CESNET / Nemea-Detectors

Detection modules of the Nemea system.

NEMEA Detectors

Detection modules of the NEMEA system provide mechanisms for automatic detection of malicious network traffic. This repository contains modules with the following detection capabilities:

  • amplification_detection: universal detector of DNS/NTP/... amplification attacks
  • blacklistfilter: module that checks whether observed IP addresses are listed in any of the given publicly available blacklists
  • hoststatsnemea: universal detection module based on computing statistics about hosts; it can detect some types of DoS, DDoS and scanning
  • sip_bf_detector: detector of brute-force attacks attempting to breach passwords of users on SIP (Session Initiation Protocol) devices
  • tunnel_detection: detector of communication tunnels over DNS (e.g. using iodine or tcp2dns)
  • voip_fraud_detection: detector of dial-scheme guessing in the Session Initiation Protocol (SIP)
  • vportscan_detector: detector of vertical scans based on TCP SYN

License: Other

Languages

C++ 43.4%, C 36.1%, Python 14.1%, M4 4.0%, Shell 1.2%, Makefile 1.0%, R 0.2%, Mathematica 0.0%