Questions tagged [intrusion-detection]

Intrusion Detection is the ability of a system to analyze different parameters on a computer system to determine whether that system has been compromised.

This can be done through:

  • Log analysis
  • Hash checking of files
  • Network analysis
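The second item in that list, hash checking of files, as an added example (this is not code from this site or from any tool mentioned on the page): build a baseline of SHA-256 digests for every regular file under a directory, store it, and later compare a fresh walk against it to report added, removed and modified files. The web root, its contents and the tampering in `demo()` are constructed for the example; the baseline file name is an assumption.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of one file, read in chunks so large files never sit whole in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root.

    Symlinks are skipped (os.walk does not follow them either), so a planted link
    cannot pull files from outside the tree into the baseline."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline, current):
    """Diff two baselines; each value is a sorted list of relative paths."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed web root: baseline it, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "inc").mkdir(parents=True)
        (root / "index.php").write_text("<?php include 'inc/config.php';\n")
        (root / "inc" / "config.php").write_text("<?php $db = 'app';\n")
        (root / "static.css").write_text("body { margin: 0 }\n")
        # Assumed location; in real use keep it where the web server account cannot write.
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering (constructed): backdoored index, dropped web shell, deleted config.
        (root / "index.php").write_text("<?php eval(base64_decode($_POST['x']));\n")
        (root / "inc" / "shell.php").write_text("<?php system($_GET['cmd']);\n")
        (root / "inc" / "config.php").unlink()

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9} {p}")
```

The comparison is what a periodic job would run and mail out. The baseline has to live somewhere the compromised account cannot write (read-only mount, another host), otherwise whoever dropped the shell can re-hash it into the baseline; and a size/mtime prefilter makes the walk cheap on large trees, but the digest is still needed, since an edit that preserves timestamps only shows up in the hash.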
49 questions
2 votes, 1 answer

Using a UTM with a Link Aggregator

I consider changing my office's internet access infrastructure to multiple ADSL lines aggregated with a link aggregator (Peplink B710). I plan to place my existing UTM (FortiGate-100A) after the balancer. Should I expect any problems with this…
Variant
2 votes, 4 answers

What response should be made to a continued web-app crack attempt?

I've issues with a continuous, concerted cracking attempt on a website (coded in PHP). The main problem is SQL injection attempts, running on a Debian server. A secondary effect of the problem is being spidered or repeatedly spammed with URLs that,…
Kzqai
2 votes, 5 answers

Utility to notify when website files are changed

Does anyone know of a (preferably free) Windows utility that recursively hashes all the files in a directory tree every x minutes and sends a notification if any files have changed? I want to have a tool to notify me by email when any of the code…
2 votes, 1 answer

Are random packets normal?

About a month ago on one of my servers I started receiving random packets from IPs all over the world. So I did the smart thing and stopped putting off installing an IDS. This IDS is a ClearOS Gateway which comes with Snort and SnortSam. I enabled…
TheLQ
2 votes, 2 answers

IIS - Script for repeated hacks on a website

I currently have a site that is armored by ELMAH as its reporting mechanism. Each time someone hits a URL that is incorrect it notifies me or logs to the system. This is annoying for someone fat-fingering the URL with a misspelling but great when…
1 vote, 3 answers

How to configure sensor rules in OSSIM

We've recently moved our NIDS installation from StrataGuard to the new OSSIM 2.1 release to take advantage of the additional features (Nagios, ntop, Nessus/OpenVAS, etc.) it provides in addition to just Snort. So far, I'm very impressed with OSSIM…
nedm
1 vote, 1 answer

NIDS on bridged firewall

I have a firewall (Debian Stable 7.5) which works in bridged mode. The interfaces eth0 (WAN) and eth1 (LAN) are linked with the bridge interface br0. Can I deploy a NIDS (eg. Snort) on this server? If so, which interface should it listen on?
psimon
1 vote, 0 answers

SonicWall NSA2400 after firmware upgrade to 5.9 - not able to log some intrusion prevention/detection statements

After upgrading firmware to 5.9 version I'm not able to log intrusion prevention/detection for statements like PHP CGI Argument Injection, Remote Command Execution, Remote File Inclusion, WEB-ATTACKS, etc. I have enabled alerts for IPS and IDP with…
1 vote, 3 answers

What are some of the commonly used rule actions in snort other than the defaults?

I'm writing a strict snort rule parser and I would like to accommodate snort rules from popular plugins. The documentation specifies that any action/type is possible because they can be defined by plugins. However, I would like to have a list of…
Elijah
1 vote, 2 answers

How to find security-leak after a skynet intrusion?

Some days ago, the server of a friend had an intrusion. The attack installed a new SSH daemon that let any valid account in, without providing a valid password. After login, each account automatically got root permissions and the server greeted as…
kraftan
1 vote, 1 answer

Intrusion detection

I've got a security project regarding the intrusion detection and prevention. I've been googling about it but didn't land up on something substantial. I'm supposed to submit an abstract as of now, I'd like to know how an IDPS is implemented and what…
Anurag
1 vote, 1 answer

Can snort output an alert for a portscan (sfPortscan) to syslog?

I've been working on this for too long now. I'm sure the answer should be obvious, but... Snort manual: http://www.snort.org/assets/125/snort_manual-2_8_5_1.pdf lists two logging outputs on pg 39 (pg 40 according to Acrobat Reader) as: "Unified…
Jamie McNaught
0 votes, 1 answer

IIS - Detecting Brute Force Logins and Password Spraying

TLDR; What techniques are being used to detect brute force logins and/or password spraying on IIS hosted websites (including SharePoint, OWA, etc.)? ModSecurity There are many tools for other operating systems to address this with the primary being…
phbits
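An added example illustrating the distinction phbits' question draws (this is not phbits' code, nor a ModSecurity rule): a Python pass over a constructed IIS W3C extended log excerpt that tells brute force (one account hammered from one address) apart from password spraying (many accounts, one or two tries each, from one address). It assumes the attempted account name appears in `cs-username` and that a failed logon is logged with status 401; the log lines, addresses, account names and thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed #Fields directive; real servers declare whatever columns are enabled.
FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus time-taken")


def _line(ts, user, ip, status, substatus):
    """One constructed record in the field order declared above."""
    return (f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 POST /owa/auth.owa - 443 {user} {ip} "
            f"Mozilla/5.0 {status} {substatus} 15")


def build_sample():
    """Constructed log excerpt: one brute-force source, one spraying source, one benign user."""
    t0 = datetime(2019, 5, 1, 8, 0, 0)
    lines = ["#Software: Microsoft Internet Information Services 10.0", FIELDS]
    # Brute force: 12 failures against jsmith within two minutes from one address.
    lines += [_line(t0 + timedelta(seconds=10 * i), "jsmith", "203.0.113.10", 401, 1)
              for i in range(12)]
    # Spraying: ten different accounts, one failure each, from one address over ~8 minutes.
    lines += [_line(t0 + timedelta(seconds=50 * i), f"user{i:02d}", "198.51.100.7", 401, 1)
              for i in range(10)]
    # Benign: bob mistypes twice, then logs in.
    lines += [_line(t0, "bob", "192.0.2.33", 401, 1),
              _line(t0 + timedelta(seconds=20), "bob", "192.0.2.33", 401, 1),
              _line(t0 + timedelta(seconds=40), "bob", "192.0.2.33", 200, 0)]
    return "\n".join(lines)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the latest #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            parts = line.split(" ")  # W3C values never contain raw spaces
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def detect(entries, window=timedelta(minutes=10), bf_threshold=10, spray_accounts=5):
    """Group 401s by source address and classify each address by its worst window."""
    failures = defaultdict(list)
    for e in entries:
        if e["sc-status"] != "401" or e["cs-username"] == "-":
            continue
        ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        failures[e["c-ip"]].append((ts, e["cs-username"]))

    alerts = []
    for ip, events in failures.items():
        events.sort()
        for start, _ in events:  # every failure opens a candidate window
            users = Counter(u for ts, u in events if start <= ts < start + window)
            top_user, top_count = users.most_common(1)[0]
            if top_count >= bf_threshold:
                alerts.append({"ip": ip, "kind": "brute_force",
                               "account": top_user, "attempts": top_count})
                break
            if len(users) >= spray_accounts and top_count <= 2:
                alerts.append({"ip": ip, "kind": "password_spray",
                               "accounts": len(users), "attempts": sum(users.values())})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_w3c(build_sample())):
        print(alert)
```

Grouping by `c-ip` is what makes spraying visible at all, since per-account counters never trip when each account sees one attempt. The inverse blind spot is a spray distributed over many source addresses; the complementary query for that counts distinct accounts failing in the window regardless of source.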
0 votes, 1 answer

ssh spammed from 127.0.0.1 (“Did not receive identification string” and “Bad protocol version identification”)

Prequel: I've seen this question, but it's not quite the same situation. I'm particularly curious about 'heroku' showing up in the logs. I just built and spun up a new Ubuntu 18.04 box that I am using as a personal GPU workstation, and after…
0 votes, 1 answer

Tracking all network access to server made by particular IP

Is there any way that I can track any network access (on any port) made to my server by a particular IP? I'm on Ubuntu Server 16.04 LTS and am using uncomplicated firewall. Preferably, I'd be able to hook whatever the solution is into a script to…