Detection modules of the NEMEA system provide mechanisms for automatic detection of malicious network traffic. This repository contains modules with the following detection capabilities:
- amplification_detection: universal detector of DNS/NTP/... amplification attacks
- blacklistfilter: module that checks whether observed IP addresses are listed on any of the given publicly available blacklists
- hoststatsnemea: universal detection module based on per-host traffic statistics; it can detect some types of DoS, DDoS and scanning
- sip_bf_detector: detector of brute-force attacks against user passwords on SIP (Session Initiation Protocol) devices
- tunnel_detection: detector of communication tunnels over DNS (e.g. using iodine or tcp2dns)
- voip_fraud_detection: detector of dial-scheme guessing over the Session Initiation Protocol (SIP)
- vportscan_detector: detector of vertical port scans based on TCP SYN packets