Questions tagged [intrusion-detection]
137 questions
15 votes, 1 answer
Anomaly detection using Python
I work for a webhost and my job is to find and clean up hacked accounts. The way I find a good 90% of shells\malware\injections is to look for files that are "out of place." For example, eval(base64_decode(.......)), where "....." is a whole bunch…

Josh M
12 votes, 2 answers
OSSEC | How to add an exception rule
I have the standard syslog_rules.xml (OSSEC 2.6.0).
This is the standard rule for bad words in the /var/log/messages file:
core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation…

Anton Shevtsov
7 votes, 4 answers
Difference between Anomaly Detection and Behaviour Detection
In an Intrusion Detection System, there are two techniques called Anomaly Detection and Behaviour Detection. I am implementing an IDS from scratch and was checking for some signatures, and on some site they were given as different types of methods…

Pankaj Anand
5 votes, 1 answer
How to derive KDD99 Features from DARPA pcap file?
I have worked recently with the DARPA network traffic packets and the derived version of it used in KDD99 for intrusion detection evaluation.
Excuse my limited domain knowledge in computer networks; I could only derive 9 features from the DARPA…

amaatouq
3 votes, 1 answer
Snort log file output format
I have been using Snort for my school project.
My problem is that the log files are in binary format and I am not able to read them using less/cat/vi. How do I do this?
I have specified in my snort.conf file unified2 format.
Here is my snort.conf…

Tomala
3 votes, 2 answers
Read the alert log from snort
I have a new instance with Snort set up.
When I tried to look at the alert log I noticed that the directory doesn't have a /var/log/snort/alert file.
I tried to touch this file and chmod it to give read and write access to my snort user, but I still…

Elie
3 votes, 3 answers
How to know if Snort detects SYN flood attacks, since the Snort alert log is not logging anything
I have Snort running on CentOS as an IDS. I am trying to test if Snort can detect a SYN flood attack. I am sending the attack from the same LAN network. I added this rule in local.rules: alert tcp !$HOME_NET any -> $HOME_NET 80 (flags: S;…

Asma
3 votes, 1 answer
Kyoto2006+ Dataset or other label network/host security datasets
Does anyone know how to access the Kyoto2006+ dataset or another labeled security dataset? An email to the Japanese authors of the dataset has not been returned. The DARPA and KDD datasets are outdated.
If anyone else is interested, here is the running…

user2735664
3 votes, 1 answer
Create a Bash init script for Suricata
I'm running an older version, "1.1", of Suricata on my Fedora 14 system. It was installed through yum and as such doesn't have a working init script, due to some issues that I've read about. Is there a simple way to include the following in a generic…

user1443366
2 votes, 2 answers
Verifying process integrity in memory?
It looks like it's impossible to prevent determined attackers from modifying one's process code/data. I'm hoping that it's at least possible to detect such tampering.
Under Windows, is it possible to listen for DLL injections, WriteProcessMemory and…

Gili
2 votes, 1 answer
Chassis Intrusion API?
Some computer cases come with chassis intrusion detection.
I'd like my application to check for chassis intrusion on start-up and if an intrusion is detected to display an error and shut down.
Is there a standard way of reading this value…

Gili
2 votes, 1 answer
Is it possible to use eBPF to block a malicious process in kernel space?
One way to block a malicious process is tracing its behavior in a kernel-space eBPF program and then simply killing it from a user-space program, but there is latency before the user-space program receives data from kernel space. I wonder if there is a way…

hdthky
2 votes, 2 answers
How to identify if the centroid point touches a line or not?
I am working with an intrusion detection algorithm which works on the basis of line crossing detection. I have developed a basic algorithm using the equation y = mx+c, but it is showing some wrong detections when the person comes nearer to the…

Adithya Raj
2 votes, 2 answers
Neural network and IDS
I am trying to get a grasp on the efficiency of neural networks over other artificial intelligence algorithms for use in intrusion detection systems. Most of the literature I’m reading isn’t giving a good comparison of neural networks compared to…

G Gr
2 votes, 1 answer
How to generate the software.log from a pcap file using bro?
I'm trying to generate the software.log file from a PCAP file I have; the default bro -r my.pcap seems to generate some of the log files but not this one. After googling, adding local on the end is supposed to fix it, but it doesn't.

Crizly