Highest Voted 'hids' Questions - IT Security Stack Exchange

13

votes

2 answers

HIDS - Choosing between regular OSSEC or Wazuh fork

I intend to set up OSSEC and noticed there seem to be two main flavours: plain OSSEC and Wazuh fork. From what I've been able to gather (from Wazuh's website and documentation), the main advantages of Wazuh are: its ability to integrate with…

asked Jan 27 '17 at 11:32

simoesf

133
1
1
6

6

votes

3 answers

Which Windows Files Should be Monitored by HIDS?

I highlighted my question below. Here is some background. It's easy to find data showing the most commonly trojaned/modified Linux binaries and config files. ps, ls, find, kill, lsof, passwd, shadow, syslog.conf, etc. are all frequently changed…

windows integrity hids

asked Feb 08 '15 at 17:47

nhdgvst

61
1

3

votes

1 answer

Silence OSSEC rootcheck alerts

I'm trying to silence some OSSEC rootcheck alerts like these:- ** Alert 1456448991.70239: mail - ossec,rootcheck, 2016 Feb 26 01:09:51 myhost->rootcheck Rule: 519 (level 7) -> 'System Audit: Vulnerable web application found.' System Audit: Web…

hids

asked Feb 26 '16 at 02:42

jah

390
2
10

2

votes

1 answer

Can Snort be configured as HIDS?

I need to give a presentation regarding Snort and Security Auditing. I have recently learned to configure Snort as a NIDS. I want to know is there any way I can configure Snort as an HIDS? If I am updating variable HOME_NET to my IP, it'll log all…

ids snort hids

asked Apr 04 '15 at 17:33

Anurag

917
1
7
14

2

votes

1 answer

Confusion Matrix for Generated Signatures in Snort

How do we come with True Positives and False Negatives rates when creating signatures in IDS? How do we measure the signatures efficiency? I've seen so many papers that discuss the same, but how do they come up with these numbers?

ids snort bash hids

asked Apr 30 '19 at 16:14

Tasneem Singh

23
2

2

votes

2 answers

Can OSSEC detect buffer overflow attacks?

I am trying to detect buffer overflow by using OSSEC (a HIDS software) as mentioned in OSSEC rules example and OSSEC book. How can I configure OSSEC for detect a simple buffer overflow example as the following: #include #include…

ids audit buffer-overflow software hids

asked May 22 '17 at 10:47

khant

191
4

2

votes

1 answer

Tap-mode IPS vs IDS

It is my understanding that tap mode IPS, unlike in-line mode, is passive and cannot prevent attacks. In that case, what is the difference between an IDS and a tap mode IPS? I've checked out several links such as this, but can't pin point the exact…

ids detection intrusion packet hids

asked Apr 07 '16 at 08:56

George

739
1
6
22

2

votes

0 answers

USB Rubber Ducky Firmware Upgrade

I just erased my firmware, using dfu-programmer-0.7.2: $ dfu-programmer at32uc3b1256 erase Checking memory from 0x2000 to 0x3FFFF... Not blank at 0x2001. Erasing flash... Success Checking memory from 0x2000 to 0x3FFFF... Empty. The LED on the chip…

flash usb firmware badusb hids

asked Dec 20 '15 at 14:22

voices

1,649
7
22
36

1

vote

0 answers

How to test OSSEC HIDS using a linux dataset containing raw system call traces?

I have been tasked to test effectiveness of OSSEC HIDS (by effectiveness I mean detection rate it achieves as well as false positives rate) when a dataset of raw system call traces are used. The dataset itself is the AFDA-LD dataset which can be…

ids intrusion hids

asked Jun 07 '15 at 15:31

FoxEM

19
2

1

vote

0 answers

Help in understnading HIDS OSSEC traces

I realized my system Ubuntu and windows dual boot might have been compromised. So, I installed OSSEC HIDS to try to look for issues. When I ran dmesg, i found the following trace: ------------[ cut here ]------------ [ 31.461050] Could not…

system-compromise log-analysis hids ossec

asked Nov 19 '19 at 05:33

dawn

111
3

1

vote

0 answers

How do I create exceptions on Wazuh (OSSEC)?

I currently have a setup with OSSEC and AIDE running on our servers. We are currently receiving a daily alert for each agent when AIDE runs and changes audit.log. I want to make an exception for that, but I still want to be alarmed when other…

linux centos hids ossec

asked Feb 26 '19 at 16:13

Thiago Escobar

79
7

1

vote

0 answers

How do use ArcSight ESM to monitor powershell logs?

I have read mixed reviews, our team within our DoD sector suggest that ingestion the logs directly into the SIEM platform would be best and I feel that having a third party tool with signatures, look at the event and determine if was malicious and…

logging siem powershell hids

asked Feb 11 '19 at 16:04

md154199

11
1

1

vote

1 answer

AIDE and OSSEC conflicts?

Being fairly new to both AIDE and OSSEC I've been trying to find out if there are any potential conflicts in having them both installed on one host (CentOS 7.5). It seems like they could work as a multi-layered approach, but I haven't been able to…

hids ossec

asked Aug 22 '18 at 09:03

jfran3

111
9

1

vote

2 answers

Combine SNORT detection and log with active response OSSEC

As far as i know, NIDS implemented in Network layer and HIDS in Host-based layer, Is it possible for NIDS( for example: Snort or suricata ) log that will included in HIDS(for example: OSSEC) log too ? Do the NIDS and HIDS are stand-alone system that…

ids detection hids

asked Oct 30 '17 at 03:16

gagantous

193
12

1

vote

0 answers

Identifying privilege escalation in OSSEC logs

I am working on an intrusion detection system which can prioritize and attribute the logs generated by OSSEC. So, how can I understand a privilege escalation case (or just the privileges a user has at that time) by looking at these logs?

ids log-analysis hids ossec

asked Oct 21 '17 at 22:26

qwerty

111
1

Questions tagged [hids]