Firewalls enforce access rules, but they cannot detect sophisticated attacks hiding within permitted traffic. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) fill this gap by analysing traffic patterns and payloads to identify malicious activity.
| Feature | IDS (Intrusion Detection) | IPS (Intrusion Prevention) |
|---|---|---|
| Mode | Passive — monitors a copy of traffic | Inline — sits directly in the traffic path |
| Action | Alerts only — does not block traffic | Blocks malicious traffic in real time |
| Risk | May miss attacks if alerts are ignored | May cause false positive disruptions |
| Latency | No impact on network performance | Slight increase due to inline processing |
| Deployment | Connected via TAP or SPAN port | Deployed inline between network segments |
```
IDS (Passive):

Traffic ─────────────▶ Destination
            │
            └──── Copy ────▶ IDS ──▶ Alert

IPS (Inline):

Traffic ──▶ IPS ──▶ Destination
             │
             ▼
        Block / Allow
```
Signature-based detection compares network traffic against a database of known attack signatures.
| Pros | Cons |
|---|---|
| Fast and accurate for known threats | Cannot detect zero-day or novel attacks |
| Low false positive rate | Signatures must be regularly updated |
| Easy to understand alerts | Attackers can evade by modifying payloads |
Example: Detecting a known SQL injection pattern in an HTTP request.
Anomaly-based detection establishes a baseline of "normal" network behaviour and flags deviations from it.
| Pros | Cons |
|---|---|
| Can detect unknown and zero-day attacks | Higher false positive rate |
| Adapts to the specific network | Requires a training/baseline period |
| Detects insider threats and unusual patterns | Legitimate changes may trigger alerts |
Example: Detecting an unusual data transfer at 3 AM from a server that normally has no overnight activity.
Behaviour-based detection analyses how network flows and processes act, using rules and machine learning to identify suspicious patterns.
| Pros | Cons |
|---|---|
| Identifies complex multi-stage attacks | Resource intensive |
| Combines signature and anomaly advantages | Requires tuning and expertise |
Network-based systems monitor traffic across an entire network segment.
| Tool | Type | Description |
|---|---|---|
| Snort | IDS/IPS | Open-source, signature-based, widely deployed |
| Suricata | IDS/IPS | Multi-threaded, supports signatures and anomaly detection |
| Zeek (Bro) | Network monitor | Generates detailed connection logs and metadata |
```
alert tcp any any -> $HOME_NET 80 (
    msg:"Potential SQL Injection";
    content:"' OR 1=1";
    nocase;
    sid:1000001;
    rev:1;
)
```
This rule generates an alert when a TCP packet destined for port 80 on a host in `$HOME_NET` contains the string `' OR 1=1`. The `nocase` modifier makes the content match case-insensitive, and `sid`/`rev` identify the rule and its revision.
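To make the rule's matching logic concrete, here is an added Python example (not from the lesson, and not Snort's own engine) that applies the same header and content conditions to constructed packets. The `HOME_NET` range and the `Packet`/`Rule` classes are assumptions of the example, and it deliberately models only the checks the rule above uses, not Snort's HTTP normalisation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for Snort's $HOME_NET variable (hypothetical range).
HOME_NET = ipaddress.ip_network("10.0.0.0/24")


@dataclass
class Packet:
    """Minimal constructed packet model: only the fields the rule inspects."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    """The parts of a Snort rule exercised by the lesson's example."""
    proto: str
    dst_port: int
    content: bytes
    nocase: bool
    msg: str
    sid: int


# The lesson's rule, expressed as data:
#   alert tcp any any -> $HOME_NET 80 (msg:"Potential SQL Injection";
#   content:"' OR 1=1"; nocase; sid:1000001; rev:1;)
SQLI_RULE = Rule(proto="tcp", dst_port=80, content=b"' OR 1=1", nocase=True,
                 msg="Potential SQL Injection", sid=1000001)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header checks first (protocol, destination net, port), then payload content."""
    if pkt.proto != rule.proto:
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in HOME_NET:
        return False
    if pkt.dst_port != rule.dst_port:
        return False
    haystack, needle = pkt.payload, rule.content
    if rule.nocase:  # 'nocase' means the content match ignores letter case
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


def inspect(rules, pkt):
    """IDS behaviour: return an alert line for each rule that fires; nothing is blocked."""
    return [f"[{r.sid}] {r.msg}" for r in rules if rule_matches(r, pkt)]
```

A packet to port 443, to an address outside `HOME_NET`, or over UDP never reaches the content check, which is why the header part of a rule matters as much as the signature string.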
Host-based systems monitor activity on individual endpoints: