An Intrusion Detection System (IDS) inspects all inbound and outbound network activity and looks for suspicious patterns that indicate an attempt to break into or damage a system, that is, a network attack or a system attack. An IDS differs from a firewall in that a firewall focuses on preventing an intrusion from occurring: it restricts access between networks to stop intrusions, but it raises no alarm for attacks that originate inside the network. An IDS, by contrast, evaluates suspected intrusions and issues a warning when they occur, and it can also observe internal attacks. In this sense an IDS may be the more comprehensive of the two. Today, let's take a look at the five most famous intrusion detection systems below.
1. Snort: an open-source IDS that almost everyone loves. It uses a flexible rule-based language to describe traffic and combines signature-, protocol- and anomaly-based detection methods. It is updated extremely quickly, and it has become the most widely deployed intrusion detection technology in the world and the standard for defensive technology. Through protocol analysis, content searching and a variety of preprocessors, Snort can detect thousands of worms, vulnerability exploitation attempts, port scans and other suspicious behaviour. Note that you should look at the free BASE for analysing Snort alerts.
2. OSSEC HIDS: an open-source host-based intrusion detection system that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active, timely response. Beyond its IDS function, it can also be used as an SEM/SIM solution. Because of its powerful log analysis engine, Internet service providers, universities and data centres are happy to run OSSEC HIDS to monitor and analyse their firewall, IDS, web server and authentication logs. (Screenshot: OSSEC running on Windows.)
3. fragroute/Fragrouter: a toolkit for evading network intrusion detection. It is a self-contained fragmenting router that can intercept, modify and rewrite traffic destined for a specific host, and with it a variety of attacks can be implemented, such as insertion, evasion and denial-of-service attacks. It has a simple rule set for delaying packets sent to a specific host, or duplicating, dropping, fragmenting, overlapping, printing, recording and source-routing them. Strictly speaking, this tool is meant to help test network intrusion detection systems; it can also help test firewalls and basic TCP/IP stack behaviour. Do not abuse this software.
4. BASE: the Basic Analysis and Security Engine. BASE is a PHP-based analysis engine that can search and process security event data generated by a variety of IDSs, firewalls and network monitoring tools. Its features include a query builder and search interface for finding alerts that match different criteria, a packet viewer/decoder, and statistical charts based on time, signature, protocol and IP address.
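As an added illustration of the kind of alert processing BASE performs on Snort output (example code written for this article, not part of Snort or BASE): a small Python parser for Snort's "fast" alert format that aggregates alerts by signature, source host and priority. The sample alert lines, rule SIDs and addresses are constructed, and the parser assumes IPv4 addresses only.

```python
import re
from collections import Counter
from typing import Optional

# Matches one line of Snort's "fast" alert output (alert_fast). Assumptions: IPv4 only;
# the Classification field and the ports (absent for ICMP alerts) are optional.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict for a well-formed line, or None for anything else."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key]) if d[key] is not None else None
    return d

def summarize(lines) -> dict:
    """Aggregate alerts by signature, source host and priority; unparsable lines are skipped."""
    alerts = [a for a in map(parse_fast_alert, lines) if a]
    return {
        "total": len(alerts),
        "by_signature": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_priority": Counter(a["prio"] for a in alerts),
    }

# Constructed sample alerts (not real traffic); addresses come from documentation ranges.
SAMPLE_ALERTS = """\
01/28-22:26:04.877970  [**] [1:1000001:1] SCAN possible port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:41022 -> 192.0.2.10:22
01/28-22:26:05.102311  [**] [1:1000001:1] SCAN possible port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:41023 -> 192.0.2.10:23
01/28-22:27:41.000123  [**] [1:1000002:3] ICMP echo request from external host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
01/28-22:30:00.555555  [**] [1:1000003:1] WEB suspicious traversal in URI [**] [Priority: 1] {TCP} 198.51.100.4:53311 -> 192.0.2.20:80
this line is not a snort alert
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```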
5. Sguil: a console tool for network security analysts to monitor network activity. It can be used for network security analysis. Its main component is an intuitive GUI that provides real-time event data from Snort/barnyard. Other components can be used to implement event-driven analysis of network security monitoring activity and IDS alerts.