Intrusion detection and prevention system

An Intrusion Detection System (IDS) monitors network or application activity for malicious behavior. An Intrusion Prevention System (IPS) identifies malicious activity in the same way as an IDS, logs it, blocks it, and finally sends an intrusion report to an administrator. In other words, an IPS extends IDS functionality by actively blocking detected cyberattacks: it triggers alarms in a system, drops malicious packets, or even blocks the intruder's IP address.

There are two types of IDPS:

  • Network-based
  • Host-based

Network-based IDPS

Use Network-based IDPS (NIDPS) to detect:

  • General purpose cyberattacks
  • Probes initiated as a part of targeted attacks
  • Policy violations, for example, the use of prohibited communication tools, social networks, TOR access points, Bitcoin miners, and so on.

NIDPS is the preferable option to deploy in a cloud infrastructure.

There are two types of NIDPS based on detection type:

  • Signature-based
  • Anomaly-based

Both work in much the same way: they perform real-time traffic scanning and analysis, logging, protocol analysis, and content detection.
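
An added example, not part of the original page, contrasting the two detection types on one constructed traffic window: the signature engine flags a prohibited miner and a known attack pattern, while the anomaly engine flags a port probe that carries no payload to match. The signatures, packet fields, addresses, and baseline values are constructed for illustration and do not come from any real ruleset.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed signatures for illustration; real deployments load a maintained ruleset.
SIGNATURES = {
    "policy: Stratum mining client": re.compile(rb'"method"\s*:\s*"mining\.subscribe"'),
    "attack: HTTP path traversal": re.compile(rb"^GET \S*\.\./\.\./"),
}

def signature_alerts(packets):
    """Signature-based detection: match each payload against known patterns."""
    return [(p["src"], name)
            for p in packets
            for name, rx in SIGNATURES.items()
            if rx.search(p["payload"])]

def anomaly_alerts(baseline_port_counts, packets, threshold=3.0):
    """Anomaly-based detection: flag sources that touch far more distinct
    destination ports in this window than the learned baseline."""
    mu = mean(baseline_port_counts)
    sigma = pstdev(baseline_port_counts) or 1.0  # avoid division by zero
    ports = defaultdict(set)
    for p in packets:
        ports[p["src"]].add(p["dport"])
    return sorted(src for src, seen in ports.items()
                  if (len(seen) - mu) / sigma > threshold)

# Constructed traffic window (documentation address ranges).
WINDOW = (
    [{"src": "192.0.2.10", "dport": 443, "payload": b"GET /index.html HTTP/1.1"}]
    + [{"src": "192.0.2.20", "dport": 3333,
        "payload": b'{"id":1,"method":"mining.subscribe","params":[]}'}]
    + [{"src": "198.51.100.7", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.1"}]
    # A probe: empty payloads to 40 ports, so no signature can match.
    + [{"src": "203.0.113.5", "dport": port, "payload": b""} for port in range(20, 60)]
)
# Distinct ports per host per window, observed during normal operation (constructed).
BASELINE = [1, 2, 1, 3, 2, 2, 1, 2]

if __name__ == "__main__":
    print("signature:", signature_alerts(WINDOW))
    print("anomaly:  ", anomaly_alerts(BASELINE, WINDOW))
```

The anomaly engine depends entirely on the quality of its baseline, which is why the two approaches are usually run side by side.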

The available open source solutions are: Suricata, Snort, and Bro.


To visualize information from Suricata logs, use the Snorby, BASE, or Sguil GUI applications.

Download rulesets for Snort and Suricata from the EmergingThreats repository.

To improve detection capabilities of your IDPS, purchase the ET Pro ruleset, which provides more frequent updates and extra rules to block targeted attacks such as C&C servers, DoS attacks, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, exploit kit activity, and more.

NIDPS can monitor network traffic in several ways:

  • Inline

    This may affect network channel throughput, and a failure of the IDPS may disconnect the internal network from external resources.

  • Using a switch spanning port

    You can use vSwitch Switched Port Analyzer (SPAN) or Remote Switched Port Analyzer (RSPAN) for port mirroring.

  • Using a network tap

    You can use Tap-as-a-Service (TaaS), a project developed to introduce port mirroring functionality in OpenStack Neutron provisioned networks.

  • Listening directly to a physical interface on a host.

    For example, on a compute node.

You can deploy NIDPS:

  • Inline with a Firewall on a gateway when using the service-leg DMZ.
  • On a compute node to listen to the network traffic of projects hosted on this node.
  • On a network controller.
  • On a VM. This is the preferable way, which enables easy scaling, migration, and deployment. You only need to mirror traffic from a VM to the monitoring VM that runs the NIDPS.

You can use a standalone open source NIDPS or commercial NGFW, NGIPS, and UTM solutions that include an NIDPS component.

Host-based IDPS

NIDPS does not protect from layer 7 attacks. If an attack exploits an unknown vulnerability, you need a Host-based IDPS (HIDPS), which monitors a host for suspicious activity by analyzing anomalies occurring within that host.

HIDPS may include a firewall, an exploit prevention module, application control, file integrity monitoring, log monitoring, policy enforcement, and an antivirus signature scanner.

The open source OSSEC HIDPS is available for Linux, Solaris, AIX, HP-UX, BSD, Windows, Mac, and vSphere/ESXi.

Accelerate IDPS

To sniff a channel faster than 1 Gbps, use a packet steering solution such as PF_RING.

PF_RING is an open source packet processing framework for Linux that provides Direct NIC Access (DNA), bypassing the kernel for line-rate RX/TX packet processing. The kernel does not need to spend CPU cycles on processing network packets: PF_RING sends packets directly from the NIC to the IDS application. This is called zero-copy (ZC, 0-copy) and helps improve the performance of network traffic analysis.

PF_RING also supports 1-copy mode for non-Intel NICs and wireless connections. These packets can be injected into a 0-copy stream.

PF_RING ZC can send packets to a VM with an IDPS installed on it.

The following solutions support PF_RING ZC:

  • Snort, Suricata, Bro, Wireshark scanners
  • KVM
  • Docker containers

PF_RING supports 1/10/40/100 Gbit NIC adapters from the following vendors:

  • Intel
  • Accolade Technologies
  • Telesoft
  • Napatech
  • Mellanox Technologies