Questions tagged [ids]
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.
72 questions
1 vote, 0 answers, 78 views
Unreliable Hyper-V Port Mirroring
To set the stage:
Host:
Dell Server
Windows Server 2019 Standard
Xeon E-2660
64GB RAM
Broadcom NetExtreme Gigabit Ethernet Card
Guest:
Gen 1
Debian
12288 RAM (not dynamic)
standard network adapters
...
1 vote, 0 answers, 101 views
Why can snort not alert on this pcap?
The rule is
alert tcp any any <> any any (sid:11111;content:"GET";)
a file named http.pcap, which has the content
GET /s?wd=%E7%99%BE%E5%BA%A6 HTTP/1.0
a config file named 1.conf
...
0 votes, 1 answer, 3k views
update-aide.conf command not found
I'm trying to set up the AIDE IDS on my Ubuntu server. I followed the official installation guide, but when I try to use the command "update-aide.conf" to generate a new config I get the error
$ update-...
1 vote, 2 answers, 194 views
Can the bulk execution of "dig domain mx" on 5000 domains be considered an attack on the network?
I have a database containing a lot of invalid emails.
I want to remove all the emails whose domain does not have an MX record.
So after I extracted the domain part I wrote a script to bulk check this for ...
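What makes a bulk MX sweep look like an attack is not the count of addresses but repeated, unpaced queries against someone else's resolver. The following Python is an added example, not the asker's script: it deduplicates addresses by domain, paces lookups to a fixed rate, and keeps "zone exists but has no MX" separate from NXDOMAIN (mail may still fall back to the A record). The sample addresses and the resolver table are constructed so it runs offline; `dnspython_lookup` is the production replacement and assumes the `dnspython` package.

```python
import re
import time
from collections import OrderedDict

EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})$")

# Constructed sample addresses, not the asker's database.
SAMPLE_EMAILS = [
    "alice@example.com", "bob@Example.com", "carol@mail.example.org",
    "dave@nxdomain.invalid", "broken-address", "erin@no-mx.example.net", "frank@example.com",
]

def domains_of(emails):
    """(unique domain -> addresses using it, syntactically invalid addresses).
    Deduplicating first is what turns thousands of addresses into far fewer queries;
    repeating the same query is the pattern that makes a resolver operator suspect abuse."""
    by_domain, invalid = OrderedDict(), []
    for e in emails:
        m = EMAIL_RE.match(e.strip())
        if m:
            by_domain.setdefault(m.group(1).lower(), []).append(e)
        else:
            invalid.append(e)
    return by_domain, invalid

class Pacer:
    """Never issue more than per_second lookups per second. clock/sleep are injectable
    so the pacing can be verified without actually waiting."""
    def __init__(self, per_second, clock=time.monotonic, sleep=time.sleep):
        self.interval, self.clock, self.sleep = 1.0 / per_second, clock, sleep
        self.next_at = clock()

    def wait(self):
        now = self.clock()
        if now < self.next_at:
            self.sleep(self.next_at - now)
        self.next_at = max(now, self.next_at) + self.interval

def check_mx(domains, lookup, pacer):
    """lookup(domain) returns the MX hosts ([] when the zone exists without MX records,
    raises LookupError on NXDOMAIN). Returns domain -> 'mx' | 'no-mx' | 'nxdomain'."""
    results = {}
    for d in domains:
        pacer.wait()
        try:
            results[d] = "mx" if lookup(d) else "no-mx"
        except LookupError:
            results[d] = "nxdomain"
    return results

def partition(emails, lookup, per_second=5.0, pacer=None):
    """(keep, remove, status): only invalid syntax and NXDOMAIN domains are removed."""
    by_domain, invalid = domains_of(emails)
    status = check_mx(by_domain, lookup, pacer or Pacer(per_second))
    keep, remove = [], list(invalid)
    for d, addrs in by_domain.items():
        (remove if status[d] == "nxdomain" else keep).extend(addrs)
    return keep, remove, status

# Constructed resolver table standing in for DNS so the example runs offline.
FAKE_ZONES = {"example.com": ["mx1.example.com"], "mail.example.org": ["mx.example.org"],
              "no-mx.example.net": []}

def fake_lookup(domain):
    if domain not in FAKE_ZONES:
        raise LookupError(domain)
    return FAKE_ZONES[domain]

def dnspython_lookup(domain):
    """Real resolver for production (pip install dnspython); not exercised offline.
    Point the system resolver at your own recursive server for bulk work."""
    import dns.resolver
    try:
        return [str(r.exchange) for r in dns.resolver.resolve(domain, "MX")]
    except dns.resolver.NoAnswer:
        return []
    except dns.resolver.NXDOMAIN:
        raise LookupError(domain)
```

With `partition(SAMPLE_EMAILS, fake_lookup)` the four unique domains cost four lookups spread over roughly 0.6 s at the default 5/s; swap in `dnspython_lookup` and raise `per_second` only as far as your own resolver is comfortable with.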
1 vote, 0 answers, 85 views
Suricata / Filebeat / ELK - iptables tee - Create virtual hosts
I have an IDS set up as follows:
Hardware / interfaces
WAN <----(brwan)> ROUTER / AP <(br0)----> LAN
\
-----(eth1)>...
1 vote, 1 answer, 2k views
Create an NFQUEUE rule to match local address destinations in my Raspberry Pi router
I'm working on a project to verify the source of each packet if its destination is one of several IPs on the LAN network. I'm interested in the LAN IPs, not the WAN.
I tried to create many matches ...
0 votes, 1 answer, 127 views
What does uid in snort mean?
I was writing a snort rule for a specific exploit and then came across one solution that reads "uid=0(root)". Can someone explain what that is and why it is mentioned in order to ...
0 votes, 0 answers, 2k views
IDS/IPS on Ubiquiti EdgeRouter
I changed my network setup from the default ISP device to a Ubiquiti EdgeRouter (ER-X-SFP) a while ago. Currently I'm planning to switch to a static IPv4 address. From the ISP I would also get ...
1 vote, 0 answers, 285 views
Auditd to CloudwatchLogs to IDS alerts?
I'm administering a relatively simple AWS stack with about 5 heterogeneous Linux EC2 instances. All instances have already been set up to ship important logs to Cloudwatch Logs. Now I want to set up a ...
1 vote, 0 answers, 73 views
HIDS: Need a trip wire for a honeypot, best approach?
We run a small VPS hosting company; each VPS is based on a fixed 18.04 template.
We run a honeypot, a fallow server, to verify the template continues to be secure. We look at it probably once a month ...
1 vote, 0 answers, 222 views
Is it possible to decapsulate ERSPAN and forward on RSPAN?
I am currently running into an issue where we are trying to send our network traffic from our physical infrastructure into a virtual AlienVault appliance, but our switches are unable to send RSPAN ...
0 votes, 0 answers, 106 views
Use Snort 2.9 rules for Snort 2.8.6
Unfortunately Snort hasn't released rule updates for 2.8.6 since 2017.
All customers should upgrade to 2.9. But 2.9 is x64 and my OS is Fedora x86.
I need to update my Snort 2.8.6 signatures.
Is there any ...
1 vote, 0 answers, 255 views
Suricata: Error opening file threshold.config
I use Suricata 4.0.5 (an open source IDPS) on Windows Server 2012. It raises the error below when I run it; however, it still runs.
Error opening file threshold.config
I searched for this error and found ...
2 votes, 0 answers, 2k views
Suricata logs "A Network Trojan was detected". Is it a false positive?
I use Suricata as an IDS on a local network that does not have internet access. It logged a few alerts from some clients that said A Network Trojan was detected.
All the log's properties are as follows:...
1 vote, 1 answer, 2k views
Snort not sniffing any traffic except its own
I'm currently trying to set up Snort on my local machine. At the moment I have 3 VMs: 1 with Snort on it and 2 used to ping each other.
Whenever I ping from one of the devices to the Snort machine, ...
0 votes, 0 answers, 292 views
Many violations in Tripwire
I installed Tripwire yesterday (I'm new to Tripwire) on my new VPS (created two days ago). I followed the steps of this tutorial to set up Tripwire and all worked fine and my report didn't have ...
0 votes, 1 answer, 224 views
Tripwire skipping files?
TL;DR:
Question: how do I configure Tripwire to watch EVERYTHING that is below a certain path? My current config seems to only be looking at certain files / directories in a given path instead of ...
0 votes, 0 answers, 1k views
OSSEC - Not seeing alerts on the Server from file changes on the Agent
I have an OSSEC server and agent installed and configured. I have imported the key to the agent and they appear to be communicating. However, I am trying to test the file integrity monitoring feature and ...
-3 votes, 1 answer, 111 views
How can OSSEC handle a virus that has already spread into the deepest parts of the system? [closed]
As far as I know, OSSEC is an open source HIDS. It's a "Detection System". I read in journals that it collects logs and flags any anomaly that has been found in a system (e.g. a Debian server) and does some ...
-1 votes, 1 answer, 742 views
Specify the order of IDS, firewall, WAF
I have an Ubuntu system and I want to implement iptables as firewall, ModSecurity as WAF and Snort as IDS on this system. I have a server behind this system and I want to protect the server with ...
2 votes, 1 answer, 1k views
Can Suricata be used as an effective IPS on a single server?
I've been looking for an effective intrusion prevention system (IPS) for an Ubuntu 14.04 server, something like what Symantec or F-Prot might offer for a Windows server. I've contacted major ...
1 vote, 1 answer, 2k views
Replaying pcap file for Snort
I currently have the following, presumably standard, setup:
I have a physical server with Snort running. Snort logs into its log files as it should. Those files are tracked by barnyard2 which writes ...
1 vote, 0 answers, 7k views
Snort rule for detecting DNS packets of type NULL
I am trying to detect DNS requests of type NULL using Snort. I located the type field of the request packet using Wireshark:
I found the following rule on McAfee:
alert udp any any -> any 53 (msg:...
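Both the earlier question about `content:"GET"` not alerting on a pcap and this one about DNS type NULL come down to what the sensor actually sees in the capture. The Python below is an added example, not code from either question or from Snort: it builds a constructed pcap in memory, lists every TCP packet whose payload carries GET together with whether that flow's SYN/SYN-ACK handshake precedes it in the capture (a rule with `flow:established`, or a stream preprocessor that ignores midstream pickups, will not fire without it), and decodes the qtype of each DNS query so a rule for type NULL (qtype 10) can be checked against known input. Addresses, payloads and the capture itself are constructed; checksums are left at zero.

```python
import struct

ETH_IPV4, PROTO_TCP, PROTO_UDP, SYN, ACK = 0x0800, 6, 17, 0x02, 0x10
DNS_TYPE_NULL = 10  # qtype NULL (RFC 1035)

# Builders for the constructed capture. Checksums are left zero; the reader ignores them.
def _ipv4(src, dst, proto, payload):
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d)
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + payload

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return _ipv4(src, dst, PROTO_TCP, tcp + payload)

def udp_frame(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return _ipv4(src, dst, PROTO_UDP, udp + payload)

def dns_query(name, qtype):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """IPv4 TCP/UDP packets in capture order; everything else is skipped."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        frame, pos = data[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        ihl, total, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
        l4 = ip[ihl:total]
        if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 8:
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == PROTO_TCP:
            flags, payload = l4[13], l4[(l4[12] >> 4) * 4:]
        else:
            flags, payload = 0, l4[8:]
        pkts.append(dict(proto="tcp" if proto == PROTO_TCP else "udp", src=src, dst=dst,
                         sport=sport, dport=dport, flags=flags, payload=payload))
    return pkts

def content_matches(pkts, needle):
    """(index, handshake_seen) for each TCP packet whose payload contains needle.
    handshake_seen is False when no SYN and SYN-ACK for that flow precede the packet
    in the capture: a rule using flow:established, or a stream preprocessor that
    ignores midstream pickups, will not alert on it even though the bytes are there."""
    out = []
    for i, p in enumerate(pkts):
        if p["proto"] != "tcp" or needle not in p["payload"]:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        syn = synack = False
        for q in pkts[:i]:
            if q["proto"] != "tcp":
                continue
            key = (q["src"], q["sport"], q["dst"], q["dport"])
            syn |= key == fwd and q["flags"] & (SYN | ACK) == SYN
            synack |= key == rev and q["flags"] & (SYN | ACK) == SYN | ACK
        out.append((i, bool(syn and synack)))
    return out

def dns_queries(pkts):
    """(qname, qtype) for each DNS query to UDP/53; a NULL-type rule must match qtype 10."""
    out = []
    for p in pkts:
        d = p["payload"]
        if p["proto"] != "udp" or p["dport"] != 53 or len(d) < 12 or d[2] & 0x80:
            continue  # not a query (QR bit set) or truncated
        pos, labels = 12, []
        while d[pos]:
            labels.append(d[pos + 1:pos + 1 + d[pos]].decode())
            pos += 1 + d[pos]
        out.append((".".join(labels), struct.unpack("!H", d[pos + 1:pos + 3])[0]))
    return out

def sample_pcap():
    """Constructed traffic: the question's GET over a complete TCP session, the same
    GET again with no handshake in the capture, then an A query and a NULL query."""
    c, s, r = "10.0.0.5", "10.0.0.80", "10.0.0.53"
    get = b"GET /s?wd=%E7%99%BE%E5%BA%A6 HTTP/1.0\r\n\r\n"
    return build_pcap([
        tcp_frame(c, s, 40000, 80, SYN), tcp_frame(s, c, 80, 40000, SYN | ACK),
        tcp_frame(c, s, 40000, 80, ACK), tcp_frame(c, s, 40000, 80, ACK, get),
        tcp_frame(c, s, 40001, 80, ACK, get),  # no handshake for port 40001 in the capture
        udp_frame(c, r, 5353, 53, dns_query("example.com", 1)),
        udp_frame(c, r, 5354, 53, dns_query("tunnel.example.net", DNS_TYPE_NULL)),
    ])
```

`content_matches(parse_pcap(sample_pcap()), b"GET")` reports the first GET with its handshake present and the second without; the same function run over the real http.pcap tells you whether the session Snort is being asked to inspect was ever established in that file. `dns_queries` is the check to run before trusting a `content` match on the two-byte type field: confirm the capture really contains qtype 10 and that the rule's byte offset lands on it.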
3 votes, 2 answers, 2k views
Is there any real difference between Snort and Suricata?
Looking to move forward in deploying IDS/IPS on several FreeBSD firewalls and I was curious about the difference between snort and suricata. I know that Suricata is multi-threaded but in terms of rule ...
1 vote, 1 answer, 1k views
Is there a way with iptables to forward all traffic to my IDS Suricata on a second interface?
Hello there, is there a way with iptables to forward all traffic to my IDS Suricata and also keep the regular flow? I have two interfaces and I did find how to do it with one interface. Example:
-t ...
1 vote, 1 answer, 778 views
Intrusion Detection/Prevention in AWS
On a normal server, I would have fail2ban handle intrusion detection; how would I go about setting up IDS/IPS on AWS? Any help or pointers would be appreciated.
2 votes, 2 answers, 7k views
KVM bridge for promisc interface IDS
I have a KVM virtualization server which serves up a br0 bridge, mapped to eth0. I want to add eth2 as a bridge to br2 for an IDS virtual machine I'm testing, but the guest OS doesn't see either br2 or ...
0 votes, 0 answers, 643 views
Fail2Ban WordPress filter not working on Debian VPS
I am having trouble getting WordPress Fail2Ban filter to work. I have installed the WP Fail2Ban plugin using the latest update which had a few changes, however, nothing is getting blocked.
Here is a ...
0 votes, 1 answer, 853 views
Fail2Ban login filter not working on Debian Web Server
So I am having issues getting Fail2Ban to work as a custom filter for a web app login. First of all, other filters do work, such as NGINX Auth. However, my emails have stopped working, not sure why ...
0 votes, 1 answer, 411 views
How secure is Google Compute Engine?
We're moving to GCE and we want to know how secure it is.
Do we need to install our own intrusion detection/prevention software on our VM instances? (Tripwire, OSSEC, Snort).
Or does GCE handle ...
0 votes, 2 answers, 2k views
Has anyone used any custom decoders with OSSEC?
I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS ...
0 votes, 1 answer, 879 views
How to make Snort generate packet logs when in NIDS mode?
I am using Snort as a network IDS with a Snort configuration file and Snort rules; I also want to capture all the packets (traffic) going through a specific network interface.
My ...
0 votes, 1 answer, 417 views
Can I use the same suricata instance for both IDS (for L3,4) and IPS (for L3,L4,L7)?
I have an interface where traffic is flowing from the internet to an NGINX server to an application server. I want to monitor (IDS) the traffic flowing between the internet and NGINX at L3,4 and IPS the traffic ...
0 votes, 0 answers, 339 views
Is the best place to put an IDS sensor before a web proxy or after it?
My IDS sensor is currently located after the web proxy and all I am seeing is heaps of packets originating from the web proxy to the remote destination IP addresses. Hence, I don't actually see who does ...
0 votes, 1 answer, 1k views
Can IPS monitor both inbound and outbound traffic?
We have a user traffic flow like below (PC - Internet)
PC => Cisco ASA FW+IPS integrated => Fortigate Proxy (ISP connected to this Proxy) = > Internet
PC = > ASA+IPS ==> Fortigate Proxy ==> Internet....
0 votes, 2 answers, 546 views
Is there a way with iptables/iproute to forward all traffic to my IDS and also keep the regular flow?
The reason for this is to catch all packets in my IDS while keeping my existing environment, so the IDS does not become a single point of failure. If I route all my traffic into my IDS and from my IDS ...
-2 votes, 1 answer, 938 views
VirtualBox Networking Lab Configuration [closed]
I'm creating a lab for a project that will test a network security defense product's effectiveness in detecting various attacks. I have a physical server with 32GB of RAM and VirtualBox to create the ...
1 vote, 0 answers, 1k views
Barnyard2 error on start
Been setting up a snort box with barnyard2, and ran into the error below. Can someone please help?
$Starting Snort Output Processor (barnyard2): ./barnyard2: 35: ./barnyard2: barnyard2: not found
/etc/...
2 votes, 3 answers, 396 views
is there a PAM module for DNSBL lookups?
I have been enumerating the remaining security concerns on one of my back-end production servers, when I came to the realization that something which could be incredibly useful was missing from my ...
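Whatever the PAM side ends up being (a pam_exec or pam_python hook with PAM_RHOST, or a C module), the part worth getting right first is the lookup itself. The Python below is an added example, not an existing PAM module: it forms the reversed-octet (or reversed-nibble) query name, classifies the answer, and returns an allow/deny decision that never checks RFC 1918 or loopback peers and fails open when the list is unreachable or returns an error code, since a DNSBL outage must not become an SSH lockout. The resolver is injected and the answer table is constructed so it runs offline; the `127.255.255.0/24` error range follows Spamhaus's documented convention and is an assumption for other lists.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus documents 127.255.255.x as error answers (bad name, open resolver, query limit).
# Assumption for other lists: check their return-code table before trusting this range.
ERROR_CODES = ipaddress.ip_network("127.255.255.0/24")
# RFC 1918 / loopback explicitly, because ipaddress.is_private also covers the
# documentation ranges (192.0.2/24 etc.), which real peers never come from anyway.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]

def dnsbl_name(ip, zone):
    """203.0.113.7 -> 7.113.0.203.<zone>; IPv6 uses the reversed nibbles of the expanded address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(str(addr).split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"

def classify(answers):
    """'clean' on NXDOMAIN, 'listed' for 127/8 codes, 'error' for the documented error
    range, 'unknown' for anything else (some lists answer with non-loopback addresses
    to signal abuse of the service; that must never be treated as a listing)."""
    if not answers:
        return "clean"
    codes = [ipaddress.ip_address(a) for a in answers]
    if any(c in ERROR_CODES for c in codes):
        return "error"
    if any(c in LOOPBACK for c in codes):
        return "listed"
    return "unknown"

def pam_decision(rhost, zones, resolve_a):
    """(allow, reason) for a login from rhost. resolve_a(name) returns the A records
    for name, or [] on NXDOMAIN, and may raise on resolver failure."""
    addr = ipaddress.ip_address(rhost)
    if any(addr in n for n in LOCAL_NETS):
        return True, "local address, not checked"
    for zone in zones:
        try:
            answers = resolve_a(dnsbl_name(rhost, zone))
        except Exception as exc:  # resolver down, timeout: fail open but say so
            return True, f"{zone} lookup failed ({exc}); allowing"
        verdict = classify(answers)
        if verdict == "listed":
            return False, f"{rhost} listed in {zone}: {', '.join(answers)}"
        if verdict != "clean":
            return True, f"{zone} answered {answers} ({verdict}); treated as not listed"
    return True, "not listed"

# Constructed answers standing in for DNS, so the example runs offline.
FAKE_ANSWERS = {
    "7.113.0.203.dnsbl.example": ["127.0.0.2"],          # a listed peer
    "9.2.0.192.dnsbl.example": ["127.255.255.254"],      # error code, not a listing
}

def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])
```

In production `resolve_a` would wrap `socket.gethostbyname_ex` or dnspython with a short timeout, and the verdict should be cached per source address for at least a few minutes: every SSH connection attempt otherwise costs a DNS round trip, which is exactly the amplification a brute-forcer would be happy to hand you.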
0 votes, 2 answers, 259 views
Blocking geographic cities from accessing Asterisk using Secast
I am using Secast for intrusion protection on my Asterisk PBX. It’s working great, and I now want to start blocking specific geographic regions. My system is getting hammered from Ramallah ...
1 vote, 0 answers, 828 views
configure frag3 in SNORT
I'm trying to test IDS systems on evasion. I have picked Snort IDS. I have crafted a few fragmented packet scenarios, and I'm sending those fragmented packets to the destination address. All these crafted ...
0 votes, 1 answer, 53 views
How to filter errors 404 to show only those which are related to php files?
One of my web servers is getting flooded with requests to resources that do not exist anymore, generating the corresponding 404 error. As I'm using OSSEC and OSSIM, then these errors are sent to the ...
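The two Fail2Ban questions earlier on this page and this OSSEC 404 question are the same task seen from two ends: match a log line with a regex that captures the source host, then either count matches per host inside a time window (what a fail2ban jail does with `failregex`, `maxretry` and `findtime`) or keep only the matches you care about (404s for `.php` paths). The Python below is an added example, not fail2ban's or OSSEC's code: it replays fail2ban's decision over constructed combined-format access-log lines and applies the `.php` 404 filter to the same lines. The `failregex` matching `POST /wp-login.php` with a 200 response is an assumption standing in for whatever the WP Fail2Ban plugin actually logs; the `<HOST>` substitution mirrors how fail2ban expands that token.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed combined-format access log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Mar/2024:10:00:10 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Mar/2024:10:01:00 +0000] "GET /old/page.html HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:10:01:02 +0000] "GET /admin/config.php HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Mar/2024:10:01:03 +0000] "GET /phpmyadmin/index.php?lang=en HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/8.0"',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Source IP, timestamp, method, path and status of one combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

# fail2ban replaces <HOST> in a failregex with its own host pattern; same idea here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: a failed WordPress login is a POST to wp-login.php answered with 200.
FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "POST /wp-login\.php[^"]*" 200 '

def failures(lines, failregex=FAILREGEX):
    """(host, timestamp) for each line the failregex matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    for line in lines:
        m = rx.match(line)
        if m:
            yield m.group("host"), parse_line(line)["ts"]

def bans(lines, maxretry=3, findtime=600):
    """Replay a jail's decision: a host is banned when maxretry failures fall within
    findtime seconds. Returns {host: timestamp of the failure that triggered the ban}."""
    window, banned = defaultdict(deque), {}
    for host, ts in failures(lines):
        q = window[host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts
    return banned

def php_404s(lines):
    """The OSSEC/OSSIM filter: 404s whose path (query string stripped) ends in .php,
    counted per source, which is what a scanner probing for PHP apps looks like."""
    counts = defaultdict(int)
    for line in lines:
        d = parse_line(line)
        if d and d["status"] == 404 and d["path"].split("?", 1)[0].endswith(".php"):
            counts[d["ip"]] += 1
    return dict(counts)
```

When a jail "does nothing", run `failures()` with the jail's own `failregex` string over a few lines copied from the log before touching `maxretry`: a filter that never yields a host is by far the most common reason nothing gets banned, and it is usually the date format or a prefix the regex does not expect. For the OSSEC side, `php_404s` is the filter condition to encode in a custom rule so that only the `.php` hits reach OSSIM.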
0 votes, 1 answer, 854 views
Lean but effective linux IDS / IPS / WAF? [closed]
I'm looking for a lean but effective IDS/IPS/WAF solution for my tiny VPS webserver.
Currently I already use iptables and psad but a lot of the web server scanning attempts slip through. I use nginx ...
2 votes, 4 answers, 2k views
Simple application level file integrity monitoring & Intrusion detection (IDS)
We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a ...
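The application-level file integrity question here, the Tripwire "watch everything below a path" question and the OSSEC syscheck question above all reduce to the same loop: walk the tree, record a content hash and metadata for every entry, store that baseline somewhere the attacker cannot reach, and diff later. The Python below is an added example, not Tripwire, AIDE or OSSEC code: `snapshot` records every directory, file and symlink under a root, `seal`/`load_sealed` protect the stored baseline with an HMAC so that editing the baseline is itself detected, and `compare` reports added, removed and changed paths. The demo tree, file contents and key are constructed; the key is assumed to be kept off the monitored host.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Every directory, file and symlink below root: content hash for regular files,
    link target for symlinks, mode and owner for all entries. Symlinked directories are
    recorded but not followed, so a link pointing outside the tree cannot pull it in."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}
            if stat.S_ISLNK(st.st_mode):
                rec["link"] = os.readlink(p)
            elif stat.S_ISREG(st.st_mode):
                rec["sha256"] = _sha256(p)
            entries[os.path.relpath(p, root)] = rec
    return entries

def seal(entries, key):
    """Serialize the baseline with an HMAC. The key must not sit on the monitored host
    next to the baseline, or whoever alters the tree can simply re-baseline it."""
    body = json.dumps(entries, sort_keys=True).encode()
    return body, hmac.new(key, body, "sha256").hexdigest()

def load_sealed(body, tag, key):
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), tag):
        raise ValueError("baseline HMAC mismatch: the stored baseline was modified")
    return json.loads(body)

def compare(baseline, current):
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

def run_demo():
    """Constructed application tree in a temporary directory: baseline it, then append
    to one file, drop a new one, delete one, chmod another, and diff against the seal."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", "lib"))
        for rel, data in [("app/index.php", b"<?php echo 1;"),
                          ("app/lib/db.php", b"<?php // db helper"),
                          ("app/.htaccess", b"Require all denied")]:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        key = b"demo-key-kept-off-host"  # constructed; in practice lives elsewhere
        body, tag = seal(snapshot(root), key)
        with open(os.path.join(root, "app", "index.php"), "ab") as f:
            f.write(b"\n// appended after the baseline")
        with open(os.path.join(root, "app", "lib", "x.php"), "wb") as f:
            f.write(b"<?php // file that was not in the baseline")
        os.remove(os.path.join(root, "app", ".htaccess"))
        os.chmod(os.path.join(root, "app", "lib", "db.php"), 0o777)
        return compare(load_sealed(body, tag, key), snapshot(root))
```

Run `snapshot` from a cron job or a deploy hook, ship `seal`'s output off the host, and alert on any non-empty `compare` result outside a known deploy window. The HMAC only catches tampering with the baseline; it does not protect against an attacker who can also run the re-baseline step, which is why the key and the comparison should run from a separate host where possible.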
0 votes, 1 answer, 953 views
Using Snort without a port mirrored switch
I am trying to set up a Snort IDS on a virtual machine for my lab. My problem is that normally, these kinds of IDS are connected to the mirrored port of a switch. My lab has no such device. Here is my ...
1 vote, 2 answers, 3k views
How can I mirror all of the traffic on a network interface to a virtual interface?
I am trying to set up Snort to act as an IDS on a Debian machine that also functions as a router. Ideally I would like to set up Snort in such a way that I would not have to purchase an additional ...
2 votes, 1 answer, 59 views
POLICY Mozilla Multiple Products HTML href shell attempt - SNORT
We've had a few of these alerts get triggered through Snort:
"POLICY Mozilla Multiple Products HTML href shell attempt"
I'm struggling to find any information pertaining to this alert, does anyone ...
0 votes, 1 answer, 488 views
snort intrusion detection
Hi, I'm trying to use Snort as an IDS on some pcap files I have; I was hoping I would get a log of any intrusions. I know for a fact that there are port scans and ping sweeps etc. in the pcap files but ...
10 votes, 2 answers, 5k views
OSSEC large scale deployment
We have a data-center and as a happy OSSEC user I am trying to convince my management to use it for host intrusion detection. However I have never deployed it on more than a handful of servers and I ...
1 vote, 1 answer, 526 views
Stateful Signatures in an IPS
I am researching in-line IPS devices and their signatures both stateful and stateless. The test network I am looking to implement the IPS in has asymmetric traffic so stateful inspection would be ...