Chapter 13: Intrusion Prevention Systems on Linux

In this chapter, we'll build on packet capture and logging to explore intrusion prevention options on the Linux platform. An Intrusion Prevention System (IPS) does exactly what it sounds like – it monitors traffic, and either alerts on or blocks suspicious or known malicious traffic. This can be done in a variety of ways, depending on what traffic you are trying to monitor.

In particular, we'll cover the following topics:

  • What is an IPS?
  • Architecture/IPS placement
  • Classic IPS solutions for Linux – Snort and Suricata
  • IPS evasion techniques
  • Suricata IPS example
  • Constructing an IPS rule
  • Passive traffic monitoring
  • Zeek example – collecting network metadata

Let's get started!

Technical requirements ...
