Security is a vital issue in any system. Some believe that *nix systems are invulnerable to any attack, or that they cannot be infected with malware. That is a misconception: you always have to keep your guard up, because nothing is 100% safe. Therefore, you should deploy systems that help you detect, stop, or minimize the damage of a cyber attack. In this article you will see what an IDS is and which are some of the best ones for your Linux distro.
What is an IDS?
An IDS (Intrusion Detection System) is a monitoring system that detects suspicious activity and generates alerts to report violations that may have occurred in the system. Violations can be detected by comparing file signatures, scanning for malicious patterns or anomalies, and monitoring behavior, configurations, network traffic, and so on.
Thanks to these alerts, you can investigate the source of the problem and take appropriate action to remedy the threat. However, an IDS does not detect every attack, since evasion methods exist, and it does not block attacks, it only reports them. In addition, if it is signature-based, the most recent threats (0-day) can also escape it and go undetected.
Fundamentally, there are two types of IDS:
- HIDS (Host-Based IDS): deployed on a particular endpoint or machine and designed to detect internal and external threats. Examples are OSSEC, Wazuh, and Samhain.
- NIDS (Network-Based IDS): monitors an entire network, but lacks visibility inside the endpoints connected to that network. Examples are Snort, Suricata, Bro, and Kismet.
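To make the detection approaches just described concrete, here is an added Python example (not from the original article and not code from any of the tools it names) that models a minimal HIDS: a file-integrity baseline compared by SHA-256, a signature layer that matches known patterns in authentication log lines, and a behavioral layer that counts failures per source. All file contents, log lines and IP addresses are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed baseline: the file contents a HIDS would hash when the baseline is taken.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}

# Constructed "current" state: sshd_config was edited, /etc/hosts disappeared,
# and an unexpected cron file appeared.
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/etc/cron.d/unexpected": b"* * * * * root /tmp/run.sh\n",
}

# Constructed auth-log lines in the style sshd writes to syslog (RFC 5737 test addresses).
AUTH_LOG = [
    "sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "sshd[102]: Failed password for root from 203.0.113.7 port 40002 ssh2",
    "sshd[103]: Failed password for admin from 203.0.113.7 port 40003 ssh2",
    "sshd[104]: Invalid user oracle from 198.51.100.3 port 50001",
    "sshd[105]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2",
    "sshd[106]: Failed password for alice from 192.0.2.10 port 52001 ssh2",
    "sshd[107]: Accepted password for alice from 192.0.2.10 port 52002 ssh2",
]

# Signature layer: known-bad patterns. It deliberately has no rule for failures
# against non-root users or for "Accepted" events, to show that events outside the
# signature set produce nothing.
SIGNATURES = [
    ("SSH_ROOT_PASSWORD_FAILURE", re.compile(r"Failed password for root from (\S+)")),
    ("SSH_INVALID_USER", re.compile(r"Invalid user \S+ from (\S+)")),
]

# Behavioral layer: any failed password, whatever the user, counted per source.
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(files: dict) -> dict:
    """Record a SHA-256 per path; a real HIDS stores this in a protected database."""
    return {path: file_digest(data) for path, data in files.items()}


def check_integrity(baseline: dict, current: dict) -> list:
    """Compare the current tree with the baseline; every difference is an alert."""
    alerts = []
    for path, digest in baseline.items():
        if path not in current:
            alerts.append(("FILE_MISSING", path))
        elif file_digest(current[path]) != digest:
            alerts.append(("FILE_MODIFIED", path))
    for path in current:
        if path not in baseline:
            alerts.append(("FILE_ADDED", path))
    return sorted(alerts)


def signature_alerts(lines: list, signatures=SIGNATURES) -> list:
    """Signature detection: a line alerts only if it matches a known pattern."""
    alerts = []
    for line in lines:
        for name, pattern in signatures:
            m = pattern.search(line)
            if m:
                alerts.append((name, m.group(1)))
    return alerts


def anomaly_alerts(lines: list, threshold: int = 3) -> list:
    """Behavioral detection: flag a source whose failure count reaches the threshold,
    regardless of which user names it tried."""
    failures = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return [("SSH_BRUTE_FORCE", src, n)
            for src, n in sorted(failures.items()) if n >= threshold]


if __name__ == "__main__":
    baseline = take_baseline(BASELINE_FILES)
    for alert in check_integrity(baseline, CURRENT_FILES):
        print("integrity:", alert)
    for alert in signature_alerts(AUTH_LOG):
        print("signature:", alert)
    for alert in anomaly_alerts(AUTH_LOG):
        print("anomaly:  ", alert)
```

The output illustrates the caveat from the text: the failed login for `admin` matches no signature and is only caught because the behavioral layer counts failures per source, and the accepted logins produce nothing at all because no rule describes them. A real HIDS such as OSSEC also protects its baseline database and its log sources against tampering, which this sketch does not.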
Differences from a firewall, IPS, UTM, SIEM, etc.
There are various terms that can be confused with an IDS but differ from it. Some security-related terms you should also know are:
- Firewall: it resembles an IPS more than an IDS, since it is an active system. A firewall is designed to block or allow certain communications according to the rules that have been configured. It can be implemented in software or in hardware.
- IPS: stands for Intrusion Prevention System, and complements an IDS. It is a system capable of preventing certain events, so it is an active system. Four fundamental types of IPS can be distinguished:
  - NIPS: network-based, so it looks for suspicious network traffic.
  - WIPS: like NIPS, but for wireless networks.
  - NBA: based on the behavior of the network, examining unusual traffic.
  - HIPS: looks for suspicious activity on individual hosts.
- UTM: stands for Unified Threat Management, a cybersecurity management system that provides multiple functions from a single place. For example, they include a firewall, IDS, antimalware, antispam, content filtering, and some even a VPN.
- Others: there are also other cybersecurity terms you have surely heard:
  - SIM: stands for Security Information Management. It is a central repository that groups all security-related data so that reports can be generated, analysis carried out, decisions made, and so on; that is, a set of capabilities for storing this information in the long term.
  - SEM: Security Event Management, responsible for detecting abnormal patterns in accesses; it provides real-time monitoring, correlation of events, etc.
  - SIEM: the combination of SIM and SEM, and one of the main tools used in SOCs (security operations centers).
Best IDS for Linux
As for the best IDS you can find for GNU/Linux, these are some of them:
- Bro (now Zeek): NIDS type; it provides traffic logging and analysis, SNMP traffic monitoring, and monitoring of FTP, DNS, and HTTP activity, among others.
- OSSEC: HIDS type, open source and free. It is also cross-platform, and its logs also cover FTP, web server data, and email.
- Snort: one of the most famous, open source, NIDS type. It includes a packet sniffer, network packet logging, threat intelligence, signature-based blocking, real-time updates of security signatures, and the ability to detect a very wide range of events (OS, SMB, CGI, buffer overflow, hidden ports, ...).
- Suricata: another NIDS, also open source. It can monitor low-level activity such as TCP, IP, UDP, ICMP, and TLS in real time, for applications such as SMB, HTTP, and FTP. It integrates with third-party tools such as Anaval, Sguil, BASE, Snorby, etc.
- Security Onion: NIDS/HIDS, another IDS distribution specially focused on Linux, with the ability to detect intruders, enterprise monitoring, a packet sniffer, and graphics of what is happening; you can use tools such as NetworkMiner, Snorby, Xplico, Sguil, ELSA, and Kibana.
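Snort and Suricata both express their detections as text rules. As an added example (not code from either project), the following Python sketch parses rules in that syntax, supporting only the header and the msg, content and sid options, and evaluates them against constructed flow records. $HOME_NET is reduced to a fixed address prefix, and the rule texts, addresses and payloads are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed rules in the Snort/Suricata text format. SIDs of 1000000 and above are
# the conventional range for locally written rules. This toy engine understands only
# the header and the msg, content and sid options; real engines implement many more
# keywords and decode protocols before content matching.
RULES = [
    'alert tcp any any -> $HOME_NET 80 (msg:"HTTP request containing /etc/passwd"; '
    'content:"/etc/passwd"; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 22 (msg:"SSH client banner from libssh"; '
    'content:"SSH-2.0-libssh"; sid:1000002; rev:1;)',
]

# Constructed: $HOME_NET as a single prefix, standing in for the CIDR list a real
# deployment would configure.
HOME_NET_PREFIX = "10.0.0."

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$"
)
# One option: keyword, colon, a quoted or bare value, terminated by ';'.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rule(text: str) -> dict:
    """Split a rule into its header fields and the options this sketch understands."""
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    opts = {k: v.strip('"') for k, v in OPTION_RE.findall(rule.pop("opts"))}
    rule["msg"] = opts.get("msg", "")
    rule["content"] = opts.get("content", "").encode()
    rule["sid"] = int(opts["sid"])
    return rule


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr.startswith(HOME_NET_PREFIX)
    return spec == addr


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: dict, flow: Flow) -> bool:
    """Every header field must match, then the content must occur in the payload."""
    return (
        rule["proto"] == flow.proto
        and addr_matches(rule["src"], flow.src)
        and port_matches(rule["sport"], flow.sport)
        and addr_matches(rule["dst"], flow.dst)
        and port_matches(rule["dport"], flow.dport)
        and rule["content"] in flow.payload
    )


def run_rules(rule_texts: list, flows: list) -> list:
    """Return (sid, msg, 'src:sport->dst:dport') for every rule/flow pair that matches."""
    rules = [parse_rule(t) for t in rule_texts]
    alerts = []
    for flow in flows:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, flow):
                alerts.append((rule["sid"], rule["msg"],
                               f"{flow.src}:{flow.sport}->{flow.dst}:{flow.dport}"))
    return alerts


# Constructed flows (RFC 5737 documentation addresses for the outside hosts).
FLOWS = [
    Flow("tcp", "203.0.113.7", 40001, "10.0.0.5", 80,
         b"GET /etc/passwd HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),
    Flow("tcp", "192.0.2.10", 52000, "10.0.0.5", 22, b"SSH-2.0-OpenSSH_9.3\r\n"),
    Flow("tcp", "203.0.113.7", 40002, "10.0.0.5", 22, b"SSH-2.0-libssh_0.9.6\r\n"),
    # Same request as the first flow, but towards a host outside $HOME_NET: the
    # header does not match, so the rule stays silent although the content is present.
    Flow("tcp", "203.0.113.7", 40003, "198.51.100.9", 80,
         b"GET /etc/passwd HTTP/1.1\r\nHost: 198.51.100.9\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in run_rules(RULES, FLOWS):
        print(alert)
```

The fourth flow carries the same content as the first but is addressed to a host outside $HOME_NET, so the rule stays silent: in Snort and Suricata the header is evaluated before the options, and scoping rules to the networks you actually defend is what keeps alert volume manageable. Real engines also decode and normalise application protocols before matching content, which a byte search on the raw payload, as done here, does not.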