One Article Review

Home - The article:
Source: AlienVault Blog
Identifier 886698
Publication date 2018-11-08 14:00:00 (viewed: 2018-11-08 16:00:42)
Title Beginner's Guide to Open Source Intrusion Detection (IDS) Tools
Text

Originally written by Joe Schreiber. Re-written and edited by Trevor Giffen (Editorial Contractor). Re-re-edited and expanded by Rich Langston.

Whether you need to monitor hosts or the networks connecting them to identify the latest threats, there are some great open source intrusion detection (IDS) tools available to you.

List of Open Source IDS Tools
- Snort
- Suricata
- Bro
- OSSEC
- Samhain Labs
- OpenDLP

IDS Detection Techniques

There are two primary threat detection techniques: signature-based detection and anomaly-based detection. These detection techniques matter when you're deciding whether to go with a signature or anomaly detection engine, but vendors have become aware of the benefits of each, and some are building both into their products. Learning their strengths and weaknesses enables you to understand how they can complement one another.

Signature-based IDS Tools

With a signature-based IDS, aka knowledge-based IDS, the engine searches traffic for rules or patterns of known malicious activity. Once a match to a signature is found, an alert is sent to your administrator. These alerts can surface issues such as known malware, network scanning activity, and attacks against servers.

Anomaly-based IDS Tools

With an anomaly-based IDS, aka behavior-based IDS, the activity that generated the traffic is far more important than the payload being delivered. An anomaly-based IDS tool relies on baselines rather than signatures. It searches for unusual activity that deviates from statistical averages of previous activities or from previously seen activity. For example, if a user always logs into the network from California and accesses engineering files, and the same user then logs in from Beijing and looks at HR files, this is a red flag.

Both signature-based and anomaly-based detection techniques are typically deployed in the same manner, though one could make the case that you could (and people have) build an anomaly-based IDS on externally collected NetFlow data or similar traffic information.

Advantages and Disadvantages

Fewer false positives occur with signature-based detection, but only known signatures are flagged, leaving a security hole for new and yet-to-be-identified threats. More false positives occur with anomaly-based detection, but if configured properly it catches previously unknown threats.

Network-Based IDS (NIDS)

Network-based intrusion detection systems (NIDS) operate by inspecting all traffic on a network segment in order to detect malicious activity. With NIDS, a copy of the traffic crossing the network is delivered to the NIDS device by mirroring the traffic crossing switches and/or routers. A NIDS device monitors and alerts on traffic patterns or signatures. When malicious events are flagged by the NIDS device, vital information is logged. This data needs to be monitored in order to know that an event happened. By combining this information with events collected from other systems and devices, you can see a complete picture of your network's security posture. Note that none of the tools here correlate logs by themselves; that is generally the function of a Security Information and Event Manager (SIEM).

Snort

Ah, the venerable piggy that loves packets. Many people will remember 1998 as the year Windows 98 came out, but it was also the year that Martin Roesch first released Snort. Although Snort wasn't a true IDS at the time, that was its destiny. Since then it has become the de-facto standard for IDS, than
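To make the two techniques the guide contrasts concrete, here is an added example (not code from the AlienVault article or from any of the tools it lists): a toy signature matcher over request payloads beside a toy per-user baseline that flags the California-to-Beijing login scenario described above. The signature rule and the login records are constructed for the demonstration.

```python
"""Toy signature-based and anomaly-based detectors over constructed events."""
from collections import defaultdict

# Constructed signature rule: a known-bad pattern looked for in payloads.
SIGNATURES = {"etc-passwd-probe": b"/etc/passwd"}


def signature_matches(payload):
    """Return the names of known-bad signatures found in the payload.

    This only ever fires on patterns already in SIGNATURES, which is the
    'known threats only' limitation the guide describes.
    """
    return [name for name, pat in SIGNATURES.items() if pat in payload]


# Constructed login events: (user, source location, resource accessed).
LOGINS = [
    ("alice", "California", "engineering"),
    ("alice", "California", "engineering"),
    ("alice", "California", "engineering"),
    ("alice", "Beijing", "hr"),
]


def anomaly_alerts(events, min_baseline=2):
    """Flag logins whose location or resource deviates from the user's baseline.

    The baseline is the set of locations and resources seen in the user's
    earlier events. A deviation is only reported once at least `min_baseline`
    prior events exist, so the first logins build the profile instead of
    firing alerts (a lower threshold means more false positives).
    """
    profiles = defaultdict(lambda: {"locations": set(), "resources": set(), "count": 0})
    alerts = []
    for user, location, resource in events:
        profile = profiles[user]
        if profile["count"] >= min_baseline:
            reasons = []
            if location not in profile["locations"]:
                reasons.append("new location " + location)
            if resource not in profile["resources"]:
                reasons.append("new resource " + resource)
            if reasons:
                alerts.append((user, "; ".join(reasons)))
        profile["locations"].add(location)
        profile["resources"].add(resource)
        profile["count"] += 1
    return alerts
```

Running `anomaly_alerts(LOGINS)` returns one alert for the Beijing/HR login, while `signature_matches` stays silent on anything not already in its rule set.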
Sent Yes
Tags Tool Threat
The article does not appear to have been picked up after its publication.


The article does not appear to repeat an earlier one.