What is an IDS?
An IDS or intrusion detection system is simply a software system that monitors a host or network for indicators of compromise and sends notifications to security personnel in an organization if such events are found.
There are two types of IDS:
- HIDS or host intrusion detection system: this is software that is typically installed on a workstation or server. A HIDS can detect potential attacks by monitoring traffic as it passes through the network interface (NIC). It also can be configured to monitor application activity and analyze traffic as a protocol analyzer. You may find a HIDS installed alongside a standard antivirus program so it can catch sophisticated attacks that are missed by standard antivirus software.
- NIDS or network intrusion detection system: this system monitors network traffic and uses programs called collectors or sensors that are installed on various network devices (routers, firewalls, etc.). These collectors pull in raw network traffic at various points around the network and forward the data to a central NIDS server. A NIDS normally cannot monitor traffic to or from a particular host (as a HIDS can), and it is not able to decrypt encrypted traffic on the network. Inside the network, a NIDS can make use of port mirroring to collect traffic from a network switch.
Like an IDS, an IPS or intrusion prevention system also monitors a host or network, however, an IPS can also react to attacks as they happen and prevent them from reaching any systems or networks. An IPS is an in-band system (inline with network traffic) and combines the detection features of an IDS with advanced attack prevention capabilities.
There are two main detection methods used by IDS and IPS installations:
- Signature-based aka definition-based: this method uses a database of known vulnerabilities and/or attack patterns. It must be periodically updated by the vendor so that it can continue to detect emerging threats.
- Heuristic aka behavioral-based or anomaly-based: this method creates a performance baseline showing normal operating conditions for the system or network. Then during operations, it compares traffic with the baseline and looks for anomalous activity. This can be an advantage over signature-based detection as it can detect new types of attacks just from observing network behavior.
Some popular network IDS/IPS Tools
Snort: This is a rule-based IDS/IPS tool that offers industry-standard features including real-time traffic monitoring, packet logging, and protocol analysis, OS fingerprinting, and content pattern matching. Snort is free open-source software that was originally developed in 1998 and has been maintained by Cisco since 2013. The free version of Snort includes a Cisco-curated ruleset, and users can create their own rules using the Lua scripting language.
Suricata: This is an open-source, rule-based IDS that was developed in 2009 by the Open Information Security Foundation (OISF) and while it has some similarities to Snort, it includes many additional features. In addition to the standard IDS/IPS features, Suricata supports multi-threading so in theory, it can use more processing power to do its work. Suricata supports Snort rules and can also use Lua scripting to create its own rules.
Zeek: Zeek is an open-source network security monitor and software framework that provides sophisticated network traffic analysis and a classification engine. It originally developed in 1994 at the Lawrence Berkeley Laboratory and was known as Bro until late 2018. While it shares most of the features of a traditional IDS, Zeek also can handle incident response, file extraction, hashing, and forensics. An important feature of Zeek is its programming interface which can be used to customize the interpretation of raw traffic data using the Zeek scripting language.