---
id: a125a945-7826-4629-8842-8c73cbfb6a88
---

# Intrusion Detection Alerts Incident

An Intrusion Detection Alerts Incident occurs when an intrusion detection system (IDS) detects a security breach or unauthorized access attempt to a system or network. The IDS generates an alert to notify security personnel to investigate the incident and take appropriate action to prevent any potential damage or data loss. This incident type is critical as it helps to identify and respond to security threats in a timely manner.

### Parameters

```shell
export INTRUSION_DETECTION_SYSTEM="PLACEHOLDER"
export LOG_DIRECTORY="PLACEHOLDER"
export REPLACE_WITH_NECESSARY_PORT_NUMBER="PLACEHOLDER"
export REPLACE_WITH_MINIMUM_PASSWORD_AGE="PLACEHOLDER"
export REPLACE_WITH_DEFAULT_UMASK="PLACEHOLDER"
export REPLACE_WITH_MAXIMUM_PASSWORD_AGE="PLACEHOLDER"
export REPLACE_WITH_PASSWORD_WARNING_PERIOD="PLACEHOLDER"
```

## Debug

### Find the intrusion detection system logs

```shell
grep -r "${LOG_DIRECTORY}" -e "${INTRUSION_DETECTION_SYSTEM}"
```

### Check system logs for unusual activity

```shell
journalctl -k | grep -i "intrusion\|security"
```

### Check iptables rules for any unexpected ports or IP addresses

```shell
iptables -L -n -v
```

### Check network connections

```shell
netstat -tulanp
```

### Check running processes

```shell
ps -aux
```

### Check user accounts

```shell
cat /etc/passwd
```

### Check system configuration

```shell
cat /etc/sysctl.conf
```

### Check for any unauthorized changes to system startup scripts

```shell
ls -la /etc/init.d/
```

## Repair

### Harden system configurations and policies, and deploy additional security measures such as firewalls and intrusion detection systems.

```shell
#!/bin/bash

# Harden system configurations and policies
sed -i 's/PASS_MAX_DAYS ${REPLACE_WITH_MAXIMUM_PASSWORD_AGE}/PASS_MAX_DAYS 90/g' /etc/login.defs
sed -i 's/PASS_MIN_DAYS ${REPLACE_WITH_MINIMUM_PASSWORD_AGE}/PASS_MIN_DAYS 7/g' /etc/login.defs
sed -i 's/PASS_WARN_AGE ${REPLACE_WITH_PASSWORD_WARNING_PERIOD}/PASS_WARN_AGE 14/g' /etc/login.defs
sed -i 's/UMASK ${REPLACE_WITH_DEFAULT_UMASK}/UMASK 027/g' /etc/login.defs
sed -i 's/#DefaultLimitNOFILE=/DefaultLimitNOFILE=65535/g' /etc/systemd/user.conf
sed -i 's/#DefaultLimitNPROC=/DefaultLimitNPROC=65535/g' /etc/systemd/user.conf

# Install and configure firewall
yum -y install firewalld
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=${REPLACE_WITH_NECESSARY_PORT_NUMBER}/tcp --permanent
firewall-cmd --reload

# Install and configure intrusion detection system
yum -y install snort
systemctl start snort
systemctl enable snort
```

An Intrusion Detection Alerts Incident occurs when an intrusion detection system (IDS) detects a security breach or unauthorized access attempt to a system or network. The IDS generates an alert to notify security personnel to investigate the incident and take appropriate action to prevent any potential damage or data loss. This incident type is critical as it helps to identify and respond to security threats in a timely manner.


```shell
export INTRUSION_DETECTION_SYSTEM="PLACEHOLDER"
export LOG_DIRECTORY="PLACEHOLDER"
export REPLACE_WITH_NECESSARY_PORT_NUMBER="PLACEHOLDER"
export REPLACE_WITH_MINIMUM_PASSWORD_AGE="PLACEHOLDER"
export REPLACE_WITH_DEFAULT_UMASK="PLACEHOLDER"
export REPLACE_WITH_MAXIMUM_PASSWORD_AGE="PLACEHOLDER"
export REPLACE_WITH_PASSWORD_WARNING_PERIOD="PLACEHOLDER"
```


### Find the intrusion detection system logs

```shell
grep -r "${LOG_DIRECTORY}" -e "${INTRUSION_DETECTION_SYSTEM}"
```

### Check system logs for unusual activity

```shell
journalctl -k | grep -i "intrusion\|security"
```

### Check iptables rules for any unexpected ports or IP addresses

```shell
iptables -L -n -v
```

### Check network connections

```shell
netstat -tulanp
```

### Check running processes

```shell
ps -aux
```

### Check user accounts

```shell
cat /etc/passwd
```

### Check system configuration

```shell
cat /etc/sysctl.conf
```

### Check for any unauthorized changes to system startup scripts

```shell
ls -la /etc/init.d/
```


### Harden system configurations and policies, and deploy additional security measures such as firewalls and intrusion detection systems.

```shell
#!/bin/bash

# Harden system configurations and policies
sed -i 's/PASS_MAX_DAYS ${REPLACE_WITH_MAXIMUM_PASSWORD_AGE}/PASS_MAX_DAYS 90/g' /etc/login.defs
sed -i 's/PASS_MIN_DAYS ${REPLACE_WITH_MINIMUM_PASSWORD_AGE}/PASS_MIN_DAYS 7/g' /etc/login.defs
sed -i 's/PASS_WARN_AGE ${REPLACE_WITH_PASSWORD_WARNING_PERIOD}/PASS_WARN_AGE 14/g' /etc/login.defs
sed -i 's/UMASK ${REPLACE_WITH_DEFAULT_UMASK}/UMASK 027/g' /etc/login.defs
sed -i 's/#DefaultLimitNOFILE=/DefaultLimitNOFILE=65535/g' /etc/systemd/user.conf
sed -i 's/#DefaultLimitNPROC=/DefaultLimitNPROC=65535/g' /etc/systemd/user.conf

# Install and configure firewall
yum -y install firewalld
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --zone=public --add-port=${REPLACE_WITH_NECESSARY_PORT_NUMBER}/tcp --permanent
firewall-cmd --reload

# Install and configure intrusion detection system
yum -y install snort
systemctl start snort
systemctl enable snort
```


Intrusion Detection Alerts Incident

Overview

Parameters

Debug

Find the intrusion detection system logs

Check system logs for unusual activity

Check iptables rules for any unexpected ports or IP addresses

Check network connections

Check running processes

Check user accounts

Check system configuration

Check for any unauthorized changes to system startup scripts

Repair

Harden system configurations and policies, and deploy additional security measures such as firewalls and intrusion detection systems.

Learn more

Related Runbooks

Support