Questions[intrusion-detection](server)

is it normal for AD authentication between a workstation and AD server to generate a lot of ICMP traffic? I have a network intrusion prevention in place that is constantly detecting huge amount of ICMP / ping traffic from AD to workstation; vice versa. So much so that it detects them as 'flood' attack.

I've checked on both the AD and workstation both seems to be fine. No trojans, viruses, malware and the endpoint protection is working fine.

Any opinions on this kind of behavior? Possible false positives?

I run a nmap scan of my hosts daily to check for open ports.

sudo nmap -f -sS -sV --log-errors -append-output -p1-9999 host.com 

But along with the output I get a long list of fingerprint submissions for unrecognized ports like this

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port4000-TCP:V=5.21%I=7%D=2/9%Time=4F30CAC%P=x86_64-redhat-linux-gnu%r
SF::\r\nERR\x20UNKNOWN_COMMAND\x20Unknown\+server\+commandCSeq:\r\nERR\x20
-------------------------------------------

How do I remove these from my nmap reports?

In my web server logs I get a lot of these: [error] [client x.x.x.x] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

I know it's just a failed request and I don't have to worry abut it too much. In the past I have tried searching for the actual script or tool that does this. It must be pretty commonly available judging from the number of occurences of this request. I found different tips on how to deal with the message, but I'm interested in looking at this tool/script itself and I never found its name or location mentioned.

My question ends here. A bit more background: Today I noticed one of the clients doing this request is an IP of another server of mine, quite important, actually, because it's my server virtualization host. I suspect intrusion. That's why I want to look at this script - so I can analyze what it does and how to find it.

I have tried out various network-based IDS and IPS systems throughout the years and have never been happy with the results. Either the systems were too difficult to manage, only triggered on well-known exploits based on old signatures, or were simply too chatty with the output.

In any case, I don't feel they provided real protection for our network. In some instances, they were harmful due to dropping valid connections or just plain failing.

In the past few years, I am sure things have changed, so what are the recommended IDS systems these days? Do they have heuristics that work and don't alert on legitimate traffic?

Or, is it just better to rely on good firewalls and hardened hosts?

If you recommend a system, how do you know it's doing its job?

As some have mentioned in the answers below, let's also get some feedback on host intrusion detection systems as they are closely related to network-based IDS.

For our current setup, we would need to monitor two separate networks with a total bandwidth of 50mbps. I am looking for some real-world feedback here, not a list of devices or services capable doing IDS.

Filesystem intrusions can be detecting using tools such as Snort but it is more difficult to detect intrusions into a database, such as deletion of rows, modification of tables, etc. What is the best way to monitor this to detect unwanted changes in the DB?

I am using MySQL so anything that is not database-agnostic should ideally be aimed at MySQL.