IDS Basics
If you aren't already running a network IDS, you should be. There are two types of network IDS: signature detection and anomaly detection.
In a signature-based IDS, there are rules or patterns of known malicious traffic that it is looking for. Once a match to a signature is found, it generates an alert. These alerts can turn up issues such as malware, scanning activity, attacks against servers and much more.
With anomaly-based IDS, the payload of the traffic is far less important than the activity that generated it. An anomaly-based IDS tool relies on baselines rather than signatures. It will look for unusual activity that deviates from statistical averages of previous activities or activity that has been previously unseen. Perhaps a server is sending out more HTTP activity than usual or a new host has been seen inside your DMZ.
Both are typically deployed in the same manner, though one could make the case (and people have) that an anomaly-based IDS can easily be built on externally collected NetFlow data or similar traffic information.
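To make the two approaches concrete, here is an added example (not from the article, and not any product's code) that runs a toy signature matcher and a toy baseline detector over the same constructed flow records. The record layout, the one sample signature, the DMZ prefix, the known-host inventory and the z-score threshold are all assumptions made for the example.

```python
"""Signature-based versus anomaly-based detection over the same constructed flows."""
import re
import statistics

# Constructed flow records (not captured traffic): (src, dst, dst_port, bytes_out, payload_snippet)
FLOWS = [
    ("10.0.1.5", "203.0.113.10", 80, 1200, b"GET /index.html HTTP/1.1"),
    ("10.0.1.5", "203.0.113.10", 80, 1400, b"GET /about HTTP/1.1"),
    ("10.0.1.5", "203.0.113.10", 80, 1100, b"GET /contact HTTP/1.1"),
    ("10.0.1.5", "203.0.113.10", 80, 1300, b"GET /news HTTP/1.1"),
    ("10.0.1.5", "203.0.113.10", 80, 95000, b"POST /upload HTTP/1.1"),
    ("10.0.1.7", "203.0.113.44", 80, 900,
     b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine)"),
    ("10.0.2.200", "10.0.1.5", 22, 300, b"SSH-2.0-OpenSSH_8.9"),
]

# Constructed sample signature: the user agent string a well-known scanner sends (scanning activity)
SIGNATURES = [
    ("scanner-user-agent", re.compile(rb"User-Agent:.*Nmap Scripting Engine")),
]


def signature_detect(flows, signatures=SIGNATURES):
    """Signature IDS: the payload is what matters; alert on every flow matching a known pattern."""
    alerts = []
    for src, dst, port, _bytes_out, payload in flows:
        for name, pattern in signatures:
            if pattern.search(payload):
                alerts.append({"type": "signature", "rule": name, "src": src, "dst": dst, "port": port})
    return alerts


def anomaly_detect(flows, dmz_prefix="10.0.1.", known_dmz_hosts=frozenset({"10.0.1.5"}), z_threshold=2.0):
    """Anomaly IDS: the payload is ignored; alert when behaviour deviates from a baseline.

    Two baselines are kept: how many bytes each source usually sends over HTTP
    (statistical baseline) and which hosts have been seen on the DMZ prefix
    (novelty baseline, seeded from an assumed asset inventory)."""
    alerts = []
    history = {}                    # src -> bytes_out of its previous port-80 flows
    seen_dmz = set(known_dmz_hosts)
    for src, dst, port, bytes_out, _payload in flows:
        if port == 80:
            prior = history.setdefault(src, [])
            if len(prior) >= 3:     # need a few samples before the baseline means anything
                mean = statistics.mean(prior)
                stdev = statistics.pstdev(prior) or 1.0
                z = (bytes_out - mean) / stdev
                if z > z_threshold:
                    alerts.append({"type": "anomaly", "check": "http-volume", "src": src, "z": round(z, 1)})
            prior.append(bytes_out)
        for host in (src, dst):
            if host.startswith(dmz_prefix) and host not in seen_dmz:
                alerts.append({"type": "anomaly", "check": "new-dmz-host", "host": host})
                seen_dmz.add(host)
    return alerts


if __name__ == "__main__":
    for alert in signature_detect(FLOWS) + anomaly_detect(FLOWS):
        print(alert)
```

Note that the two detectors flag different flows: the signature matcher only sees the scanner user agent, while the baseline detector flags the 95 kB upload from 10.0.1.5 and the never-before-seen DMZ host 10.0.1.7, neither of which contains anything a signature would match.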
When evaluating IDS solutions, it's important to consider whether you need an IDS that can monitor both your cloud and on-premises assets. Whether you need to monitor hosts or the networks connecting them to identify the latest threats, there are some great open source intrusion detection (IDS) tools available to you.
SNORT
Ah, the venerable piggy that loves packets. I'm sure everyone remembers 1998 as the year a version of Windows came out, but it was also the year that Martin Roesch first released Snort. Though it really wasn't a true IDS back then, its destiny had been written. Since then it has become the de facto standard for IDS and eventually IPS (thanks to community effort!). It's important to note that Snort has no real GUI or easy-to-use administrative console. Lots of other open source tools have been created to help out, notably Snorby [https://snorby.org/] and others like BASE and Sguil.
- Long product life with no signs of going away
- Great community support
- Plenty of administrative front-ends
- Thoroughly proven and tested
SURICATA
What's the only reason for not running Snort? If you're using Suricata instead. Though Suricata's architecture is different from Snort's, it behaves the same way as Snort and can use the same signatures. What's great about Suricata is what else it's capable of beyond Snort. It does so much more that it probably deserves a dedicated post of its own. Let's run down a few of them:
- Multi-threaded - Snort runs with a single thread, meaning it can only use one CPU (core) at a time. Suricata can run many threads, so it can take advantage of all the CPUs/cores you have available. There has been much contention on whether this is advantageous: Snort says no and a few benchmarks say yes.
- Built-in hardware acceleration - Did you know you can use graphics cards to inspect network traffic?
- File extraction - Someone downloading malware? You can capture it right from Suricata and study it.
- LuaJIT - It's a lot of letters, yes, but it's also a scripting engine that can be used with information from the packets inspected by Suricata. This makes complex matching even easier, and you can even gain efficiency by combining multiple rules into one script.
- Logging more than packets - Suricata can grab and log things like TLS/SSL certs, HTTP requests and DNS requests.
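The file extraction and "more than packets" logging both surface in Suricata's EVE JSON log, so here is an added example (my own code, not Suricata's) of a small reader for that log that pulls the alerts, stored files and TLS subjects out and shows the HTTP/DNS/TLS context around a host. The log lines are constructed samples, the rule id is a made-up local sid, and the field names follow Suricata's EVE output as commonly documented; treat them as assumptions if your version differs.

```python
"""Reading Suricata EVE JSON: alerts plus the HTTP, DNS, TLS and fileinfo records that give them context."""
import json
from collections import Counter

# Constructed eve.json sample (not real traffic): one JSON object per line, all involving 10.0.1.5
EVE_SAMPLE = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2024-01-01T10:00:00.000000+0000", "event_type": "dns",
     "src_ip": "10.0.1.5", "dest_ip": "10.0.0.53",
     "dns": {"type": "query", "rrname": "updates.example.com", "rrtype": "A"}},
    {"timestamp": "2024-01-01T10:00:01.000000+0000", "event_type": "tls",
     "src_ip": "10.0.1.5", "dest_ip": "203.0.113.11",
     "tls": {"subject": "CN=login.example.com", "issuerdn": "CN=Example CA", "sni": "login.example.com"}},
    {"timestamp": "2024-01-01T10:00:02.000000+0000", "event_type": "http",
     "src_ip": "10.0.1.5", "dest_ip": "203.0.113.10",
     "http": {"hostname": "updates.example.com", "url": "/update.exe", "http_method": "GET", "status": 200}},
    {"timestamp": "2024-01-01T10:00:03.000000+0000", "event_type": "fileinfo",
     "src_ip": "203.0.113.10", "dest_ip": "10.0.1.5",
     "fileinfo": {"filename": "/update.exe", "sha256": "0" * 64, "size": 4096, "stored": True}},
    {"timestamp": "2024-01-01T10:00:03.500000+0000", "event_type": "alert",
     "src_ip": "203.0.113.10", "dest_ip": "10.0.1.5",
     "alert": {"signature_id": 9000001,  # constructed local sid, not a real ruleset id
               "signature": "LOCAL Executable download over HTTP (constructed rule)", "severity": 2}},
])


def parse_eve(text):
    """One JSON object per line; a truncated line (e.g. log rotated mid-write) is skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarize(records):
    """Counts per event type plus the items an analyst triages first."""
    counts = Counter(r.get("event_type") for r in records)
    alerts = [(r["alert"]["signature_id"], r["alert"]["signature"], r["src_ip"])
              for r in records if r.get("event_type") == "alert"]
    # Extracted files are only on disk when Suricata reports them as stored
    stored_files = [(r["fileinfo"]["filename"], r["fileinfo"].get("sha256"))
                    for r in records if r.get("event_type") == "fileinfo" and r["fileinfo"].get("stored")]
    tls_subjects = [r["tls"]["subject"] for r in records if r.get("event_type") == "tls"]
    return {"counts": dict(counts), "alerts": alerts, "stored_files": stored_files, "tls_subjects": tls_subjects}


def context_for(records, ip):
    """Everything except alerts that involves the host: the DNS, TLS, HTTP and file records around an alert."""
    return [r for r in records
            if r.get("event_type") != "alert" and ip in (r.get("src_ip"), r.get("dest_ip"))]


if __name__ == "__main__":
    recs = parse_eve(EVE_SAMPLE)
    print(summarize(recs))
    for r in context_for(recs, "10.0.1.5"):
        print(r["timestamp"], r["event_type"])
```

The point of `context_for` is the one the article makes: with only packet alerts you would see a single signature hit, whereas the protocol logs show the DNS lookup, the TLS session and the HTTP request that preceded it, and the `fileinfo` record tells you the downloaded file was stored for analysis.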
Bro
Bro, sometimes referred to as Bro-IDS, is a bit different from Snort and Suricata. In a way Bro is both a signature- and anomaly-based IDS. Its analysis engine will convert captured traffic into a series of events. An event could be a user logon to FTP, a connection to a website or practically anything. The power of the system is what comes after the event engine, and that's the Policy Script Interpreter. This policy engine has its own language (Bro-Script) and it can do some very powerful and versatile tasks.
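To show why that split matters, here is an added example (my own Python, not Bro's code and not Bro-Script) of the same two-layer design: an event engine that reduces raw records into typed events and a separate policy layer that registers handlers for them. The connection records, event names and the failed-login threshold are constructed for the example.

```python
"""Event engine plus policy layer, in the style the article describes for Bro."""
from collections import defaultdict

# Constructed connection records (not captured traffic): (src, dst, dst_port, first application-layer line)
RECORDS = [
    ("10.0.1.5", "198.51.100.20", 21, "230 Login successful"),
    ("10.0.1.9", "203.0.113.10", 80, "GET / HTTP/1.1"),
    ("10.0.1.9", "203.0.113.10", 80, "GET /login HTTP/1.1"),
    ("10.0.1.9", "198.51.100.20", 21, "530 Login incorrect"),
    ("10.0.1.9", "198.51.100.20", 21, "530 Login incorrect"),
    ("10.0.1.9", "198.51.100.20", 21, "530 Login incorrect"),
]


class EventEngine:
    """Event layer: turns raw records into named events and knows nothing about policy."""

    def __init__(self):
        self.handlers = defaultdict(list)

    def on(self, event_name):
        """Decorator the policy layer uses to attach a handler to an event name."""
        def register(fn):
            self.handlers[event_name].append(fn)
            return fn
        return register

    def emit(self, event_name, **args):
        for fn in self.handlers[event_name]:
            fn(**args)

    def process(self, records):
        for src, dst, port, line in records:
            self.emit("new_connection", src=src, dst=dst, port=port)
            words = line.split()
            if port == 21 and line.startswith("230"):
                self.emit("ftp_login", src=src, dst=dst, success=True)
            elif port == 21 and line.startswith("530"):
                self.emit("ftp_login", src=src, dst=dst, success=False)
            elif port == 80 and len(words) >= 2 and words[0] in ("GET", "POST"):
                self.emit("http_request", src=src, dst=dst, method=words[0], path=words[1])


def run_policy(records, max_failed_logins=3):
    """Policy layer: the handlers, not the engine, decide what is worth a notice."""
    engine = EventEngine()
    notices = []
    failed = defaultdict(int)
    connections = set()
    http_paths = defaultdict(list)

    @engine.on("new_connection")
    def track_connection(src, dst, port):
        connections.add((src, dst, port))

    @engine.on("ftp_login")
    def watch_ftp_logins(src, dst, success):
        if success:
            notices.append(("ftp_login_ok", src, dst))
            return
        failed[(src, dst)] += 1
        if failed[(src, dst)] == max_failed_logins:   # fire once, when the threshold is reached
            notices.append(("ftp_repeated_failed_logins", src, dst))

    @engine.on("http_request")
    def inventory_http(src, dst, method, path):
        http_paths[src].append(path)

    engine.process(records)
    return {"notices": notices, "connections": connections, "http_paths": dict(http_paths)}


if __name__ == "__main__":
    for notice in run_policy(RECORDS)["notices"]:
        print(notice)
```

The engine emits the same events regardless of what anyone cares about; changing what counts as suspicious (the threshold, or a new handler for `http_request`) touches only the policy function, which is the separation the Policy Script Interpreter gives you.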
OpenDLP
OpenDLP isn't really a HIDS, but its functionality makes it worth a mention here. This tool has one goal, and that's DLP, or Data Loss Prevention. It will scan data while it's "at rest", looking for pieces of data like credit card numbers or SSNs, and can be extended with regular expressions to find data that is sensitive to your organization. OpenDLP will look for this data on file systems or even inside databases, on both Windows and Linux. It can also perform these scans via an installable agent or without any software installation.
• Not a FIM or HIDS technically, but interesting
• Very Windows friendly
• Looks for DLP only
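As an added example of what a data-at-rest scan like this does (my own code, not OpenDLP's), here is a minimal file-system scanner: a credit card pattern validated with the Luhn check so that order numbers and similar digit runs do not become false positives, an SSN pattern, a hook for organisation-specific regexes, and masked reporting so the findings themselves do not re-expose the data. The sample files are constructed in a temporary directory; the card number is the publicly known Visa test number, and the SSN and employee id are made up.

```python
"""A small data-at-rest DLP scan: regex patterns, Luhn validation, custom patterns, masked findings."""
import os
import re
import tempfile

# Built-in patterns: card numbers (13-16 digits, optional space/dash separators) and US SSNs
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}

# Constructed example of an organisation-specific pattern (assumed employee id format)
EXTRA_EXAMPLE = {"employee_id": re.compile(r"\bEMP-\d{6}\b")}


def luhn_ok(digits):
    """Luhn checksum: every real card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters in the report."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text, patterns=PATTERNS, extra=None):
    """Return (pattern_name, masked_value) for every hit; card candidates must also pass Luhn."""
    all_patterns = dict(patterns)
    if extra:
        all_patterns.update(extra)
    hits = []
    for name, rx in all_patterns.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if name == "credit_card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue    # digit run of the right shape but not a card number
            hits.append((name, mask(value)))
    return hits


def scan_tree(root, **kw):
    """Walk a directory and map each file with findings to its hits (paths relative to root)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue    # unreadable file: skip rather than abort the scan
            hits = scan_text(text, **kw)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree():
    """Constructed sample files in a fresh temporary directory."""
    root = tempfile.mkdtemp(prefix="dlp-sample-")
    os.makedirs(os.path.join(root, "hr"))
    with open(os.path.join(root, "hr", "payroll.csv"), "w") as fh:
        fh.write("name,ssn\nAlice Example,219-09-9999\n")
    with open(os.path.join(root, "orders.txt"), "w") as fh:
        fh.write("order 1234567890123456 paid with card 4111 1111 1111 1111\n")
    with open(os.path.join(root, "README.txt"), "w") as fh:
        fh.write("nothing sensitive here, contact EMP-004211 for access\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print(scan_tree(sample))
    print(scan_tree(sample, extra=EXTRA_EXAMPLE))
```

Note that `orders.txt` contains two sixteen-digit runs: the order number fails Luhn and is dropped, the test card number passes and is reported masked. The employee id only shows up once the organisation-specific pattern is passed in via `extra`, which is the role the article gives OpenDLP's custom regular expressions.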