Intrusion Detection service

The Intrusion Detection service monitors events that are generated by Snort and any other intrusion detection applications installed on your network. 

The intrusion detection application searches the network packets for suspicious patterns that match its predefined class-types and logs them to a local log file or to its database. If the intrusion detection application has been configured to log its events to a local log file, then N-able N-central can monitor the application.

During the monitoring process, the agent that is used for the Intrusion Detection service scans the log file for any keywords that match the regular expressions specified for the service. If a match is found, the agent reports it to the central server. Based on the specified threshold, N-able N-central then displays the appropriate status for the service.

If the status triggers a notification, the notification includes the first line and the line numbers where the keyword was found. The first line and any subsequent line numbers are also displayed in the applicable reports and on the status details screen for the service. This service also supports wide characters.

By default, the service's regular expressions contain the Snort class types, grouped into expressions whose matches produce a Failed (Critical) status and expressions whose matches produce a Warning status.

The Intrusion Detection service is supported by the Linux agent and all of the Windows agents.

Service Type: Log Appended
Instances on a Device: 1
Supported Systems/Applications: Snort and IDS applications
Device Class: Server - Generic, Workstation - Generic, Laptop - Windows, Server - Windows, and Workstation - Windows
Monitored By: Agent (Windows and Red Hat Enterprise Linux)
Scan Interval: 5 minutes
Log File Name and Path

The directory path and name of the log file monitored by this service. The path and name can be complete or partial, and depend on the Intrusion Detection software you use.

For example: C:\N-able\Rocks\MSP.log

Critical (1) Regular Expression 1

Class Type                    Description
attempted-admin               Attempted administrator privilege gain.
attempted-user                Attempted user privilege gain.
shellcode-detect              Executable code was detected.
successful-user               Successful user privilege gain.
successful-admin              Successful administrator privilege gain.

Critical (2) Regular Expression 2

Class Type                    Description
trojan-activity               A network Trojan was detected.
unsuccessful-user             Unsuccessful user privilege gain.
web-application-attack        Web application attack.

Warning (1) Regular Expression 3

Class Type                    Description
attempted-dos                 Attempted denial of service.
attempted-recon               Attempted information leak.
bad-unknown                   Potentially bad traffic.
denial-of-service             Detection of a denial of service attack.
misc-attack                   Misc attack.
non-standard-protocol         Detection of a non-standard protocol or event.
rpc-portmap-decode            Decode of an RPC query.
successful-dos                Denial of service.
successful-recon-largescale   Large scale information leak.
successful-recon-limited      Information leak.
suspicious-filename-detect    A suspicious file name was detected.
suspicious-login              An attempted login using a suspicious username was detected.

Warning (2) Regular Expression 4

Class Type                      Description
system-call-detect              A system call was detected.
unusual-client-port-connection  A client was using an unusual port.
web-application-activity        Access to a potentially vulnerable web application.
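The scanning behaviour described above (match each log line against the four regular expressions, count matching lines, record their line numbers and the first 250 characters of the first match, then derive a status from a threshold) can be made concrete with the class-type tables. The following is an added example written for this page, not N-able's agent code: it builds one alternation regex per table, scans a constructed sample log, and reports the way the page says a notification does. The log line layout, the UTF-16 handling for wide characters, and the rule "a regex counts once its line count reaches the threshold" are assumptions, not documented behaviour.

```python
import re
from dataclasses import dataclass, field

# Snort class types per regular expression, as listed in the tables above.
# Key: (severity label, regular expression number).
CLASS_TYPE_GROUPS = {
    ("Critical", 1): ["attempted-admin", "attempted-user", "shellcode-detect",
                      "successful-user", "successful-admin"],
    ("Critical", 2): ["trojan-activity", "unsuccessful-user", "web-application-attack"],
    ("Warning", 3): ["attempted-dos", "attempted-recon", "bad-unknown", "denial-of-service",
                     "misc-attack", "non-standard-protocol", "rpc-portmap-decode",
                     "successful-dos", "successful-recon-largescale",
                     "successful-recon-limited", "suspicious-filename-detect",
                     "suspicious-login"],
    ("Warning", 4): ["system-call-detect", "unusual-client-port-connection",
                     "web-application-activity"],
}


def build_regex(class_types):
    """Alternation of the escaped class types with word boundaries, so that
    'successful-user' does not also fire inside 'unsuccessful-user'."""
    return re.compile(r"\b(?:" + "|".join(re.escape(c) for c in class_types) + r")\b")


@dataclass
class RegexResult:
    line_count: int = 0
    line_numbers: list = field(default_factory=list)
    first_line: str = ""  # first 250 characters of the first matching line


def decode_log(data: bytes) -> str:
    """Decode a log that may use wide characters: honour a UTF-16 BOM, otherwise
    treat the bytes as UTF-8 (assumption; the page only says wide characters
    are supported, not which encodings)."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def scan_log(text: str, groups=CLASS_TYPE_GROUPS):
    """Scan every line once against each regular expression and collect, per
    regex, the match count, the matching line numbers and the first match."""
    patterns = {key: build_regex(cts) for key, cts in groups.items()}
    results = {key: RegexResult() for key in groups}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for key, pattern in patterns.items():
            if pattern.search(line):
                r = results[key]
                r.line_count += 1
                r.line_numbers.append(lineno)
                if r.line_count == 1:
                    r.first_line = line[:250]
    return results


def service_status(results, threshold: int = 1) -> str:
    """Derive the service status. Assumption: a regex counts once its line count
    reaches the threshold; Critical regexes give Failed, Warning regexes give
    Warning, anything else is Normal."""
    triggered = {sev for (sev, _), r in results.items() if r.line_count >= threshold}
    if "Critical" in triggered:
        return "Failed"
    if "Warning" in triggered:
        return "Warning"
    return "Normal"


def notification_text(results) -> str:
    """Render what the page says a notification carries: per regex, the first
    matching line and the line numbers of all matches."""
    out = []
    for (sev, n), r in sorted(results.items(), key=lambda kv: kv[0][1]):
        if r.line_count:
            out.append(f"{sev} regex {n}: {r.line_count} line(s) at {r.line_numbers}")
            out.append(f"  first line: {r.first_line}")
    return "\n".join(out)


# Constructed sample log. The field layout is illustrative only; the real line
# format depends on the IDS and the output plugin writing the file.
SAMPLE_LOG = "\n".join([
    "2024-01-10T12:00:01 snort alert sid=1000001 classtype=attempted-admin src=10.0.0.5 dst=10.0.0.9",
    "2024-01-10T12:00:02 snort alert sid=1000002 classtype=unsuccessful-user src=10.0.0.5 dst=10.0.0.9",
    "2024-01-10T12:00:03 snort alert sid=1000003 classtype=attempted-recon src=10.0.0.5 dst=10.0.0.9",
    "2024-01-10T12:00:04 sensor heartbeat ok",
    "2024-01-10T12:00:05 snort alert sid=1000004 classtype=web-application-activity src=10.0.0.5 dst=10.0.0.9",
    "2024-01-10T12:00:06 snort alert sid=1000005 classtype=shellcode-detect src=10.0.0.5 dst=10.0.0.9",
])

if __name__ == "__main__":
    # Round-trip through UTF-16 to exercise the wide-character path.
    res = scan_log(decode_log(SAMPLE_LOG.encode("utf-16")))
    print(service_status(res))
    print(notification_text(res))
```

Two details worth keeping when adapting this: the word boundaries in `build_regex` are what stop the Critical (1) expression from firing on an `unsuccessful-user` line that belongs to Critical (2), and because the service type is Log Appended, a production scanner would track a file offset and only feed lines appended since the previous 5-minute scan into `scan_log`, rather than re-reading the whole file.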

Other status details

Status Details                    Description
The line count matched regex...   The number of lines in the log file in which the keyword was located and returned by the agent. This information is displayed for each regular expression on the status details screen for the service, in any applicable reports, and in any triggered notifications.
The first line matched            The first 250 characters of the first line in the log file containing the matching keyword, as returned by the agent. This information is displayed on the service's status details screen, in any applicable reports, and in any triggered notifications.