Questions tagged [ids]

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.

70 questions
1 vote · 0 answers

configure frag3 in SNORT

I'm trying to test IDS systems on evasion. I have picked Snort IDS. I have crafted a few fragmented packet scenarios, and I'm sending those fragmented packets to the destination address. All these crafted scenarios break RFC rules in some way. So I'm…
mgaspar
1 vote · 2 answers

How can I mirror all of the traffic on a network interface to a virtual interface?

I am trying to set up snort to act as an IDS on a Debian machine that also functions as a router. Ideally I would like to set up snort in such a way that I would not have to purchase an additional network adapter just to have it listen to the same…
lacrosse1991
1 vote · 1 answer

Stateful Signatures in an IPS

I am researching in-line IPS devices and their signatures both stateful and stateless. The test network I am looking to implement the IPS in has asymmetric traffic so stateful inspection would be nearly impossible. What percentage of threats can…
1 vote · 3 answers

How to drop packets in a custom Intrusion Detection System

I'm trying to build a custom Intrusion Detection and Prevention System (IDS/IPS). I found a great utility named ROPE which can scan the packet payload and drop packets that don't follow the rules set by a script. This serves my purpose…
tzoukos
1 vote · 1 answer

Snort monitoring of spanning interface

I have configured a Cisco 3500 switch with a SPAN port and have my snort node (Fedora 13) plugged into it. I am running snort as a daemon and have configured a rule to log all TCP traffic, but I am only seeing traffic with a destination of the snort…
aHunter
1 vote · 2 answers

Web server hosting infrastructure, does IPS help?

I am working on setting up new networking for a datacenter hosting a web site. We have the following topology: Internet -> Firewall1 -> ReverseProxy (for security) -> Web Server -> Firewall2 -> Database. The firewall is hardened Linux iptables. We do not have any…
mamu
1 vote · 2 answers

Can the bulk execution of "dig domain mx" on 5000 domains be considered an attack on the network?

I have a database containing a lot of invalid emails. I want to remove all the emails whose domain does not have an MX record. So after I extracted the domain part, I wrote a script to bulk check this for the distinct domains by executing, among others…
Marinos An
1 vote · 0 answers

Suricata / Filebeat / ELK - iptables tee - Create virtual hosts

I have an IDS set up as follows: Hardware / interfaces WAN <----(brwan)> ROUTER / AP <(br0)----> LAN \ -----(eth1)> | \ | IDS…
1 vote · 0 answers

Auditd to CloudwatchLogs to IDS alerts?

I'm administering a relatively simple AWS stack with about 5 heterogeneous Linux EC2 instances. All instances have already been set up to ship important logs to CloudWatch Logs. Now I want to set up a basic HIDS for this system covering all nodes.…
spinkus
1 vote · 0 answers

HIDS: Need a trip wire for a honeypot, best approach?

We run a small VPS hosting company; each VPS is based on a fixed 18.04 template. We run a honeypot, a fallow server, to verify that the template continues to be secure. We look at it probably once a month to see what has changed, any intrusion of any…
DaBuddha
0 votes · 0 answers

Use Snort 2.9 rules for Snort 2.8.6

Unfortunately Snort hasn't released rule updates for 2.8.6 since 2017. All customers should upgrade to 2.9. But 2.9 is x64 and my OS is Fedora x86. I need to update my Snort 2.8.6 signatures. Is there any source to get updates, or any solution that converts…
0 votes · 0 answers

Many violations in Tripwire

I've installed Tripwire yesterday (I'm new to Tripwire) on my new VPS (created two days ago). I've followed the steps of this tutorial to set up Tripwire and all worked fine, and my report didn't have any violations or errors. Today, I ran tripwire…
user3753202
0 votes · 1 answer

Tripwire skipping files?

TL;DR: Question: how do I configure Tripwire to watch EVERYTHING that is below a certain path? My current config seems to only be looking at certain files / directories in a given path instead of everything. Background / Full story: I've recently…
DrDamnit
0 votes · 0 answers

OSSEC - Not seeing alerts on the Server from file changes on the Agent

I have an OSSEC server and agent installed and configured. I have imported the key to the agent and they appear to be communicating. However, when I try to test the file integrity monitoring feature I am not receiving alerts. I followed:…
user8897013
0 votes · 0 answers

Fail2Ban WordPress filter not working on Debian VPS

I am having trouble getting the WordPress Fail2Ban filter to work. I have installed the WP Fail2Ban plugin using the latest update, which had a few changes; however, nothing is getting blocked. Here is a log line for a failed login: Apr 11 23:39:13…
Trent