Intrusion Detection service
The Intrusion Detection service monitors events that are generated by Snort and any other intrusion detection applications installed on your network.
The intrusion detection application searches the network packets for suspicious patterns that match its predefined class-types and logs them to a local log file or to its database. If the intrusion detection application has been configured to log its events to a local log file, then SolarWinds N-central can monitor the application.
During the monitoring process, the agent that is used for the Intrusion Detection service scans the log file for any keywords that match the regular expressions specified for the service. If a match is found, the agent reports it to the central server. Based on the specified threshold, SolarWinds N-central then displays the appropriate status for the service.
If the status triggers a notification, the notification includes the first line and the line numbers where the keyword was found. The first line and any subsequent line numbers are also displayed in the applicable reports and on the status details screen for the service. This service also supports wide characters.
By default, the Snort class-types are contained in the service's regular expressions, which are classified as Failed or Warning.
The Intrusion Detection service is supported by the Linux agent and all of the Windows agents.
|Service Type||Log Appended|
|Instances on a Device||1|
|Supported Systems/Applications||Snort and IDS applications|
|Device Class||Server - Generic, Workstation - Generic, Laptop - Windows, Server - Windows, and Workstation - Windows|
|Monitored By||Agent (Windows and Red Hat Enterprise Linux)|
|Scan Interval||5 minutes|
|Log File Name and Path||
The directory path and name of the log file monitored by this service. The name and path specified can be complete or partial, and will change depending on the Intrusion Detection software you use.
Critical (1) Regular Expression 1
|attempted-admin||Attempted administrator privilege gain.|
|attempted-user||Attempted user privilege gain.|
|shellcode-detect||Executable code was detected.|
|successful-user||Successful administrator privilege gain.|
|successful-admin||Successful user privilege gain.|
Critical (2) Regular Expression 2
|trojan activity||A network Trojan was detected.|
|unsuccessful-user||Unsuccessful user privilege gain.|
|web-application attack||Web application attack.|
Warning (1) Regular Expression 3
|attempted-dos||Attempted denial of service.|
|attempted-recon||Attempted information leak.|
|bad-unknown||Potentially bad traffic.|
|denial-of-service||Detection of a denial of service attack.|
|non-standard-protocol||Detection of a non-standard protocol or event.|
|rpc-portmap-decode||Decode of an RPC query.|
|successful-dos||Denial of service.|
|successful-recon-largescale||Large scale information leak.|
|suspicious-filename-detect||A suspicious file name was detected.|
|suspicious-login||An attempted login using a suspicious username was detected.|
Warning (2) Regular Expression 4
|system-call-detect||A system call was detected.|
|unusual-client-port-connection||A client was using an unusual port.|
|web-application-activity||Access to a potentially vulnerable web application.|
Other status details
|Status Details||Class Type||Description|
|The line count matched regex...||Off||The number of lines in the log file that the keyword has been located and returned by the agent. This information is displayed for each regular expression on the status details screen for the service, any applicable reports, and any triggered notifications.|
|The first line matched||The first 250 characters of the first line in the log file containing the matching keyword returned by the agent. This information is displayed on the service's status details screen, any applicable reports, and any triggered notifications.|