What is an IDS?
An IDS or intrusion detection system is a software system (or appliance) that monitors a host or network for signs of malicious activity or policy violations, such as known attack signatures or abnormal behaviour, and alerts security personnel in the organization when it finds them. An IDS is passive: it detects and reports but does not block anything by itself, so its value depends on someone, or some automation, acting on the alerts it raises.
There are two types of IDS:
Host-based IDS (HIDS): software installed on an individual host that watches that system's logs, processes, file integrity and local network activity.
Network-based IDS (NIDS): a sensor that inspects the traffic of a network segment, usually from a copy of the traffic delivered by a switch SPAN/mirror port or a network tap.
Like an IDS, an IPS or intrusion prevention system also monitors a host or network, but an IPS can additionally react to an attack as it happens, for example by dropping the offending packets, resetting the connection or blocking the source address. An IPS is an in-band system (inline with network traffic, so every packet passes through it), whereas an IDS is typically out-of-band and only sees a copy of the traffic. The inline position is what makes prevention possible, and it is also the main operational risk of an IPS: a false positive blocks legitimate traffic, the device adds latency, and a sensor that fails closed becomes a network outage. For that reason new IPS rules are usually validated in detect-only (alert) mode before they are switched to drop.
There are two main detection methods used by IDS and IPS installations:
Signature-based detection: traffic or host activity is compared against a database of rules that describe known attacks, for example a byte pattern in a packet payload sent to a given port. It is precise for known threats and easy to tune, but it cannot detect an attack for which no rule exists yet.
Anomaly-based detection: the system first learns a baseline of normal behaviour (connection rates, protocols in use, traffic volume per host) and then alerts on significant deviations from it. It can catch novel attacks, at the cost of more false positives and a training period during which the baseline can be skewed by an attacker who is already active on the network.
Some popular network IDS/IPS Tools
Snort: This is a rule-based IDS/IPS that offers real-time traffic analysis, packet logging, protocol analysis and content pattern matching. Snort is free open-source software originally written by Martin Roesch in 1998; Cisco has maintained it since acquiring Sourcefire in 2013, and the Cisco Talos team now develops it and publishes its rulesets. The free Community ruleset is available to anyone, while the Talos ruleset is available to registered users after a delay and to paid subscribers immediately. Users write their own rules in Snort's own rule language (a header giving the action, protocol, addresses and ports, followed by options such as msg, content and sid); Lua is used by Snort 3 for its configuration files, not for writing rules.
Suricata: This is an open-source, rule-based IDS/IPS and network security monitoring engine developed by the Open Information Security Foundation (OISF), whose work on it began in 2009. It has some similarities to Snort but adds many features. It is natively multi-threaded, so a single instance can spread packet decoding and detection across the CPU cores of a sensor, whereas Snort 2 runs single-threaded per process; it logs alerts and protocol metadata (HTTP, DNS, TLS and so on) as JSON through its EVE output; and it can extract and hash files from traffic. Suricata's rule language is largely compatible with Snort's, so most Snort 2 rules load unchanged, and a rule can call a Lua script through the lua keyword for matching logic that the rule language itself cannot express.
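The two detection methods listed above and the rule syntax that Snort and Suricata share, as an added example that is not code from this page, from Snort or from Suricata. parse_rule() handles only a small subset of the rule language (protocol, destination port, and the msg, content and sid options; address fields such as $HOME_NET are accepted but treated as wildcards), the anomaly detector is a mean-plus-k-standard-deviations threshold on per-source packet counts per window, and every packet, rule and baseline figure is constructed for the demonstration. The point it makes: the port-sweeping host never matches a signature but is caught by the baseline, while the traversal request from a host with normal volume is caught only by the signature.

```python
"""Signature-based vs anomaly-based detection over constructed traffic.

Added illustration; not code from the page, Snort or Suricata. The rule
syntax copies the Snort/Suricata "header (options)" shape, but parse_rule()
handles only a small subset of it. Packets and baseline figures are
constructed for the demonstration.
"""
import re
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    proto: str
    dport: str      # numeric string or "any"
    msg: str
    content: bytes
    sid: int


# Header shape: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$"
)


def parse_rule(text: str) -> Rule:
    """Parse one single-line 'alert' rule of the supported subset.
    Address fields ($HOME_NET etc.) are accepted but not evaluated here."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, proto, _src, _sport, _dst, dport, opts = m.groups()
    if action != "alert":
        raise ValueError(f"only 'alert' rules are handled: {action!r}")
    options = {}
    for opt in opts.split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return Rule(proto.lower(), dport, options.get("msg", ""),
                options["content"].encode(), int(options["sid"]))


def signature_alerts(rules, packets):
    """Signature method: fire when a packet matches a known pattern."""
    hits = []
    for pkt in packets:
        for r in rules:
            if r.proto != pkt.proto:
                continue
            if r.dport != "any" and int(r.dport) != pkt.dport:
                continue
            if r.content in pkt.payload:
                hits.append((r.sid, pkt.src, r.msg))
    return hits


def anomaly_alerts(baseline_counts, packets, k=3.0):
    """Anomaly method: flag sources whose packet count in this window exceeds
    the learned baseline mean by more than k standard deviations."""
    threshold = statistics.mean(baseline_counts) + k * statistics.pstdev(baseline_counts)
    per_src = Counter(p.src for p in packets)
    return {src: n for src, n in per_src.items() if n > threshold}


# Constructed local rules (sid >= 1000000 is the conventional range for
# locally written rules).
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL path traversal in URI"; content:"../../"; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"LOCAL libssh client banner"; content:"SSH-2.0-libssh"; sid:1000002; rev:1;)',
)]

# Constructed baseline: packets per source per one-minute window on quiet days.
BASELINE = [4, 6, 5, 7, 5, 6, 4, 5]

# Constructed observation window: one host sweeping 12 ports with empty SYN
# payloads, one host sending a traversal request at a normal rate, and one
# external host presenting a libssh banner.
WINDOW = (
    [Packet("10.0.0.5", "10.0.0.20", "tcp", port, b"") for port in range(1, 13)]
    + [
        Packet("10.0.0.7", "10.0.0.20", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
        Packet("10.0.0.7", "10.0.0.20", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
        Packet("10.0.0.7", "10.0.0.21", "tcp", 443, b"\x16\x03\x01"),
        Packet("203.0.113.9", "10.0.0.22", "tcp", 22, b"SSH-2.0-libssh_0.9.6\r\n"),
    ]
)


def run_demo():
    """Run both detectors over the constructed window."""
    return signature_alerts(RULES, WINDOW), anomaly_alerts(BASELINE, WINDOW)


if __name__ == "__main__":
    sig_hits, anomalies = run_demo()
    for sid, src, msg in sig_hits:
        print(f"signature  sid={sid} src={src} {msg}")
    for src, n in anomalies.items():
        print(f"anomaly    src={src} packets={n}")
```

Running it with python3 prints one signature alert per matching packet and one anomaly alert per outlier source. Note what each method misses: the sweep produces no signature alert because no rule describes it, and the traversal request is invisible to the baseline because three packets in a window is normal for that host; a real sensor runs both.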
Zeek: Zeek is an open-source network security monitor and software framework that provides protocol-aware traffic analysis and a classification engine. It was originally developed in 1995 by Vern Paxson at Lawrence Berkeley National Laboratory and was known as Bro until it was renamed in late 2018. Zeek can match signatures like a traditional IDS, but its main output is not alerts: it turns traffic into structured, tab-separated (or JSON) logs such as conn.log, dns.log, http.log, ssl.log and files.log, and those logs are what make it useful for incident response and forensics. It can also extract files from traffic and record their hashes. An important feature of Zeek is its programming interface: the Zeek scripting language lets analysts customize how raw traffic data is interpreted, add their own detection logic, and raise notices on events the built-in policies do not cover.
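What working with Zeek's output looks like in practice, as an added example that is not code from this page or from the Zeek project, and not a Zeek script: it consumes the conn.log that Zeek writes. The header lines and column names follow Zeek's real log format (separator, unset_field, fields and types headers), but the field list is trimmed and every record (timestamps, UIDs, addresses) is constructed. The analysis on top is a simple scan heuristic of the kind Zeek's own policy scripts implement: an originator whose TCP connection attempts to many distinct targets get no answer or are rejected.

```python
"""Parse Zeek's tab-separated conn.log and flag hosts whose TCP connection
attempts are mostly unanswered or rejected (a simple scan heuristic).

Added illustration; not code from the page or the Zeek project, and not a
Zeek script. Header lines and column names follow Zeek's log format, but the
field list is trimmed and every record is constructed.
"""
import codecs
from collections import defaultdict

# conn_state values in which the originator got no usable reply:
# S0 = SYN seen, no answer; REJ = attempt rejected; RSTOS0 = originator sent
# SYN then RST without ever seeing a SYN-ACK.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}

# Converters keyed by the Zeek type names in the #types header; any other
# type is kept as a string.
CONVERT = {"time": float, "interval": float, "port": int, "count": int,
           "bool": lambda v: v == "T"}

# Constructed scan rows: one host probing eight ports on one target.
_SCAN_ROWS = [
    f"1700000001.{i:03d}\tCsc{i:02d}\t10.0.0.5\t{40000 + i}\t10.0.0.20\t{p}"
    f"\ttcp\t-\t-\t{'S0' if i % 2 else 'REJ'}"
    for i, p in enumerate([21, 22, 23, 25, 80, 443, 445, 3389])
]

# Constructed conn.log excerpt (real Zeek logs carry more columns).
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2024-01-01-00-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring",
    "1700000000.101\tCx1a\t10.0.0.7\t51000\t10.0.0.20\t80\ttcp\thttp\t0.412\tSF",
    "1700000000.205\tCx1b\t10.0.0.7\t51001\t10.0.0.21\t443\ttcp\tssl\t1.207\tSF",
    "1700000000.310\tCx1c\t10.0.0.9\t51002\t10.0.0.20\t22\ttcp\t-\t-\tREJ",
    *_SCAN_ROWS,
    "#close\t2024-01-01-00-05-00",
])


def parse_zeek_log(text):
    """Return one dict per record, typed according to the #types header,
    with the #unset_field marker mapped to None."""
    sep, unset, fields, types = "\t", "-", None, None
    records = []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The separator itself is written as an escape such as \x09.
            sep = codecs.decode(line[len("#separator "):], "unicode_escape")
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "unset_field":
                unset = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            continue
        if not line or fields is None:
            continue
        col_types = types or ["string"] * len(fields)
        rec = {}
        for name, typ, raw in zip(fields, col_types, line.split(sep)):
            rec[name] = None if raw == unset else CONVERT.get(typ, str)(raw)
        records.append(rec)
    return records


def failed_connection_scanners(records, min_targets=5):
    """Map originator host -> number of distinct (host, port) targets whose
    TCP connection attempt failed, for hosts at or above min_targets."""
    targets = defaultdict(set)
    for r in records:
        if r.get("proto") == "tcp" and r.get("conn_state") in FAILED_STATES:
            targets[r["id.orig_h"]].add((r["id.resp_h"], r["id.resp_p"]))
    return {h: len(t) for h, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for host, n in failed_connection_scanners(parse_zeek_log(CONN_LOG)).items():
        print(f"possible scanner {host}: {n} failed TCP targets")
```

Because the parser is driven by the #fields and #types headers rather than fixed column positions, the same function reads a full production conn.log, or any other Zeek log, unchanged; only the heuristic is specific to conn.log. The single rejected SSH attempt from 10.0.0.9 stays below the threshold, which is the kind of tuning a real deployment does against its own traffic.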