Intrusion Detection Service

The Intrusion Detection service monitors events that are generated by Snort and any other intrusion detection applications installed on your network. 

The intrusion detection application inspects network packets for suspicious patterns, assigns each match one of its predefined class-types, and logs the event to a local log file or to its database. MSP N-central can monitor the application only if it has been configured to log its events to a local log file.

During each scan interval, the agent used by the Intrusion Detection service scans that log file for keywords that match the regular expressions configured for the service. If a match is found, the agent reports it to the central server, and MSP N-central sets the service status according to the configured threshold.

If the status triggers a notification, the notification includes the first matching line and the numbers of the lines on which the keyword was found, unless a numeric pager was used for the notification. The first matching line and the matching line numbers are also displayed in the applicable reports and on the status details screen for the service. This service also supports wide characters.

By default, the service's regular expressions contain the Snort class-types, grouped into the four expressions listed below. A match on Regular Expression 1 or 2 sets the service to Failed (shown as Critical in the tables), and a match on Regular Expression 3 or 4 sets it to Warning.

The Intrusion Detection service is supported by the Linux agent and all of the Windows agents.

Service Type: Log Appended

Instances on a Device: 1

Supported Systems/Applications: Snort and IDS applications

Device Class: Server - Generic, Workstation - Generic, Laptop - Windows, Server - Windows, and Workstation - Windows

Monitored By: Agent (Windows and Red Hat Enterprise Linux)

Scan Interval: 5 minutes

Log File Name and Path

The directory path and name of the log file monitored by this service. The name and path specified can be complete or partial, and will change depending on the Intrusion Detection software you use.

For example: C:\N-able\Rocks\MSP.log

Critical (1) Regular Expression 1

Class Type                      Description
attempted-admin                 Attempted Administrator Privilege Gain
attempted-user                  Attempted User Privilege Gain
shellcode-detect                Executable code was detected
successful-user                 Successful User Privilege Gain
successful-admin                Successful Administrator Privilege Gain

Critical (2) Regular Expression 2

Class Type                      Description
trojan-activity                 A Network Trojan was detected
unsuccessful-user               Unsuccessful User Privilege Gain
web-application-attack          Web Application Attack

Warning (1) Regular Expression 3

Class Type                      Description
attempted-dos                   Attempted Denial of Service
attempted-recon                 Attempted Information Leak
bad-unknown                     Potentially Bad Traffic
denial-of-service               Detection of a Denial of Service Attack
misc-attack                     Misc Attack
non-standard-protocol           Detection of a non-standard protocol or event
rpc-portmap-decode              Decode of an RPC Query
successful-dos                  Denial of Service
successful-recon-largescale     Large Scale Information Leak
successful-recon-limited        Information Leak
suspicious-filename-detect      A suspicious filename was detected
suspicious-login                An attempted login using a suspicious username was detected

Warning (2) Regular Expression 4

Class Type                      Description
system-call-detect              A system call was detected
unusual-client-port-connection  A client was using an unusual port
web-application-activity        Access to a potentially vulnerable web application

Other status details

The line count matched regex... (threshold default: Off)
    The number of lines in the log file on which the keyword was located, as returned by the agent. This value is displayed for each regular expression on the status details screen for the service, in any applicable reports, and in any triggered notifications, except numeric pages.

The first line matched
    The first 250 characters of the first line in the log file that contains the matching keyword, as returned by the agent. This value is displayed on the service's status details screen, in any applicable reports, and in any triggered notifications, except numeric pages.
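The scanning, counting and status roll-up described in the overview and in the status details above, as an added example in Python. This is not MSP N-central's agent code (the page does not describe the agent's internals); it is a model that assumes Snort's alert_fast output format, matches both the short class-type names from the tables and the classification text that Snort actually writes in the "[Classification: ...]" field, and treats any matching line as crossing the threshold. The sample log lines, SIDs and addresses are constructed for the example.

```python
"""Model of the Log Appended check: scan lines appended to a Snort alert log,
match each configured regular expression, and report per-expression details."""
import re

# Class types per regular expression group, as in the tables above, paired with
# the classification text Snort writes as "[Classification: ...]" in alert_fast
# output. Matching both covers logs that carry either the name or the text.
GROUPS = {
    "Critical (1) Regular Expression 1": [
        ("attempted-admin", "Attempted Administrator Privilege Gain"),
        ("attempted-user", "Attempted User Privilege Gain"),
        ("shellcode-detect", "Executable code was detected"),
        ("successful-user", "Successful User Privilege Gain"),
        ("successful-admin", "Successful Administrator Privilege Gain"),
    ],
    "Critical (2) Regular Expression 2": [
        ("trojan-activity", "A Network Trojan was detected"),
        ("unsuccessful-user", "Unsuccessful User Privilege Gain"),
        ("web-application-attack", "Web Application Attack"),
    ],
    "Warning (1) Regular Expression 3": [
        ("attempted-dos", "Attempted Denial of Service"),
        ("attempted-recon", "Attempted Information Leak"),
        ("bad-unknown", "Potentially Bad Traffic"),
        ("denial-of-service", "Detection of a Denial of Service Attack"),
        ("misc-attack", "Misc Attack"),
        ("non-standard-protocol", "Detection of a non-standard protocol or event"),
        ("rpc-portmap-decode", "Decode of an RPC Query"),
        ("successful-dos", "Denial of Service"),
        ("successful-recon-largescale", "Large Scale Information Leak"),
        ("successful-recon-limited", "Information Leak"),
        ("suspicious-filename-detect", "A suspicious filename was detected"),
        ("suspicious-login", "An attempted login using a suspicious username was detected"),
    ],
    "Warning (2) Regular Expression 4": [
        ("system-call-detect", "A system call was detected"),
        ("unusual-client-port-connection", "A client was using an unusual port"),
        ("web-application-activity", "Access to a potentially vulnerable web application"),
    ],
}

FIRST_LINE_CHARS = 250  # the status detail keeps only the first 250 characters


def build_regex(entries):
    """Alternation of every keyword in a group. The \\b anchors matter: without
    them "Successful User Privilege Gain" (Critical 1) would also match inside
    "Unsuccessful User Privilege Gain" (Critical 2)."""
    words = sorted({w for pair in entries for w in pair}, key=len, reverse=True)
    return re.compile(r"\b(?:" + "|".join(map(re.escape, words)) + r")\b", re.IGNORECASE)


REGEXES = {name: build_regex(entries) for name, entries in GROUPS.items()}


def scan_appended(lines, start_line=1):
    """Scan the lines appended since the previous interval. Returns, per group,
    the matched line count, the matching line numbers and the first matching
    line truncated to FIRST_LINE_CHARS (the status details on the page)."""
    details = {name: {"count": 0, "lines": [], "first": None} for name in GROUPS}
    for offset, line in enumerate(lines):
        lineno = start_line + offset
        for name, rx in REGEXES.items():
            if rx.search(line):
                hit = details[name]
                hit["count"] += 1
                hit["lines"].append(lineno)
                if hit["first"] is None:
                    hit["first"] = line.rstrip("\r\n")[:FIRST_LINE_CHARS]
    return details


def service_status(details):
    """Roll-up assumed here: any match on a Critical expression -> Failed,
    otherwise any match on a Warning expression -> Warning, else Normal.
    (Assumes a line-count threshold of one; the page's default is Off.)"""
    for severity, status in (("Critical", "Failed"), ("Warning", "Warning")):
        if any(d["count"] for n, d in details.items() if n.startswith(severity)):
            return status
    return "Normal"


# Constructed sample lines in Snort alert_fast format (not from a real sensor).
SAMPLE_LOG = [
    "05/14-09:12:01.412003  [**] [1:1000001:1] TEST bad traffic [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.0.2.10:51522",
    "05/14-09:12:04.020118  [**] [1:1000002:1] TEST root shell attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:41022 -> 192.0.2.10:22",
    "05/14-09:12:09.770345  [**] [1:1000003:1] TEST failed login [**] "
    "[Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:41030 -> 192.0.2.10:21",
    "05/14-09:12:15.003912  [**] [1:1000004:1] TEST decoder noise [**] "
    "[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:51530 -> 203.0.113.7:80",
    "05/14-09:12:22.551670  [**] [1:1000005:1] TEST probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.4:53412 -> 192.0.2.10:161",
]

if __name__ == "__main__":
    result = scan_appended(SAMPLE_LOG)
    print(service_status(result), {n: h["lines"] for n, h in result.items()})
```

Two points the example makes that the tables alone do not: the default alert_fast output carries the classification text rather than the short class-type name, so a keyword list built only from short names should be checked against a real line from the monitored log before relying on it; and a naive substring match on "Successful User Privilege Gain" also fires on "Unsuccessful User Privilege Gain", which would raise a Critical (1) hit for a Critical (2) event, so the expressions are anchored on word boundaries.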