Questions tagged [intrusion-detection]

Intrusion Detection is the ability of a system to analyze different parameters on a computer system to determine whether the system is compromised.

This can be done through:

  • Log analysis
  • Hash checking of files
  • Network analysis
49 questions
23 votes, 15 answers

Recommend an intrusion detection system (IDS/IPS), and are they worth it?

I have tried out various network-based IDS and IPS systems throughout the years and have never been happy with the results. Either the systems were too difficult to manage, only triggered on well-known exploits based on old signatures, or were…
Doug Luxem
8 votes, 1 answer

Can Samhain monitor for a file that does not exist, but might in future?

I would like Samhain to monitor a file, say for example, /root/somefile. This file does not currently exist, but I would like to be notified if it gets created at any point. I add this to samhainrc: [ReadOnly] file = /root/somefile This causes…
Richard Downer
6 votes, 8 answers

What is the best strategy for detecting database intrusions?

Filesystem intrusions can be detected using tools such as Snort, but it is more difficult to detect intrusions into a database, such as deletion of rows, modification of tables, etc. What is the best way to monitor this to detect unwanted changes in…
davidmytton
4 votes, 1 answer

AIDE - How to exclude whole folders?

I've recently installed AIDE on a server of mine after having a run-in with hackers a week or so ago. There doesn't appear to be much documentation around for AIDE, especially on their website. I've found plenty of info on excluding certain file…
goji
4 votes, 3 answers

Is it normal for AD authentication to generate a lot of ICMP traffic?

Is it normal for AD authentication between a workstation and AD server to generate a lot of ICMP traffic? I have a network intrusion prevention system in place that is constantly detecting a huge amount of ICMP / ping traffic from AD to workstation; vice…
JoeST
4 votes, 2 answers

Removing new fingerprint detection message from nmap

I run an nmap scan of my hosts daily to check for open ports. sudo nmap -f -sS -sV --log-errors -append-output -p1-9999 host.com But along with the output I get a long list of fingerprint submissions for unrecognized ports like this…
Quintin Par
4 votes, 1 answer

What tool searches for /w00tw00t.at.ISC.SANS.DFind:)?

In my web server logs I get a lot of these: [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:) I know it's just a failed request and I don't have to worry about it too…
user63623
4 votes, 5 answers

Why is my port 25 so active?

Using netstat -na I notice that I have a lot of connections like tcp 0 0 XXX.XXX.XXX.XXX:25 YYY.YYY.YYY.YYY:13933 ESTABLISHED tcp 0 0 XXX.XXX.XXX.XXX:25 ZZZ.ZZZ.ZZZ.ZZZ:9528 ESTABLISHED Those are to…
user48058
4 votes, 4 answers

Recommend alternative to tripwire?

Looking for a host-based IDS comparable to tripwire, preferably one that allows centralized management. Right now I use tripwire, and though it works, management and reporting through a central server would be ideal. I'm looking for recommendations…
CarpeNoctem
4 votes, 3 answers

Comparison of Firewall, Intrusion Prevention, Detection and Antivirus Technologies in Organizational Network Architecture

These days I'm reading about intrusion prevention/detection systems. While reading, I got really confused on some points. First, the firewall and antivirus technologies have been known terms for years; however, now IDS is becoming popular. My question…
3 votes, 2 answers

aide --init shows lots of errors

I have a brand new CentOS 6.2 server. The first thing I did was yum -y install aide, and then I did aide --init. Below is a whole lot of errors I got. What does it mean? Must I reinstall it, or leave it? /usr/sbin/prelink: /usr/sbin/lusermod: at…
newbie14
3 votes, 1 answer

OSSIM In Production Environment

I am trying to get some real-world feedback on OSSIM. Are you using OSSIM in production? If so, what has your overall experience been? How many nodes are in your environment? Finally, what kind of bandwidth are you monitoring? Thanks! Anapologetos
Josh Brower
2 votes, 4 answers

Simple application level file integrity monitoring & Intrusion detection (IDS)

We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a pretty good job at that. We have looked at…
Dev
2 votes, 2 answers

Single file changed: intrusion or corruption?

rkhunter reported a single file change on a virtual server (netstat binary). It didn't report any other warning. The change was not the result of a package upgrade (I reinstalled it and the checksum is back as it was before). I'm wondering whether…
2 votes, 2 answers

Breach in my machine

Possible Duplicate: My server's been hacked EMERGENCY Suddenly, ssh claims that the key on my server has changed. Even freenx doesn't accept my connections anymore because of the changed key. Nothing important on it, anyway. But how do I verify if…
user1632812