Knowledgebase

Notice: Monitoring services will be discontinued from March 31st, 2019.

Intrusion detection to Server/Services

The features included with this are realtime monitoring/detection/ prevention of :

ARP Service :

• New host detection
• Monitoring changes in network interface
• Bad address detection
• Detection of ARP spoofing attempt

Apache Server :

• Apache segmentation fault
• Code red attack
• Multiple Authentication failures
• Multiple invalid URI request
• Resource unavailability

System :

• Multiple authentication failures
• Multiple viruses detected
• Failed login attempts
• Network scan from same source IP
• Rootcheck event.
• Ignored common NTFS ADS entries.
• Windows malware detected.
• Windows Adware/Spyware application found.
• Vulnerable web application found.
• Disk space monitor.
• Listened ports status
• Logged user information.
• Integrity checksum changed.
• Host information
• Registry Integrity Checksum

Mail Servers :

• Courier brute force
• Dovecot Fatal Failure
• Dovecot Invalid User Login Attempt
• Dovecot Multiple Authentication Failures
• Dovecot brute force attack
• Multiple Firewall drop events from same source
• Spam detection
• Multiple attempts of spam
• IP Address black-listed by anti-spam (blocked).
• Postfix process error.
• Postfix SASL authentication failure.
• Postfix insufficient disk space error.
• Multiple relaying attempts of spam.
• Multiple misuse of SMTP service
• Multiple SASL authentication failures.
• Grouping of the clamsmtpd rules.
• Multiple attempts to send e-mail from invalid/unknown sender domain.
• SMF-SAV sendmail milter unable to verify address (REJECTED).

Database Servers :

• Database authentication
• Database shutdown message
• Database error
• Database fatal error
• Multiple database error

DNS Server :

• Invalid DNS packet. Possibility of attack.
• Failed attempt to perform a zone transfer.
• DNS update denied.
• General mis-configuration.
• Server does not have enough memory to reload the configuration.

PHP :

• PHP web attack.
• PHP internal error

SSH Server :

• SSH-Possible scan or break in attempt
• OpenSSH challenge-response exploit
• Authentication failure
• Possible brute-force attack
• SSH CRC-32 Compensation attacks.

FTP Server :

• Login failed accessing the FTP server
• Server misconfiguration.
• Multiple failed login attempts.
• Mismatch in server's hostname.
• Reverse lookup error.
• Remote host connected to FTP server.
• FTP server Buffer overflow attempt.
• Unable to bind to adress.
• FTP brute force (multiple failed logins).
• Multiple connection attempts from same source.
• Multiple timed out logins from same source.

Web Applications :

• WordPress Comment Spam
• TimThumb vulnerability exploit attempt.
• osCommerce login.php bypass attempt.
• TimThumb backdoor access attempt.
• Cart.php directory transversal attempt.
• MSSQL Injection attempt (ur.php, urchin.js).
• Blacklisted user agent (known malicious user agent).
• CMS (WordPress or Joomla) login attempt.
• CMS (WordPress or Joomla) brute force attempt.
• Uploadify vulnerability exploit attempt.
• BBS delete.php exploit attempt.
• Simple shell.php command execution.
• PHPMyAdmin scans (looking for setup.php).
• Suspicious URL access.
• SQL injection attempt.
• Common web attack.
• XSS (Cross Site Scripting) attempt.
• PHP CGI-bin vulnerability attempt.
• MSSQL Injection attempt (/ur.php, urchin.js)
• browsers. Possible attack.(500,501,503)
• Ignoring google/msn/yahoo bots.
• Multiple SQL injection attempts from same souce ip.
• Multiple common web attacks from same souce ip.
• Multiple XSS (Cross Site Scripting) attempts from same souce ip.
• Multiple web server attack.
• Wordpress Comment Flood Attempt.
• Multiple wordpress authentication failures.

How are the monitoring incidents handled?

Instances of our monitoring agents are present in your server, that alerts our central monitoring system of any incidents. The entry point of the attack is blocked by the Active Response on our system, that triggers a Firewall block for attacks classified as severe. The intruder IP address is blocked for 10 minutes, which could prevent any further attempts to your server. The alerts are also monitored in the WebUI by our Agents to take actions if necessary on the server.

What is required if you need to be alerted of every instance of an attack?

We can set email alerts for you to your address where you will receive notifications during every attack/incident in real time and the mail will also have information about the follow-up Active response by our system to block.

How are false positives controlled? Can any legitimate requests get blocked?

We have designed and configured our system to have minimum false positives. The attacks are classified based on the type and severity, and are thus prioritised. For low level atacks, the events will be considered as an attack based on the concurrency of the event within a particular time interval. For attacks with higher severeity (above 10), the blocking of IP address of the attacker is instant, and these types of attacks can never be through a legitimate request.

If a legitimate IP address gets blocked somehow, the block would be sustained only for 10 minutes, after which the connection can be resumed to the server.