Signs of an Intrusion

What types of activities are indications of a potential attack? What types of actions can an IDS respond to? Let’s take a look at activities that may indicate an intrusion has occurred.

Host System Intrusions

What is an indicator of an attack on a host? A wide range of activities could be construed as an attack:

  •  File system anomalies such as unknown files, altered file attributes, or altered file contents.
  •  New files or folders that appear without explanation or whose purpose cannot be ascertained. New files may be a sign of something such as a rootkit, or of an attack that could spread across a network.
  •  Presence of rogue suid or sgid binaries on a Linux system.
  •  Unknown or unexplained modifications to files.
  •  Unknown file extensions.
  •  Cryptic filenames.
  •  Double extensions such as filename.exe.exe.

This is not an exhaustive list. As attackers evolve, so do the attacks that may be used against a target.
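As an added example (not code from the original text), the following Python script shows how several of the host indicators above can be checked mechanically: it records a baseline of a directory tree (permission bits, size, SHA-256), then compares a later snapshot to report new files, changed contents, changed attributes, setuid/setgid bits that the baseline did not have, and double extensions such as filename.exe.exe. The directory, its files and the tampering are all constructed inside a temporary directory so the script runs offline; the executable-suffix list and the paths used in demo() are assumptions made for the illustration.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Suffixes treated as executable for the double-extension check
# (an assumed list for this example, beyond the .exe.exe case in the text).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".bat", ".com"}
SUID_SGID = stat.S_ISUID | stat.S_ISGID


def snapshot(root):
    """Map each regular file under root to (permission bits, size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and the like
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            snap[rel] = (stat.S_IMODE(st.st_mode), st.st_size, digest)
    return snap


def has_double_extension(name):
    """Heuristic: two or more suffixes and the last one is executable (invoice.pdf.exe)."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_SUFFIXES


def compare(baseline, current):
    """Return the host indicators found by comparing a later snapshot to the baseline."""
    findings = {"new_file": [], "modified": [], "attr_changed": [],
                "suid_sgid": [], "double_ext": []}
    for rel, (mode, _size, digest) in current.items():
        if rel not in baseline:
            findings["new_file"].append(rel)
        else:
            old_mode, _old_size, old_digest = baseline[rel]
            if digest != old_digest:
                findings["modified"].append(rel)
            if mode != old_mode:
                findings["attr_changed"].append(rel)
        # A setuid/setgid bit the baseline did not have is a rogue one;
        # a bit that was already there (e.g. passwd) is expected and not reported.
        old_mode = baseline.get(rel, (0,))[0]
        if mode & SUID_SGID and not old_mode & SUID_SGID:
            findings["suid_sgid"].append(rel)
        if has_double_extension(os.path.basename(rel)):
            findings["double_ext"].append(rel)
    return {key: sorted(paths) for key, paths in findings.items()}


def write(path, data, mode):
    """Write data to path and set its permission bits explicitly (demo helper)."""
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Build a constructed tree, take a baseline, tamper with it, and compare."""
    root = tempfile.mkdtemp(prefix="host_ids_demo_")
    try:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        write(os.path.join(bindir, "passwd"), b"passwd-binary", 0o4755)  # legitimate setuid
        write(os.path.join(bindir, "ls"), b"ls-binary", 0o755)
        write(os.path.join(root, "etc_hosts"), b"127.0.0.1 localhost\n", 0o644)
        baseline = snapshot(root)

        # Constructed tampering after the baseline was taken:
        write(os.path.join(bindir, "ls"), b"trojaned-ls", 0o4755)      # content changed, setuid added
        os.chmod(os.path.join(root, "etc_hosts"), 0o666)                 # attributes changed only
        write(os.path.join(root, "x7q"), b"\x00\x01\x02", 0o600)         # cryptic, unexplained new file
        write(os.path.join(root, "invoice.pdf.exe"), b"MZ-stub", 0o644)  # double extension
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for indicator, paths in demo().items():
        print(indicator, paths)
```

The baseline is the important design choice: a setuid bit on its own is not a finding (passwd legitimately has one), so the script only reports bits and files that differ from a snapshot taken when the host was known-good. In practice the baseline would be stored off-host so an intruder cannot adjust it along with the files.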

Network Intrusions

Indications of a potential network attack or intrusion include the following:

  •  Increased and unexplained use of network bandwidth
  •  Probes of services running on systems on the network
  •  Connection requests from unknown IPs outside the local network
  •  Repeated login attempts from remote hosts
  •  Unknown or unexplained messages in log files

Nonspecific Signs of Intrusion

Other signs can appear that may indicate the presence of an intruder or potential intrusion in progress:

  •  Modifications to system software and configuration files
  •  Missing logs or logs with incorrect permissions or ownership
  •  System crashes or reboots
  •  Gaps in the system accounting
  •  Unfamiliar processes
  •  Use of unknown logins
  •  Logins during nonworking hours
  •  Presence of new user accounts
  •  Gaps in system audit files
  •  Decrease in system performance
  •  Unexplained system reboots or crashes
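The network and nonspecific indicators above are mostly visible in authentication logs. As an added example that is not part of the original text, the Python script below runs over a handful of constructed syslog-style sshd and useradd lines and flags repeated failed logins from one remote host, connection sources outside the local address ranges, logins outside working hours, logins by accounts not on a known-user list, and newly created accounts. The local networks, known users, working-hours window, failure threshold and the log lines themselves are all assumptions made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed site policy for the example: local ranges, accounts that are
# expected to log in, and the working-hours window (08:00-17:59).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
KNOWN_USERS = {"root", "alice", "bob"}
WORK_HOURS = range(8, 18)
FAILED_LOGIN_THRESHOLD = 5

# Constructed syslog-style lines; the formats follow sshd and useradd closely,
# but the hosts, users and addresses are made up for this example.
SAMPLE_LOG = [
    "Mar  3 02:14:07 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    "Mar  3 02:14:12 web1 sshd[2202]: Failed password for root from 203.0.113.9 port 51235 ssh2",
    "Mar  3 02:14:18 web1 sshd[2203]: Failed password for root from 203.0.113.9 port 51236 ssh2",
    "Mar  3 02:14:25 web1 sshd[2204]: Failed password for invalid user admin from 203.0.113.9 port 51237 ssh2",
    "Mar  3 02:14:31 web1 sshd[2205]: Failed password for root from 203.0.113.9 port 51238 ssh2",
    "Mar  3 02:15:10 web1 sshd[2207]: Accepted password for root from 203.0.113.9 port 51240 ssh2",
    "Mar  3 09:02:33 web1 sshd[2300]: Accepted publickey for alice from 10.0.5.12 port 40122 ssh2",
    "Mar  3 09:05:01 web1 useradd[2310]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash",
    "Mar  3 14:30:45 web1 sshd[2401]: Failed password for bob from 10.0.5.40 port 40200 ssh2",
    "Mar  3 23:47:12 web1 sshd[2500]: Accepted publickey for svc_backup from 10.0.5.40 port 40300 ssh2",
    "Mar  3 23:48:00 web1 cron[2510]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")
USERADD_RE = re.compile(r"new user: name=([^,]+),")


def parse(line):
    """Split a syslog line into time fields, host, program and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    _mon, _day, hh, mm, _ss, host, prog, msg = m.groups()
    return {"hour": int(hh), "minute": int(mm), "host": host, "prog": prog, "msg": msg}


def is_external(ip_text):
    """True when the address lies outside every local network range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in LOCAL_NETS)


def analyze(lines):
    """Run the indicator checks over log lines and return what each one flagged."""
    failures = Counter()
    external = set()
    off_hours, unknown, new_accounts = [], [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["prog"] == "sshd":
            failed = FAILED_RE.search(rec["msg"])
            accepted = ACCEPTED_RE.search(rec["msg"])
            if failed:
                _user, src = failed.groups()
                failures[src] += 1  # repeated login attempts from remote hosts
            elif accepted:
                user, src = accepted.groups()
                if rec["hour"] not in WORK_HOURS:  # logins during nonworking hours
                    off_hours.append((user, src, "%02d:%02d" % (rec["hour"], rec["minute"])))
                if user not in KNOWN_USERS:  # use of unknown logins
                    unknown.append((user, src))
            else:
                continue
            if is_external(src):  # connection requests from outside the local network
                external.add(src)
        elif rec["prog"] == "useradd":
            m = USERADD_RE.search(rec["msg"])
            if m:
                new_accounts.append(m.group(1))  # presence of new user accounts
    return {
        "repeated_failures": {src: n for src, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD},
        "external_sources": sorted(external),
        "off_hours_logins": off_hours,
        "unknown_logins": unknown,
        "new_accounts": new_accounts,
    }


if __name__ == "__main__":
    for indicator, hits in analyze(SAMPLE_LOG).items():
        print(indicator, hits)
```

On the sample input the checks line up the way an analyst would read the story: five failures from 203.0.113.9 followed by an accepted root login at 02:15 from the same external address, then a new account created and used from inside the network late at night. Each indicator alone is weak; the value comes from the same source or account appearing under several of them.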