votes
1 answer
731 views

barnyard2 for snort permission denied

I installed barnyard2 for snort, but when I run the command below this error appears. [root@localhost snort]# barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort/ -f snort.log -w /etc/snort/bylog....
Mohamad
-2 votes
1 answer
794 views

FAIL2BAN filters - who can give me a filter to block this intrusion?

I see endless intrusion attempts in my mediatemple server maillog. I need to block these IPs. Who can help with a filter file to match these? Jan 21 07:51:44 mydomain postfix/smtpd[23505]: SSL_accept error from ...
alex K
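Added example, not from the question and not a tested upstream fail2ban filter: a Python dry run of a fail2ban-style failregex against Postfix smtpd lines of the kind the question shows, counting matches per source and listing the sources that exceed maxretry, the same summary fail2ban-regex prints. The log lines are constructed in the usual syslog plus Postfix layout ("SSL_accept error from NAME[ADDR]: REASON"); the HOST placeholder is expanded to an IPv4-only group here as a simplification, where fail2ban's own expansion also accepts hostnames and IPv6; and the filter file name is an assumption.

```python
"""Dry-run a fail2ban-style failregex over Postfix smtpd log lines. Illustrative code."""
import re
from collections import Counter

# fail2ban filters write <HOST> where the source address sits. Simplification
# (assumption): IPv4 literals only.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Postfix logs a failed TLS handshake as:
#   postfix/smtpd[PID]: SSL_accept error from NAME[ADDR]: REASON
FAILREGEX = r"^.*postfix/smtpd\[\d+\]: SSL_accept error from \S+\[<HOST>\]:"

# Constructed sample maillog: three handshake failures from one source, one from another.
SAMPLE_MAILLOG = """\
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: connect from unknown[203.0.113.9]
Jan 21 07:51:44 mydomain postfix/smtpd[23505]: SSL_accept error from unknown[203.0.113.9]: lost connection
Jan 21 07:51:45 mydomain postfix/smtpd[23506]: SSL_accept error from unknown[203.0.113.9]: -1
Jan 21 07:51:47 mydomain postfix/smtpd[23507]: SSL_accept error from unknown[203.0.113.9]: lost connection
Jan 21 07:52:10 mydomain postfix/smtpd[23508]: SSL_accept error from mail.example.net[198.51.100.4]: lost connection
Jan 21 07:52:11 mydomain postfix/smtpd[23508]: disconnect from mail.example.net[198.51.100.4]
"""


def compile_failregex(pattern: str) -> re.Pattern:
    """Turn a fail2ban-style pattern into a Python regex with a named host group."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))


def scan(lines, regex: re.Pattern) -> Counter:
    """Matching lines per source host, like the per-IP summary of fail2ban-regex."""
    hits = Counter()
    for line in lines:
        m = regex.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def offenders(hits: Counter, maxretry: int = 3) -> list:
    """Hosts that would be banned at this maxretry (findtime ignored for brevity)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


def filter_stanza(pattern: str) -> str:
    """Contents for filter.d/postfix-sslaccept.conf (file name is an assumption)."""
    return "[Definition]\nfailregex = " + pattern + "\nignoreregex =\n"


if __name__ == "__main__":
    regex = compile_failregex(FAILREGEX)
    hits = scan(SAMPLE_MAILLOG.splitlines(), regex)
    print(dict(hits))
    print("would ban:", offenders(hits))
    print(filter_stanza(FAILREGEX))
```

Before enabling the stanza, check it with fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix-sslaccept.conf and confirm that the match count agrees with grep; fail2ban strips the syslog timestamp before matching, and the leading ".*" used here is a permissive stand-in for the __prefix_line macro that the stock filters include from common.conf. Keep maxretry and findtime conservative: a misconfigured but legitimate MTA produces exactly the same SSL_accept line.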