Network Security Glossary

IDS / IPS (Intrusion Detection/Prevention System)

Intrusion Detection Systems (IDS) detect suspicious network activity and attacks, while Intrusion Prevention Systems (IPS) also actively intervene to block attacks. Modern next-generation IPS systems combine signatures, behavioral analysis, and threat intelligence to provide multi-layered network defense.

IDS and IPS form a critical detection layer in the network: while firewalls apply allow/deny rules, IDS/IPS analyze the actual content of traffic for signs of attacks. An IPS can block detected attacks in real time, before they reach their target.

IDS vs. IPS - The Difference

IDS (Intrusion Detection System)

  • Mode: Passive - monitors, does not intervene
  • Detects: Attack patterns, anomalies
  • Action: Alert → SOC → Analyst decides
  • Deployment: Mirror/SPAN port (copy of traffic)
  • Advantage: No impact on traffic or latency
  • Disadvantage: No auto-block, response takes time

IPS (Intrusion Prevention System)

  • Mode: Active – sits inline in the traffic flow
  • Detects + Blocks: Attacks are stopped
  • Action: Drop or reset the connection
  • Positioning: Inline (traffic must pass through IPS)
  • Advantage: Immediate response, no human intervention required
  • Disadvantage: False positives can block legitimate traffic

NIDS/NIPS (Network-based)

  • Analyzes network packets between systems
  • Detects: network attacks, port scans, exploits

HIDS/HIPS (Host-based)

  • Runs as an agent on a single system
  • Analyzes: local processes, file system, system calls
  • Examples: OSSEC, Wazuh, CrowdStrike HIPS mode
  • Often part of EDR solutions today

Detection Methods

1. Signature-based Detection

  • Database of known attack patterns (Snort rules, ET rules)
  • Fast and reliable for known attacks
  • Problem: Zero-day exploits have no signature

Snort rule example (EternalBlue / MS17-010; the rule spans several lines, so each line except the last ends in a backslash continuation):

# content bytes: NetBIOS session length 0x23, SMB header "\xffSMB" (ff 53 4d 42),
# command 0x72 = SMB_COM_NEGOTIATE; depth/offset pin the match to payload bytes 4..16
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 \
(msg:"ET EXPLOIT Possible EternalBlue Probe MS17-010"; \
 flow:to_server,established; \
 content:"|00 00 00 23 ff 53 4d 42 72 00 00 00 00|"; \
 depth:13; offset:4; nocase; \
 sid:2024217; rev:2;)
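To make the content/offset/depth semantics of the rule above concrete, here is an added example (not code from the glossary or from the ET rule set): a minimal matcher that applies the rule's content option to constructed TCP payloads. The payloads are made up for illustration; flow state and port checks are left to the sensor and not modelled.

```python
from typing import Optional

# Content bytes from the rule: NetBIOS length 0x23, "\xffSMB", SMB_COM_NEGOTIATE (0x72)
PATTERN = bytes.fromhex("00000023ff534d427200000000")

def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort/Suricata-style content match: the search starts at `offset` and
    covers `depth` bytes from there. With a 13-byte pattern, depth:13 plus
    offset:4 means the bytes must sit exactly at payload[4:17]."""
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end) != -1

def rule_matches(payload: bytes) -> bool:
    """Mirrors the rule's content/offset/depth options only (flow:to_server,
    established and the port 445 check are the sensor's job)."""
    return content_match(payload, PATTERN, offset=4, depth=13)

def scan(packets: dict) -> list:
    """Return the names of the packets that would raise the alert."""
    return [name for name, payload in packets.items() if rule_matches(payload)]

# Constructed payloads (not captures): 4 filler bytes precede the header so
# the pattern lands at byte 4, where the rule's offset:4 expects it.
SAMPLES = {
    "probe": b"\x00" * 4 + PATTERN + b"\x18\x01\x28",
    # same bytes at offset 0: outside the offset:4/depth:13 window, no alert
    "probe_shifted": PATTERN + b"\x00" * 7,
    # a negotiate with a different NetBIOS length (0x54): no alert
    "benign": b"\x00" * 4 + bytes.fromhex("00000054ff534d427200000000") + b"\x18\x01\x28",
}

if __name__ == "__main__":
    print(scan(SAMPLES))   # ['probe']
```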

2. Anomaly-based Detection (Behavioral)

  • Define a baseline for normal traffic
  • Deviations → Alarm
  • Detects: Zero-days, unknown attacks, insider threats
  • Problem: Higher false positive rate

Example: Normally 1,000 DNS queries/hour from a workstation → suddenly 100,000 DNS queries/hour → suspected DNS tunneling.
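The baseline-and-deviation logic behind that DNS example, as an added illustration (not code from the glossary): it counts DNS queries per host and hour from Suricata eve.json records and flags any hour that exceeds ten times the host's own earlier average. The eve.json lines are constructed inline in the Suricata "dns" event shape; the hosts and query volumes are made up.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

def make_events(src_ip, hour_counts):
    """Construct Suricata eve.json 'dns' query records (one JSON object per
    line): hour_counts[i] queries from src_ip during hour i of 2024-03-01."""
    for hour, n in enumerate(hour_counts):
        ts = datetime(2024, 3, 1, hour, tzinfo=timezone.utc).isoformat()
        for i in range(n):
            yield json.dumps({"timestamp": ts, "event_type": "dns", "src_ip": src_ip,
                              "dns": {"type": "query", "rrname": f"q{i}.example.net",
                                      "rrtype": "A"}})

def queries_per_hour(eve_lines):
    """Count DNS queries per (src_ip, hour bucket); other event types are skipped."""
    counts = Counter()
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "dns" or ev["dns"].get("type") != "query":
            continue
        counts[(ev["src_ip"], ev["timestamp"][:13])] += 1   # bucket "YYYY-MM-DDTHH"
    return counts

def dns_anomalies(counts, factor=10.0, min_history=3):
    """Flag an hour in which a host's query count exceeds factor x its own
    baseline (the mean of its earlier hours). Returns {(src_ip, hour): count}."""
    per_host = defaultdict(list)
    for (ip, hour), n in sorted(counts.items(), key=lambda kv: kv[0][1]):
        per_host[ip].append((hour, n))
    flagged = {}
    for ip, series in per_host.items():
        for i, (hour, n) in enumerate(series):
            if i < min_history:
                continue                      # too little history for a baseline
            baseline = sum(c for _, c in series[:i]) / i
            if n > factor * baseline:
                flagged[(ip, hour)] = n
    return flagged

def demo():
    # constructed input: a workstation at ~1,000 queries/h that jumps to 100,000/h,
    # plus a busier DNS client that stays within its normal range
    lines = list(make_events("10.0.1.50", [1000, 1000, 1000, 100000]))
    lines += make_events("10.0.1.10", [5000, 5000, 5000, 6000])
    return dns_anomalies(queries_per_hour(lines))

if __name__ == "__main__":
    print(demo())   # {('10.0.1.50', '2024-03-01T03'): 100000}
```

A per-host baseline matters here: the busier client never trips the rule even though its absolute volume is higher than the workstation's normal hour.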

3. Protocol Analysis (Protocol State Tracking)

  • Check RFC compliance
  • Example: HTTP request with invalid header → Fuzzing?
  • Detects: Protocol abuse, evasion techniques

4. Reputation-based Detection

  • Threat Intelligence Feeds: known malicious IPs, domains, hashes
  • Snort ET Pro: reputation lists updated daily
  • Connection to known C2 server → immediate block

Open-Source IDS/IPS Tools

Suricata (IDS + IPS)

Installation (Ubuntu):

apt install suricata

Configuration (/etc/suricata/suricata.yaml):

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"

rule-files:   # the YAML key is rule-files (a plain "rules:" key is ignored)
  - /etc/suricata/rules/suricata.rules
  - /etc/suricata/rules/emerging-threats.rules  # ET Open Rules

Rule updates and start (shell):

# Download/update ET Open rules:
suricata-update  # Updates all rules

# In IDS mode (passive, sniffing on eth0):
suricata -c /etc/suricata/suricata.yaml -i eth0

# In IPS mode (inline via NFQUEUE): the kernel must first hand packets to
# queue 0, e.g. iptables -I FORWARD -j NFQUEUE --queue-num 0
suricata -c /etc/suricata/suricata.yaml -q 0

Output: /var/log/suricata/fast.log (Alerts), eve.json (Structured)

Snort 3 (Market leader in signatures)

  • Largest rule database (VRT Rules)
  • Snort 3: new architecture, multi-threaded
  • Integration with Cisco Firepower

Zeek (formerly Bro) - Network analysis, not an IPS

  • Generates network activity logs (no focus on alerts)
  • HTTP logs, DNS logs, SSL logs, connection logs
  • Very valuable for threat hunting and forensics
  • Zeek scripts for custom analysis

Example - Zeek HTTP log (http.log; tab-separated, columns abbreviated here):

ts          uid     orig_h     resp_h         method  host         uri
1709123456  C4BHgr  10.0.1.50  93.184.216.34  GET     example.com  /index.html
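Zeek logs carry their own header lines (#separator, #fields, #unset_field), and reading them correctly is the first step of any hunt. The parser below is an added example, not Zeek's own tooling or code from the glossary; it runs over a constructed http.log excerpt (real Zeek field names, made-up records) and pivots the result by client.

```python
from collections import Counter, defaultdict

# Constructed http.log excerpt in Zeek's format; field names are Zeek's, rows are made up.
ZEEK_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1709123456.100000\tC4BHgr\t10.0.1.50\t51234\t93.184.216.34\t80\tGET\texample.com\t/index.html
1709123457.200000\tC9kLmn\t10.0.1.50\t51235\t93.184.216.34\t80\tGET\texample.com\t/logo.png
1709123460.500000\tCq2Xyz\t10.0.1.77\t40001\t203.0.113.9\t80\tPOST\t-\t/upload
#close\t2024-02-28-14-31-00
"""

def parse_zeek_log(text):
    """Yield one dict per record. Honours #separator (written as an escape such
    as \\x09), takes column names from #fields, maps the #unset_field marker
    ('-') to None and skips #types/#close and other directive lines."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            values = line.split(sep)
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}

def hosts_per_client(records):
    """Hunting pivot: for each internal client, how many requests went to which
    HTTP host; requests without a Host header are grouped under '(unset)'."""
    by_client = defaultdict(Counter)
    for r in records:
        by_client[r["id.orig_h"]][r["host"] or "(unset)"] += 1
    return by_client

if __name__ == "__main__":
    for client, hosts in hosts_per_client(parse_zeek_log(ZEEK_HTTP_LOG)).items():
        print(client, dict(hosts))
```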

Wazuh (HIDS + NIDS)

  • Open-source security platform
  • Host-based IDS, log analysis, vulnerability detection
  • Good SIEM integration (Elasticsearch)
  • Free, scalable

IPS Deployment - Network Positioning

Internet → Firewall → IPS → Switch → Internal Systems

                  Inline: sees and blocks all traffic

Deployment Variants

1. Perimeter IPS (North-South Traffic)

  • Between the Internet and the firewall or between the firewall and the DMZ
  • Detects/blocks external attacks

2. Internal Segmentation IPS (East-West Traffic)

  • Between internal network segments
  • Detects lateral movement within the network
  • Particularly important for ransomware detection

3. Campus IPS / Data Center IPS

  • In front of critical servers
  • More granular control over server access

Bypass Mechanism

  • If the IPS fails, a hardware bypass relay lets traffic pass through, so there is no total outage
  • Fail-Open: In the event of an IPS failure, traffic continues → no outage, but no protection
  • Fail-Closed: In the event of an IPS failure, no traffic → no attack, but an outage

Tuning Effort

An IPS without tuning generates many false positives that block legitimate traffic.

  • Discovery phase (2–4 weeks): detection only, no blocking
  • Activate step by step: critical signatures first, then more
  • Regular review: new false positives due to new applications