Questions tagged [intrusion-detection]
143 questions
15
votes
1 answer
Anomaly detection using Python
I work for a webhost and my job is to find and clean up hacked accounts. The way I find a good 90% of shells\malware\injections is to look for files that are "out of place." For example, eval(base64_decode(.......)), where "....." is a whole bunch…
Josh M
- 151
- 1
- 3
11
votes
2 answers
OSSEC | How to add an exception rule
I have the standard syslog_rules.xml (OSSEC 2.6.0).
This is the standard rule for bad words in the /var/log/messages file:
core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation…
Anton Shevtsov
- 1,211
- 4
- 16
- 31
7
votes
3 answers
Difference between Anomaly Detection and Behaviour Detection
In an Intrusion Detection System, there are two techniques called Anomaly Detection and Behaviour Detection. I am implementing an IDS from scratch and was checking for some signatures and from some site they were given as different types of methods…
Pankaj Anand
- 463
- 1
- 5
- 15
5
votes
1 answer
How to derive KDD99 Features from DARPA pcap file?
I have worked recently with the DARPA network traffic packets and the derived version of it used in KDD99 for intrusion detection evaluation.
Excuse my limited domain knowledge in computer networks, I could only derive 9 features from the DARPA…
amaatouq
- 1,817
- 3
- 24
- 46
3
votes
1 answer
Snort log file output format
I have been using Snort for my school project.
My problem is that the log files are in binary format and I am not able to read them using less/cat/vi. How do I do this?
I have specified in my snort.conf file unified2 format.
Here is my snort.conf…
Tomala
- 517
- 2
- 8
- 18
3
votes
2 answers
Read the alert log from snort
I have a new instance with snort setup.
When I tried to look at the alert log I noticed that the directory doesn't have a /var/log/snort/alert file.
I tried to touch this file and to chmod to give read and write access to my snort user but I still…
Elie
- 121
- 1
- 2
- 11
3
votes
1 answer
Create a Bash init script for Suricata
I'm running an older version "1.1" of Suricata on my Fedora 14 System. It was installed through yum and as such doesn't have a working init script due to some issues that I've read about. Is there a simple way to include the following in a generic…
user1443366
- 55
- 1
- 5
2
votes
2 answers
Verifying process integrity in memory?
It looks like it's impossible to prevent determined attackers from modifying one's process code/data. I'm hoping that it's at least possible to detect such tampering.
Under Windows, is it possible to listen for DLL injections, WriteProcessMemory and…
Gili
- 76,473
- 85
- 341
- 624
2
votes
1 answer
Chassis Intrusion API?
Some computer cases come with chassis intrusion detection.
I'd like my application to check for chassis intrusion on start-up and if an intrusion is detected to display an error and shut down.
Is there a standard way of reading this value…
Gili
- 76,473
- 85
- 341
- 624
2
votes
2 answers
How to identify if the centroid point touches a line or not?
I am working with an intrusion detection algorithm which works on the basis of line crossing detection. I have developed a basic algorithm using the equation y = mx+c, but it is showing some wrong detection when the person reaches nearer to the…
Adithya Raj
- 105
- 9
2
votes
2 answers
Neural network and IDS
I am trying to get a grasp on the efficiency of neural networks over other artificial intelligence algorithms for use in intrusion detection systems. Most of the literature I’m reading isn’t giving a good comparison of neural networks compared to…
G Gr
- 5,756
- 20
- 83
- 176
2
votes
1 answer
How to generate the software.log from a pcap file using bro?
I'm trying to generate the software.log file from a PCAP file I have; the default bro -r my.pcap seems to generate some of the log files but not this one. After googling, adding local on the end is supposed to fix it, but it doesn't.
Crizly
- 919
- 1
- 10
- 26
2
votes
1 answer
Testing Snort Rules
I am using the pulledpork to get my rules daily. I want to be able to test these rules and make sure everything is working. Is there anything out there that is up to date and working? I know rules2alert is there but it is vastly unfinished and…
dez
- 36
- 5
2
votes
3 answers
how to know if snort detects syn flood attacks since snort alert is not logging anything
I have snort running on Centos as IDS. I am trying to test if snort can detect the syn flood attack. I am sending the attack from the same LAN network. I added this rule in local.rules alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S;…
Asma
- 31
- 1
- 1
- 5
2
votes
1 answer
Snort rules for byte code
I just started to learn how to use Snort today.
However, I need a bit of help with my rules setup.
I am trying to look for the following code on the network sent to a machine. This machine has snort installed on it (as I installed it now).
The…
user3419132
- 21
- 1
- 2