Questions tagged [ips]
An Intrusion Prevention System (IPS) is a network security system that inspects traffic and automatically blocks activity matching its detection rules, rather than only logging or alerting on it as an intrusion detection system (IDS) does.
50 questions
11 votes, 1 answer, 3k views
Snort is receiving traffic, but doesn't appear to be applying rules
I have Snort installed and running in inline mode via NFQUEUE on my local (as in I can walk in the next room and touch it) gateway. I have the following rule in my /etc/snort/rules/snort.rules:
alert ...
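A rule that is loaded but written with the `alert` action will never stop a packet in inline mode; it only writes an alert. The checker below is an added example (not the asker's rule file and not Snort's own code) that parses Snort 2.x rule headers and options and reports the problems most often behind "rules don't seem to apply": a non-blocking action on an inline sensor, a missing `msg` or `sid`, a non-numeric `sid`, or a line that is not a rule at all. The sample rules file, the variable names and the finding texts are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Snort 2.x rule actions. In inline (NFQUEUE/afpacket) mode only the
# blocking actions stop a packet; "alert" and "log" only record it.
BLOCKING_ACTIONS = {"drop", "sdrop", "reject"}
ALL_ACTIONS = BLOCKING_ACTIONS | {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# header layout: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    # option keyword -> list of values ("sid" -> ["1000001"]); repeated
    # keywords such as content: are kept in order of appearance
    options: dict = field(default_factory=dict)


def parse_rule(text: str) -> Rule:
    """Split one Snort rule into its header fields and option keywords."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    # options are "keyword:value;" or bare "keyword;" pairs; a semicolon
    # inside a quoted value is escaped as \; so split only on unescaped ones
    for item in re.split(r"(?<!\\);", body):
        item = item.strip()
        if not item:
            continue
        keyword, _, value = item.partition(":")
        options.setdefault(keyword.strip(), []).append(value.strip())
    return Rule(action, proto, src, sport, direction, dst, dport, options)


def check_rule(text: str, inline: bool = True) -> list:
    """Return a list of findings for one rule (empty means it looks sane)."""
    try:
        rule = parse_rule(text)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if rule.action not in ALL_ACTIONS:
        findings.append("unknown action %r" % rule.action)
    elif inline and rule.action not in BLOCKING_ACTIONS:
        findings.append(
            "action %r only alerts; it will not block traffic in inline mode" % rule.action
        )
    if rule.proto not in PROTOCOLS:
        findings.append("unknown protocol %r" % rule.proto)
    for required in ("msg", "sid"):
        if required not in rule.options:
            findings.append("missing %s option" % required)
    sid = rule.options.get("sid", [""])[0]
    if sid and not sid.isdigit():
        findings.append("sid %r is not numeric" % sid)
    return findings


def check_rules_file(text: str, inline: bool = True) -> dict:
    """Check every non-comment line of a rules file; returns {line_no: findings}."""
    report = {}
    for no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        findings = check_rule(line, inline=inline)
        if findings:
            report[no] = findings
    return report


# constructed sample rules file for this example (not the asker's rule)
SAMPLE_RULES = """\
# local rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection"; flow:to_server,established; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"blocked php probe"; content:"GET /setup.php"; sid:1000002; rev:1;)
drop tcp any any -> $HOME_NET 80 (content:"cmd=\\;id"; sid:abc;)
"""

if __name__ == "__main__":
    for no, findings in sorted(check_rules_file(SAMPLE_RULES).items()):
        print("line %d:" % no)
        for finding in findings:
            print("  - " + finding)
```

Run against the sample file it flags line 2 (an `alert` rule on an inline sensor) and line 4 (no `msg`, non-numeric `sid`) and passes the `drop` rule on line 3. It only checks rule syntax; whether snort.conf actually includes the rules file, and whether `$HOME_NET` covers the traffic seen on the NFQUEUE hook, still has to be verified on the sensor itself.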
8 votes, 8 answers, 19k views
What is the best Web Application Firewall for IIS? [closed]
What is the best Web Application Firewall (WAF) for IIS? What makes it better than the others? How useful is it at blocking attacks against poorly written code, otherwise known as an Intrusion ...
5 votes, 8 answers, 12k views
File transfer problems through VPN when Cisco IPS is enabled
We have a Cisco ASA 5510 firewall with the IPS module installed.
We have a customer that we must connect to via VPN to their network to exchange files via FTP. We use the Cisco VPN client (version 5....
4 votes, 6 answers, 14k views
How to manually download individual files from the OpenIndiana (or Solaris) pkg repo?
For a server in an offline environment, how would I download a package from http://pkg.openindiana.org/dev? (or the better known http://pkg.oracle.com)
There is an install link which downloads a p5i ...
3 votes, 2 answers, 1k views
Is there any real difference between Snort and Suricata?
Looking to move forward in deploying IDS/IPS on several FreeBSD firewalls and I was curious about the difference between snort and suricata. I know that Suricata is multi-threaded but in terms of rule ...
3 votes, 1 answer, 16k views
(network.c.379) can't bind to port: 80 Address already in use
I have one server running both apache and lighttpd on two separate IPs. After rebooting the server I can't access the stuff on lighttpd:
/etc/init.d/lighttpd restart
(network.c.379) can't bind to ...
3 votes, 3 answers, 19k views
Blocking TeamViewer
I'd like to block incoming TeamViewer connections to my network, but at the same time to allow outgoing TeamViewer connections.
So that users can't connect to their work PCs with TV (circumventing ...
3 votes, 1 answer, 1k views
Solaris IPS: pkg dependency errors bear no relation to actual issue / how best to diagnose IPS dependency failures?
I am running Solaris 11.3 (at present from the non-contract Release repo). I have a large amount of Solaris 10 experience, but I am newer to 11 and am still working on getting confident with IPS.
My ...
3 votes, 1 answer, 5k views
fail2ban regex working but no action being taken
I have the following snippet of fail2ban configuration on Ubuntu 13.10 server:
#jail.conf
[apache-getphp]
enabled = true
port = http,https
filter = apache-getphp
action = iptables-multiport[...
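A filter that tests fine with fail2ban-regex can still produce no ban, because a ban needs `maxretry` matches from the same host inside `findtime`, and fail2ban does not count matches whose timestamp is already older than `findtime`. The simulator below is an added example (not fail2ban's own code and not the asker's filter) that replays constructed Apache access-log lines through a jail with those semantics and returns which hosts would be banned and when. The `<HOST>` expansion is simplified to IPv4, the timestamp offset is ignored, and the `apache-getphp` failregex, log lines and addresses are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# fail2ban expands <HOST> in a failregex to a named group "host". Its real
# expansion also accepts IPv6 and hostnames; this simplified one (an
# assumption of this example) matches dotted-quad IPv4 only.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Apache access-log timestamp "[10/Mar/2014:12:00:01 +0000]"; the zone offset
# is ignored here, so log lines and `now` are assumed to be in the same zone.
APACHE_TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

# constructed filter: a GET for a .php file that returned 404
FAILREGEX = r'^<HOST> -.*"GET [^"]*\.php[^"]*" 404\s'

# constructed sample log; the 192.0.2.5 lines are an hour older than the rest
SAMPLE_LOG = """\
192.0.2.5 - - [10/Mar/2014:11:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 209
192.0.2.5 - - [10/Mar/2014:11:00:02 +0000] "GET /pma/index.php HTTP/1.1" 404 209
192.0.2.5 - - [10/Mar/2014:11:00:03 +0000] "GET /admin.php HTTP/1.1" 404 209
203.0.113.7 - - [10/Mar/2014:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209
203.0.113.7 - - [10/Mar/2014:12:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 209
198.51.100.9 - - [10/Mar/2014:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2014:12:00:03 +0000] "GET /admin.php HTTP/1.1" 404 209
198.51.100.9 - - [10/Mar/2014:12:00:05 +0000] "GET /setup.php HTTP/1.1" 404 209
""".splitlines()


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python regex with a host group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_apache_time(line):
    m = APACHE_TS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") if m else None


def evaluate_jail(lines, failregex, maxretry, findtime, now):
    """Replay log lines through a jail; returns {host: time the ban fires}."""
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    failures = {}  # host -> timestamps of failures still inside findtime
    bans = {}
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        ts = parse_apache_time(line)
        if ts is None:
            continue  # matched the failregex but has no usable date
        host = m.group("host")
        if host in bans:
            continue
        if now - ts > window:
            # a failure already older than findtime never counts: this is
            # why a regex that matches only old entries triggers no action
            continue
        recent = [t for t in failures.get(host, []) if ts - t <= window]
        recent.append(ts)
        failures[host] = recent
        if len(recent) >= maxretry:
            bans[host] = ts
    return bans


def run_example(maxretry=3, findtime=600):
    """Evaluate the constructed jail as of 12:05 on the sample log's day."""
    now = datetime(2014, 3, 10, 12, 5, 0)
    return evaluate_jail(SAMPLE_LOG, FAILREGEX, maxretry, findtime, now)


if __name__ == "__main__":
    for host, when in run_example().items():
        print("ban %s at %s" % (host, when.isoformat()))
```

With `maxretry = 3` and `findtime = 600` only 203.0.113.7 is banned: 192.0.2.5 also has three matching lines, but they are an hour old and are skipped, which is the behaviour to check first when the regex matches and nothing happens. Raising `findtime` to 7200 bans both hosts. What the action then does (here an `iptables-multiport` rule) is a separate step that is not simulated.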
3 votes, 1 answer, 859 views
Solaris 11.3 non-global zones not inheriting IPS facet changes (to version-lock)
I have a Solaris 11.3 system without (presently) a support contract. I am therefore using the IPS repository at http://pkg.oracle.com/solaris/release/, which I have now mirrored locally using pkgrecv....
2 votes, 1 answer, 576 views
Cisco ASA v.s. pfSense - How packet inspection works with VPNs
We have a small office, about 75% of our infrastructure is cloud based including a pfSense deployment we use for remote access and site to site connections which is currently public facing. We've ...
2 votes, 4 answers, 2k views
Simple application level file integrity monitoring & Intrusion detection (IDS)
We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a ...
2 votes, 1 answer, 1k views
Trying to figure out how to bridge two virtual networks together, and in turn bridge that to the internet, for a virtual inline IDS/IPS system
I'm trying to figure out how to bridge two vmware (server or workstation, workstation) or virtualbox networks together with a linux IDS/IPS system transparently inline between both the virtual ...
2 votes, 1 answer, 419 views
iptables traffic redirection for multiple public ips
On my linux machine I have:
- one physical interface eth0 with the public ip x.x.x.x
- one logical interface eth0:0 with the public ip t.t.t.t
- BIND DNS listening to t.t.t.t
If I ping t.t.t.t from ...
2 votes, 0 answers, 2k views
Suricata logs "A Network Trojan was detected". Is it false positive?
I use Suricata as an IDS on a local network that doesn't have internet access. It logged a few alerts from some clients that said A Network Trojan was detected.
All log's properties are in the following:...
2 votes, 1 answer, 1k views
Can Suricata be used as an effective IPS on a single server?
I've been looking for an effective intrusion prevention system (IPS) for an Ubuntu 14.04 server, something like what Symantec or F-Prot might offer for a Windows server. I've contacted major ...
1 vote, 2 answers, 292 views
Web server hosting infrastructure, does IPS help?
I am working on setting up new networking for datacenter hosting a web site.
We have following topology
Internet -> Firewall1 -> ReverseProxy(for security) -> Web Server -> firewall2 -> database
...
1 vote, 3 answers, 321 views
Does it make sense to augment WAF (Web Application Firewall) with an IPS (Intrusion Prevention System)?
Following scenario:
Web application, only HTTP/S traffic
Firewall in place to only allow traffic on port 80/443 in
WAF is in place, set to deny malicious traffic
Question: Is there any added value ...
1 vote, 1 answer, 1k views
How to hide Origin Server IP address from Reconnaissance tools
When it comes to web server security, I am a paranoid person.
On DigitalOcean, I'm running a server. They refer to it as a Droplet. Cloudflare is my DNS provider, and Cloudflare proxies and protects ...
1 vote, 1 answer, 2k views
Cisco ASA 5510 w/ AIP SSM - Can it inspect SSL traffic?
Is it possible for an AIP module within a Cisco 5510 ASA to decrypt and inspect SSL traffic?
I have asked my local vendor (who placed the devices of which I speak) and they say that the AIP module is ...
1 vote, 2 answers, 4k views
Adding a host to Cisco IPS Never Block List
We are running a Cisco ASA 5510 with the IPS module.
We have an internal server that is performing a lot of SNMP discovery scans and is being blocked and shut down by the IPS.
Since I'm in control ...
1 vote, 1 answer, 625 views
IPS for web application in Kubernetes
We have an application hosted in Azure under Kubernetes. In a security compliance document shared with us, there are multiple points mentioning about implementation of an IPS (Intrusion Prevention ...
1 vote, 1 answer, 2k views
Snort not sniffing any traffic except its own
I'm currently trying to set up Snort on my local machine. At the moment I have 3 VMs: 1 with Snort on it and 2 used to ping each other.
Whenever I ping from one of the devices to the Snort-machine, ...
1 vote, 1 answer, 578 views
I can access http, https on server, but can't ping the server behind sonicwall tz500
I am not sure if this is possible or not. I have set up some web servers and ftp servers that are statically NATted behind a sonicwall tz500. I can access all via ftp, http, https. I have included ...
1 vote, 1 answer, 521 views
Stateful Signatures in an IPS
I am researching in-line IPS devices and their signatures both stateful and stateless. The test network I am looking to implement the IPS in has asymmetric traffic so stateful inspection would be ...
1 vote, 1 answer, 195 views
unable to get Honeynet Snort Inline Toolkit
I have to deploy a Snort based intrusion prevention system.
I am a total newbie at this, so any kind of help or references for starters would be highly appreciated.
Also snort documentation talks about ...
1 vote, 0 answers, 27 views
Application role in preventing DDOS
I have an application that is being planned to be exposed to internet clients via a reverse proxy deployed in the DMZ. I have recommended that the deployments use WAF/Cloudflare along with this to ...
1 vote, 0 answers, 472 views
Suricata-update doesn't apply modify rules consistently
I have the following /etc/suricata/modify.conf file:
## Reject by classtype
re:classtype:\s*attempted-user "alert(.*)" "reject\\1" # high Attempted User Privilege Gain
re:...
1 vote, 1 answer, 764 views
Intrusion Detection/Prevention in AWS
On a normal server, I would have fail2ban handle intrusion detection; how would I go about setting up IDS/IPS on AWS? Any help or pointers would be appreciated.
0 votes, 1 answer, 1k views
Only allow a specific port to be connected to by one IP address at a time
I have an open port, 40002. I want to limit it so that at any one time the port can only be connected to by one IP address (not a specific address). If there is an IP address connecting to that port already, ...
0 votes, 1 answer, 84 views
Any way to limit IP access for certain users?
I am currently tasked with allowing Vendors onto our process network. The issue is I need to make it so each vendor is only able to connect to PLCs on their own machines "each PLC has its own IP". Is ...
0 votes, 1 answer, 3k views
Switch Before Firewall / Router - Multiple public IPs
I currently have a 10Mbit full duplex circuit connected to a small unmanaged switch which then connects to a SonicWall firewall/router. I have several public IP addresses (/28) that are assigned to ...
0 votes, 1 answer, 758 views
How Does Cisco IPS Work?
How does it work? Does it typically have predefined patterns of trusted or malicious activity? Is it actually a category of firewall techniques? I am more curious about Cisco than I am about other ...
0 votes, 6 answers, 554 views
Sidewinder Firewall Replacement/Alternative
We own a Sidewinder G2 110D (out of stock) and love it. The product was reasonably priced, support was great, and the device was rock solid. Since McAfee bought out Secure Computing, they have ...
0 votes, 1 answer, 921 views
Adding more IP Addresses to a Subnet in AWS
I have a Subnet with CIDR 10.0.4.0/28 (15 IP addresses), which is now exhausted; so I want to add more IP addresses.
Is it possible to add more IP addresses to the subnet? I see that I can add a ...
0 votes, 1 answer, 399 views
Snort DAQ: which NIC should run in promiscuous mode?
I want to use Snort 2.x as an IPS. I have understood that I need two NICs to capture the traffic (DAQ mode).
eth0 = my network card to the WAN
eth1 = my internal (virtual) NIC for Snort.
My current ...
0 votes, 1 answer, 3k views
Is there a benefit from using an IPS for outgoing traffic?
It's probably a stupid question, but it may still be useful not only for me.
I have a Juniper SRX firewall in a branch office. All ports are blocked from the Internet to the internal network. All ...
0 votes, 1 answer, 2k views
Bridge Intrusion Prevention Vyatta
I am trying to create a bridge with ThreatStop, IPS and block a few ports. This bridge will sit in front of my servers. All is working apart from the IPS.
I have read the documentation on configuring ...
0 votes, 1 answer, 160 views
Looking for a good DDOS IPS system [duplicate]
Could I get some recommendations on an IPS solutions that incorporates some form of DDOS protection / what do you currently implement on your network?
Thanks
0 votes, 1 answer, 8k views
How to temporarily disable a Cisco IPS module for troubleshooting
I have a Cisco IPS module running in my ASA 5510 firewall.
Right now I'm trying to troubleshoot a network/VPN problem that two of my users are having when they VPN into a remote partners site.
I ...
0 votes, 0 answers, 2k views
IDS/IPS on Ubiquiti EdgeRouter
I have changed my network setup from the default ISP device to a Ubiquiti EdgeRouter (ER-X-SFP) a while ago. Currently I'm planning to switch to a static IPv4 address. From the ISP I would also get ...
0 votes, 1 answer, 802 views
DHCP & macvlan: Only first virtual interface works with unicast DHCPREQUEST
What I am trying to do?
I'm trying to acquire 3 public IP addresses via DHCP on a single physical ISP upstream cable.
What goes wrong?
Renewals go kind of wrong. From interfaces, virtual0 works just ...
0 votes, 0 answers, 102 views
Use Snort 2.9 rules for Snort 2.8.6
Unfortunately Snort hasn't released rule updates for 2.8.6 since 2017.
All customers should upgrade to 2.9. But 2.9 is x64 and my OS is Fedora x86.
I need to update my Snort 2.8.6 signatures.
Is there any ...
0 votes, 1 answer, 70 views
Is it a good idea to point two DNS hosts at four servers?
I'm trying to add two more DNS servers to our pool to have more reliability under load and avoid losing visitors due to attacks or hardware issues.
Since we have many websites setup to point at ns1....
0 votes, 1 answer, 115 views
Snort: Is a PCRE on SSNs intensive?
I'm trying to write a Snort rule to look for SSNs. Due to the limitations of the appliance in place I can not use the pre-processor settings. How intense would it be to run a PCRE rule for SSNs? ...
0 votes, 1 answer, 522 views
Forcing traffic through an IPS on a flat network through a bump in the wire
I have the following topology:
Click here, unfortunately I don't have enough rep to post images
Essentially I would like the packet flow to go from PC1, to the Core Switch, to the Edge Switch, and ...
0 votes, 0 answers, 167 views
Inter-VLAN Malicious Code Scanning
I am trying to find an inbuilt solution on a Cisco Catalyst 3750X switch to scan all traffic routed from one VLAN to another for malicious code.
The situation is that we currently have a development ...
0 votes, 1 answer, 648 views
Is a reverse proxy useful behind a load balancer and IPS?
We have a Web infrastructure with a farm of Web Servers.
They are behind a load balancer which does SSL offload.
We also have an IPS and obviously a set of firewalls.
Now, for security reason we have ...
0 votes, 2 answers, 1k views
Sonicwall IPS blocking Simple Help direct connection
We host a remote access tool called Simple Help. It allows us to access our clients' computers and assist them with problems. I can log into it from my remote workstation, and connect to a client's ...
-1 votes, 2 answers, 2k views
How to open ports if there are multiple subnetworks behind a router or public IP
Currently this is our office network. We currently have a single public IP from the ISP and we have created a single private IP network behind the NAT as shown below:
public ip ( WAN ) - 122.x....