What types of activities are indications of a potential attack? What kinds of actions can an IDS respond to? Let’s take a look at activities that may indicate an intrusion has occurred.
Host System Intrusions
What is an indicator of an attack on a host? A wide range of activities could be construed as an attack:
- File system anomalies such as unknown files, altered file attributes, and/or alteration of files.
- New files or folders that appear without explanation or whose purpose cannot be ascertained. New files may be a sign of a rootkit or of an attack that is spreading across the network.
- Presence of rogue suid or sgid files on a Linux system.
- Unknown or unexplained modifications to files.
- Unknown file extensions.
- Cryptic filenames.
- Double extensions such as filename.exe.exe.
This is not an exhaustive list. As attackers evolve, so do the attacks that may be used against a target.
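As an added illustration (not part of the original text), the following Python script shows how a host-based integrity check turns several of the indicators above into concrete detections: it records a baseline of file hashes and permission bits, then reports new files, altered content or attributes, set-id bits the baseline never had, and double-extension names. The regex, the file names and the demo() scenario are constructed for this example and are not from the original page.

```python
import hashlib, os, re, stat, tempfile

# Constructed pattern for double extensions such as invoice.pdf.exe or filename.exe.exe
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,5}\.(exe|scr|bat|com|dll)$", re.IGNORECASE)
SETID = stat.S_ISUID | stat.S_ISGID

def snapshot(root):
    # Map each regular file under root to (sha256 of content, permission bits)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):  # skip symlinks, sockets and devices
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                baseline[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return baseline

def compare(baseline, current):
    # Turn differences between two snapshots into the host indicators listed above
    findings = []
    for rel, (digest, mode) in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append(("new file", rel))
        elif old != (digest, mode):
            findings.append(("content modified" if old[0] != digest else "attributes changed", rel))
        if mode & SETID and not (old and old[1] & SETID):
            findings.append(("rogue suid/sgid", rel))  # set-id bit the baseline never had
        if DOUBLE_EXT.search(os.path.basename(rel)):
            findings.append(("double extension", rel))
    return sorted(findings)

def _write(root, name, data, mode="wb"):
    with open(os.path.join(root, name), mode) as fh:
        fh.write(data)

def demo():
    # Constructed scenario: baseline a directory, then plant typical post-intrusion changes
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app.conf", b"debug=0\n")
        _write(root, "helper", b"#!/bin/sh\n")
        os.chmod(os.path.join(root, "helper"), 0o755)
        baseline = snapshot(root)
        _write(root, "app.conf", b"debug=1\n", "ab")     # altered file
        os.chmod(os.path.join(root, "helper"), 0o4755)   # suid bit set after the baseline
        _write(root, "invoice.pdf.exe", b"MZ")           # new file with a double extension
        return compare(baseline, snapshot(root))
```

In practice the baseline would be stored off-host and signed, since an intruder who can alter files can also alter a baseline kept beside them.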
Indications of a potential network attack or intrusion include the following:
- Increased and unexplained use of network bandwidth
- Probes of services on systems on the network
- Connection requests from unknown IPs outside the local network
- Repeated login attempts from remote hosts
- Unknown or unexplained messages in log files
Nonspecific Signs of Intrusion
Other signs can appear that may indicate the presence of an intruder or potential intrusion in progress:
- Modifications to system software and configuration files
- Missing logs or logs with incorrect permissions or ownership
- System crashes or reboots
- Gaps in the system accounting
- Unfamiliar processes
- Use of unknown logins
- Logins during nonworking hours
- Presence of new user accounts
- Gaps in system audit files
- Decrease in system performance
- Unexplained system reboots or crashes