Sunday 25 September 2011

Intrusion detection system (IDS)


An intrusion detection system is a set of methods used to monitor system or network activity and detect malicious activity. Intrusion detection is the act of detecting unwanted traffic on a network or a device; it is used to detect an intruder who is attempting to gain unauthorized access. An IDS can be a piece of installed software or a physical appliance that monitors network traffic in order to detect unwanted activity and events such as illegal and malicious traffic, traffic that violates security policy, and traffic that violates acceptable use policies.


Intrusion detection provides the following:
· Monitoring and analysis of user and system activity
· Auditing of system configurations and vulnerabilities
· Assessing the integrity of critical system and data files
· Statistical analysis of activity patterns based on the matching to known attacks
· Abnormal activity analysis
· Operating system audit


Many IDS tools will also store a detected event in a log to be reviewed at a later date, or will combine events with other data to make decisions regarding policies or damage control. The most popular open-source intrusion detection system (IDS) is Snort, developed by Sourcefire. Snort can detect thousands of worms, vulnerability exploit attempts, port scans, and other suspicious activities. Snort is available for both Linux and Windows platforms as source files and binaries. Click the following link to download Snort.
http://www.snort.org/snort-downloads?


Network based IDS: A network monitor (e.g. the Dragon Sensor) watches live network packets and looks for signs of computer crime, network attacks, network misuse and anomalies. Once an attack is identified, or abnormal behavior is sensed, an alert can be sent to the administrator. An example NIDS deployment would be installing the sensor on the subnet where your firewalls are located, in order to see whether someone is trying to break into your firewall.


Host based IDS: A host monitor (e.g. the Dragon Squire) looks at system logs for evidence of malicious or suspicious application activity in real time. It also monitors key system files for evidence of tampering.
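As an added illustration of the two host-based checks just described (and of the file-integrity and activity-pattern items in the list earlier), the following Python is example code written for this post, not part of Dragon Squire or any IDS product. The watched files and the sshd log lines are constructed in memory, and the threshold of three failed logins is an arbitrary choice.

```python
import hashlib
import re
from collections import Counter

# Constructed in-memory "filesystem": path -> contents. Stands in for the
# key system files a host monitor would watch (example code, not a product).
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/usr/bin/login": b"\x7fELF-constructed-binary\n",
}

def take_baseline(files):
    """Record a SHA-256 digest for every watched file (the trusted state)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def check_integrity(baseline, current_files):
    """Compare the live files against the baseline and report tampering."""
    current = take_baseline(current_files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

# Constructed auth log lines in the usual sshd format (no real hosts involved).
AUTH_LOG = """\
Sep 25 10:01:02 host sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Sep 25 10:01:03 host sshd[2001]: Failed password for root from 198.51.100.7 port 40002 ssh2
Sep 25 10:01:04 host sshd[2001]: Failed password for admin from 198.51.100.7 port 40003 ssh2
Sep 25 10:01:05 host sshd[2003]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Sep 25 10:01:06 host sshd[2001]: Failed password for root from 198.51.100.7 port 40004 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")

def failed_login_sources(log_text, threshold=3):
    """Count failed logins per source address; flag sources at or above threshold."""
    counts = Counter(m.group("src") for m in FAILED_RE.finditer(log_text))
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    baseline = take_baseline(BASELINE_FILES)
    tampered = dict(BASELINE_FILES)
    tampered["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"  # constructed change
    del tampered["/usr/bin/login"]                               # constructed removal
    print(check_integrity(baseline, tampered))
    print(failed_login_sources(AUTH_LOG))
```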




Read More Here:
http://www.sans.org/reading_room/whitepapers/detection/understanding-intrusion-detection-systems_337
