An Intrusion Detection System (IDS) is used to monitor the entire network, it detects intruders; that is, unexpected, unwanted or unauthorized people or programs on network.
An Intrusion Detection System has a number of sensors that is used to detect unwanted or unexpected flow of network traffic, the major sensors as follows:
- A sensor monitor log files
- A sensor monitor TCP ingoing or outgoing connections
How Intrusion Detection System Works?
Intrusion detection system works by collecting information and then examining it. IDS collects data from it sensors and analyze this data to give notice to the system administrator about malicious activity on the network.
An intrusion detection system can be run manually but most IT administrators find it easier to automate the system checks to ensure that nothing is accidentally overlooked.
We can mainly categorize an IDS into two type:
1. NIDS (Network Intrusion Detection Systems).
2. HIDS (Host Intrusion Detection Systems)
There is still a question, why we use IDS if there is firewall to perform these tasks, Firewall is used to stop unwanted traffic from entering or leaving the internal enterprise network, where as the IDS is deployed to monitor traffic in vital segments in the network, generating alerts when an intrusion is detected.
A firewall has got holes to let things through, without it you wouldn’t be able to access the Internet or send or receive emails, there are different ways to bypass or cheat a firewall.
Snort is an excellent open source Network Intrusion Detection System, OSSEC is an Open Source Host-based Intrusion Detection System.
Below is an an overview of the basic architecture as well as practical examples of how to customize Open Source Host-based Intrusion Detection System to manage logging from your infrastructure and applications.