
Network Forensics — Week 8


November 21st, 2020 Posted 2:19 pm

Week 8

This session we learned about network intrusion detection and analysis.

NIDS -> Network-based Intrusion Detection System. The tools here are used to detect anomalies or suspicious behaviour in our own network. An NIDS watches the traffic flowing through the network and raises an alert when it sees suspicious activity, such as traffic going down. However, it does not prevent the activity; it only detects it. It is like an early warning system that informs the user that someone is trying to attack the network.

NIPS -> Network-based Intrusion Prevention System. The tools here are used to prevent any attack that the system recognises; for example, if there is ransomware in the network, the system would try to isolate the server that would be impacted by it. It is one step beyond the NIDS.

HIDS -> Host-based Intrusion Detection System

HIPS -> Host-based Intrusion Prevention System

Functionality

Both HIDS and NIDS are rule-based systems that issue alerts. The rules come from the research of other people; when a new attack pattern appears, researchers add new rules to detect it. The system is configured to capture suspicious packet sequences. In an NIPS, processing time is critical, because it sits inline and must decide whether to let each packet through before forwarding it. In an NIDS it is not critical: the NIDS only detects and never holds up the traffic, so there is no problem.
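To make the rule-based detection and the detect-versus-prevent distinction concrete, here is an added example (not code from this post, and not Snort's own code): a miniature engine that parses a small subset of Snort-style rule text (header plus msg, content and sid options) and applies it to a constructed packet list. Run as an IDS it only alerts and forwards everything; run as an inline IPS, a matching "drop" rule stops the packet. The rule subset, the Packet layout and all addresses and payloads are assumptions made up for the demo.

```python
"""Rule-based network intrusion detection vs prevention, in miniature.

Added example: a tiny engine that applies Snort-style rule text to a
constructed packet list, either out-of-band (IDS: alert only) or inline
(IPS: matching 'drop' rules block the packet). The supported rule subset
and the Packet structure are assumptions for this demo, not Snort's API.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    action: str               # "alert" or "drop" (Snort's inline block action)
    proto: str
    dport: Optional[int]      # None means "any"
    msg: str
    content: Optional[bytes]  # byte pattern that must appear in the payload
    sid: int


# Snort-style header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    """Parse the rule subset this demo understands (msg, content, sid)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, _src, _sport, _dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):          # options are ';'-terminated key:value pairs
        key, _, val = opt.strip().partition(":")
        if key:
            options[key.strip()] = val.strip().strip('"')
    content = options.get("content")
    return Rule(
        action=action.lower(),
        proto=proto.lower(),
        dport=None if dport == "any" else int(dport),
        msg=options.get("msg", ""),
        content=content.encode() if content else None,
        sid=int(options["sid"]),
    )


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule fires only if every one of its conditions holds for the packet."""
    if rule.proto != pkt.proto.lower():
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def run(rules: List[Rule], packets: List[Packet],
        mode: str) -> Tuple[List[str], List[Packet]]:
    """mode='ids': out-of-band, alert only. mode='ips': inline, 'drop' rules block."""
    alerts, forwarded = [], []
    for pkt in packets:
        blocked = False
        for rule in rules:
            if matches(rule, pkt):
                alerts.append(f"[sid {rule.sid}] {rule.msg} "
                              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                if mode == "ips" and rule.action == "drop":
                    blocked = True
        if not blocked:                  # an IDS never withholds a packet
            forwarded.append(pkt)
    return alerts, forwarded


RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 23 (msg:"Telnet connection attempt"; sid:1000001; rev:1;)',
    'drop tcp any any -> any 80 (msg:"Directory traversal in HTTP request"; content:"../"; sid:1000002; rev:1;)',
]]

# Constructed sample traffic (addresses and payloads invented for the demo).
TRAFFIC = [
    Packet("tcp", "10.0.0.5", 51000, "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.5", 51001, "10.0.0.20", 80, b"GET /images/../../private.txt HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.9", 40000, "10.0.0.21", 23, b"\xff\xfd\x18"),
    Packet("udp", "10.0.0.9", 40001, "10.0.0.53", 53, b"\x12\x34\x01\x00"),
]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, fwd = run(RULES, TRAFFIC, mode)
        print(f"{mode}: {len(alerts)} alerts, {len(fwd)}/{len(TRAFFIC)} packets forwarded")
        for line in alerts:
            print("  ", line)
```

Both modes raise the same two alerts; the difference is that in "ips" mode the traversal packet never reaches its destination, which is exactly why an inline system has to evaluate its rules fast enough not to stall the traffic it is holding.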

Types of IDS

There are two types of IDS:

The first type is Commercial:

-> Check Point IPS Software Blade
-> Next-Generation Intrusion Prevention System (NGIPS)
-> Extreme NIPS
-> Tipping Point IPS

The second type is Open-Source:

For NIDS:

-> Snort
-> Bro
-> Suricata
-> Sagan

For HIDS:

-> OSSEC
-> Fail2Ban
-> AIDE
-> Samhain