Chapter 19. Network Monitoring

Network Intrusion Detection Sensors (NIDS) try to detect network intrusions by monitoring the network. NIDS detect attacks only; they do not respond to them. Devices that respond to attacks are known as Network Intrusion Prevention Systems, or NIPS. This chapter covers only detecting attacks, using NIDS tools that are free and open source.

NIDS are not plug-and-forget devices. They generate logs that need to be analyzed by humans, and then decisions based upon those logs need to be made. Using NIDS and not analyzing the logs is not very useful. So while NIDS solutions for network monitoring have proven themselves to be very effective, they are not a silver bullet solution that you can just plug in and forget.
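Because the alerts a NIDS writes are only useful once someone reads them, the first step in practice is usually turning the raw alert log into counts a human can act on. The following is an added example, not code from the book or from the Snort project: it parses lines in Snort's "fast" alert output format (one alert per line, as written by the `alert_fast` output plugin) into records, drops lines that do not parse, and summarizes them by signature, by source address, and by priority (in Snort, priority 1 is the most urgent). The sample alert lines, including the signature IDs in the local 1000000+ range and the addresses, are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Snort "fast" alert format, one alert per line:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: text] [Priority: N] {PROTO} src:port -> dst:port
# The Classification block is optional, and ICMP alerts carry no port numbers.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: SIDs 1000001/1000002 are in Snort's local-rule range and
# do not refer to any real ruleset entry; the fourth line is deliberate noise.
SAMPLE_ALERTS = """\
01/12-14:23:05.123456  [**] [1:1000001:1] LOCAL constructed example: suspicious URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80
01/12-14:23:06.234567  [**] [1:1000001:1] LOCAL constructed example: suspicious URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51240 -> 192.168.1.10:80
01/12-14:23:07.345678  [**] [1:1000002:1] LOCAL constructed example: ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10
this line is not an alert and should be skipped
"""


@dataclass
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; return None if it is not an alert line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    port = lambda v: int(v) if v is not None else None
    return Alert(
        ts=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"], src=m["src"], sport=port(m["sport"]),
        dst=m["dst"], dport=port(m["dport"]),
    )


def parse_alerts(text: str) -> Tuple[List[Alert], int]:
    """Parse a whole alert file; returns (alerts, number of lines skipped)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            skipped += 1  # keep count so a changed log format does not go unnoticed
        else:
            alerts.append(a)
    return alerts, skipped


def summarize(alerts: List[Alert], max_priority: int = 2) -> Dict[str, object]:
    """Counts by signature and by source, plus alerts at or above the given urgency."""
    return {
        "by_signature": Counter((a.sid, a.msg) for a in alerts),
        "by_source": Counter(a.src for a in alerts),
        # Lower number = more urgent in Snort, so "urgent" means priority <= max_priority.
        "urgent": [a for a in alerts if a.priority <= max_priority],
    }


if __name__ == "__main__":
    parsed, dropped = parse_alerts(SAMPLE_ALERTS)
    report = summarize(parsed)
    print(f"{len(parsed)} alerts parsed, {dropped} lines skipped")
    for (sid, msg), n in report["by_signature"].most_common():
        print(f"  sid {sid}: {n} x {msg}")
    for src, n in report["by_source"].most_common():
        print(f"  source {src}: {n} alerts")
    print(f"  {len(report['urgent'])} alerts at priority <= 2")
```

To use it on a real sensor, read the `alert` file Snort writes in its log directory instead of `SAMPLE_ALERTS`; the counters by signature and by source are usually enough to tell a noisy rule that needs tuning from a host that needs a closer look.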

Snort

Snort is probably the best known network intrusion detection software. Its deployments range from home users to financial institutions. Many books have already been written on Snort. This section offers a quick start and ideas on some usual and some unusual implementations of Snort. Although Snort is specialized, it ends up being useful in a multitude of situations.

Different Snort Modes

Snort can be used in basically three different modes:

  • Network Intrusion Detection Sensor (NIDS)

  • Network Intrusion Prevention System (NIPS)

  • Basic packet sniffer (the same as tcpdump)

When used in the NIDS mode, Snort has several submodes depending on the level of reporting, logging, and stealth required. When used as a NIDS, Snort acquires only information ...
