Posted by: Ken Harthun
IDS, Intrusion detection, Intrusion prevention, Open Source
A while back, a client heard some mention of Intrusion Detection Systems and naturally had to ask me, “What the heck are Intrusion Detection Systems?” (That’s where these “What the heck…” ideas all come from, you know.) I explained it as simply as I could at the time, but I like having something to point to with authority, something with some outbound links to more information; hence, this post.
CERIAS, The Center for Education and Research in Information Assurance and Security, which publishes an excellent list of IDS resources, gives this description:
The purpose of an intrusion detection system (or IDS) is to detect unauthorized access or misuse of a computer system. Intrusion detection systems are kind of like burglar alarms for computers. They sound alarms and sometimes even take corrective action when an intruder or abuser is detected. Many different intrusion detection systems have been developed but the detection schemes generally fall into one of two categories, anomaly detection or misuse detection. Anomaly detectors look for behavior that deviates from normal system use. Misuse detectors look for behavior that matches a known attack scenario. A great deal of time and effort has been invested in intrusion detection, and this list provides links to many sites that discuss some of these efforts.
There is a sub-category of intrusion detection systems called network intrusion detection systems (NIDS). These systems monitor packets on the network wire and look for suspicious activity. A network intrusion detection system can watch many computers at once from a single vantage point on the network, while a host-based intrusion detection system monitors only the machine it is installed on.
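The two detection schemes in the CERIAS description above, misuse detection and anomaly detection, are easiest to see side by side on the same input. The following is an added example written for this post, not code from CERIAS or from any of the IDS products listed below; the sshd log lines are constructed, and the signature names, the three-sigma threshold and the function names are choices made for the illustration.

```python
"""
Toy log-based IDS demonstrating the two detection schemes the CERIAS
description distinguishes: misuse (signature) detection and anomaly
(deviation from a learned baseline) detection.  Added illustration only;
the sshd log lines below are constructed, not captured from a real host.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed "known good" window used to learn what normal failed-login volume looks like.
BASELINE_LOG = """\
Jan 10 09:00:01 host sshd[90]: Failed password for alice from 10.0.0.5 port 50001 ssh2
Jan 10 09:00:07 host sshd[91]: Accepted password for alice from 10.0.0.5 port 50002 ssh2
Jan 10 09:01:03 host sshd[92]: Accepted publickey for bob from 10.0.0.6 port 50003 ssh2
Jan 10 09:02:11 host sshd[93]: Failed password for carol from 10.0.0.7 port 50004 ssh2
Jan 10 09:02:15 host sshd[94]: Accepted password for carol from 10.0.0.7 port 50005 ssh2
Jan 10 09:03:20 host sshd[95]: Failed password for bob from 10.0.0.6 port 50006 ssh2
Jan 10 09:03:25 host sshd[96]: Failed password for bob from 10.0.0.6 port 50007 ssh2
Jan 10 09:03:31 host sshd[97]: Accepted password for bob from 10.0.0.6 port 50008 ssh2
"""

# Constructed window under inspection: normal logins plus a password-guessing burst from one source.
TEST_LOG = """\
Jan 10 10:00:01 host sshd[101]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Jan 10 10:00:05 host sshd[102]: Failed password for root from 203.0.113.7 port 40000 ssh2
Jan 10 10:00:06 host sshd[103]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jan 10 10:00:07 host sshd[104]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Jan 10 10:00:08 host sshd[105]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2
Jan 10 10:00:09 host sshd[106]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jan 10 10:00:30 host sshd[107]: Failed password for bob from 10.0.0.6 port 51001 ssh2
Jan 10 10:00:35 host sshd[108]: Accepted password for bob from 10.0.0.6 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse(log):
    """Yield (event, user, src) for each sshd auth line; unrelated lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("event"), m.group("user"), m.group("src")


# Misuse detection: each signature encodes one known attack pattern and names it.
SIGNATURES = [
    ("root password guess", re.compile(r"Failed password for root from (?P<src>[\d.]+)")),
    ("probe for non-existent account", re.compile(r"Failed password for invalid user \S+ from (?P<src>[\d.]+)")),
]


def misuse_alerts(log):
    """Return {(signature name, source IP): hit count} for every line matching a known-bad pattern."""
    hits = Counter()
    for line in log.splitlines():
        for name, pat in SIGNATURES:
            m = pat.search(line)
            if m:
                hits[(name, m.group("src"))] += 1
    return dict(hits)


def failed_per_src(log):
    """Count failed authentications per source IP (the feature the anomaly detector models)."""
    counts = Counter()
    for event, _user, src in parse(log):
        if event == "Failed":
            counts[src] += 1
    return counts


def anomaly_alerts(baseline_log, log, k=3.0):
    """Flag sources whose failed-login count exceeds mean + k * stddev of the baseline window."""
    base_counts = list(failed_per_src(baseline_log).values())
    threshold = mean(base_counts) + k * pstdev(base_counts) if base_counts else 0.0
    return {src: n for src, n in failed_per_src(log).items() if n > threshold}
```

Run against the constructed window, the misuse detector reports three "root password guess" hits and two "probe for non-existent account" hits, all from 203.0.113.7, and tells you exactly what it saw; it says nothing about bob's single failure on line 107, and it would say nothing about a burst of guesses against valid usernames either, because no signature covers that. The anomaly detector flags 203.0.113.7 with no signature at all, purely because five failures is far above the one or two per source seen in the baseline, but it would flag a legitimate user who fat-fingers a password five times just as readily, which is the false-positive cost of the approach. Both schemes depend on their inputs: a signature set that is not updated misses new attacks, and a baseline learned from a window that already contained the attacker's noise teaches the detector that the noise is normal.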
One common IDS misconception I run into all the time is that the people who break into your systems and cause mayhem are usually outsiders. The reality, especially in corporate environments, is that insiders can and often do account for the majority of security breaches. The easiest way in is physical access: once someone can put their hands on a machine, preventive measures rarely stop them. An attacker who already holds an account on a system, at whatever permission level, can exploit unpatched vulnerabilities to escalate privileges. And there are plenty of ways to reach a system remotely as well. This is one reason to pair a network IDS with host-based monitoring: a file integrity checker flags a changed binary or configuration file no matter which route the intruder took in.
Open Source Intrusion Detection Systems
As you know, I’m a big advocate of Open Source. Below are a few of the open source intrusion detection systems:
AIDE (http://sourceforge.net/projects/aide) – Self-described as “AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more. There are other free replacements available so why build a new one? All the other replacements do not achieve the level of Tripwire. And I wanted a program that would exceed the limitations of Tripwire.”
File System Saint (http://sourceforge.net/projects/fss) – Self-described as, “File System Saint is a lightweight host-based intrusion detection system with primary focus on speed and ease of use.”
Snort (www.snort.org) – Self-described as “Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and approximately 300,000 registered users, Snort has become the de facto standard for IPS.”
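AIDE and File System Saint above are host-based tools of the Tripwire family: they record a baseline of what the files on a system look like and later report anything added, removed or altered. The following is an added illustration of that technique written for this post, not code from AIDE, File System Saint or Tripwire; the scratch directory tree, the "intrusion" it simulates and the function names are constructed for the example.

```python
"""
Toy file-integrity checker showing what host-based IDS such as AIDE and
Tripwire do: snapshot hashes and metadata of every file, then diff a later
snapshot against the baseline.  Added illustration; not any product's code.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative path: (sha256, size, mode)} for every regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope for this toy version
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # mtime is deliberately not recorded: an intruder can reset it with touch(1),
            # whereas a content hash changes whenever the bytes do.
            db[rel] = (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))
    return db


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def _write(root, rel, data, mode=None):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Build a constructed scratch tree, baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/motd", b"welcome\n")
        _write(root, "bin/ls", b"\x7fELF original ls", 0o755)
        baseline = snapshot(root)

        # Simulated intrusion: backdoor account appended, binary trojaned with a
        # same-length replacement (size and mode unchanged, only the hash differs),
        # one file deleted, one tool dropped.
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        _write(root, "bin/ls", b"\x7fELF trojaned ls", 0o755)
        os.remove(os.path.join(root, "etc", "motd"))
        _write(root, "bin/nc", b"\x7fELF dropped tool", 0o755)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The report lists bin/nc as added, etc/motd as removed and bin/ls and etc/passwd as changed; the trojaned ls is caught even though its size and permissions match the original, which is why these tools hash content rather than trusting metadata. The weak point of every checker in this family is the baseline itself: an intruder with root who can rewrite the database simply re-baselines the compromised system, so the database (and ideally the checker binary) must live on read-only media or a separate host, and the comparison should run from that trusted copy.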
Commercial Intrusion Detection Systems
If you are looking for Commercial Intrusion Detection Systems, here are a few of those as well:
Tripwire – http://www.tripwire.com
IBM Internet Security Systems – http://www.iss.net
eEye Digital Security – http://www.eeye.com