Questions tagged [ids]

Intrusion Detection System, a system for detecting and alerting based on behavior.

An Intrusion Detection System, or IDS, can come in many forms, but they all share the basic purpose of detecting and alerting based on behavior. Commonly this detection is signature-based, similar to anti-virus solutions, though adaptive (anomaly-based) techniques are also available.

The two most common types are network-based and host-based systems. A NIDS is intended to be a standalone device that monitors network traffic destined for other hosts. A HIDS runs as an application on the end system and often monitors both network traffic and system activity.

420 questions
50 votes, 3 answers

Simple example auditd configuration?

Auditd was recommended in an answer to Linux command logging? The default install on Ubuntu seems to barely log anything. There are several examples that come with it (capp.rules, nispom.rules, stig.rules) but it isn't clear what the performance…
nealmcb
41 votes, 6 answers

Difference between IDS and IPS and Firewall

The differences between an IDS and a firewall are that the latter prevents malicious traffic, whereas the IDS: Passive IDS: the IDS only reports that there was an intrusion. Active IDS: the IDS also takes actions against the issue to fix it or at…
The Illusive Man
39 votes, 7 answers

Is it possible to detect 100% of SQLi with a simple regex?

I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex. In other words, using very simple PHP code as an example: if (preg_match("/select/i", $input)) { attack_log("Possible SELECT SQLi…
reed
25 votes, 4 answers

Reduce Noise when Penetration Testing

Recently I participated in a capture the flag competition which was attached with SOC analysis teams monitoring our traffic. There we were told that many tools were very noisy, e.g. Sqlmap, which has its full header. As all of us were new so we weren't…
Khopcha
25 votes, 8 answers

Can I detect web app attacks by viewing my Apache log file?

I occasionally get clients requesting I look at their access_log file to determine if any web attacks were successful. What tools are helpful to discern attacks?
Tate Hansen
23 votes, 5 answers

Neural networks & anomaly detection

Neural networks, with their ability to learn behavioural patterns from arbitrary data, seem like a natural way to deal with intrusion detection. There are many academic papers on the topic which report good performance and an even better potential.…
anna-earwen
22 votes, 8 answers

Tracking down a rogue access point

Over the course of about a month we have received multiple reports of a rogue access point attempting to intercept traffic. I suspect an attacker is using a wifi pineapple, or similar hardware device. They seem to be enabling it for short periods…
rook
21 votes, 5 answers

Do you detect/react to DNS tunnelling?

I've just seen a talk about tunnelling TCP/IP over DNS requests, because port 53 UDP is usually open and unfiltered. What techniques exist to detect and block such tunnels, and have you ever seen that tunnelling on a real network? The technique uses…
user185
20 votes, 5 answers

DoS in local network computer

I'm using Snort to study detection, and I wanted to simulate a DoS attack from the inside to another computer in my home network, but I have a question. If I start to flood the target computer with network requests would that only affect the target…
pedromendessk
19 votes, 4 answers

Detect non HTTP packets using port 80

We are currently doing port whitelisting on our firewalls which is working well but this of course does not prevent the implementation of side channels or the misuse of these ports for other purposes. For example, an attacker could still initialize…
davidb
18 votes, 7 answers

Tripwire - Is it security Theater?

Tripwire type intrusion detection systems supposedly protect your system from rootkits, by monitoring the checksums of important binaries for changes. Let's say I have tripwire configured to run nightly and installed it on a fresh non-rootkitted…
dr jimbob
16 votes, 3 answers

What techniques and tools do you use to relate security events?

You have central logging going, detailed app logging/alerting (e.g. modsec), network based security alerting (e.g. snort), and whatever else feeding your observation deck. Do you have any cool techniques you'd like to share for how you relate…
Tate Hansen
15 votes, 2 answers

How do Intrusion Detection Systems (IDS) work?

How do Intrusion Detection Systems (IDS) work? As I understand it, they monitor network traffic but what exactly do they look for? How can they tell apart regular activity from intrusions?
Olivier Lalonde
14 votes, 5 answers

Testing Snort IDS installation

What is the easiest way to test Snort IDS after installing? Would using and writing a rule that captures all of the traffic work? alert ip any any -> any any ( msg: "ICMP packet detected!"; sid: 1; ) That is, using its own rules. One way that I…
Mohsen Gh.
14 votes, 2 answers

Detecting attempts to attack a website?

I am currently trying to implement some recommendations from OWASP AppSensor Project and I'd like to respond to the attacker when he tries to break into my website. Is there any resource covering/analyzing specific attack vectors? With specific I…
bretik