Chapter 8. Intrusion Detection Systems

It may seem obvious to talk about intrusion detection systems (IDS) in a book about network forensics, but you may reasonably ask: if an IDS is in place, how much need is there for a forensic investigation? The answer is that, in addition to identifying intrusions as they take place, an IDS also generates data, such as alerts and the packets it logs, that can be used during the course of an investigation. Understanding how an IDS works and how to interpret its output is therefore valuable to an investigator. This includes the different styles of detection that may be used, the architectures that may be in place and, most specifically, the logs and alerts that the different systems generate.

A number of intrusion detection systems are available, both commercial and open source. The rule language used by Snort, which started as an open source IDS, is also used by a number of other products, which makes it worth understanding in its own right. As a result, we will cover the use and implementation of Snort. We will also talk about Suricata, another open source IDS, which can load and run Snort-format rules. Finally, Bro is referred to as a network security monitor, but it does much the same thing that Snort and other intrusion detection systems do. Because all of these ...
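Since the alerts an IDS writes are what an investigator ends up reading, here is an added example (not code from the book, nor from the Snort or Suricata projects) that turns Snort's "fast" alert output into a sortable timeline. The line layout follows Snort's alert_fast format; the sample alert lines, addresses, signature IDs and messages are constructed for the example, the year is supplied by the caller because the fast format does not record one, and IPv4 addresses are assumed.

```python
"""Parse Snort-style "fast" alert lines into a forensic timeline.

Added example for this chapter; not code from the book, Snort or Suricata.
The line layout follows Snort's alert_fast output (Suricata's fast.log is
close enough to parse the same way). IPv4 addresses are assumed, and the
sample lines below are constructed, not captured from a real sensor.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample alerts (addresses from the RFC 5737 documentation ranges,
# SIDs in the local 1000000+ range). Deliberately out of order, with one line
# of non-alert noise, to exercise sorting and skipping.
SAMPLE_ALERTS = """\
03/14-09:16:40.003511  [**] [1:1000002:1] WEB-ATTACK path traversal in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:41100 -> 192.0.2.10:80
03/14-09:15:02.118273  [**] [1:1000001:2] SCAN nmap SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:41022 -> 192.0.2.10:22
03/14-09:15:02.120944  [**] [1:1000001:2] SCAN nmap SYN probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:41023 -> 192.0.2.10:80
03/14-09:20:11.551900  [**] [1:1000003:1] ICMP echo request from outside [**] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.10
this line is not an alert and must be skipped
"""

# One fast-format line. The Classification block is optional (rules without a
# classtype omit it) and ports are absent for protocols such as ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int  # Snort convention: 1 is the most severe
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str, year: int) -> Optional[Alert]:
    """Return an Alert for one fast-format line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    # The fast format carries no year, so the caller supplies it (an assumption
    # the investigator must confirm from the sensor's file timestamps).
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return Alert(
        ts=ts, gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"].upper(),
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


def parse_alerts(text: str, year: int):
    """Parse every line that is an alert and return them in time order."""
    alerts = (parse_alert(line, year) for line in text.splitlines())
    return sorted((a for a in alerts if a is not None), key=lambda a: a.ts)


def summarize(alerts):
    """The counts an investigator usually wants first: who, what, how bad."""
    return {
        "by_source": Counter(a.src for a in alerts),
        "by_signature": Counter((a.gid, a.sid, a.rev) for a in alerts),
        # Lower priority number means more severe, so the minimum is the worst.
        "highest_priority": min((a.priority for a in alerts), default=None),
    }


def host_timeline(alerts, host: str):
    """Chronological (time, message, proto, peer) rows involving one host."""
    rows = []
    for a in alerts:
        if host not in (a.src, a.dst):
            continue
        peer = a.dst if a.src == host else a.src
        rows.append((a.ts.isoformat(sep=" "), a.msg, a.proto, peer))
    return rows


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS, year=2024)
    for row in host_timeline(parsed, "192.0.2.10"):
        print(*row, sep="  ")
    print(summarize(parsed))
```

Sorting by timestamp matters because sensors with several threads, or several sensors whose logs are merged, do not always write alerts in order; the host timeline view is the first thing to build when a single address starts showing up in many alerts, since it shows the progression (here a scan followed by a web attack) rather than isolated events.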
