Questions tagged [ids]

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.


Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

70 questions
2 votes, 0 answers

Suricata logs "A Network Trojan was detected". Is it false positive?

I use Suricata as an IDS on a local network that doesn't have internet access. It logged a few alerts from some clients that said "A Network Trojan was detected". All the log's properties are the following: Protocol: 006 Source: Client IP Destination:…
Arani
2 votes, 1 answer

Can Suricata be used as an effective IPS on a single server?

I've been looking for an effective intrusion prevention system (IPS) for an Ubuntu 14.04 server, something like what Symantec or F-Prot might offer for a Windows server. I've contacted major companies which say they support products for Ubuntu and…
2 votes, 2 answers

KVM bridge for promisc interface IDS

I have a KVM virtualization server which serves up a br0 bridge, mapped to eth0. I want to add eth2 as a bridge to br2 for an IDS virtual machine I'm testing, but the guest OS doesn't see either br2 or eth2 as a valid interface. I ran tcpdump on eth2…
batflaps
2 votes, 3 answers

Is there a PAM module for DNSBL lookups?

I have been enumerating the remaining security concerns on one of my back-end production servers, when I came to the realization that something which could be incredibly useful was missing from my operating system's upstream repository. I have been…
RapidWebs
2 votes, 4 answers

Simple application level file integrity monitoring & Intrusion detection (IDS)

We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a pretty good job at that. We have looked at…
Dev
2 votes, 1 answer

POLICY Mozilla Multiple Products HTML href shell attempt - SNORT

We've had a few of these alerts get triggered through Snort: "POLICY Mozilla Multiple Products HTML href shell attempt". I'm struggling to find any information pertaining to this alert; does anyone have any idea what it could mean? Thanks in advance.
mbuk2k
2 votes, 1 answer

Webserver security, intrusion detection, and file integrity

I would like to add some type of tracking/alerting on some Linux webservers running PHP and Apache. In doing searches I have come across a lot of info from 2006-2009. I would like to revisit things and see what others are doing now. The main…
enfield
1 vote, 0 answers

Is it possible to decapsulate ERSPAN and forward on RSPAN?

I am currently running into an issue where we are trying to send our network traffic from our physical infrastructure into a virtual AlienVault appliance, but our switches are unable to send RSPAN traffic. Nexus 9Ks support SPAN and…
1 vote, 0 answers

Suricata: Error opening file threshold.config

I use Suricata 4.0.5 (an open source IDPS) on Windows Server 2012. It raises the error below when I run it; however, it runs. "Error opening file threshold.config" I searched for this error and found these links: Suricata can't start due to…
Arani
1 vote, 1 answer

Snort not sniffing any traffic except its own

I'm currently trying to set up Snort on my local machine. At the moment I have 3 VMs: 1 with Snort on it and 2 used to ping each other. Whenever I ping from one of the devices to the Snort machine, Snort notices it and sends an alert. However, when…
1 vote, 1 answer

Replaying pcap file for Snort

I currently have the following, presumably standard, setup: I have a physical server with Snort running. Snort logs into its log files as it should. Those files are tracked by barnyard2 which writes the traffic to a database for Snorby. Snort and…
Roper
1 vote, 0 answers

Snort rule for detecting DNS packets of type NULL

I am trying to detect DNS requests of type NULL using Snort. I located the type field of the request packet using Wireshark: I found the following rule on McAfee: alert udp any any -> any 53 (msg:"NULL request"; content:"|01 00|"; offset:2; within…
arne.z
1 vote, 1 answer

Is there a way from iptables to forward all traffic to my IDS Suricata on a second interface?

Hello there, is there a way from iptables to forward all traffic to my IDS Suricata and also keep the regular flow? I have two interfaces and I did find how to do it with one interface. Example: -t mangle -A PREROUTING -i eth0 -j TEE --gateway…
merge delete
1 vote, 1 answer

Intrusion Detection/Prevention in AWS

On a normal server, I would have fail2ban handle intrusion detection; how would I go about setting up IDS/IPS on AWS? Any help or pointers would be appreciated.
Cenoc
1 vote, 0 answers

Barnyard2 error on start

I've been setting up a Snort box with barnyard2 and ran into the error below. Can someone please help? $Starting Snort Output Processor (barnyard2): ./barnyard2: 35: ./barnyard2: barnyard2: not found /etc/init.d/barnyard2 file #!/bin/sh # # Init file for…
user3329963