Intrusion Detection and Prevention Systems

IDS

An Intrusion Detection System (IDS) is a system for detecting attacks against a computer or a network. An IDS can complement a firewall or run directly on the monitored computer system.

There are two main types of IDS:

Host-based IDS: HIDS are installed on each system to be monitored. They thus have to support the given host operating system. They get information from log files, kernel data,…

Network-based IDS: NIDS try to capture all packets on the network, analyze them and report suspicious activities. These systems also try to recognize attack patterns in the network traffic.

Here are a few open source IDS:

Prelude: Linux

Samhain: Unix, Linux, Windows

Snort: Linux, Mac OS X, Windows


IPS

Intrusion Prevention Systems (IPS) are Intrusion Detection Systems (IDS) that can also actively block the attacks they detect, rather than only reporting them.


HIPS

The acronym HIPS stands for “Host-based Intrusion Prevention System”. HIPS are IPS running on the computer on which intrusion is to be prevented.

HIPS hook themselves directly into the communication system and decide whether a packet should be forwarded or not (i.e. they can interrupt or pause data streams). They can also check the transferred data and block possibly harmful content.

Here’s a short list of open source HIPS:

Core Force (http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Core_Force): it is not technically open source but the license allows it to be reverse engineered, disassembled or decompiled: Windows

DenyHOSTS: Linux, Mac OS X

Fail2ban: Linux, Mac OS X

OSSEC: Linux, Windows, FreeBSD, OpenBSD, NetBSD, Solaris, AIX, HP-UX, Mac OS X.
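To make the host-based side concrete, here is an added example (not code from the original post or from any of the tools listed above) of what DenyHOSTS- and Fail2ban-style HIPS do: read the host's own log file, count failed SSH logins per source address inside a sliding time window, and turn the result into a firewall countermeasure. The log lines, the threshold, the window and the nftables set name "banned" are all constructed for illustration; a real deployment would read /var/log/auth.log or the journal and execute the rules it generates.

```python
"""Fail2ban-style host-based detection over sshd log lines (added example,
not part of the original post).  Sample log lines, thresholds and the
nftables set name are constructed for illustration."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in the syslog format sshd uses.  Syslog omits
# the year, so parse_failures() assumes one.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar 10 12:00:05 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar 10 12:00:06 host sshd[1004]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 12:00:09 host sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Mar 10 12:00:10 host sshd[1006]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar 10 12:30:00 host sshd[1007]: Failed password for root from 192.0.2.9 port 60000 ssh2
Mar 10 12:45:00 host sshd[1008]: Failed password for root from 192.0.2.9 port 60001 ssh2
Mar 10 13:00:00 host sshd[1009]: Failed password for root from 192.0.2.9 port 60002 ssh2
Mar 10 13:15:00 host sshd[1010]: Failed password for root from 192.0.2.9 port 60003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, source_ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_offenders(text, max_retry=4, window=timedelta(minutes=10)):
    """Return the set of source IPs with at least max_retry failures inside
    any window-long period.  A per-IP deque keeps only recent timestamps
    (sliding window), so a slow trickle of failures spread over hours does
    not accumulate against a host forever."""
    recent = defaultdict(deque)
    offenders = set()
    for ts, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_retry:
            offenders.add(ip)
    return offenders


def block_rules(offenders):
    """Translate decisions into the countermeasure a HIPS would apply.
    Shown as nftables commands against an assumed set 'banned'; a real
    deployment would execute them."""
    return [f"nft add element inet filter banned {{ {ip} }}" for ip in sorted(offenders)]


if __name__ == "__main__":
    for rule in block_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

Note the contrast built into the sample: 203.0.113.5 makes four failed attempts in eight seconds and is blocked, while 192.0.2.9 also fails four times but fifteen minutes apart, so it never has four failures inside one ten-minute window and stays below the threshold. That gap is exactly why the window length and retry count deserve tuning per host rather than defaults.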


NIPS

NIPS (Network IPS) monitor the network traffic in order to protect the connected computers from intruders. They inspect the content of the transmitted data, the transmissions at the protocol level, and/or the type and amount of data traffic in order to identify possible attack patterns and/or initiate network-related countermeasures.

Snort is the most well-known open source NIPS.
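The three kinds of inspection just listed (content, protocol level, traffic volume) can be shown side by side in a toy inline engine. This is an added example, not code from the original post and not Snort's own logic: it runs each check over a stream of constructed packet records and returns the alerts plus the pass/drop verdict an inline NIPS would apply. The packet records, the two content signatures, the flag check and the port-sweep threshold are all illustrative assumptions.

```python
"""Toy NIPS-style inspection engine (added example, not part of the original
post).  Packet records, signatures and thresholds are constructed."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # seconds since start of capture
    src: str
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. frozenset({"SYN"})
    payload: bytes = b""


# Content inspection: byte pattern -> rule name.  Illustrative only; real
# rule sets (Snort's, for example) are far richer and context-aware.
SIGNATURES = {
    b"../../": "http-directory-traversal",
    b"' OR 1=1": "sqli-tautology",
}


def check_content(pkt):
    """Content check: does the payload carry a known signature?"""
    for pattern, name in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None


def check_protocol(pkt):
    """Protocol-level check: SYN together with FIN never occurs in legitimate
    TCP, so such a segment is a malformed probe rather than real traffic."""
    if {"SYN", "FIN"} <= pkt.flags:
        return "tcp-syn-fin-flags"
    return None


class VolumeMonitor:
    """Traffic-volume check: flags a source whose SYNs reach more than
    max_ports distinct destination ports within window seconds."""

    def __init__(self, max_ports=5, window=2.0):
        self.max_ports = max_ports
        self.window = window
        self.syns = defaultdict(list)   # src -> [(ts, dport), ...]
        self.reported = set()           # report each source once

    def check(self, pkt):
        if "SYN" not in pkt.flags or "ACK" in pkt.flags:
            return None
        hist = self.syns[pkt.src]
        hist.append((pkt.ts, pkt.dport))
        hist[:] = [(t, p) for t, p in hist if pkt.ts - t <= self.window]
        if len({p for _, p in hist}) > self.max_ports and pkt.src not in self.reported:
            self.reported.add(pkt.src)
            return "portscan"
        return None


def inspect_stream(packets, max_ports=5, window=2.0):
    """Run all three checks over the packet stream.  Returns (alerts,
    verdicts): alerts is a list of (index, src, rule) and verdicts maps each
    packet index to 'drop' or 'pass', the decision an inline IPS would make."""
    monitor = VolumeMonitor(max_ports, window)
    alerts, verdicts = [], {}
    for i, pkt in enumerate(packets):
        hits = [h for h in (check_content(pkt), check_protocol(pkt), monitor.check(pkt)) if h]
        for name in hits:
            alerts.append((i, pkt.src, name))
        verdicts[i] = "drop" if hits else "pass"
    return alerts, verdicts


# Constructed traffic: a normal request, a traversal attempt, a SYN/FIN
# probe, then a quick sweep of six ports from one source.
SAMPLE = [
    Packet(0.0, "198.51.100.7", "10.0.0.2", 80, frozenset({"PSH", "ACK"}), b"GET /index.html HTTP/1.1\r\n"),
    Packet(0.1, "203.0.113.5", "10.0.0.2", 80, frozenset({"PSH", "ACK"}), b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet(0.2, "203.0.113.5", "10.0.0.2", 22, frozenset({"SYN", "FIN"})),
] + [Packet(0.3 + 0.1 * n, "192.0.2.9", "10.0.0.2", port, frozenset({"SYN"}))
     for n, port in enumerate((21, 22, 23, 25, 80, 443))]


if __name__ == "__main__":
    found, decisions = inspect_stream(SAMPLE)
    for idx, src, name in found:
        print(f"packet {idx} from {src}: {name} -> {decisions[idx]}")
```

The volume check only fires on the sixth SYN, so the first five probes pass through before the engine can react; that latency is inherent to rate-based detection and is one reason a NIPS is usually paired with content and protocol rules that can judge a single packet on its own.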

