Server Intrusion Detection

Introduction

Virginia Tech’s IT Security Office runs a network intrusion detection system 24/7 that can help protect your computer. However, it is also important to run an intrusion detection system locally, on the server itself, to provide an extra layer of defense.

The Virginia Tech minimum security standards require that some form of security monitoring tool be used. The following are options that may be used:

Wazuh Security Monitoring

Wazuh is a security monitoring platform for server machines. It covers Endpoint Security, Threat Intelligence, Security Operations and Cloud Security, and these tools help you review alerts as they come in.

OSSEC Security Monitoring

OSSEC is a free, open source host intrusion detection platform that can be used to help protect a system. It is multiplatform and PCI compliant.

Procedures

Windows Server

Detecting intrusions on a Windows Server is important for protecting both the server and the devices connected to it. The following steps show how to look for possible intrusions on a Windows Server using the built-in Windows Event Viewer.

Windows Event Viewer

The Windows Event Viewer lets you browse, filter and manage the logs of activity recorded on a Windows Server.

  1. Open the Start Menu.
  2. Search for Event Viewer.
  3. On the left, select Windows Logs.
  4. From here, logs from different parts of the Windows Server can be viewed:
    • Application - logs related to applications.
    • Security - logs related to security, such as logon and logoff events.
    • Setup - logs generated during setup.
    • System - logs that the system itself generates.
  5. After selecting the type of log to view, go to the right and select Filter Current Log.
  6. In this menu you can filter on a particular event ID. Event IDs represent actions taken on the system; for example, ID 4624 represents a successful logon to the system. A table showing what each ID represents can be found in the Windows Server documentation.
  7. More information on the Windows Event Viewer and how to use it can be found in the Microsoft documentation.
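As an added example (it is not part of the original article or of Microsoft's documentation), the script below applies the event-ID filtering from step 6 outside the Event Viewer window. It reads Security log events exported as XML, for instance with `wevtutil qe Security /f:xml /c:1000 /rd:true`, and summarizes successful logons (4624) by account, logon type and source address, plus failed logons (4625) by source address. The export is wrapped in a synthetic root element before parsing, so it does not matter whether the file already has one. The five records in SAMPLE_EVENTS_XML are constructed for this example; the element names, Data field names and logon-type values are the documented Windows Security Auditing ones, while the host name srv01.example.edu, the accounts and the addresses are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by every element of an exported Windows event record.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Documented values of the LogonType field in 4624/4625 EventData.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample export (placeholder host, accounts and addresses): two successful
# logons (4624), two failed logons (4625) from one external address, and one
# privilege-assignment event (4672) that the logon summaries must ignore.
SAMPLE_EVENTS_XML = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T09:15:02.000Z"/><Channel>Security</Channel><Computer>srv01.example.edu</Computer></System><EventData><Data Name="TargetUserName">alice</Data><Data Name="TargetDomainName">EXAMPLE</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.15</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4672</EventID><TimeCreated SystemTime="2024-03-01T09:15:02.010Z"/><Channel>Security</Channel><Computer>srv01.example.edu</Computer></System><EventData><Data Name="SubjectUserName">alice</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><TimeCreated SystemTime="2024-03-01T09:20:00.000Z"/><Channel>Security</Channel><Computer>srv01.example.edu</Computer></System><EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">EXAMPLE</Data><Data Name="LogonType">5</Data><Data Name="IpAddress">-</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="2024-03-01T09:31:40.000Z"/><Channel>Security</Channel><Computer>srv01.example.edu</Computer></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">EXAMPLE</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">203.0.113.9</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><TimeCreated SystemTime="2024-03-01T09:31:43.000Z"/><Channel>Security</Channel><Computer>srv01.example.edu</Computer></System><EventData><Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">EXAMPLE</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">203.0.113.9</Data></EventData></Event>
"""


def parse_events(xml_text):
    """Parse an exported event log into dicts holding the event ID, time, computer and EventData fields."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # synthetic root; harmless if one exists
    events = []
    for ev in root.iter(EVT_NS + "Event"):
        system = ev.find(EVT_NS + "System")
        time_created = system.find(EVT_NS + "TimeCreated")
        events.append({
            "event_id": int(system.findtext(EVT_NS + "EventID")),
            "time": time_created.get("SystemTime", "") if time_created is not None else "",
            "computer": system.findtext(EVT_NS + "Computer", default=""),
            "data": {d.get("Name"): (d.text or "") for d in ev.iter(EVT_NS + "Data") if d.get("Name")},
        })
    return events


def filter_by_id(events, event_id):
    """The equivalent of Event Viewer's 'Filter Current Log' by event ID."""
    return [e for e in events if e["event_id"] == event_id]


def summarize_logons(events):
    """Count successful logons (4624) by account, logon type and source address."""
    counts = Counter()
    for e in filter_by_id(events, 4624):
        d = e["data"]
        account = f'{d.get("TargetDomainName", "")}\\{d.get("TargetUserName", "")}'
        logon_type = LOGON_TYPES.get(int(d.get("LogonType", 0)), "Unknown")
        counts[(account, logon_type, d.get("IpAddress", "-"))] += 1
    return counts


def failed_logons_by_source(events):
    """Count failed logons (4625) per source address; many failures from one address merit a closer look."""
    return Counter(e["data"].get("IpAddress", "-") for e in filter_by_id(events, 4625))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS_XML)
    for (account, logon_type, ip), n in summarize_logons(evs).items():
        print(f"4624 {account:<20} {logon_type:<18} from {ip:<15} x{n}")
    for ip, n in failed_logons_by_source(evs).items():
        print(f"4625 failed logons from {ip}: {n}")
```

On a real server, replace SAMPLE_EVENTS_XML with the contents of the wevtutil export; the same filter_by_id function can be pointed at any other event ID from the Windows Server documentation table mentioned in step 6.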

macOS

Apple has discontinued macOS server.

Linux

There are a few open source tools designed to detect intrusions. One of the most popular is Snort. The following explains how to install and configure Snort on a Linux server:

Debian/Ubuntu

  1. Update your package lists.
    $ sudo apt-get update
    
  2. Install Snort.
    $ sudo apt-get install snort
    
  3. When prompted, specify which interface Snort should listen on.
  4. Specify the address range for the network Snort should protect.
  5. After the package finishes installing, it should once again ask you to configure the interfaces Snort should listen on. Given this is a server, specify the network interface where traffic comes in from the router as well as the interface that supplies the network to the connected devices.
  6. Once Snort has finished installing, it can be run via the following command (capturing packets requires root privileges):
    $ sudo snort -c /etc/snort/snort.conf -l /var/log/snort/
    
    This will send any alerts to the log file in /var/log/snort/.
  7. The Snort package comes with a set of community rules. To configure your Snort installation further, consult the Snort documentation.

Fedora

  1. Locate the current Snort RPM on the Snort download page: https://www.snort.org/downloads/snort/
  2. Install the RPM directly from its URL, for example:
    $ sudo yum install https://www.snort.org/downloads/snort/snort-2.9.20-1.f35.x86_64.rpm
    
  3. Once Snort has finished installing, it can be run via the following command (capturing packets requires root privileges):
    $ sudo snort -c /etc/snort/snort.conf -l /var/log/snort/
    
    This will send any alerts to the log file in /var/log/snort/.
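As an added example (it is not part of the original article or of the Snort project), the script below reads the alerts that the final command in both the Debian/Ubuntu and Fedora steps writes under /var/log/snort/ and summarizes them for review. It assumes Snort was started with the extra option `-A fast`, so that each alert is one line in Snort's documented fast format (written to a file named `alert` in the log directory), and that the address range entered during configuration is the value passed as home_net (the same range as HOME_NET in snort.conf). The lines in SAMPLE_ALERT_LOG are constructed for this example, using LOCAL rule SIDs and documentation-range addresses as placeholders, and the parser handles IPv4 endpoints only.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One line of Snort's fast alert output (snort -A fast). The [Classification: ...]
# field is optional because rules without a classtype omit it, and ICMP endpoints
# carry no port, so the src/dst groups are split afterwards.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample alert file: placeholder LOCAL signatures, RFC 5737 documentation
# addresses for the outside world, 10.0.0.0/8 as the server network, one alert
# without a classification, and one non-alert line that must be skipped.
SAMPLE_ALERT_LOG = """\
08/28-14:03:11.123456  [**] [1:1000002:1] LOCAL suspicious shell response on web port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 10.0.0.20:49152
08/28-14:03:15.000001  [**] [1:1000001:1] LOCAL outbound SSH from server subnet [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.20:51234 -> 198.51.100.7:22
08/28-14:04:02.778899  [**] [1:1000003:2] LOCAL ICMP echo from management host [**] [Priority: 3] {ICMP} 10.0.0.44 -> 10.0.0.20
08/28-14:04:09.000000  [**] [1:1000002:1] LOCAL suspicious shell response on web port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 10.0.0.20:49160
Commencing packet processing (pid=4242)
"""


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int       # 1 is the most severe in Snort's scheme
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def split_endpoint(endpoint):
    """'10.0.0.20:49152' -> ('10.0.0.20', 49152); a bare address (ICMP) -> (address, None). IPv4 only."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host, int(port)
    return endpoint, None


def parse_alert(line):
    """Parse one fast-format line into an Alert, or return None for lines that are not alerts."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    src_ip, src_port = split_endpoint(m["src"])
    dst_ip, dst_port = split_endpoint(m["dst"])
    return Alert(m["ts"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                 m["cls"] or "", int(m["prio"]), m["proto"],
                 src_ip, src_port, dst_ip, dst_port)


def parse_log(text):
    """Parse a whole alert file, silently dropping non-alert lines."""
    return [a for a in (parse_alert(line) for line in text.splitlines()) if a is not None]


def summarize(alerts, home_net):
    """Group alerts the way they are triaged: by priority, by signature, and by whether the
    source address lies inside the configured network range (HOME_NET)."""
    net = ipaddress.ip_network(home_net, strict=False)
    summary = {"total": len(alerts), "by_priority": Counter(), "by_signature": Counter(),
               "internal_sources": Counter(), "external_sources": Counter()}
    for a in alerts:
        summary["by_priority"][a.priority] += 1
        summary["by_signature"][(a.sid, a.msg)] += 1
        try:
            inside = ipaddress.ip_address(a.src_ip) in net
        except ValueError:  # not a parseable address; treat as external
            inside = False
        summary["internal_sources" if inside else "external_sources"][a.src_ip] += 1
    return summary


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_ALERT_LOG), "10.0.0.0/8")
    print(f"{report['total']} alerts; by priority: {dict(report['by_priority'])}")
    for (sid, msg), n in report["by_signature"].most_common():
        print(f"  sid {sid}: {msg} x{n}")
    print("external sources:", dict(report["external_sources"]))
    print("internal sources:", dict(report["internal_sources"]))
```

To run it against the real file, pass the contents of /var/log/snort/alert to parse_log and your own network range to summarize. Without `-A fast`, Snort's default full alert format spreads each alert over several lines and would need a different parser; alerts whose source is inside the server network are the ones that suggest a host on your own side is already misbehaving, which is why the summary keeps them separate.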