Skip to content


Repository files navigation

NEMEA Detectors

Detection modules of the NEMEA system provide mechanisms for automatic detection of malicious network traffic. This repository contains modules with the following detection capabilities:

  • amplification_detection: universal detector of DNS/NTP/... amplification attacks
  • blacklistfilter: module that checks whether observed IP addresses are listed in any of given public-available blacklists
  • hoststatsnemea: universal detection module based on computation of statistics about hosts, it can detect some types of DoS, DDoS, scanning
  • sip_bf_detector: detector of brute-force attacks attempting to breach passwords of users on SIP (Session Initiation Protocol) devices
  • tunnel_detection: detector of communication tunnels over DNS (e.g. using iodine or tcp2dns)
  • voip_fraud_detection: detector of guessing dial scheme of Session Initiation Protocol (SIP)
  • vportscan_detector: detector of vertical scans based on TCP SYN