Two very common security appliances used to protect the perimeters and insides of computer networks are Intrusion Prevention and Intrusion Detection systems. Lets discuss what these are, their differences and how to learn them for free. (Please note I will not be discussing HIDS/HIPS – Host Intrusion Detection / Prevention) systems here.

IDS VS IPS VS IDPS

Intrusion Detection system (IDS) taps traffic off the network and analyses it for any malicious activity, threats or protocol violations. If it finds malicious activity, it will alert the security team.

Intrusion Protection system (IPS) differs from this as it sits inline on the network and actively blocks any malicious activity, threats or protocols. It can be setup to still alert the security team if a block does take place.

It is also common to see IDPS setups. This is where the functionalities of an IDS and IPS are combined, giving the best of both worlds.

Signature VS Anomaly based analysis

On top of these three different types of setups, there are also two different methods IDS and IPS can analyse traffic.

Signature means that a pre-defined set of rules which define malicious activity or protocol misuse are used to find malicious activity, then an alert is triggered and / or activity is blocked. For example a rule can be setup to look for the word ‘TEST’ within any packet and then alert or block the traffic based on this. Rules can also be setup to alert on IP addresses, traffic directions, regex matches, well known web exploits and anything else you can really think of.

Anomaly means that machine learning algorithms are set up to create a baseline of normal network activity. When activity deviates far outside this baseline, then an alert is triggered and / or activity is blocked. For example, ICMP traffic is responsible for 5% of traffic when it is only usually responsible for 0.5% of traffic then alert / block.

So why all the different setup types and analysis modes? Why not just an IPS blocking everything using signature analysis for example? Lets discuss further.

Why the differences? IPS and IDS

There are a lot of business use cases that have lead to the various ways you can setup these platforms.

Intrusion Detection taps network traffic off the network to be analysed. This has the major benefit that there is no legitimate business traffic accidentally blocked. It also has the benefit of being easier and cheaper to set up than Intrusion Prevention as data is tapped off the network and there is no involvement with the network traffic flow.

However it also has some major disadvantages. These are linked – firstly an IDS does not actually block anything so an attack could happen and be done before you even have time to deal with it. Also, each IDS alert needs to be investigated and separately actioned by an analyst – which can be costly and time consuming.

It is for these reasons mentioned above that Intrusion Prevention exists. It sits inline with the traffic and can actually actively block any traffic which matches any signature or anomaly rules to stop malicious behavior. This also saves analyst time as threats are dealt with proactively rather than reactively.

There are still downsides to this though. Firstly, legitimate business traffic can be incorrectly flagged as malicious or suspicious and blocked. For example, a new rule may be released which then causes false positives and interruptions to legitimate, important business traffic. It can also be more expensive to set up IPS due to the way it sits inline with the traffic.

It is for the reasons mentioned above that hybrid IDPS setups are now commonly seen. These have all rules which have low false positives rates set to IPS (block), and then any new or untested rules set to IDS (detect) mode. This is the perfect mix to ensure security off a network whilst also ensuring traffic availability.

Why the differences? Signature vs Anomaly

The pros and cons of signature and anomaly based detection techniques are closely linked to one and another.

For signature based detection, its main benefit is that it can detect any well known attacks via signatures / rules. These are rules which look for known malicious patterns, content etc within traffic and then alert or block when this traffic is seen traversing the IDS/IPS.

The downside of this however is that any malicious traffic which does not meet a signature is allowed right through.

For anomaly based – it works to fill this gap. Rather than static signatures, it uses a dynamic approach to create baselines of all network traffic that it sees. Then, if any behaviour goes far outside this baseline an alert is triggered for further investigation. Anomaly detection therefore fills the gap of static signature based detection by looking for anomalies.

However it has its own downsides. Anomaly detection of any sort is highly prone to false positives, and this is no different. Anomaly detection also misses a lot of traffic which can be caught by signature rules.

Therefore, the same as we spoke about with the combined IDPS systems above, many current IPS/IDS use a hybrid method of detection techniques. This uses both signature and anomaly based detections to find and detect malicious or suspicious traffic.

GET LEARNING IDS / IPS (AND PACKET CAPTURES) FOR FREE!

There are two very popular free open source IDS / IPS solutions out there which I recommend using to learn – Snort and Suricata.

I’m not going to spend too much time comparing them here as AT&T already did so in this post at the end of last year – https://cybersecurity.att.com/blogs/security-essentials/open-source-intrusion-detection-tools-a-quick-overview

Have a read and decide for yourself which one you would like to learn. I personally prefer Snort, however I understand the advantages of Suricata.

SNORT

Snort is still open source however since 2013 it is also developed by Cisco. Due to this, there is some great training out there from them.

This Youtube playlist will get you started best – https://www.youtube.com/playlist?list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-

The user guide is also available here – http://manual-snort-org.s3-website-us-east-1.amazonaws.com/

SURICATA

For Suricata, the user guide would be my first port of call – https://suricata.readthedocs.io/en/suricata-5.0.3/quickstart.html

If you would like a guide to show you how to setup Suricata and test your enviornment, this article explains the process well – https://resources.infosecinstitute.com/configure-use-suricata-threat-detection/#gref

Packet captures with Wireshark

All these tools will capture packets and the best way to read these is Wireshark. Snort has its own in built reader however nothing beats Wireshark.

There are a LOT of resources out there to learn how to read packet captures and in particular Wireshark, so I am not going to write too much about that here. However, here are some helpful resources to help you learn.

• PCAP Analysis w Wireshark Basics – https://resources.infosecinstitute.com/pcap-analysis-basics-with-wireshark/#gref
• Wireshark Tutorial and Cheat Sheet – https://hackertarget.com/wireshark-tutorial-and-cheat-sheet/
• How to use Wireshark – https://www.varonis.com/blog/how-to-use-wireshark/
• Wireshark Tutorial – https://www.lifewire.com/wireshark-tutorial-4143298

Thanks for reading the blog post, I hope that you have learned something and found it useful. I hope to have more in-depth posts around IDS/IPS in the future so please check back regularly. If you would like to ask me anything or discuss this article further, contact me at https://twitter.com/blueteamblog