Intrusion Detection System

Hi, I'm planning to write an intrusion detection system as part of a university project. I would love to use Java as I know it better than any other language, but I fear it may be too high-level.
My question is this: is it possible in Java to manipulate the IP layer of network communication? Basically I want to be able to get my hands on packets BEFORE their port is resolved and they're passed on to their service application. I want my app to sit on the line looking at every single IP packet that comes in or out and fingerprint connections based on fragmentation, frequency, port number etc.
I'm wondering if the only way to do this in Java would be to create a ServerSocket for every single port :( and run it as a localhost proxy server for every network application on my PC (in which case I'll reluctantly switch to C).
Thanks for reading, let me know if I haven't made my problem clear.

Similar Messages

  • Intrusion Detection system in non-global zone

    I have a zone configured with exclusive-ip. The zone will be used for an intrusion detection system and the software needs low-level access to the network interface. (thus using exclusive-ip) The problem I'm having is that I need to use another interface for local login and management of the zone. I do not/can not use another interface exclusively for this purpose. The best scenario would be a combination of exclusive-ip and shared-ip, but that's not possible. Vlans would be another option, but the version of Solaris I'm using does not have crossbow.
    I'm currently using Solaris 10 138888-08
    Any suggestions?

    Hi Kevin
    As you mentioned yourself I would use VLAN tagging. You do not need to have crossbow to be able to use VLANs.
    I am assuming that it will be possible for the switch port you are connected to to be configured for tagged VLANs?
    E.g.
    Let's say your server's physical NIC is e1000g0. Get the switch configured so that your port is a VLAN trunk with 2 tagged VLANs, e.g. VLANs 100 and 200.
    You can then use e1000g100000 (for vlan 100) and e1000g200000 (for vlan 200) in your exclusive IP zone config. One will carry the traffic for your IDS and the other can be used as your login/management network.
    Solaris will handle all the tagging/untagging for you automatically when you plumb in the interfaces e1000g100000 and e1000g200000. The formula for calculating the number part of the name of the NIC is:
    (vlan ID * 1000 + NIC_id)
    e.g. if your physical NIC is bge3 and you had a VLAN ID of 150, then the interface to plumb in would be called bge150003.
    I believe the Solaris IP services manual should explain this.
    hope this helps
    Martin
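
    The naming rule from Martin's reply, worked through as an added example (not code from the thread): it builds the tagged interface name from the physical NIC and VLAN ID, decodes such a name back for auditing, and emits the zonecfg stanzas an exclusive-IP zone would need. The driver/instance split and the 0-999 instance limit follow from the "* 1000" scheme; the function names are my own.

```python
import re

# Added example, not from the thread: the Solaris 10 VLAN interface naming
# rule Martin describes (PPA = VLAN ID * 1000 + NIC instance), the inverse
# mapping, and the zonecfg lines an exclusive-IP zone would need.
# The scheme leaves room for instances 0-999 only; 802.1Q VLAN IDs are 1-4094.

_NIC_RE = re.compile(r"^([a-z][a-z0-9]*[a-z])(\d+)$")


def split_nic(name: str) -> tuple[str, int]:
    """Split a Solaris NIC name into (driver, number): 'e1000g0' -> ('e1000g', 0)."""
    m = _NIC_RE.match(name)
    if not m:
        raise ValueError(f"not a Solaris NIC name: {name!r}")
    return m.group(1), int(m.group(2))


def vlan_interface(nic: str, vlan_id: int) -> str:
    """Name of the tagged VLAN interface to plumb: ('bge3', 150) -> 'bge150003'."""
    driver, instance = split_nic(nic)
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    if instance > 999:
        raise ValueError(f"instance {instance} does not fit the *1000 scheme")
    return f"{driver}{vlan_id * 1000 + instance}"


def decode_interface(name: str) -> tuple[str, int]:
    """Inverse mapping for audits: 'bge150003' -> ('bge3', 150).
    Untagged names such as 'bge3' decode with VLAN ID 0."""
    driver, ppa = split_nic(name)
    vlan_id, instance = divmod(ppa, 1000)
    return f"{driver}{instance}", vlan_id


def zonecfg_net_lines(nic: str, vlan_ids) -> list[str]:
    """zonecfg stanzas (Solaris 10 syntax) giving an exclusive-IP zone one
    'add net' per VLAN, e.g. the IDS sniffing VLAN plus the management VLAN."""
    lines = ["set ip-type=exclusive"]
    for vid in vlan_ids:
        lines += ["add net", f"set physical={vlan_interface(nic, vid)}", "end"]
    return lines


if __name__ == "__main__":
    print(vlan_interface("bge3", 150))        # bge150003
    print(decode_interface("e1000g200000"))   # ('e1000g0', 200)
    print("\n".join(zonecfg_net_lines("e1000g0", [100, 200])))
```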

  • java code for intrusion detection system

    hi
    how can I write Java code for an intrusion detection system for a wireless network (steps)?
    help please with any documentation, examples, names of packages, thank you

    hi
    anyone have Java source code of an IDS (intrusion detection system) project for VANET? and thank you

  • Intrusion Detection System for Wireless Sensor Networks (IDS for WSN)

    Hello,
    Does anyone know how I can make an IDS for a WSN, using a LabVIEW application or any other available application?
    I don't know how to start: analyzing timestamps? ARP?
    Thank you

    Kaoutar,
    If you are only worried about other nodes trying to communicate with your gateway, I don't think you should have any issue. In order to communicate between a node and a gateway, the node needs to be added to the gateway; see step 1 in the following KB: http://digital.ni.com/public.nsf/allkb/88B2957808343185862575EC00120872. So unless you add the node it will not communicate with your gateway. Is this all that you are concerned about? If so, I think you should also check out this example.
    Let me know if this is not correct.
    Scott B.
    AE NI

  • Intrusion detection/Distributed Denial of Service (DDoS) Defense

    Hi,
    As an Azure customer with a website and a web service (not a virtual machine), am I correct in saying that I do not personally need to worry about DDoS attacks as Azure has a team that will monitor these threats?
    Thanks in advance.

    Hi,
    Perhaps the 16 page .PDF which begins downloading when you select this link, Microsoft Azure Network Security - Download Center, can provide some information for you.
    Here's a link for some info from LifeHacker - Top 10 Lesser-Known Facts About Windows Azure Security and a link to What happens if a DDOS attack hits Windows Azure Web Sites?.
    With regard to DDoS, if Microsoft's own systems are involved no doubt they either have their own people and/or some contractor(s) monitoring their own network infrastructure and probably systems also. Plus when you're a multibillion dollar American corporation, no doubt numerous politicians' ears will get a call when something like this happens, so official U.S. Government agencies will become immediately involved with an occurring large event of this type. As well they no doubt have appropriate hardware and software in place to assist in confronting issues like a DDoS. I doubt they would provide any information on that since it would be considered confidential by the corporation.
    Although depending on the DDoS attack it's not impossible to stop one from occurring. But once enough data is being sent from one or multiple locations on the net to an attack location, nowadays a DDoS probably will not last long. Just terminate all links to China/North Korea and the problem will most likely stop in a millisecond or so (possibly Russia too nowadays).
    From the .PDF:
    Protecting against DDoS
    Threat mitigation and protection of customer environments is similar to that used in many on-premises datacenters.
    To protect Azure platform services, Microsoft provides a distributed denial-of-service (DDoS) defense system that is part of Azure’s continuous monitoring and penetration-testing processes. Azure’s DDoS defense system is not only designed to withstand attacks from the outside, but also from other Azure tenants.
    The following are examples of several different kinds of DDoS attacks that the system focuses on:
    1. Network-layer high volume attacks choke network pipes and packet processing capabilities. The Azure DDoS defense technology provides detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits to help ensure that such attacks do not impact customer environments.
    2. Application-layer attacks can be launched against a customer VM. Azure does not provide mitigation or actively block network traffic affecting individual customer deployments, because the infrastructure does not interpret the expected behavior of customer applications. In this case, similar to on-premises deployments, impacts can be minimized by:
    - Running multiple VM instances behind a load-balanced Public IP address
    - Using firewall proxy devices (such as Web Application Firewalls (WAFs)) that terminate and forward traffic to endpoints running in a Virtual Machine, providing protection against a broad range of DoS and other attacks (e.g. low-rate, HTTP, and application-layer threats). Some virtualized solutions available are also capable of both intrusion detection and prevention (such as Barracuda). Virtual appliances should work on Azure as long as they are certified by the vendor.
    - Web Server add-ons that protect against certain DoS attacks
    - Network ACLs which can prevent packets from certain IP addresses from reaching your deployment.
    If a customer determines that their application is under attack, they should contact Microsoft Azure Customer Support immediately to receive assistance. Azure Customer Support personnel are trained to react promptly to these types of requests.
    La vida loca

  • IDA (intrusion detection APP) for my mac

    Is there an app that starts recording or snaps pics when someone tries to log in and gets the password wrong???? Also what's the IR sensor in the front for?

    Prey
    http://preyproject.com/
    Only catches the young dumb crooks who use the machine.
    The crackheads take it to a fence or drug dealer and they sit on it and have an evil geek strip it, as they know all about software like this and sneaky background stuff. Then it's shipped overseas for sale and you don't want it even if they find it.
    The IR on the front is for the AppleRemote.
    For real intrusion detection, like hackers, then you want Snort, but it's all command line and you have to know a lot about computers to use it.

  • Recommendation Needed on Host Based Intrusion Detection

    Hi,
    I don't have any experience in selecting or implementing a host based intrusion detection package.
    I need a package to sit on a web server (Win 2k / 2003 with IIS), running some e-Commerce websites, and I need to make sure that this package can detect and/or block any attempt to manipulate the scripts or web pages. If it's possible, I want to make sure that only certain IP addresses are allowed to carry out changes for this web service.
    Can Cisco Security Agent fulfil my requirements? What is the licensing scheme if I wanted to deploy this on multiple servers? And do I have to get any central management station for these servers (any CiscoWorks platform, for instance) or can I manage them individually?
    Any comment or recommendation would be highly appreciated.
    Thanks a lot.
    Salem.

    CSA will work well for this. You would need a license for each server. It is managed with CiscoWorks VMS.
    http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html
    Tom S

  • FMS has detected system time is going backwards

    Hi,
    I have a REGISTERED Flash Media Server version with update 1,
    and when I try to start it I have this error in the event log:
    "FMS has detected system time is going backwards;shutting
    down server"
    I tried to reinstall it; the system clock is OK! I'm using
    Windows 2003, it makes me crazy!!!!!!!!
    thanks

    I ran into this issue today and have not seen any posting regarding how to fix this in Linux; after using find and stat, this is how you fix it....
    Within your fms directory there is a file named '. ' (notice the extra spacing at the end), or follow this example.
    [root@xxx fms]# stat .*
      File: `.'
      Size: 4096            Blocks: 8          IO Block: 4096   directory
    Device: 301h/769d       Inode: 1167925     Links: 10
    Access: (0775/drwxrwxr-x)  Uid: (   xxx/  xxxxxx)   Gid: (  xxx/xxxxxx)
    Access: 2011-03-22 16:30:47.000000000 -0400
    Modify: 2011-03-22 16:17:13.000000000 -0400
    Change: 2011-03-22 16:28:42.000000000 -0400
      File: `.        '
      Size: 18              Blocks: 8          IO Block: 4096   regular file
    Device: 301h/769d       Inode: 1167965     Links: 1
    Access: (0660/-rw-rw----)  Uid: (    xxx/    xxxxxx)   Gid: (  xxx/xxxxxx)
    Access: 2011-03-22 16:16:53.000000000 -0400
    Modify: 2011-03-23 16:59:26.000000000 -0400
    Change: 2011-03-23 16:59:26.000000000 -0400
    Notice that the directory has a newer timestamp, and the file has a timestamp in the future due to adjusting the system clock.
    Simply stop fms, mv the file, and start fms; then tail -f your master.00.log file to confirm things start without a clock error.
    service fms stop && mv '.        '  test && service fms start
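
    The check described above, as an added example that is not from the post: a Python walker that flags entries whose mtime lies in the future and reports names with repr() so a file named '.' plus trailing spaces is visible. The sample directory (with a '.        ' file pushed a day ahead) is constructed in-line; the function names are my own.

```python
import os
import tempfile
import time


def find_future_mtime(root: str, now=None, skew: float = 60.0):
    """Walk root and return [(relative name, seconds ahead)] for every entry
    whose modification time lies more than `skew` seconds in the future.
    lstat is used so symlinks report their own timestamp, not their target's."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue            # vanished or unreadable: skip, don't crash
            ahead = st.st_mtime - now
            if ahead > skew:
                hits.append((os.path.relpath(path, root), ahead))
    return hits


def format_report(hits) -> list[str]:
    """One line per hit; repr() makes names like '.        ' (dot + spaces) visible."""
    return [f"{name!r}: mtime {ahead / 3600:.1f} h in the future" for name, ahead in hits]


def demo() -> list[str]:
    """Constructed sample: an fms-like directory holding one normal file and a
    hidden '.        ' file whose mtime was pushed a day ahead, as in the post."""
    root = tempfile.mkdtemp(prefix="fms-demo-")
    with open(os.path.join(root, "master.00.log"), "w") as fh:
        fh.write("ok\n")
    weird = os.path.join(root, ".        ")
    with open(weird, "w") as fh:
        fh.write("x" * 18)
    future = time.time() + 86400
    os.utime(weird, (future, future))   # simulates a clock that was set back
    return [name for name, _ in find_future_mtime(root)]


if __name__ == "__main__":
    lines = format_report(find_future_mtime(".")) or ["no future timestamps"]
    print("\n".join(lines))
```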

  • Intrusion-detection-module 7 data-port 2: Capture not allowed on a SPAN destination port

    Hi all
    I have 2 switches Cat6509E. each with IDSM module
    I have on first switch this commands
    intrusion-detection module 7 data-port 1 capture
    intrusion-detection module 7 data-port 2 capture
    intrusion-detection module 7 data-port 1 capture allowed-vlan 4,6,16,17,66
    intrusion-detection module 7 data-port 2 capture allowed-vlan 68,70,74,134,145
    And when I try to put the same on the second switch I get this error message:
    Intrusion-detection-module 7 data-port 2:  Capture not allowed on a SPAN destination port
    What does it mean?
    Output "sh monitor" is the same on both switches
    Session 1
    Type                   : Service Module Session
    Modules allowed        : 1-9
    Modules active         : 1,7
    BPDUs allowed          : Yes
    Session 2
    Type                   : Local Session
    Source VLANs           :
        Both               : 4
    Destination Ports      : analysis-module 8 data-port 1
    Peter

    Hi Peter,
    The first switch that you mention is configured (judging from the "intrusion-detection" commands) to use the VACL capture method of sending traffic to the IDSM-2 for inspection.  You can read about this method here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030828
    In short, you configure a VACL to define the traffic you want to capture and apply it to the appropriate VLANs.  When traffic matches the VACL, it's copied to the IDSM-2 ports that have been configured with the "intrusion-detection module 7 data-port 1  capture" commands.
    On the second switch it appears that there is a monitor session set up SPANning traffic to the IDSM-2 port.  This is an alternative method of sending traffic to the IDSM-2 for inspection and is mutually exclusive with the VACL method on a particular IDSM-2 interface.  You can read about the SPAN method here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030816
    This method, in short, simply involves configuring a SPAN session with the IDSM-2 interface as the destination.
    You'll need to choose one method or the other for configuring the second switch.  If you want it to match the configuration on the first switch, simply remove the monitor (SPAN) session that's currently configured.
    Best Regards,
    Justin

  • Host Based Intrusion Detection software

    Hello,
    We are looking to set up some sort of intrusion detection on our new Leopard Server. So far the only solution we've found is OSSEC. Does anyone have any experience using this on Leopard Server? Any hints/tips/warnings/recommendations you have would be great.
    Thanks!

    http://www.snort.org

  • How to detect system date Format?

    Could someone help me find out how to detect whether the local system is in MM/DD/YYYY or DD/MM/YYYY format?
    Thanks.

    What happens when you run this code in a country where the default format is yyyy-MM-dd?
    My advice is to either use the default format for a given locale, or allow your app to be configured with a format.
    demo:
    import java.text.*;
    import java.util.*;
    public class RingingTheFormats {
        public static void main(String[] args) {
            Date now = new Date();
            // print today's date in the SHORT style of every installed locale
            for (Locale locale : Locale.getAvailableLocales()) {
                DateFormat fmt = DateFormat.getDateInstance(DateFormat.SHORT, locale);
                System.out.format("%20s %s%n", fmt.format(now), locale.getDisplayName());
            }
        }
    }
    What's going on in the Japanese format? What is H21?
    edit: [Heisei |http://en.wikipedia.org/wiki/Heisei] period. nvm.

  • Virtualbox no longer detects system theme

    Hi.  I just upgraded all the virtualbox packages.  I replaced virtualbox-additions with virtualbox-iso-additions, and virtualbox-modules with virtualbox-host-modules <-- I think those were the replacements.  There were two that pacman asked me about and I chose the default answer, which was Y.
    I also re-installed the updated virtualbox-ext-oracle from the aur.  So, everything still works ok, but the virtualbox manager is not detecting my system theme properly.  By properly, I mean that it detects some stuff - for example, the menus and toolbar look right, but the sections with text are giving me white on white.  See below,
    >>moderator edit: Removed large image. Please read Forum Etiquette: Pasting Pictures and Code. Thanks. --fsckd<<
    I used to have the problem that virtualbox wouldn't detect the system theme AT ALL.  After reading some threads, I just installed libgnomeui and that fixed the problem, and virtualbox looked just fine up until this recent update.
    Anyone know what's going on here?
    Last edited by fsckd (2012-09-20 16:43:29)

    https://wiki.archlinux.org/index.php/ABS
    # pacman -S abs
    # abs
    $ mkdir -p ~/.builds/virtualbox
    $ cp /var/abs/community/virtualbox/* ~/.builds/virtualbox
    $ cd ~/.builds/virtualbox
    $ makepkg -do
    Then have fun poking around in:
    "~/.builds/virtualbox/src/VirtualBox-4.2.0/src/VBox/Frontends/VBoxManage/"
    "~/.builds/virtualbox/src/VirtualBox-4.2.0/src/VBox/Frontends/VirtualBox/"
    When you're done, build and tell pacman to install it with:
    $ makepkg -si
    Edit: Then again, you should probably ask on their forum or IRC channel (#vbox on freenode).
    Last edited by DSpider (2012-09-22 13:33:19)

  • Java applet detecting system states

    I am currently working on a chat room applet to keep all of our employees connected during the day for user support and general communication; however, we have been having an issue with people not going idle lately. The solution we have settled on is trying to detect if the user's computer has been locked (a much more habitual thing to do) from the Java applet that they access the system from (all of our users are accessing the applet from a Windows machine). I cannot for the life of me figure out how to do this. Is this even possible in an applet or would it have to be an actual application?
    thanks in advance for the help!

    It's probably possible if you sign the applet code, but it's messy. You need to use JNI to access the system status which requires that an appropriate DLL is in place on the client machine. A signed applet can install one.
    But you quickly get to the point where it might make more sense to use a stand-alone program, which you could place on a shared directory.

  • How to Detect System Availability from WD Application Integrator iView

    Hey All -
    I've created an WD ABAP iView using the wizard (SAP Web Dynpro iView template) to connect to SAP's SNC bolt-on module (Supplier Network Collaboration).  The application is written in ABAP WD and I can connect to it rendering the application just fine by supplying the correct namespace and application name.
    When I simulate SNC not being available for some reason (down), I do not get any kind of message - Just a blank iView.  My user community would like a custom error message telling them that the "system is unavailable."
    How do I accomplish this??  In a nutshell: when I cannot access the application, how can I control what the user sees in the iView?  Do I need to create a custom template, or what would be the best way to handle this?  I assume this is a common question, but was unable to locate it.
    Many thanks in Advance !!

    Hi Christopher,
    the WD ABAP iView will only display whatever the underlying system returns. Are you able to send back a message from the SNC system when it's unavailable? If not, you would have to create a custom iView that can detect if the system is down and report it to the user. The iView could first check if the system is up and running and, if so, redirect the user to the application. If not, it would display a message. Alternatively, you could have both in a page where the first one raises an event depending on the SNC system status. The WD app would subscribe to that event and react accordingly.
    Hope this is of help.
    Cheers,
    Dion

  • [SOLVED] Intrusion detection on unsupervised laptop

    Hi all,
    I have forgotten my Arch laptop in my hotel room while logged in. Apparently no commands were run while I was missing, but I still want to make sure everything is fine.
    I have already done the following checks:
    - bash history for my user - ok
    - bash history for root - ok
    - /var/log files - everything seems fine i guess...
    - chkrootkit - nothing detected.
    I have already changed passwords for regular user and root and I plan to also change password for encrypted harddrive as soon as possible - must do some reading on the wiki first.
    Does anybody have any other ideas/hints ?
    Thanks.
    Last edited by sargas83 (2012-02-24 21:03:09)

    Even without your password, someone could've uploaded something from your computer. You don't have a password for the file manager or web browser, do you? No.
    A clipboard manager could've come in handy. For instance, parcellite keeps records of file transfers too. So if someone managed to Copy-Paste something to a USB stick, at least you'd know what (and take necessary measures). Well, unless they've cleared the cache, but that would make it obvious it was tampered with. Or they meticulously edited the ~/.local/share/parcellite/history file, which is a bit unlikely if they're not too familiar with the program - unless they googled it, haha.
    Relax. If you use sudo on a regular basis (which you should) instead of logging in as the root user to do maintenance, it's ok. Because it logs you out after about a minute or so. There's no way someone could've installed a keylogger or something in there. Well, unless they opened up your laptop, took out the HDD (or SDD), hooked it up to another computer and did their thing... Or, or... You left the Optical drive/Removable devices in the BIOS to boot first. Using a LiveCD someone could've easily compromised your system. Rootkit all the way, baby!!! In which case, you're fucked. Burn it.
