top of page

IDS/IPS: Deciphering the Layers of Intrusion Detection System and Intrusion Prevention System

In the ever-evolving landscape of cybersecurity, Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) emerge as stalwart guardians, shielding networks from nefarious activities. These systems employ a diverse array of detection techniques, each carrying its distinct advantages and constraints. Let's navigate the complexities of IDS/IPS, unraveling the intricacies of detection methodologies and their subtle nuances.


Detection Techniques in IDS/IPS: Unveiling the Arsenal


  1. Pattern Matching: The Signature-Based Sentry

  • Overview: Pattern matching, a signature-based detection method, excels in identifying established attack patterns.

  • Advantages: Recognizes well-known attacks, fortifying defenses against established threats.

  • Drawbacks: Limited in detecting new attacks; frequent rule updates may lead to potential false positives (F/P).

  1. Statistical Anomaly Detection: Navigating the Normal-Abnormal Spectrum

  • Overview: Anomaly-based, focuses on deviations from normal network behavior.

  • Advantages: Capable of detecting unknown attacks by highlighting deviations from established baselines.

  • Drawbacks: Prone to generating numerous false positives due to sensitivity to anomalies.

  1. Policy-Based Detection: Enforcing Order Through Policies

  • Overview: Detection hinges on predefined policies; any deviation triggers an alert.

  • Advantages: Offers a tailored approach with defined policies for specific environments.

  • Drawbacks: Limited adaptability to emerging threats, heavily reliant on pre-established policies.

  1. Stateful Protocol Analysis Detection: Unveiling Payload Secrets

  • Overview: Analyzes TCP/UDP payloads for potential threats.

  • Advantages: Offers in-depth analysis by scrutinizing the content of network packets.

  • Drawbacks: Resource-intensive; may not catch sophisticated attacks embedded in encrypted payloads.

Types of IDS/IPS and Operational Modes: Navigating the Cybersecurity Landscape


  • Network-based IDS (NIDS): Monitors network traffic passively, identifies suspicious patterns without actively blocking.

  • Host-based IDS (HIDS): Focuses on individual devices, analyzing local logs for signs of intrusion.

  • Wireless IPS (WIPS): Specialized in securing wireless networks, detecting and preventing unauthorized access.


Operational Modes: Passive vs. Inline

  • Passive Mode: IDS operates passively, observing and alerting without actively blocking traffic.

  • Inline Mode: IPS actively intervenes, blocking traffic upon detecting a rule match.


Depth of Inspection: Layering Security Measures

  • IDS: Scrutinizes network packets from Layer 2 to Layer 7, providing comprehensive packet analysis.

  • IPS: Concentrates on Layer 3 to Layer 4, ensuring a vigilant watch over the network's transport layer.


In conclusion, IDS/IPS stands as a critical fortress in the cybersecurity landscape. Understanding the intricacies of detection techniques and operational modes is imperative for organizations to construct robust defense mechanisms against evolving cyber threats.


IDS and IPS Actions List


Analyzing logs is crucial when assessing the criticality of a situation, and the actions taken play a pivotal role. The names of these actions may vary depending on the products.

Here is a general list of actions you might encounter during log analysis:


  1. Allow: Permits the traffic without any intervention.

  2. Alert: Serves as a notification. If the attack volume exceeds a predefined threshold, an alert is generated. Since alert responses do not initiate any block action, taking further action is necessary.

  3. Drop: Disallows the traffic without generating any response.

  4. Deny: Rejects the traffic, indicating a refusal.

  5. Reset Client: If the protocol used is TCP, the client terminates the connection. For UDP, it implies blocking the traffic.

  6. Reset Server: Indicates the termination of the connection from the server side.

  7. Reset Both: Signifies the termination of the traffic from both the client and server sides.

  8. Block IP: Prevents traffic from a specific IP address.

  9. Sinkhole: Redirects detected DNS queries for a malicious domain to an IP address used for sinkholing. Sinkholing ensures that DNS queries for a malicious domain are not processed. It is a secure action.


In log analysis, understanding these actions is essential for making informed decisions and responding effectively to various situations.



Snort: An Intrusion Detection and Prevention System


What is Snort?

Snort is an open-source network intrusion detection and prevention system (NIDS/NIPS) developed by Sourcefire, now a part of Cisco. It is widely used for detecting and preventing various types of attacks on computer networks.


Key Features of Snort:

  1. Packet Sniffing: Snort captures and analyzes network packets in real-time.

  2. Signature-Based Detection: It uses a signature-based approach, comparing network traffic against a predefined set of rules to identify known threats.

  3. Protocol Analysis: Snort can perform protocol analysis, identifying deviations from expected behaviors.

  4. Logging and Reporting: The system logs detected events, allowing administrators to review and respond to potential security threats.

  5. Flexibility: Snort is highly customizable, enabling users to create and modify rules to suit specific network environments.


Example Snort Rule:

A Snort rule consists of several components, including the rule header and rule options. Here's an example rule:

alert tcp any any -> any 80 (content:"GET"; msg:"HTTP GET Request"; sid:100001;)

alert tcp any any -> any 80 (content:"GET"; msg:"HTTP GET Request"; sid:100001;)

Explanation:

  • alert: Specifies that Snort should generate an alert when the rule matches.

  • tcp: Indicates the protocol (in this case, TCP).

  • any any -> any 80: Defines the source and destination IP addresses and ports.

  • content:"GET";: Specifies the content to match within the packet (in this case, the string "GET").

  • msg:"HTTP GET Request";: Sets the alert message.

  • sid:100001;: Assigns a unique ID to the rule.


Scenario:

Consider a scenario where you want to detect HTTP GET requests to your web server. The example rule provided will trigger an alert whenever Snort detects a TCP packet with the string "GET" in its payload destined for port 80.

In this scenario:


  • Action: Alert.

  • Protocol: TCP.

  • Source and Destination Ports: Any to 80 (HTTP).

  • Content: "GET" within the packet payload.


This rule helps in identifying potential HTTP-based attacks or unauthorized access attempts targeting the web server. Administrators can then review the logs generated by Snort and take appropriate actions to secure the network.






72 views0 comments

Comments


bottom of page