Questions tagged [ids]

An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.

Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents.

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.
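The definitions above describe a loop (identify a possible incident, log it, attempt to stop it, report it) without showing what it looks like in code. The block below is an added illustration for this tag wiki, not code from Snort, Suricata, OSSEC, Fail2Ban or any other product mentioned on this page. It runs a single signature (repeated SSH password failures from one source) over a constructed sshd log sample and can be switched between IDS behaviour (report only) and IPS behaviour (block the source once the threshold is reached). The log lines, the threshold of 3 and the `run_idps` name are assumptions made for the example.

```python
"""Toy signature-based IDS/IPS over log lines (added example, not product code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sshd auth log sample for the example; not a real capture.
# 203.0.113.7 fails five times (two as "admin", three as "root");
# 192.0.2.44 fails once; 198.51.100.5 logs in successfully with a key.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 10:00:03 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 10 10:00:04 web1 sshd[1202]: Accepted publickey for deploy from 198.51.100.5 port 40010 ssh2
Jan 10 10:00:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 10 10:00:06 web1 sshd[1204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 10 10:00:07 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 10 10:00:09 web1 sshd[1206]: Failed password for alice from 192.0.2.44 port 33001 ssh2
"""

# The "signature": an sshd password failure, with the optional "invalid user" prefix.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port"
)


@dataclass
class Alert:
    host: str
    users: list          # distinct user names tried from this host
    failures: int        # failures seen by the time the report was produced
    first_seen: str
    last_seen: str


@dataclass
class Report:
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)  # hosts the IPS refused further traffic from
    stopped: int = 0                           # events discarded because the host was blocked


def parse_failed_login(line):
    """Return (timestamp, user, host) for a failed-login line, else None."""
    m = FAILED_LOGIN.search(line)
    if m is None:
        return None
    return line[:15], m.group("user"), m.group("host")  # syslog timestamp is the first 15 chars


def run_idps(lines, threshold=3, prevent=False):
    """Identify, log and (optionally) stop repeated failures per source host.

    prevent=False is IDS behaviour: every failure is counted and reported.
    prevent=True is IPS behaviour: once a host reaches the threshold it is
    blocked and later events from it are counted as stopped. Note that the
    events before the threshold still happened; an IPS can only stop what
    comes after detection.
    """
    report = Report()
    seen = defaultdict(list)   # host -> [(timestamp, user), ...]
    alerts = {}                # host -> Alert (kept up to date as events arrive)
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, user, host = parsed
        if host in report.blocked:
            report.stopped += 1  # IPS: this attempt never reaches sshd
            continue
        seen[host].append((ts, user))
        if len(seen[host]) < threshold:
            continue
        events = seen[host]
        alerts[host] = Alert(host, sorted({u for _, u in events}),
                             len(events), events[0][0], events[-1][0])
        if prevent:
            report.blocked.add(host)
    report.alerts = list(alerts.values())
    return report


def format_report(report):
    """Lines a management station would receive for this run."""
    out = [f"{a.host}: {a.failures} failed logins as {','.join(a.users)} "
           f"between {a.first_seen} and {a.last_seen}" for a in report.alerts]
    out.append(f"blocked={sorted(report.blocked)} stopped={report.stopped}")
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("IPS" if mode else "IDS")
        print("\n".join(format_report(run_idps(SAMPLE_AUTH_LOG.splitlines(), prevent=mode))))
```

Running it shows the practical difference the wiki glosses over: in IDS mode the report for 203.0.113.7 says five failures and nothing is stopped; in IPS mode the block fires at the third failure and the remaining two attempts are counted as stopped, while the single failure from 192.0.2.44 stays below threshold in both modes. Real tools add time windows, whitelists and un-blocking; the loop itself is the same.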

70 questions
0
votes
1 answer

Fail2Ban login filter not working on Debian Web Server

So I am having issues getting Fail2Ban to work as a custom filter for a web app login. First of all, other filters do work, such as NGINX Auth. However, my emails have stopped working, not sure why yet. These are the failed login attempts in the…
Trent
  • 3
  • 2
0
votes
1 answer

How secure is Google Compute Engine?

We're moving to GCE and we want to know how secure it is. Do we need to install our own intrusion detection/prevention software on our VM instances (Tripwire, OSSEC, Snort), or does GCE handle security by itself? How much must we do in this…
Arthur
  • 11
  • 2
0
votes
2 answers

Has anyone used any custom decoders with OSSEC?

I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS server has the OSSEC agent installed. In order for…
user53029
  • 629
  • 3
  • 14
  • 36
0
votes
3 answers

Firewalling gateways and IDSs

For IDS, I plan to have a Win 2008 server running on the gateway with the majority of roles disabled. I plan to firewall the Internet connection, but I'd also like to install Snort to work as an IDS. However, I am guessing that regardless of the…
Scott Davies
  • 423
  • 1
  • 5
  • 9
0
votes
1 answer

How to use Snort to generate packet logs when in NIDS mode?

I am using Snort to act as a network IDS by implementing a snort configuration file and snort rules; I also want to capture all the packets (traffic) going through a specific network interface. My command is sudo snort -dev -P 65535 -i wlan0 -c…
technoob
  • 142
  • 1
  • 14
0
votes
1 answer

Can I use the same suricata instance for both IDS (for L3, L4) and IPS (for L3, L4, L7)?

I have an interface where traffic is flowing from the internet to an NGINX server to an application server. I want to monitor (IDS) the traffic flowing between the internet and NGINX at L3/L4 and IPS the traffic flowing out from NGINX to the application server at…
Samiksha
0
votes
0 answers

Is the best place to put an IDS sensor before a webproxy or after it?

My IDS sensor is currently located after the web proxy, and all I am seeing is heaps of packets originating from the web proxy to the remote destination IP addresses. Hence, I don't actually see who does what! The IDS, on the other hand, detects so many…
mazkopolo
  • 101
  • 1
0
votes
1 answer

Can IPS monitor both inbound and outbound traffic?

We have a user traffic flow like below (PC - Internet): PC => Cisco ASA FW+IPS integrated => Fortigate Proxy (ISP connected to this Proxy) => Internet, i.e. PC => ASA+IPS => Fortigate Proxy => Internet. The question is: can this IPS monitor if there is any…
PCIrs
  • 101
  • 1
0
votes
2 answers

Is there a way from iptables/iproute to forward all traffic to my IDS and also keep the regular flow?

The reason for this is to get all packets into my IDS while keeping my existing environment, so the IDS does not become a single point of failure. If I route all my traffic into my IDS and from my IDS to the internet, then if the IDS goes down my…
merge delete
  • 115
  • 1
  • 8
0
votes
2 answers

Blocking geographic cities from accessing Asterisk using Secast

I am using Secast for intrusion protection on my Asterisk PBX. It’s working great, and I now want to start blocking specific geographic regions. My system is getting hammered from Ramallah Palestine, and I want to block them. Is this right? I…
user220412
0
votes
1 answer

How to filter 404 errors to show only those related to PHP files?

One of my web servers is getting flooded with requests for resources that do not exist anymore, generating the corresponding 404 errors. As I'm using OSSEC and OSSIM, these errors are sent to the OSSEC server (OSSIM), flooding it as well. I want…
user149678
0
votes
1 answer

Lean but effective linux IDS / IPS / WAF?

I'm looking for a lean but effective IDS/IPS/WAF solution for my tiny VPS web server. Currently I already use iptables and psad, but a lot of the web server scanning attempts slip through. I use nginx but would prefer a web server independent…
binaryanomaly
  • 406
  • 1
  • 4
  • 14
0
votes
1 answer

Using Snort without a port mirrored switch

I am trying to set up a Snort IDS on a virtual machine for my lab. My problem is that normally, these kinds of IDS are connected to the mirrored port of a switch. My lab has no such device. Here is my topology: [Internet]->[Linux…
m6a-uds
  • 147
  • 1
  • 1
  • 7
0
votes
1 answer

Snort intrusion detection

Hi, I'm trying to use Snort as an IDS on some pcap files I have; I was hoping I would get a log of any intrusions. I know for a fact that there are port scans and ping sweeps etc. in the pcap files, but when I try this command: C:\Snort\bin> snort -r…
G Gr
  • 101
  • 1
0
votes
3 answers

Good Firewalling practice for internet facing servers?

Does it make sense to firewall an internet-facing server, say a web server? Assuming I did not want to restrict anyone from accessing the web server in its capacity to serve web pages, I would be blocking other services on the machine. If the machine…
Sonny Ordell
  • 145
  • 3
  • 7