Server Intrusion Detection

Penetration Patrol™ is our Server intrusion detection service. Penetration Patrol™ works to detect when a server has been accessed without permission or 'hacked into'.

Penetration Patrol™ is the last line of defence. Our other countermeasures (a firewall and vulnerability scanning) attempt to stop an attacker gaining access to the server. With Penetration Patrol™ alerts will be sent to an email address you provide whenever a significant event occurs on the server. You can configure the alert level to react where necessary.

How does it Work?

We install software on your server which will monitor changes to configuration and binaries, as well as providing a comprehensive audit trail of changes. When a server is hacked, the infiltrator usually makes changes to existing applications on the server in order to alter their behaviour without alerting the other users.

Alerts will be sent to an email address you provide whenever a significant event occurs on the server allowing you to react where necessary. The degree to which an event is deemed significant depends on the level at which you configure your Penetration Patrol™ service. We will configure the service at our recommended level (10) initially, but this can be changed in your server's control panel or through our API according to your ongoing needs.

Memset® may also be notified and investigate the incident depending on the support level you choose:

  • Self-monitored: Memset will not be alerted or investigate any incidents
  • Memset®-monitored support: Memset will be alerted to and investigate level 13 events and above
  • Memset®-protected support: Memset will be alerted to and investigate level 11 events and above

Alert Levels

Alert Level Definition
Level 1 Alert for intrusion events of any level. Please note that this level can be very noisy.
Level 2 System low priority notification - System notification or status messages. They have no security relevance.
Level 3 Successful/Authorized events - They include successful login attempts, firewall allow events, etc.
Level 4 System low priority error - Errors related to bad configurations or unused devices/applications. They have no security relevance and are usually caused by default installations or software testing.
Level 5 User generated error - They include missed passwords, denied actions, etc. By itself they have no security relevance.
Level 6 Low relevance attack - They indicate a worm or a virus that have no affect to the system (like code red for apache servers, etc). They also include frequently IDS events and frequently errors.
Level 7 "Bad word" matching. They include words like "bad", "error", etc. These events are most of the time unclassified and may have some security relevance.
Level 8 First time seen - Include first time seen events. First time an IDS event is fired or the first time an user logged in. If you just started using OSSEC HIDS these messages will probably be frequently. After a while they should go away, It also includes security relevant actions (like the starting of a sniffer or something like that).
Level 9 Error from invalid source - Include attempts to login as an unknown user or from an invalid source. May have security relevance (specially if repeated). They also include errors regarding the "admin" (root) account.
Level 10 (Recommended) Multiple user generated errors - They include multiple bad passwords, multiple failed logins, etc. They may indicate an attack or may just be that a user just forgot his credentials.
Level 11 Integrity checking warning - They include messages regarding the modification of binaries or the presence of rootkits (by rootcheck). If you just modified your system configuration you should be fine regarding the "syscheck" messages. They may indicate a successful attack. Also included IDS events that will be ignored (high number of repetitions).
Level 12 High importancy event - They include error or warning messages from the system, kernel, etc. They may indicate an attack against a specific application.
Level 13 Unusual error (high importance) - Most of the times it matches a common attack pattern.
Level 14 High importance security event. Most of the times done with correlation and it indicates an attack.
Level 15 Severe attack - No chances of false positives. Immediate attention is necessary.

Please see the OSSEC website for further information.

Whether Penetration Patrol™ is available for your server will depend on your current support level. For more information, please click here.

Penetration Patrol™ is part of our Security Patrol Suite, which also includes:

This service is best used in conjunction with all the above, and can be regarded as a last line of defense against security breaches.

Please contact us today for a free, no-obligation, low-stress technical sales consultation.
Sales Hotline 0800 634 9270