
Questions tagged [ips]

An Intrusion Prevention System (IPS) is a network security system that inspects traffic inline and automatically blocks or drops traffic matching known attack signatures or anomalous behaviour, providing a proactive, automated layer of defense against unauthorized access.

11 votes · 1 answer · 3k views

Snort is receiving traffic, but doesn't appear to be applying rules

I have Snort installed and running in inline mode via NFQUEUE on my local (as in I can walk in the next room and touch it) gateway. I have the following rule in my /etc/snort/rules/snort.rules: alert ...
Cliff Armstrong

8 votes · 8 answers · 19k views

What is the best Web Application Firewall for IIS? [closed]

What is the best Web Application Firewall (WAF) for IIS? What makes it better than the others? How useful is it at blocking attacks against poorly written code, otherwise known as an Intrusion ...
Rook

5 votes · 8 answers · 12k views

File transfer problems through VPN when Cisco IPS is enabled

We have a Cisco ASA 5510 firewall with the IPS module installed. We have a customer that we must connect to via VPN to their network to exchange files via FTP. We use the Cisco VPN client (version 5....
Richard West

4 votes · 6 answers · 14k views

How to manually download individual files from the OpenIndiana (or Solaris) pkg repo?

For a server in an offline environment, how would I download a package from http://pkg.openindiana.org/dev? (or the better known http://pkg.oracle.com) There is an install link which downloads a p5i ...
700 Software

3 votes · 2 answers · 1k views

Is there any real difference between Snort and Suricata?

Looking to move forward in deploying IDS/IPS on several FreeBSD firewalls and I was curious about the difference between Snort and Suricata. I know that Suricata is multi-threaded but in terms of rule ...
Jason

3 votes · 1 answer · 16k views

(network.c.379) can't bind to port: 80 Address already in use

I have one server running both apache and lighttpd on two separate IPs. After rebooting the server I can't access the stuff on lighttpd: /etc/init.d/lighttpd restart (network.c.379) can't bind to ...
chonko

3 votes · 3 answers · 19k views

Blocking TeamViewer

I'd like to block incoming TeamViewer connections to my network, but at the same time to allow outgoing TeamViewer connections. So that users can't connect to their work PCs with TV (circumventing ...
Hubert Kario

3 votes · 1 answer · 1k views

Solaris IPS: pkg dependency errors bear no relation to actual issue / how best to diagnose IPS dependency failures?

I am running Solaris 11.3 (at present from the non-contract Release repo). I have a large amount of Solaris 10 experience, but I am newer to 11 and am still working on getting confident with IPS. My ...
TheBloke

3 votes · 1 answer · 5k views

fail2ban regex working but no action being taken

I have the following snippet of fail2ban configuration on an Ubuntu 13.10 server:
#jail.conf
[apache-getphp]
enabled = true
port = http,https
filter = apache-getphp
action = iptables-multiport[...
fpghost

3 votes · 1 answer · 859 views

Solaris 11.3 non-global zones not inheriting IPS facet changes (to version-lock)

I have a Solaris 11.3 system without (presently) a support contract. I am therefore using the IPS repository at http://pkg.oracle.com/solaris/release/, which I have now mirrored locally using pkgrecv....
TheBloke

2 votes · 1 answer · 576 views

Cisco ASA vs. pfSense - How packet inspection works with VPNs

We have a small office, about 75% of our infrastructure is cloud based including a pfSense deployment we use for remote access and site to site connections which is currently public facing. We've ...
dcd018

2 votes · 4 answers · 2k views

Simple application level file integrity monitoring & Intrusion detection (IDS)

We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a ...
Dev

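The kind of application-level check the question above is asking for boils down to a hash baseline of the application tree plus a diff on rescan. The following is an added example written for this page, not code from the question or any of its answers: it baselines a directory with SHA-256, skips symlinks (so a link cannot redirect the monitor at a file outside the tree), ignores a set of directories the application is assumed to write to at runtime (the EXCLUDE_DIRS names are an assumption), and reports added, removed and modified files. The web root and the tampering in demo() are constructed.

```python
"""Application-level file integrity monitor (added example, not from the
question or its answers).

Takes a SHA-256 baseline of an application directory such as a web root,
then rescans and reports files that were added, removed or modified.
The directory contents and the 'tampering' below are constructed for the
demo; the EXCLUDE_DIRS set is an assumption about which subdirectories an
application writes to legitimately.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption: directories the application itself writes to at runtime;
# hashing them would generate noise on every scan.
EXCLUDE_DIRS = {"cache", "tmp", "logs"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files are not loaded into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> hash and permission bits for every regular file.

    Symlinks are skipped: following them would let an attacker point a link
    at an arbitrary file and make the monitor 'verify' content that is not
    actually in the application tree.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": oct(p.stat().st_mode & 0o7777),
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines. A permission change counts as a modification."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(
            p for p in common
            if old[p]["sha256"] != new[p]["sha256"] or old[p]["mode"] != new[p]["mode"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cache").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "config.php").write_text("<?php $db = 'prod'; ?>\n")
        (root / "cache" / "page.html").write_text("cached\n")

        # In production the baseline is serialised and kept off-host (or at
        # least signed); a baseline the web user can rewrite proves nothing.
        stored = json.dumps(build_baseline(root))

        # Constructed tampering: one file modified, one dropped in, one deleted,
        # plus a change inside an excluded directory that must not be reported.
        (root / "index.php").write_text("<?php echo 'hello'; include 'x.php'; ?>\n")
        (root / "dropped.php").write_text("<?php /* new file */ ?>\n")
        (root / "config.php").unlink()
        (root / "cache" / "page.html").write_text("changed\n")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two points that matter in practice are where the baseline lives and who runs the scan: if the scanner and its stored hashes are writable by the same account that serves the application, an attacker who can drop a file can also refresh the baseline, so keep the baseline off-host or sign it and run the comparison from a separate, more privileged context.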
2 votes · 1 answer · 1k views

Trying to figure out how to bridge two virtual networks together and in turn bridge that to the internet for a virtual inline IDS/IPS system

I'm trying to figure out how to bridge two VMware (server or workstation, workstation) or VirtualBox networks together with a Linux IDS/IPS system transparently inline between both the virtual ...
Tony robinson

2 votes · 1 answer · 419 views

iptables traffic redirection for multiple public IPs

On my Linux machine I have:
- one physical interface eth0 with the public IP x.x.x.x
- one logical interface eth0:0 with the public IP t.t.t.t
- BIND DNS listening on t.t.t.t
If I ping t.t.t.t from ...
w00t

2 votes · 0 answers · 2k views

Suricata logs "A Network Trojan was detected". Is it a false positive?

I use Suricata as an IDS on a local network that has no internet access. It logged a few alerts from some clients that said "A Network Trojan was detected". All the log's properties are in the following:...
Arani

2 votes · 1 answer · 1k views

Can Suricata be used as an effective IPS on a single server?

I've been looking for an effective intrusion prevention system (IPS) for an Ubuntu 14.04 server, something like what Symantec or F-Prot might offer for a Windows server. I've contacted major ...
Christopher Hinkle

1 vote · 2 answers · 292 views

Web server hosting infrastructure, does IPS help?

I am working on setting up new networking for a datacenter hosting a web site. We have the following topology: Internet -> Firewall1 -> ReverseProxy (for security) -> Web Server -> firewall2 -> database ...
mamu

1 vote · 3 answers · 321 views

Does it make sense to augment WAF (Web Application Firewall) with an IPS (Intrusion Prevention System)?

Following scenario:
- Web application, only HTTP/S traffic
- Firewall in place to only allow traffic on port 80/443 in
- WAF is in place, set to deny malicious traffic
Question: Is there any added value ...
silent

1 vote · 1 answer · 1k views

How to hide Origin Server IP address from Reconnaissance tools

When it comes to web server security, I am a paranoid person. On DigitalOcean, I'm running a server. They refer to it as a Droplet. Cloudflare is my DNS provider, and Cloudflare proxies and protects ...
Frustrated Melly

1 vote · 1 answer · 2k views

Cisco ASA 5510 w/ AIP SSM - Can it inspect SSL traffic?

Is it possible for an AIP module within a Cisco 5510 ASA to decrypt and inspect SSL traffic? I have asked my local vendor (who placed the devices of which I speak) and they say that the AIP module is ...
moniker

1 vote · 2 answers · 4k views

Adding a host to Cisco IPS Never Block List

We are running a Cisco ASA 5510 with the IPS module. We have an internal server that is performing a lot of SNMP discovery scans and is being blocked and shut down by the IPS. Since I'm in control ...
Richard West

1 vote · 1 answer · 625 views

IPS for web application in Kubernetes

We have an application hosted in Azure under Kubernetes. In a security compliance document shared with us, there are multiple points mentioning the implementation of an IPS (Intrusion Prevention ...
Anonymous Platypus

1 vote · 1 answer · 2k views

Snort not sniffing any traffic except its own

I'm currently trying to set up Snort on my local machine. At the moment I have 3 VMs: 1 with Snort on it and 2 used to ping each other. Whenever I ping from one of the devices to the Snort machine, ...
Sander Willems

1 vote · 1 answer · 578 views

I can access HTTP and HTTPS on the server, but can't ping the server behind a SonicWall TZ500

I am not sure if this is possible or not. I have set up some web servers and FTP servers that are statically NATted behind a SonicWall TZ500. I can access all via FTP, HTTP, HTTPS. I have included ...
user202243

1 vote · 1 answer · 521 views

Stateful Signatures in an IPS

I am researching in-line IPS devices and their signatures both stateful and stateless. The test network I am looking to implement the IPS in has asymmetric traffic so stateful inspection would be ...
SomethingSmithe

1 vote · 1 answer · 195 views

Unable to get Honeynet Snort Inline Toolkit

I have to deploy a Snort based intrusion prevention system. I am a total newbie in this, so any kind of help, references for starters would be highly appreciated. Also the Snort documentation talks about ...
Ashish Sharma

1 vote · 0 answers · 27 views

Application role in preventing DDOS

I have an application that is being planned to be exposed to internet clients via a reverse proxy deployed in the DMZ. I have recommended that the deployments use WAF/Cloudflare along with this to ...
computinglife

1 vote · 0 answers · 472 views

Suricata-update doesn't apply modify rules consistently

I have the following /etc/suricata/modify.conf file:
## Reject by classtype
re:classtype:\s*attempted-user "alert(.*)" "reject\\1"
# high Attempted User Privilege Gain
re:...
Cliff Armstrong

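To reason about which rules a modify.conf line will and will not touch, it helps to see the three-field semantics (matcher, regex to find, replacement) applied to a handful of rules. The following is an added emulation written for this page; it is not suricata-update's own code, and whether the installed version tokenises lines exactly the way shlex does here is an assumption to verify against its parser. The first filter line reproduces the one from the question; the other filter lines and all the rules (sids in the local 9000000+ range) are constructed.

```python
"""Emulation of suricata-update's modify.conf semantics (added example; this
is not suricata-update's own code).

A modify.conf line has three fields: a matcher, a regex to search for in the
rule, and its replacement. The matcher is either a bare sid or 're:<regex>'
tested against the whole rule text. The first filter line below is the one
from the question; the rest of the file and the rules are constructed.
"""
import re
import shlex

MODIFY_CONF = r'''
## Reject by classtype
re:classtype:\s*attempted-user "alert(.*)" "reject\\1"  # high Attempted User Privilege Gain
re:classtype:\s*attempted-admin "^alert" "reject"
9000003 "^alert" "drop"
'''

SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED SSH brute force"; '
    'flow:to_server; classtype:attempted-user; sid:9000001; rev:1;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED admin panel probe"; '
    'classtype:attempted-admin; sid:9000002; rev:1;)',
    'alert dns $HOME_NET any -> any any (msg:"CONSTRUCTED alert on DGA lookup"; '
    'classtype:trojan-activity; sid:9000003; rev:1;)',
    'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED self-signed cert"; '
    'classtype:misc-activity; sid:9000004; rev:1;)',
    # A disabled (commented-out) rule: shows why anchoring the pattern matters.
    '# alert tcp any any -> any any (msg:"CONSTRUCTED disabled rule"; '
    'classtype:attempted-user; sid:9000005; rev:1;)',
]


def parse_modify_conf(text: str) -> list:
    """Return (matcher, compiled_pattern, replacement) triples.

    shlex does the quoting, which has two consequences worth knowing:
    "reject\\1" in the file arrives as reject\1 (a valid backreference), and a
    backslash in the UNQUOTED matcher is consumed as a shell-style escape, so
    \s* arrives as s*. Assumption: the real parser behaves the same; check it.
    """
    filters = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = line.split(" #", 1)[0].rstrip()  # strip a trailing comment
        tokens = shlex.split(line)
        if len(tokens) != 3:
            raise ValueError(f"expected 3 fields: {raw!r}")
        match, frm, to = tokens
        if match.startswith("re:"):
            matcher = re.compile(match[3:].strip(), re.IGNORECASE)
        elif match.isdigit():
            matcher = int(match)
        else:
            raise ValueError(f"unsupported matcher: {match!r}")
        filters.append((matcher, re.compile(frm), to))
    return filters


def rule_sid(rule: str):
    m = re.search(r"\bsid:\s*(\d+)\s*;", rule)
    return int(m.group(1)) if m else None


def filter_matches(matcher, rule: str) -> bool:
    if isinstance(matcher, int):
        return rule_sid(rule) == matcher
    return matcher.search(rule) is not None


def apply_filters(filters: list, rules: list) -> list:
    """Apply every matching filter to every rule, in file order."""
    out = []
    for rule in rules:
        for matcher, pattern, repl in filters:
            if filter_matches(matcher, rule):
                rule = pattern.sub(repl, rule)
        out.append(rule)
    return out


def run() -> list:
    return apply_filters(parse_modify_conf(MODIFY_CONF), SAMPLE_RULES)


if __name__ == "__main__":
    for before, after in zip(SAMPLE_RULES, run()):
        print("unchanged" if before == after else "rewritten", after[:60])
```

Two things the run shows: "alert(.*)" is unanchored, so it also rewrites a commented-out rule into "# reject ..." (harmless, but noisy in diffs), while "^alert" only touches the action of an enabled rule; and the matcher is a search over the full rule text, so a classtype that differs from the one in the pattern (attempted-admin versus attempted-user) is simply not selected, which looks like an inconsistency if you expected both.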
1 vote · 1 answer · 764 views

Intrusion Detection/Prevention in AWS

On a normal server, I would have fail2ban handle intrusion detection; how would I go about setting up IDS/IPS on AWS? Any help or pointers would be appreciated.
Cenoc

0 votes · 1 answer · 1k views

Only allow a specific port to be connected to by one IP address at a time

I have an open port, 40002. I want to limit it so that at any one time the port can only be connected to by one IP address (not a specific address). If there is an IP address connecting to that port already, ...
kenyang001

0 votes · 1 answer · 84 views

Any way to limit IP Access for Certain Users?

I am currently tasked with allowing vendors onto our process network. The issue is I need to make it so each vendor is only able to connect to PLCs on their own machines ("each PLC has its own IP"). Is ...
Wally

0 votes · 1 answer · 3k views

Switch Before Firewall / Router - Multiple public IPs

I currently have a 10Mbit full duplex circuit connected to a small unmanaged switch which then connects to a SonicWall firewall / router. I have several public IP addresses (/28) that are assigned to ...
rii

0 votes · 1 answer · 758 views

How Does Cisco IPS Work?

How does it work? Does it typically have predefined patterns of trusted or malicious activity? Is it actually a category of firewall techniques? I am more curious about Cisco than I am about other ...
700 Software

0 votes · 6 answers · 554 views

Sidewinder Firewall Replacement/Alternative

We own a Sidewinder G2 110D (out-of-stock) and love it. The product was reasonably priced, support was great, and the device was rock-solid. Since McAfee bought out Secure Computing, they have ...
Sysadminicus

0 votes · 1 answer · 921 views

Adding more IP Addresses to a Subnet in AWS

I have a Subnet with CIDR 10.0.4.0/28 (15 IP addresses), which is now exhausted; so I want to add more IP addresses. Is it possible to add more IP addresses to the subnet? I see that I can add a ...
Techboy

0 votes · 1 answer · 399 views

Snort DAQ: which NIC should run in promiscuous mode?

I want to use Snort 2.x as an IPS. I have understood that I need two NICs to capture the traffic (DAQ mode).
eth0 = my network card to the WAN
eth1 = my internal (virtual) NIC for Snort
My current ...
Gill-Bates

0 votes · 1 answer · 3k views

Is there a benefit from using an IPS for outgoing traffic?

It's probably a stupid question, but still maybe it will be useful not only for me. I have a Juniper SRX firewall in a branch office. All ports are blocked from Internet to Internal network. All ...
Roman_T

0 votes · 1 answer · 2k views

Bridge Intrusion Prevention Vyatta

I am trying to create a bridge with ThreatStop, IPS and block a few ports. This bridge will sit in front of my servers. All is working apart from the IPS. I have read the documentation on configuring ...
Steve

0 votes · 1 answer · 160 views

Looking for a good DDOS IPS system [duplicate]

Could I get some recommendations on IPS solutions that incorporate some form of DDOS protection / what do you currently implement on your network? Thanks
james moore

0 votes · 1 answer · 8k views

How to temporarily disable a Cisco IPS module for troubleshooting

I have a Cisco IPS module running in my ASA 5510 firewall. Right now I'm trying to troubleshoot a network/VPN problem that two of my users are having when they VPN into a remote partner's site. I ...
Richard West

0 votes · 0 answers · 2k views

IDS/IPS on Ubiquiti EdgeRouter

I changed my network setup from the default ISP device to a Ubiquiti EdgeRouter (ER-X-SFP) a while ago. Currently I'm planning to switch to a static IPv4 address. From the ISP I would also get ...
MarvinMcFly

0 votes · 1 answer · 802 views

DHCP & macvlan: Only first virtual interface works with unicast DHCPREQUEST

What am I trying to do? I'm trying to acquire 3 public IP addresses via DHCP on a single physical ISP upstream cable. What goes wrong? Renewals go kind of wrong. From interfaces, virtual0 works just ...
Janne Paalijarvi

0 votes · 0 answers · 102 views

Use Snort 2.9 rules for Snort 2.8.6

Unfortunately Snort hasn't released rule updates for 2.8.6 since 2017. All customers should upgrade to 2.9. But 2.9 is x64 and my OS is Fedora x86. I need to update my Snort 2.8.6 signatures. Is there any ...
Peeter Johnson

0 votes · 1 answer · 70 views

Is it a good idea to point two DNS hosts over four servers

I'm trying to add two more DNS servers to our pool to have more reliability under load and avoid losing visitors due to attacks or hardware issues. Since we have many websites set up to point at ns1....
kuteninja

0 votes · 1 answer · 115 views

SNORT: Is a PCRE on SSNs intensive?

I'm trying to write a Snort rule to look for SSNs. Due to the limitations of the appliance in place I cannot use the pre-processor settings. How intense would it be to run a PCRE rule for SSNs? ...
HatinCisco9234

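The cost of a pcre option is driven by how many packets reach it: Snort evaluates pcre only after the rule header and the options before it have matched, and a rule with no content keyword has no fast-pattern literal, so the regex runs on every packet in the rule's protocol and port scope. The following added example, written for this page and not taken from the question or its answers, scans constructed payloads with an SSN regex that encodes the Social Security Administration's structural rules (area never 000, 666 or 900-999; group never 00; serial never 0000) and counts regex evaluations with and without a content-style literal gating it. The Snort rule text is illustrative, not a published signature, and should be checked against the target version.

```python
"""How expensive is a PCRE SSN rule, and what to do about it (added example,
not from the question or its answers).

The scanner counts regex evaluations with and without a content-style literal
pre-filter, emulating the effect of putting a content:"..."; nocase; option in
front of the pcre. The payloads are constructed; the Snort rule text is
illustrative and should be checked against the target version.
"""
import re

# Illustrative rule (assumption, not a published signature). SSA rules: an SSN
# never has area 000, 666 or 900-999, group 00, or serial 0000.
SNORT_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any ('
    'msg:"Possible SSN in outbound traffic"; flow:to_server,established; '
    r'pcre:"/\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/"; '
    'classtype:policy-violation; sid:1000001; rev:1;)'
)

# Same regex as in the rule, applied to raw payload bytes.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed packet payloads exercising the edge cases.
PAYLOADS = [
    b"POST /apply HTTP/1.1\r\n\r\nname=Jane+Doe&ssn=123-45-6789",  # valid
    b"id=000-12-3456&ssn=none",       # area 000 is never issued
    b"callback=555-12-34567",         # five serial digits: not an SSN
    b"ref=666-01-0001",               # area 666 is never issued
    b"SSN: 987-65-4320",              # area 900-999 is never issued
    b"v=123-00-4567",                 # group 00 is never issued
    b"v=123-45-0000",                 # serial 0000 is never issued
    b"acct 800-55-1234 ok",           # valid (800-899 issued since randomization)
    b"GET /index.html HTTP/1.1",      # nothing that looks numeric
]


def is_plausible_ssn(s: str) -> bool:
    """The regex's rules written out, for readability and for unit tests."""
    if not re.fullmatch(r"\d{3}-\d{2}-\d{4}", s):
        return False
    area, group, serial = s.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan_payloads(payloads, content: bytes = None):
    """Return (hits, regex_evaluations).

    `content` emulates a Snort content:"..."; nocase; option placed before the
    pcre: a cheap literal check that gates the expensive regex. Without it,
    every payload in scope costs one regex evaluation.
    """
    hits, evaluations = [], 0
    for i, payload in enumerate(payloads):
        if content is not None and content.lower() not in payload.lower():
            continue
        evaluations += 1
        for m in SSN_RE.finditer(payload):
            hits.append((i, m.group().decode()))
    return hits, evaluations


if __name__ == "__main__":
    print("no pre-filter:", scan_payloads(PAYLOADS))
    print('content:"ssn":', scan_payloads(PAYLOADS, content=b"ssn"))
```

The trade-off is visible in the output: without a literal, all nine payloads are regex-evaluated and both real SSNs are found; gating on "ssn" cuts evaluations to three but misses the unlabelled one in "acct 800-55-1234 ok". In a Snort rule the equivalents are a flow option and tight ports to shrink the packet population, and a content match (which Snort takes as the fast pattern) only when the data in your environment reliably carries such a label.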
0 votes · 1 answer · 522 views

Forcing traffic through an IPS on a flat network through a bump in the wire

I have the following topology: Click here, unfortunately I don't have enough rep to post images. Essentially I would like the packet flow to go from PC1, to the Core Switch, to the Edge Switch, and ...
HatinCisco9234

0 votes · 0 answers · 167 views

Inter-VLAN Malicious Code Scanning

I am trying to find an inbuilt solution on a Cisco Catalyst 3750X switch to scan all traffic routed from one VLAN to another for malicious code. The situation is that we currently have a development ...
Jackthedog

0 votes · 1 answer · 648 views

Is a reverse proxy useful behind a load balancer and IPS

We have a web infrastructure with a farm of web servers. They are behind a load balancer which does SSL offload. We also have an IPS and obviously a set of firewalls. Now, for security reasons we have ...
Momo

0 votes · 2 answers · 1k views

SonicWall IPS blocking Simple Help direct connection

We host a remote access tool called Simple Help. It allows us to access our clients' computers and assist them with problems. I can log into it from my remote workstation, and connect to a client's ...
skinneejoe

-1 votes · 2 answers · 2k views

How to open ports if there are multiple subnetworks behind a router or public IP

Currently this is our office network. We currently have a single public IP from the ISP and we have created a single private IP network behind the NAT as shown below: public ip ( WAN ) - 122.x....
anil kottam