Questions tagged [ids]

Intrusion Detection System, a system for detecting and alerting based on behavior.

An Intrusion Detection System, or IDS, can come in many forms, but they all share the basic purpose of detecting and alerting based on behavior. Commonly this detection is signature-based, similar to anti-virus solutions, though adaptive techniques are also available.

The two most common types are network-based and host-based systems. A NIDS is intended to be a standalone device that monitors network traffic destined for other hosts. A HIDS runs as an application on the end system and often monitors both network traffic and system activity.

431 questions
10 votes, 3 answers

What FOSS software do you like to use to build intrusion detection stacks?

Start-ups and organizations with limited budgets that are security conscious are often encouraged to deploy intrusion detection stacks. Given that prevention will always fail, intrusion detection stacks are often vital to learn why defenses…
Tate Hansen
  • 13,804
  • 3
  • 42
  • 84
6 votes, 1 answer

New to ossec - what does active response do out of the box

I am new to ossec. I installed the server and wui on a dedicated machine. I have agents running on my zookeeper and kafka servers to start. Below are events I am seeing. I assume they are automated bots. 10 - User missed the password more than…
Tampa
  • 163
  • 1
  • 4
5 votes, 1 answer

Anomaly intrusion detection

Does anyone know which open-source network IDSs are using anomaly techniques? My project is to compare them, so if you could give me some hints, that would be much appreciated. Currently, I am looking at Snort with SPADE and Snort.AD pre-processor. Bro…
4 votes, 1 answer

Anomaly Intrusion Detection relevant features

I am researching Anomaly Intrusion Detection in order to implement one. At this phase, I am searching for relevant features of network traffic. I found 41 features from the KDD CUP'99 project (the paper: WENKE LEE, SALVATORE J. STOLFO, "A Framework for…
Yasser
  • 353
  • 1
  • 3
  • 8
4 votes, 1 answer

Difference between NIDS and NBA

I'm having trouble understanding the difference between NIDS (Network-based Intrusion Detection System) and NBA (Network Behavior Analysis). It is to my understanding that NIDS use two detection methods: Signature-based detection, Anomaly-based…
Xavier59
  • 2,924
  • 4
  • 18
  • 34
4 votes, 3 answers

Is there an IDS based on process patterns?

After reading what Metasploit is able to do, I got even more grey hairs. From my understanding, current attack methods are being carried out without tampering with any file in a filesystem, thus rendering file-based HIDS useless. So my idea was: What about…
Nils
  • 121
  • 7
3 votes, 1 answer

What is the best place to put my IDS network sensor?

I can only place a single network sensor somewhere within my network. Would it be best placed between the border router and the firewall, or between the firewall and the internal LAN?
sybind
  • 511
  • 2
  • 5
  • 9
3 votes, 1 answer

tripwire report - inode number

I am investigating Tripwire and have stumbled upon something about which I am unsure. In a tripwire report generated after I modified hosts.deny to include an extra #, I noticed the inode number changed from 6969 to 6915. I would like to know why…
Mintuz
  • 273
  • 3
  • 5
3 votes, 1 answer

Suricata: nmap scan does not match rules

I am using suricata with emerging-scan.rules and other rules. The rules are loaded in the suricata.yaml, homenet and ext_net are configured correctly. For testing the detection of suricata I used nmap -sS on the machine on which suricata is installed.…
frank
  • 31
  • 1
  • 3
3 votes, 2 answers

C&C domains used by Flame/Skywiper trojan

I'm trying to figure out if any of our clients have been infected by the recent trojan/worm Flame. I have access to our proxy logs, so I want to search for any requests made to the "known" C&C domains. In this article, it says it uses 10 domains for…
Dog eat cat world
  • 5,827
  • 1
  • 28
  • 46
3 votes, 2 answers

IDS/IPS configuration audit

Is anyone familiar with a tool that can audit the configuration of an intrusion detection / intrusion prevention tool? I'm looking for a tool that can check for best practices and non-standard configurations. I have googled just about everything…
user2219930
  • 101
  • 1
  • 1
  • 3
2 votes, 1 answer

Host Based Prevention System definition

I'm a little bit confused about what a host-based intrusion prevention system is. In order to better understand this concept, I'd like to introduce you to a case. Let's say someone designed the following software: The software must be installed on a…
Othman
  • 587
  • 6
  • 16
2 votes, 3 answers

Is there any good reason to choose IDS over IPS?

As far as I know, an IDS sniffs network traffic and, if an intrusion is detected, reports it. An IPS sniffs network traffic and, if an intrusion is detected, rejects it and reports why it was blocked. Am I right? And I read that some IPS can even be…
mau5
  • 134
  • 3
  • 10
2 votes, 2 answers

Server with eth0 in promiscuous mode vulnerable to attacks from outside the firewall?

If you use a passive network tap and a server with an Ethernet port in promiscuous mode to monitor all traffic between the WAN port of your router and the RJ45 port of your ISP cable modem, is the IDS instance running Snort and Snorby vulnerable to attacks…
user3200534
  • 881
  • 10
  • 22
1 vote, 1 answer

Query on IPS reports

In the IPS reports I see multiple counts of the same exploit from the same source IP. I wonder why someone would continue to attempt to exploit a vulnerability when he must have realized on the first attempt that the exploit was blocked?
Rajesh
  • 11
  • 1