Subscriber Discussion

Intrusion Detection Using IDS Tool Like SNORT

Chandra sekar Veerappan
Jul 28, 2016

Dear IPVM members,

Cheers! I need a suggestion for my project (it may be interesting for you as well). I have a few cameras in our lab which are exposed to the public internet. With the correct IP and port, you will land on the login page of the camera. At the same time, we are collecting pcap files using tcpdump. Eventually, we have a lot of pcap files for off-line analysis, to find out a few important details:

1. Is anyone trying to brute force / guess passwords to log in to the cameras?

2. These cameras should not be accessed (except from certain public IPs in our whitelist). Monitor who is visiting, from where, etc. in a log file or CSV file.

I am using Snort in IDS mode to analyse the pcap files (off-line) with a few rules. I am using the Security Onion distro for this, which has Snort and other useful tools installed, to make this easier.

So, has anyone done similar things? I will be grateful if you share best practices or what to do / what not to do.

For example: create each day's (date-wise) pcap file from the master folder into a sub folder. Snort will use (automatically or manually) this folder's data as its input pcap files, etc.

Any thoughts welcome :)

Thanks

Chandra
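The two checks asked for above (repeated login attempts per source, and any source outside a whitelist) can be prototyped without Snort. The following is an added example, not code from the original post or from Snort or Security Onion: a small stand-alone parser that reads a pcap (Ethernet/IPv4/TCP), pulls out HTTP request lines aimed at the camera, flags any source that sends five or more POST /login requests within 60 seconds, lists every visitor that is not on the whitelist, and emits CSV rows. The capture itself is constructed in the script (addresses 10.0.0.5, 198.51.100.7, 203.0.113.10 and 192.0.2.44, the /login path, the thresholds and the whitelist are all assumptions), so it runs offline. The same sliding-window idea is what Snort's `detection_filter: track by_src, count N, seconds M;` rule option expresses.

```python
"""Offline analysis of camera pcaps: who hit the login page, and who hammered it."""
import struct
from collections import defaultdict

CAMERA_IP = "10.0.0.5"          # assumed lab camera address (constructed)
WHITELIST = {"203.0.113.10"}   # assumed allowed public IPs (constructed)
ETH_IPV4, PROTO_TCP = 0x0800, 6


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _frame(ts, src, dst, sport, dport, payload, seq=1):
    """Ethernet/IPv4/TCP frame wrapped as one pcap record (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     _ip(src), _ip(dst)) + tcp
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4) + ip
    return struct.pack("<IIII", ts, 0, len(eth), len(eth)) + eth


def build_sample_pcap():
    """Constructed capture: one brute-forcer, one whitelisted admin, one stray visitor."""
    login = (b"POST /login HTTP/1.1\r\nHost: 10.0.0.5\r\nContent-Length: 29\r\n\r\n"
             b"username=admin&password=admin")
    recs = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # pcap global header, Ethernet
    for i in range(6):                                        # 6 login POSTs in 25 s -> brute force
        recs.append(_frame(1469700000 + i * 5, "198.51.100.7", CAMERA_IP, 40000 + i, 80, login))
    recs.append(_frame(1469700100, "203.0.113.10", CAMERA_IP, 51000, 80, login))      # allowed admin
    recs.append(_frame(1469700200, "192.0.2.44", CAMERA_IP, 52000, 80,
                       b"GET / HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"))                  # stray visitor
    # an ARP frame: the parser must skip non-IPv4 traffic instead of crashing
    arp = b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28
    recs.append(struct.pack("<IIII", 1469700300, 0, len(arp), len(arp)) + arp)
    return b"".join(recs)


def iter_http_requests(pcap):
    """Yield (ts, src_ip, dst_ip, dst_port, request_line) for TCP segments carrying an HTTP request."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"      # pcap records follow the file's byte order
    off = 24                                           # skip the 24-byte global header
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack_from(endian + "IIII", pcap, off)
        pkt = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETH_IPV4:
            continue                                   # not IPv4 (e.g. ARP): ignore
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[23] != PROTO_TCP:
            continue
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        tcp = 14 + ihl
        if len(pkt) < tcp + 20:
            continue
        dport = struct.unpack_from("!H", pkt, tcp + 2)[0]
        doff = (pkt[tcp + 12] >> 4) * 4
        first = pkt[tcp + doff:].split(b"\r\n", 1)[0]
        if first.startswith((b"GET ", b"POST ")):
            yield ts, src, dst, dport, first.decode("ascii", "replace")


def analyze(pcap, whitelist=WHITELIST, threshold=5, window=60):
    """Return brute-force sources, every non-whitelisted visitor, and CSV rows of all requests."""
    logins = defaultdict(list)          # src -> timestamps of POST /login
    visitors = defaultdict(int)         # src -> number of HTTP requests seen
    rows = ["ts,src,dst,dport,request"]
    for ts, src, dst, dport, line in iter_http_requests(pcap):
        rows.append(f"{ts},{src},{dst},{dport},{line}")
        visitors[src] += 1
        if line.startswith("POST /login"):
            logins[src].append(ts)
    brute = {}
    for src, times in logins.items():
        times.sort()
        # sliding window: any `threshold` attempts within `window` seconds trips the alert
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                brute[src] = len(times)
                break
    unlisted = {s: n for s, n in visitors.items() if s not in whitelist}
    return {"brute_force": brute, "unlisted": unlisted, "csv": rows}


if __name__ == "__main__":
    result = analyze(build_sample_pcap())
    print("\n".join(result["csv"]))
    print("brute force:", result["brute_force"])
    print("not whitelisted:", result["unlisted"])
```

To run it over a real capture, replace `build_sample_pcap()` with `open("day.pcap", "rb").read()` and adjust `CAMERA_IP`, `WHITELIST` and the login path to the camera's actual login URL; cameras that use HTTP Basic or Digest authentication send the credentials in an `Authorization:` header on a GET rather than a POST body, so match on that header instead. The parser only reads a single segment per request and handles classic pcap, not pcapng, which is enough for the offline triage described above.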

Brian Karas
Jul 28, 2016
IPVM

If you're trying to automatically detect intrusion attempts and block them you might want to check out fail2ban.

Chandra sekar Veerappan
Jul 29, 2016

Banning is not an option now, because I want to collect the data and explore it.

Thanks for the info. So, fail2ban runs on each of my servers? If I mention blacklisted IPs, it will ban them automatically and record it? Appreciate your thoughts :)

Cheers!

chandra

Brian Karas
Jul 29, 2016
IPVM

It sounds like you want to create a Honeypot. Something that is geared specifically to security sounds interesting, especially with the Axis vulnerability potentially being exploited soon.

fail2ban runs on each server, and detects basic intrusion attempts and sets up iptables rules automatically. For what you are doing I think you do not want to use it though because it might block the people you want to detect.
