No announcement yet.

IDS - Signs Of An Intrusion

  • Filter
  • Time
  • Show
Clear All
new posts

  • IDS - Signs Of An Intrusion

    These lists are not exhaustive but merely inspiration or common signs of malicious activity.

    Host System Intrusions
    • File system anomalies such as unknown files, altered file attributes.
    • New files or folders that are present without explanation or whose purpose cannot be ascertained.
    • Presence of rogue SUID or SGIDs on a Linux system.
    • Unknown or unexplained modifications to files.
    • Unknown file extensions.
    • Cryptic filenames.
    • Double extensions on files.
    • Excessive use of disk space.
    • Unstable system.

    Network Intrusions
    • Increased and unexplained use of bandwidth.
    • Probes or scan like traffic on services.
    • Connection requests from unknown IP addresses both inside and outside the local network.
    • Repeated login attempts from remote hosts.
    • Unknown or unexplained messages in log files.
    • Traffic on protocols not in corporate use.

    General Signs of Intrusion
    • Modifications to system software and configuration files.
    • Missing logs or logs with incorrect permissions or ownership.
    • System crashes or reboots.
    • Gaps in the system accounting.
    • Unfamiliar processes.
    • Use of unknown logins.
    • Logins outside working hours.
    • Presence of new user accounts.
    • Gaps in system audit files.
    • Decrease in system performance.

    It it not just a good idea to check logs for unknown or unexplained behavior on a regular basis but a requirement. Have all corporate systems also log to a centralized syslog system so logs can still be found in case an attacker alter or delete local log files.
    Of course it is important to verify on affected systems, if an attack has actually happened before assuming an intrusion has taken place.
    Certified Security Geek