
Intrusion Detection Service

The Intrusion Detection service monitors events that are generated by Snort and any other intrusion detection applications installed on your network. 

The intrusion detection application searches the network packets for suspicious patterns that match its predefined class-types and logs them to a local log file or to its database. If the intrusion detection application has been configured to log its events to a local log file, then MSP N-central can monitor the application.

During the monitoring process, the agent that is used for the Intrusion Detection service scans the log file for any keywords that match the regular expressions specified for the service. If a match is found, the agent reports it to the central server. Based on the specified threshold, MSP N-central then displays the appropriate status for the service.

If the status triggers a notification, the notification includes the first line and the line numbers on which the keyword was found, unless a numeric pager was used for the notification. The first line and any subsequent line numbers are also displayed in the applicable reports and on the status details screen for the service. This service also supports wide characters.

By default, the Snort class-types are contained in the service's regular expressions, which are classified as Failed or Warning.

The Intrusion Detection service is supported by the Linux agent and all of the Windows agents.

Service Type: Log Appended

Instances on a Device:

Supported Systems/Applications: Snort and IDS applications

Device Class: Server - Generic, Workstation - Generic, Laptop - Windows, Server - Windows, and Workstation - Windows

Monitored By: Agent (Windows and Red Hat Enterprise Linux)

Scan Interval: 5 minutes

Log File Name and Path: The directory path and name of the log file monitored by this service. The name and path specified can be complete or partial, and will change depending on the Intrusion Detection software you use.

For example: C:\N-able\Rocks\MSP.log

Critical (1) Regular Expression 1

Class Type



Attempted Administrator Privilege Gain


Attempted User Privilege Gain


Executable code was detected


Successful Administrator Privilege Gain


Successful User Privilege Gain

Critical (2) Regular Expression 2

Class Type


trojan activity

A Network Trojan was detected


Unsuccessful User Privilege Gain

web-application attack

Web Application Attack

Warning (1) Regular Expression 3

Class Type



Attempted Denial of Service.


Attempted Information Leak.


Potentially Bad Traffic.


Detection of a Denial of Service Attack.


Misc Attack.


Detection of a non-standard protocol or event.


Decode of an RPC Query.


Denial of Service.


Large Scale Information Leak.


Information Leak.


A suspicious filename was detected.


An attempted login using a suspicious username was detected.

Warning (2) Regular Expression 4

Class Type



A system call was detected


A client was using an unusual port


access to a potentially vulnerable web application

Other status details

Status Details

Class Type


The line count matched regex...


The number of lines in the log file on which the keyword was found, as returned by the agent. This information is displayed for each regular expression on the status details screen for the service, any applicable reports, and any triggered notifications, except for numeric pages.

The first line matched


The first 250 characters of the first line in the log file that contains the matching keyword, as returned by the agent. This information is displayed on the service's status details screen, any applicable reports, and any triggered notifications, except for numeric pages.
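
The following is an added illustration, not MSP N-central's code or its shipped regular expressions. It mimics the scan described on this page: the class-type descriptions from the tables above are matched against the Classification field of Snort alert lines, and each scan returns the line count, the line numbers and the first 250 characters of the first matching line. The sample log lines, the alternation regexes and the any-match thresholds are assumptions.

```python
import re

# Class-type descriptions copied from the tables on this page. Joining them
# into one alternation per severity is an assumption, not the shipped regexes.
CRITICAL = [
    "Attempted Administrator Privilege Gain", "Attempted User Privilege Gain",
    "Executable code was detected", "Successful Administrator Privilege Gain",
    "Successful User Privilege Gain", "A Network Trojan was detected",
    "Unsuccessful User Privilege Gain", "Web Application Attack"]
WARNING = [
    "Attempted Denial of Service", "Attempted Information Leak",
    "Potentially Bad Traffic", "Detection of a Denial of Service Attack",
    "Misc Attack", "Detection of a non-standard protocol or event",
    "Decode of an RPC Query", "Denial of Service", "Large Scale Information Leak",
    "Information Leak", "A suspicious filename was detected",
    "An attempted login using a suspicious username was detected",
    "A system call was detected", "A client was using an unusual port",
    "access to a potentially vulnerable web application"]

def build(descriptions):
    # Anchor on Snort's "[Classification: ...]" field so a rule message that
    # merely contains the same words is not counted as a match.
    alt = "|".join(re.escape(d) for d in descriptions)
    return re.compile(r"\[Classification: (?:%s)\.?\]" % alt, re.IGNORECASE)

def scan(lines, pattern):
    """Return (match count, 1-based line numbers, first 250 chars of first hit)."""
    hits = [(n, text) for n, text in enumerate(lines, 1) if pattern.search(text)]
    first = hits[0][1][:250] if hits else ""
    return len(hits), [n for n, _ in hits], first

def status(lines):
    # Assumed thresholds: any critical match -> Failed, any warning -> Warning.
    crit, warn = scan(lines, build(CRITICAL)), scan(lines, build(WARNING))
    state = "Failed" if crit[0] else "Warning" if warn[0] else "Normal"
    return state, crit, warn

# Constructed sample lines in Snort's fast-alert layout (documentation IPs).
SAMPLE = [
    "01/15-10:02:11.100001 [**] [1:1000001:1] ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "01/15-10:02:12.200002 [**] [1:1000002:1] Odd traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:4431 -> 198.51.100.5:80",
    "01/15-10:02:13.300003 [**] [1:1000003:1] Web Application Attack test string [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.11:5000 -> 198.51.100.5:80",
    "01/15-10:02:14.400004 [**] [1:1000004:1] Admin attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.12:5100 -> 198.51.100.5:22",
]

if __name__ == "__main__":
    state, crit, warn = status(SAMPLE)
    print(state, "critical lines:", crit[1], "warning lines:", warn[1])
```

The third sample line carries a critical description in its rule message only, so it is not counted; an unanchored keyword match on the same text would raise a false Failed status.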