IDS & IPS with Snort
Intrusion detection and intrusion prevention have long been popular topics in computer security, and many of those conversations involve Snort at some point. Snort is a highly configurable security application that can work as either a host-based or network-based IDS or IPS. The key difference between an IDS and an IPS is that an IDS generates detailed logs based on rules describing attack signatures, but it takes no action against the attacker. An IPS, on the other hand, can rewrite firewall rules on the fly to keep out traffic that has been detected as malicious. Snort is a popular open source application that is used by over 100,000 businesses worldwide and has portions of its code embedded in no fewer than 45 commercially available appliances.
An IDS will generally be deployed in one of two fashions:
- Host-based IDS
  - Monitors incoming packets and compares them against rules to determine the response
  - Examines system logs for unusual entries such as repeated login attempts (tracked statefully across entries)
  - Verifies filesystem integrity
- Network-based IDS
  - Monitors all subnet traffic with the NIC in promiscuous mode (achieved with libpcap)
  - Generates real-time alerts for attacks
  - Writes log files to support the subsequent investigation of an intrusion
  - Accepts CIDR notation (e.g. the class C network 192.168.1.0 with netmask 255.255.255.0 becomes 192.168.1.0/24)
An IPS can be configured similarly, but instead of capturing traffic with libpcap it uses libipq to receive the packets that the iptables QUEUE target hands off to user space, which is what allows it to act on traffic rather than only observe it.
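To make the IDS/IPS distinction and the rule-header matching concrete, here is an added example (not Snort's own code) that parses a Snort-style rule header with a CIDR destination, matches it against constructed packet records, and shows how an IDS only records alerts while an IPS also reaches a blocking decision once the same source trips a rule repeatedly. The rule text, sid and sample addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Snort rule header layout: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(alert|drop|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unparseable rule: {text}")
    action, proto, src, sport, dst, dport, opts = m.groups()
    # Options are ';'-separated key:value pairs, e.g. msg:"..."; sid:1000001;
    options = dict(o.strip().partition(":")[::2] for o in opts.split(";") if o.strip())
    options = {k: v.strip().strip('"') for k, v in options.items()}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": options}

def _addr_matches(pattern, addr):
    # 'any' matches everything; otherwise a CIDR block (192.168.1.0/24) or a single host
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def _port_matches(pattern, port):
    return pattern == "any" or int(pattern) == port

def rule_matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and _addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
            and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"]))

def inspect(rules, packets, mode="ids", threshold=3):
    """Return (alerts, blocked_sources). An IDS only records alerts; an IPS also decides
    to block a source once a rule has fired `threshold` times from it (the stateful
    'repeated attempts' case, where a real IPS would rewrite firewall rules)."""
    alerts, blocked, hits = [], set(), Counter()
    for pkt in packets:
        for rule in rules:
            if not rule_matches(rule, pkt):
                continue
            sid = rule["opts"]["sid"]
            alerts.append((sid, pkt["src"], rule["opts"]["msg"]))
            hits[(sid, pkt["src"])] += 1
            if mode == "ips" and hits[(sid, pkt["src"])] >= threshold:
                blocked.add(pkt["src"])
    return alerts, sorted(blocked)

RULES = [parse_rule('alert tcp any any -> 192.168.1.0/24 22 (msg:"SSH connection attempt"; sid:1000001;)')]
# Constructed sample traffic: three SSH attempts from one host plus one unrelated HTTP packet
PACKETS = [{"proto": "tcp", "src": "10.0.0.5", "sport": 40000 + i, "dst": "192.168.1.10", "dport": 22}
           for i in range(3)]
PACKETS.append({"proto": "tcp", "src": "10.0.0.9", "sport": 51000, "dst": "192.168.1.20", "dport": 80})
```

Calling `inspect(RULES, PACKETS, mode="ids")` yields three alerts and no blocked sources, while `mode="ips"` yields the same alerts plus `["10.0.0.5"]` as the source to block.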