N-central Help

Intrusion Detection service

The Intrusion Detection service monitors events that are generated by Snort and any other intrusion detection applications installed on your network. 

The intrusion detection application inspects network packets for suspicious patterns that match its predefined class-types and logs each event to a local log file or to its database. SolarWinds N-central can monitor the application only if it has been configured to log its events to a local log file; events written solely to a database are not visible to this service.

During the monitoring process, the agent that is used for the Intrusion Detection service scans the log file for any keywords that match the regular expressions specified for the service. If a match is found, the agent reports it to the central server. Based on the specified threshold, SolarWinds N-central then displays the appropriate status for the service.

If the status triggers a notification, the notification includes the first line and the line numbers where the keyword was found. The first line and any subsequent line numbers are also displayed in the applicable reports and on the status details screen for the service. This service also supports wide characters.

By default, the service's regular expressions contain the Snort class-types listed below, grouped into expressions whose matches set the service to Failed (the Critical expressions) or to Warning.

The Intrusion Detection service is supported by the Linux agent and all of the Windows agents.

Service Type: Log Appended
Instances on a Device: 1
Supported Systems/Applications: Snort and IDS applications
Device Class: Server - Generic, Workstation - Generic, Laptop - Windows, Server - Windows, and Workstation - Windows
Monitored By: Agent (Windows and Red Hat Enterprise Linux)
Scan Interval: 5 minutes
Log File Name and Path

The directory path and name of the log file monitored by this service. The path and name you specify can be complete or partial, and will vary with the intrusion detection software you use.

For example: C:\N-able\Rocks\MSP.log

Critical (1) Regular Expression 1

Class Type Description
attempted-admin Attempted administrator privilege gain.
attempted-user Attempted user privilege gain.
shellcode-detect Executable code was detected.
successful-user Successful user privilege gain.
successful-admin Successful administrator privilege gain.

Critical (2) Regular Expression 2

Class Type Description
trojan-activity A network Trojan was detected.
unsuccessful-user Unsuccessful user privilege gain.
web-application-attack Web application attack.

Warning (1) Regular Expression 3

Class Type Description
attempted-dos Attempted denial of service.
attempted-recon Attempted information leak.
bad-unknown Potentially bad traffic.
denial-of-service Detection of a denial of service attack.
misc-attack Misc attack.
non-standard-protocol Detection of a non-standard protocol or event.
rpc-portmap-decode Decode of an RPC query.
successful-dos Denial of service.
successful-recon-largescale Large scale information leak.
successful-recon-limited Information leak.
suspicious-filename-detect A suspicious file name was detected.
suspicious-login An attempted login using a suspicious username was detected.

Warning (2) Regular Expression 4

Class Type Description
system-call-detect A system call was detected.
unusual-client-port-connection A client was using an unusual port.
web-application-activity Access to a potentially vulnerable web application.

Other status details

Status Details Class Type Description
The line count matched regex... Off The number of lines in the log file in which the keyword was located, as returned by the agent. This information is displayed for each regular expression on the status details screen for the service, in any applicable reports, and in any triggered notifications.
The first line matched   The first 250 characters of the first line in the log file that contains the matching keyword, as returned by the agent. This information is displayed on the service's status details screen, in any applicable reports, and in any triggered notifications.
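The following is an added example, not N-central agent code, that reproduces the behaviour described above: one regular expression per status group built from the class-types listed on this page, a scan that counts matching lines, records their line numbers and keeps the first 250 characters of the first match, and a status derived from a threshold. The threshold of one matching line, the Failed/Warning/Normal mapping, and the decision to match the class-type description as well as its name (the form Snort's alert_fast output writes) are assumptions of this example; the page does not state them. The sample log lines are constructed and are not real alerts.

```python
import re
from dataclasses import dataclass, field

# Snort class-type names and descriptions exactly as listed on this page,
# grouped by the regular expression (and therefore status) they belong to.
GROUPS = {
    "Critical (1)": {
        "attempted-admin": "Attempted administrator privilege gain",
        "attempted-user": "Attempted user privilege gain",
        "shellcode-detect": "Executable code was detected",
        "successful-user": "Successful user privilege gain",
        "successful-admin": "Successful administrator privilege gain",
    },
    "Critical (2)": {
        "trojan-activity": "A network Trojan was detected",
        "unsuccessful-user": "Unsuccessful user privilege gain",
        "web-application-attack": "Web application attack",
    },
    "Warning (1)": {
        "attempted-dos": "Attempted denial of service",
        "attempted-recon": "Attempted information leak",
        "bad-unknown": "Potentially bad traffic",
        "denial-of-service": "Detection of a denial of service attack",
        "misc-attack": "Misc attack",
        "non-standard-protocol": "Detection of a non-standard protocol or event",
        "rpc-portmap-decode": "Decode of an RPC query",
        "successful-dos": "Denial of service",
        "successful-recon-largescale": "Large scale information leak",
        "successful-recon-limited": "Information leak",
        "suspicious-filename-detect": "A suspicious file name was detected",
        "suspicious-login": "An attempted login using a suspicious username was detected",
    },
    "Warning (2)": {
        "system-call-detect": "A system call was detected",
        "unusual-client-port-connection": "A client was using an unusual port",
        "web-application-activity": "Access to a potentially vulnerable web application",
    },
}
FIRST_LINE_CHARS = 250  # the page states the first matched line is cut at 250 characters


def build_regex(class_types):
    """One case-insensitive regex per group that matches either the class-type
    name or its description as a whole token."""
    # The lookbehind/lookahead guards require a non-word, non-hyphen boundary, so
    # 'successful-user' does not fire on 'unsuccessful-user' lines the way a plain
    # substring or keyword search would.
    alternatives = [re.escape(t) for pair in class_types.items() for t in pair]
    return re.compile(r"(?<![\w-])(?:" + "|".join(alternatives) + r")(?![\w-])", re.IGNORECASE)


@dataclass
class RegexResult:
    line_count: int = 0                               # "The line count matched regex..."
    line_numbers: list = field(default_factory=list)  # reported in notifications
    first_line: str = ""                              # "The first line matched", truncated


def scan_log(lines, groups=GROUPS):
    """Scan log lines (any iterable of str, e.g. an open UTF-8 file) per regex group."""
    regexes = {name: build_regex(types) for name, types in groups.items()}
    results = {name: RegexResult() for name in groups}
    for lineno, line in enumerate(lines, start=1):
        for name, rx in regexes.items():
            if rx.search(line):  # a line counts once per group, however many tokens it holds
                res = results[name]
                res.line_count += 1
                res.line_numbers.append(lineno)
                if res.line_count == 1:
                    res.first_line = line.rstrip("\r\n")[:FIRST_LINE_CHARS]
    return results


def service_status(results, threshold=1):
    """Assumed mapping (the page gives no default threshold): any Critical regex at or
    above the threshold -> Failed, else any Warning regex at or above it -> Warning."""
    def tripped(prefix):
        return any(r.line_count >= threshold for n, r in results.items() if n.startswith(prefix))
    if tripped("Critical"):
        return "Failed"
    if tripped("Warning"):
        return "Warning"
    return "Normal"


# Constructed sample log in the shape of Snort alert_fast output (not real alerts).
# Line 3 is padded past 250 characters to exercise truncation; line 4 carries a
# non-ASCII character, since the service supports wide characters.
SAMPLE_LOG = [
    "03/15-10:01:02.000001  [**] [1:1000001:1] TEST unsuccessful-user ssh login probe [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51000 -> 192.0.2.10:22",
    "03/15-10:01:03.000002  [**] [1:1000002:1] TEST attempted-recon portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51001 -> 192.0.2.10:80",
    "03/15-10:01:04.000003  [**] [1:1000003:1] TEST shellcode-detect x86 NOP sled [**] [Classification: Executable Code was Detected] [Priority: 1] {TCP} 203.0.113.7:51002 -> 192.0.2.10:445 payload=" + "90" * 120,
    "03/15-10:01:05.000004  [**] [1:1000004:1] TEST web-application-activity /admin/übersicht [**] [Classification: Access to a Potentially Vulnerable Web Application] [Priority: 2] {TCP} 203.0.113.7:51003 -> 192.0.2.10:80",
    "03/15-10:01:06.000005  [**] [1:1000005:1] TEST successful-admin root shell [**] [Classification: Successful Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51004 -> 192.0.2.10:22",
]

if __name__ == "__main__":
    res = scan_log(SAMPLE_LOG)
    for name, r in res.items():
        print(f"{name}: {r.line_count} line(s) at {r.line_numbers}; first: {r.first_line[:60]!r}")
    print("service status:", service_status(res))
```

Two points worth carrying over to a real deployment. First, the class-type tokens only match if they actually appear in the file; check what your IDS writes (Snort's alert output carries the classification description rather than the short classtype name), and adjust the expressions if neither form is present. Second, the guards around each alternative matter: without them the Critical (1) expression would also fire on every unsuccessful-user line, turning routine failed-login noise into a Failed status.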