Questions tagged [hids]

Questions about Host Based Intrusion Detection Systems

For instance OSSEC, Tripwire and similar systems.

24 questions
13 votes, 2 answers

HIDS - Choosing between regular OSSEC or Wazuh fork

I intend to set up OSSEC and noticed there seem to be two main flavours: plain OSSEC and Wazuh fork. From what I've been able to gather (from Wazuh's website and documentation), the main advantages of Wazuh are: its ability to integrate with…
simoesf
6 votes, 3 answers

Which Windows Files Should be Monitored by HIDS?

I highlighted my question below. Here is some background. It's easy to find data showing the most commonly trojaned/modified Linux binaries and config files. ps, ls, find, kill, lsof, passwd, shadow, syslog.conf, etc. are all frequently changed…
nhdgvst
3 votes, 1 answer

Silence OSSEC rootcheck alerts

I'm trying to silence some OSSEC rootcheck alerts like these: ** Alert 1456448991.70239: mail - ossec,rootcheck, 2016 Feb 26 01:09:51 myhost->rootcheck Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.' System Audit: Web…
jah
2 votes, 1 answer

Can Snort be configured as HIDS?

I need to give a presentation regarding Snort and Security Auditing. I have recently learned to configure Snort as a NIDS. I want to know if there is any way I can configure Snort as an HIDS. If I am updating the variable HOME_NET to my IP, it'll log all…
Anurag
2 votes, 1 answer

Confusion Matrix for Generated Signatures in Snort

How do we come up with True Positive and False Negative rates when creating signatures in an IDS? How do we measure the signatures' efficiency? I've seen so many papers that discuss the same, but how do they come up with these numbers?
2 votes, 2 answers

Can OSSEC detect buffer overflow attacks?

I am trying to detect buffer overflow by using OSSEC (a HIDS software) as mentioned in the OSSEC rules example and the OSSEC book. How can I configure OSSEC to detect a simple buffer overflow example such as the following: #include #include…
khant
2 votes, 1 answer

Tap-mode IPS vs IDS

It is my understanding that tap mode IPS, unlike in-line mode, is passive and cannot prevent attacks. In that case, what is the difference between an IDS and a tap mode IPS? I've checked out several links such as this, but can't pinpoint the exact…
George
2 votes, 0 answers

USB Rubber Ducky Firmware Upgrade

I just erased my firmware, using dfu-programmer-0.7.2: $ dfu-programmer at32uc3b1256 erase Checking memory from 0x2000 to 0x3FFFF... Not blank at 0x2001. Erasing flash... Success Checking memory from 0x2000 to 0x3FFFF... Empty. The LED on the chip…
voices
1 vote, 0 answers

How to test OSSEC HIDS using a Linux dataset containing raw system call traces?

I have been tasked to test the effectiveness of OSSEC HIDS (by effectiveness I mean the detection rate it achieves as well as the false positive rate) when a dataset of raw system call traces is used. The dataset itself is the AFDA-LD dataset which can be…
FoxEM
1 vote, 0 answers

Help in understanding HIDS OSSEC traces

I realized my Ubuntu and Windows dual boot system might have been compromised. So, I installed OSSEC HIDS to try to look for issues. When I ran dmesg, I found the following trace: ------------[ cut here ]------------ [ 31.461050] Could not…
dawn
1 vote, 0 answers

How do I create exceptions on Wazuh (OSSEC)?

I currently have a setup with OSSEC and AIDE running on our servers. We are currently receiving a daily alert for each agent when AIDE runs and changes audit.log. I want to make an exception for that, but I still want to be alarmed when other…
1 vote, 0 answers

How do I use ArcSight ESM to monitor PowerShell logs?

I have read mixed reviews. Our team within our DoD sector suggests that ingesting the logs directly into the SIEM platform would be best, and I feel that having a third party tool with signatures look at the event and determine if it was malicious and…
md154199
1 vote, 1 answer

AIDE and OSSEC conflicts?

Being fairly new to both AIDE and OSSEC I've been trying to find out if there are any potential conflicts in having them both installed on one host (CentOS 7.5). It seems like they could work as a multi-layered approach, but I haven't been able to…
jfran3
1 vote, 2 answers

Combine Snort detection and log with OSSEC active response

As far as I know, NIDS is implemented at the network layer and HIDS at the host layer. Is it possible for NIDS (for example: Snort or Suricata) logs to be included in HIDS (for example: OSSEC) logs too? Are the NIDS and HIDS stand-alone systems that…
gagantous
1 vote, 0 answers

Identifying privilege escalation in OSSEC logs

I am working on an intrusion detection system which can prioritize and attribute the logs generated by OSSEC. So, how can I understand a privilege escalation case (or just the privileges a user has at that time) by looking at these logs?
qwerty