Newest ids Questions

Q&A for system and network administrators

Fail2Ban WordPress filter not working on Debian VPS

I am having trouble getting the WordPress Fail2Ban filter to work. I have installed the WP Fail2Ban plugin using the latest update which had a few changes, however, nothing is getting blocked. Here is a ...

Snort monitoring of spanning interface

I have configured a Cisco 3500 switch with a port SPAN and have my snort node (fedora 13) plugged into it. I am running snort as a daemon and have configured a rule to log all tcp traffic but I am ...

OSSEC features vs Snort / Tripwire for PCI compliance

I'm looking for an informed opinion on the advantages of OSSEC in comparison to Snort/Tripwire/Nessus. Therefore, can anyone shed any light on what features OSSEC brings that can't be replicated via ...

Lean but effective linux IDS / IPS / WAF? [closed]

I'm looking for a lean but effective IDS/IDP/WAF solution for my tiny VPS webserver. Currently I already use iptables and psad but a lot of the web server scanning attempts slip through. I use nginx ...

Can IPS monitor both inbound and outbound traffic?

We have a user traffic flow like below (PC - Internet): PC => Cisco ASA FW+IPS integrated => Fortigate Proxy (ISP connected to this Proxy) => Internet. PC => ASA+IPS ==> Fortigate Proxy ==> Internet....

Stateful Signatures in an IPS

I am researching in-line IPS devices and their signatures both stateful and stateless. The test network I am looking to implement the IPS in has asymmetric traffic so stateful inspection would be ...

Last night, my server was doing something intensive with the hard drive

I have an Ubuntu server running in my bedroom. It's connected to the internet. Last night, at 5am, it was doing some intensive I/O with the hard drive (I heard it) for like 20 minutes. I don't have ...

Can I use same suricata instance for both IDS (for L3,4) and IPS (for L3,L4,L7)?

I have an interface where traffic is flowing from the internet to an NGINX server to an application server. I want to monitor (IDS) the traffic flowing between the Internet and NGINX at L3,4 and IPS the traffic ...

Blocking Team Viewer

I'd like to block incoming TeamViewer connections to my network, but at the same time to allow outgoing TeamViewer connections. So that users can't connect to their work PCs with TV (circumventing ...

Is there a way from iptables/iproute to forward all traffic to my IDS and also keep the regular flow?

The reason for this is to catch all packages into my IDS while keeping my existing environment, so the IDS does not become a single point of failure. If I route all my traffic into my IDS and from my IDS ...

Send logs to remote server from suricata?

I have Suricata installed on the server and syslog-ng installed on the remote server. I want to send Suricata logs to the remote server using syslog-ng. Can anyone tell me how I can achieve that?

Snort intrusion detection

Hi, I'm trying to use Snort as an IDS on some pcap files I have. I was hoping I would get a log of any intrusions. I know for a fact that there are port scans and ping sweeps etc. in the pcap files but ...

IDS for Windows Server 2008?

I am sure my Windows Server 2008 box is constantly under attack both at the network level and web application level. Question is how do I detect these attacks? Is there any light-weight software ...

To what extent can you secure a system? [closed]

To what extent can you filter/firewall for suspicious traffic or lock down a system? If you have everything up to date and secure, what can you do to protect against a 0 day? I assume an IDS might ...

Snort Windows inline mode

I'm setting up Snort on Windows. I can test the inline mode but when I try to put it in inline mode so I can drop instead of alert. When I try to use the DAQ modules (afpacket) it says it can't find ...

Has anyone used any custom decoders with OSSEC?

I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS ...

Simple application level file integrity monitoring & Intrusion detection (IDS)

We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a ...

Good Firewalling practice for internet facing servers?

Does it make sense to firewall an internet facing server, say a webserver? Assuming I did not want to restrict anyone from accessing the webserver in its capacity to serve web pages, I would be ...

Configure frag3 in Snort

I'm trying to test IDS systems on evasion. I have picked Snort IDS. I have crafted a few fragmented packet scenarios, and I'm sending those fragmented packets to the destination address. All these crafted ...

Ubuntu 12.04 Server Snort 2.9.2.3 not logging NMAP scans after first VRT rules update

I installed Snort 2.9.2.3 from the Ubuntu repositories along with Oinkmaster. I'm not running LAMP, just Snort for logging pcap and to the alert log file. The out-of-the-box installation of Snort worked. ...

Chinese Hacker-Bots attempting to exploit our systems 24/7

Our sites are constantly under attack from bots with IP addresses resolving to China, attempting to exploit our systems. While their attacks are proving unsuccessful, they are a constant drain on our ...

Is the best place to put an IDS sensor before a webproxy or after it?

My IDS sensor is currently located after the webproxy and all I am seeing is heaps of packets originated from the Web Proxy to the remote destination IP addresses. Hence, I don't actually see who does ...

Is there any Linux app available for port scanning monitoring?

Something that will run in background and alert me on mail if some ip is port scanning the server.

Is there a way from iptables to forward all traffic to my IDS Suricata on a second interface?

Hello there, is there a way from iptables to forward all traffic to my IDS Suricata and also keep the regular flow? I have two interfaces and I did find how to do it with one interface. Example: -t ...

Standalone Windows HIDS

We are looking into installing a host intrusion detection system on a Windows 2008 R2 web server. Our requirements are, at least for the time being, that the system needs to be standalone and also ...

IDS for Linux?

We need to set up an intrusion detection system (IDS) on our Linux proxy server. Please suggest intrusion detection systems? Anything other than Snort? And ... does Snort have a good web interface?

Recommend alternative to tripwire?

Looking for a host-based IDS comparable to tripwire. Preferably one that allows centralized management. Right now I use tripwire and though it works management and reporting through a central server ...

Web server hosting infrastructure, does IPS help?

I am working on setting up new networking for a datacenter hosting a web site. We have the following topology: Internet -> Firewall1 -> ReverseProxy (for security) -> Web Server -> Firewall2 -> database ...

Total SA/Engineer Management Software

So, as we've seen all over server fault, and over the years I've built several of each system, System / Network Monitoring (I use nagios) System / Network Trending (I use Cacti) Centralized Log ...

Fail2Ban login filter not working on Debian Web Server

So I am having issues getting Fail2Ban to work as a custom filter for a web app login. First of all, other filters do work, such as NGINX Auth. However, my emails have stopped working, not sure why ...

How secure is Google Compute Engine?

We're moving to GCE and we want to know how secure it is. Do we need to install our own intrusion detection/prevention software on our VM instances (Tripwire, OSSEC, Snort)? Or does GCE handle ...

Watch new process on remote computer without agent

I am setting up an agentless HIDS solution and I wish to know if it's possible to send from a Windows computer the name of every process that starts to the HIDS C&C. The agentless factor is as ...

How to drop packets in a custom Intrusion Detection System

I'm trying to build a custom Intrusion Detection and Prevention System (IDS/IPS). I found a great utility named ROPE which can scan the packet payload and drop the packet that doesn't follow the rules,...

Intrusion Detection/Prevention in AWS

On a normal server, I would have fail2ban handle intrusion detection; how would I go about setting up IDS/IPS on AWS? Any help or pointers would be appreciated.

What are your thoughts on whether or not to use a bastion host

I'm considering a new network layout for our web facing infrastructure and I'm interested in your thoughts of whether or not to use a bastion host. Is it necessary with today's technology? Right now ...

Barnyard2 error on start

Been setting up a snort box with barnyard2, run into the error below. Can someone please help? $Starting Snort Output Processor (barnyard2): ./barnyard2: 35: ./barnyard2: barnyard2: not found /etc/...

Is there a PAM module for DNSBL lookups?

I have been enumerating the remaining security concerns on one of my back-end production servers, when I came to the realization that something which could be incredibly useful was missing from my ...

How to forward Bro logs to Security Onion ELSA?

In my environment, I have one Bro IDS and one SecurityOnion running, I want to forward Bro logs to ELSA on SecurityOnion. I tried to configure syslog-ng on my Bro, and the configuration is like this: ...

VirtualBox Networking Lab Configuration [closed]

I'm creating a lab for a project that will test a network security defense product's effectiveness in detecting various attacks. I have a physical server with 32GB of RAM and VirtualBox to create the ...

Blocking geographic cities from accessing Asterisk using Secast

I am using Secast for intrusion protection on my Asterisk PBX. It’s working great, and I now want to start blocking specific geographic regions. My system is getting hammered from Ramallah ...

How can I mirror all of the traffic on a network interface to a virtual interface?

I am trying to set up Snort to act as an IDS on a Debian machine that also functions as a router. Ideally I would like to set up Snort in such a way that I would not have to purchase an additional ...

Is there an appliance-style distribution with web-based configuration for Snort? [closed]

There are some great "appliance" style distributions like pfSense and M0n0wall, that bundle powerful features of their respective operating systems with a nice web application for configuration. In my ...

How to use Snort to generate packet logs when in NIDS mode?

I am using Snort to act as a network IDS by implementing a Snort configuration file and Snort rules. I also want to capture all the packets (traffic) going through a specific network interface. My ...

SPAN/Port mirroring on Linksys switch

I'm trying to deploy a Snort box in my LAN. I have a Linksys SRW248G4 and am trying to configure port mirroring so that Snort can listen to everything on the network in promiscuous mode. So in ADMIN / Port ...

KVM bridge for promisc interface IDS

I have a KVM virtualization server which serves up a br0 bridge, mapped to eth0. I want to add eth2 as a bridge to br2 for an IDS virtual machine I'm testing, but the guest OS doesn't see either br2 or ...

OSSEC large scale deployment

We have a data-center and as a happy OSSEC user I am trying to convince my management to use it for host intrusion detection. However I have never deployed it on more than a handful of servers and I ...

How to filter errors 404 to show only those which are related to php files?

One of my web servers is getting flooded with requests to resources that do not exist anymore, generating the corresponding 404 error. As I'm using OSSEC and OSSIM, then these errors are sent to the ...

Webserver security, intrusion detection, and file integrity

I would like to add some type of tracking / alerting on some Linux webservers running PHP and Apache. In doing searches I have come across a lot of info from 2006-2009. I would like to revisit ...

Using Snort without a port mirrored switch

I am trying to set up a Snort IDS on a virtual machine for my lab. My problem is that normally, these kinds of IDS are connected to the mirrored port of a switch. My lab has no such device. Here is my ...

POLICY Mozilla Multiple Products HTML href shell attempt - SNORT

We've had a few of these alerts get triggered through Snort: "POLICY Mozilla Multiple Products HTML href shell attempt" I'm struggling to find any information pertaining to this alert, does anyone ...