Questions tagged [intrusion-detection]

143 questions
15 votes, 1 answer

Anomaly detection using Python

I work for a webhost and my job is to find and cleanup hacked accounts. The way I find a good 90% of shells\malware\injections is to look for files that are "out of place." For example, eval(base64_decode(.......)), where "....." is a whole bunch…
Josh M
11 votes, 2 answers

OSSEC | How to add an exception rule

I have the standard syslog_rules.xml (OSSEC 2.6.0). This is the standard rule for bad words in the /var/log/messages file: core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation…
Anton Shevtsov
7 votes, 3 answers

Difference between Anomaly Detection and Behaviour Detection

In an Intrusion Detection System, there are two techniques called Anomaly Detection and Behaviour Detection. I am implementing an IDS from scratch and was checking for some signatures, and on some site they were given as different types of methods…
Pankaj Anand
5 votes, 1 answer

How to derive KDD99 Features from DARPA pcap file?

I have worked recently with the DARPA network traffic packets and the derived version of it used in KDD99 for intrusion detection evaluation. Excuse my limited domain knowledge in computer networks; I could only derive 9 features from the DARPA…
amaatouq
3 votes, 1 answer

Snort log file output format

I have been using Snort for my school project. My problem is that the log files are in binary format and I am not able to read them using less/cat/vi. How do I do this? I have specified in my snort.conf file unified2 format. Here is my snort.conf…
Tomala
3 votes, 2 answers

Read the alert log from snort

I have a new instance with snort setup. When I tried to look at the alert log I noticed that the directory doesn't have a /var/log/snort/alert file. I tried to touch this file and to chmod to give read and write access to my snort user but I still…
Elie
3 votes, 1 answer

Create a Bash init script for Suricata

I'm running an older version "1.1" of Suricata on my Fedora 14 System. It was installed through yum and as such doesn't have a working init script due to some issues that I've read about. Is there a simple way to include the following in a generic…
user1443366
2 votes, 2 answers

Verifying process integrity in memory?

It looks like it's impossible to prevent determined attackers from modifying one's process code/data. I'm hoping that it's at least possible to detect such tampering. Under Windows, is it possible to listen for DLL injections, WriteProcessMemory and…
Gili
2 votes, 1 answer

Chassis Intrusion API?

Some computer cases come with chassis intrusion detection. I'd like my application to check for chassis intrusion on start-up and if an intrusion is detected to display an error and shut down. Is there a standard way of reading this value…
Gili
2 votes, 2 answers

How to identify if the centroid point touches a line or not?

I am working with an intrusion detection algorithm which works on the basis of line crossing detection. I have developed a basic algorithm using the equation y = mx+c, but it is showing some wrong detection when the person reaches nearer to the…
2 votes, 2 answers

Neural network and IDS

I am trying to get a grasp on the efficiency of neural networks over other artificial intelligence algorithms for use in intrusion detection systems. Most of the literature I’m reading isn’t giving a good comparison of neural networks compared to…
G Gr
2 votes, 1 answer

How to generate the software.log from a pcap file using bro?

I'm trying to generate the software.log file from a PCAP file I have; the default bro -r my.pcap seems to generate some of the log files but not this one. After googling, adding local on the end is supposed to fix it, but it doesn't.
Crizly
2 votes, 1 answer

Testing Snort Rules

I am using the pulledpork to get my rules daily. I want to be able to test these rules and make sure everything is working. Is there anything out there that is up to date and working? I know rules2alert is there but it is vastly unfinished and…
dez
2 votes, 3 answers

How to know if snort detects syn flood attacks since snort alert is not logging anything

I have snort running on Centos as IDS. I am trying to test if snort can detect the syn flood attack. I am sending the attack from the same LAN network. I added this rule in local.rules alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S;…
Asma
2 votes, 1 answer

Snort rules for byte code

I just started to learn how to use Snort today. However, I need a bit of help with my rules setup. I am trying to look for the following code on the network sent to a machine. This machine has snort installed on it (as I installed it now). The…
user3419132