
First of all, I don't want to track the hacker. I want to track whether the system is being compromised in some way. For example, when a website is under attack it will receive malicious data. I want to check that data and, if it is malicious, I want to call an assistant via mail, SMS or phone call.

The bold phrase above is the tricky part. How do you define whether something is malicious? The hacker sends valid data from the app's point of view. But outside that application domain, another tool can examine it.

Is there any tool like that? If not, what is the common logic for tracing intrusion? I can write a tool then.

Comments:

  • Have you ever tried any IDS/IPS solutions?
    – anhldbk, Jan 6, 2013 at 6:34
  • @anhldbk no. I have no idea about it.
    – Jan 6, 2013 at 9:26
  • Well, please google about Snort, PHPIDS, modsecurity or any WAF (Web Application Firewall), ... I think you'll get your answer yourself. :)
    – anhldbk, Jan 6, 2013 at 12:42

2 Answers


As mentioned in the comments, try an IDS or IPS. My favorite free one is host-based and called OSSEC.

It will alert you of break-in attempts and other irregularities on your machine.

An IDS (intrusion detection system) or IPS (intrusion prevention system) is the standard solution. It generally works by watching traffic to your protected resources (such as a web server) and looking for characteristics associated with attacks. The big advantage is that it saves a vast amount of time and provides many more ways of scanning for attack vectors than you could on your own. With most systems of this type, you plan a way to get updates, so that as attackers evolve, your system follows shortly after.

For any given type of resource, the attack vectors will vary and are always evolving. As you mention, for web servers, a pretty common vector is faulty inputs - code injection and buffer overflow being the two that come to mind most readily. But this is going to vary for any type of resource you want to protect and any protocol that an attacker can use to access it.

A sophisticated system may combine:

• benchmarks for how the system currently behaves and observation of changes to those benchmarks
• analysis of protocols and misuse of aspects of those protocols
• repeated attempts to provide incorrect or invalid input
• any behavior pattern that shows a type of scanning
• detection of significantly unusual behavior

and more...

There's really no perfect answer to the eternal "have we been successfully attacked?" question. The real key is knowing a given system, what "normal" is and thus what "abnormal" is, and knowing a given design or communication pattern well enough to know how and when it can be misused.
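To make the strategies listed in this answer concrete, here is a small host-based web intrusion detector written as an added example. It is not the answer author's code and not OSSEC, Snort, PHPIDS or ModSecurity; it only shows the shape of what those tools do at much greater scale. It assumes the web server writes Apache/nginx Combined Log Format, uses three deliberately crude signatures, an arbitrary scan threshold and rate multiplier, and a pluggable `send` callback standing in for the mail/SMS/phone notification the question asks for. Every log line and IP address below is constructed for the example (RFC 5737 documentation ranges).

```python
"""Toy host-based IDS for web access logs (added example, not a real product).

Implements four of the strategies an IDS combines: signature matching on
request input, counting repeated invalid requests from one client, spotting
scanning behaviour, and comparing request rate with a learned baseline.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx Combined Log Format; the first seven fields are all we need.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)'
)

# Crude signatures for the input-based vectors mentioned above. Real engines
# (PHPIDS, ModSecurity CRS) ship far more and are updated as attacks evolve.
SIGNATURES = {
    "sql_injection": re.compile(
        r"union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+|sleep\(\d+\)", re.I),
    "path_traversal": re.compile(r"(\.\./){2,}|%2e%2e%2f", re.I),
    "command_injection": re.compile(r"(;|\|\||&&)\s*(cat|ls|wget|curl|nc)\b", re.I),
}

SCAN_THRESHOLD = 5    # assumed: 4xx answers from one IP before we call it a scan
RATE_MULTIPLIER = 2   # assumed: req/min above this multiple of baseline is abnormal


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Decode once so %27 / %2F cannot hide a payload from the signatures.
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def learn_baseline(normal_lines):
    """Benchmark 'normal': busiest (ip, minute) seen in known-good traffic."""
    per_minute = Counter()
    for rec in filter(None, map(parse_line, normal_lines)):
        per_minute[(rec["ip"], rec["ts"].replace(second=0))] += 1
    return max(per_minute.values(), default=1)


def analyze(lines, baseline_rpm):
    """Return a list of alerts {ip, kind, detail} for the given log lines."""
    alerts, invalid, per_minute = [], Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        ip = rec["ip"]
        for name, rx in SIGNATURES.items():          # known-bad input
            if rx.search(rec["decoded_path"]):
                alerts.append({"ip": ip, "kind": "signature",
                               "detail": f"{name} in {rec['path']}"})
        if 400 <= rec["status"] < 500:               # repeated invalid input
            invalid[ip] += 1
        per_minute[(ip, rec["ts"].replace(second=0))] += 1
    for ip, n in invalid.items():                    # scanning pattern
        if n >= SCAN_THRESHOLD:
            alerts.append({"ip": ip, "kind": "scan",
                           "detail": f"{n} requests answered 4xx"})
    for (ip, minute), n in per_minute.items():       # deviation from baseline
        if n > RATE_MULTIPLIER * baseline_rpm:
            alerts.append({"ip": ip, "kind": "rate",
                           "detail": f"{n} req/min at {minute:%H:%M}, baseline {baseline_rpm}"})
    return alerts


def notify(alerts, send):
    """Hand each alert to a transport callback (mail, SMS gateway, pager, ...)."""
    for a in alerts:
        send(f"[IDS] {a['kind']} from {a['ip']}: {a['detail']}")
    return len(alerts)


# Constructed sample traffic: one legitimate visitor, one attacker, one stray 404.
NORMAL_LOG = [
    '198.51.100.7 - - [06/Jan/2013:06:34:00 +0000] "GET / HTTP/1.1" 200 1024',
    '198.51.100.7 - - [06/Jan/2013:06:34:20 +0000] "GET /about.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [06/Jan/2013:06:34:45 +0000] "GET /contact.php HTTP/1.1" 200 512',
]
ATTACK_LOG = NORMAL_LOG + [
    '203.0.113.5 - - [06/Jan/2013:06:40:00 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 3000',
    '203.0.113.5 - - [06/Jan/2013:06:40:03 +0000] "GET /download.php?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1800',
    '203.0.113.5 - - [06/Jan/2013:06:40:06 +0000] "GET /admin/ HTTP/1.1" 404 0',
    '203.0.113.5 - - [06/Jan/2013:06:40:09 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0',
    '203.0.113.5 - - [06/Jan/2013:06:40:12 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
    '203.0.113.5 - - [06/Jan/2013:06:40:15 +0000] "GET /.git/config HTTP/1.1" 404 0',
    '203.0.113.5 - - [06/Jan/2013:06:40:18 +0000] "GET /backup.zip HTTP/1.1" 404 0',
    '203.0.113.5 - - [06/Jan/2013:06:40:21 +0000] "GET /config.php.bak HTTP/1.1" 404 0',
    '203.0.113.5 - - [06/Jan/2013:06:40:24 +0000] "GET /cgi-bin/test.cgi?cmd=;cat%20/etc/passwd HTTP/1.1" 404 0',
    '203.0.113.5 - - [06/Jan/2013:06:40:30 +0000] "GET /index.php HTTP/1.1" 200 3000',
    '192.0.2.9 - - [06/Jan/2013:06:41:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    baseline = learn_baseline(NORMAL_LOG)
    notify(analyze(ATTACK_LOG, baseline), print)
```

Run as a script it prints five alerts, all for 203.0.113.5: three signature hits, one scan (seven 4xx responses) and one rate deviation (ten requests in a minute against a baseline of three), while the single 404 from 192.0.2.9 and the legitimate visitor stay silent. The `send` callback is where an SMTP client or SMS API call would go; the detection logic does not care which.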
