IDS vs IPS difference and working

Nikhil Chaudhari
4 min read · Oct 27, 2024


❄️ Introduction to IDS/IPS

Before diving into Snort and analysing traffic, let’s have a brief overview of what an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) is.

❄️ Intrusion Detection System (IDS)

IDS is a passive monitoring solution for detecting possible malicious activities/patterns, abnormal incidents, and policy violations. It is responsible for generating alerts for each suspicious event.

There are two main types of IDS:

  • Network Intrusion Detection System (NIDS) — NIDS monitors the traffic flow from various areas of the network. The aim is to investigate the traffic on the entire subnet. If a signature is identified, an alert is created.
  • Host-based Intrusion Detection System (HIDS) — HIDS monitors the traffic flow from a single endpoint device. The aim is to investigate the traffic on a particular device. If a signature is identified, an alert is created.

❄️ Intrusion Prevention System (IPS)

IPS is an active protecting solution for preventing possible malicious activities/patterns, abnormal incidents, and policy violations. It is responsible for stopping/preventing/terminating the suspicious event as soon as the detection is performed.

There are four main types of IPS:

  • Network Intrusion Prevention System (NIPS) — NIPS monitors the traffic flow from various areas of the network. The aim is to protect the traffic on the entire subnet. If a signature is identified, the connection is terminated.
  • Behaviour-based Intrusion Prevention System (Network Behaviour Analysis — NBA) — Behaviour-based systems monitor the traffic flow from various areas of the network. The aim is to protect the traffic on the entire subnet. If a signature is identified, the connection is terminated.

A Network Behaviour Analysis system works similarly to a NIPS. The difference between NIPS and behaviour-based systems is that behaviour-based systems require a training period (also known as “baselining”) to learn the normal traffic and differentiate it from malicious traffic and threats. This model provides more effective results against new threats.

  • Wireless Intrusion Prevention System (WIPS) — WIPS monitors the traffic flow of a wireless network. The aim is to protect the wireless traffic and stop possible attacks launched from there. If a signature is identified, the connection is terminated.
  • Host-based Intrusion Prevention System (HIPS) — HIPS actively protects the traffic flow from a single endpoint device. The aim is to investigate the traffic on a particular device. If a signature is identified, the connection is terminated.

The HIPS working mechanism is similar to that of HIDS. The difference between them is that while HIDS creates alerts for threats, HIPS stops the threats by terminating the connection.

❄️ Detection/Prevention Techniques

There are three main detection and prevention techniques used in IDS and IPS solutions.

❄️ Real-world tools used as IDS and IPS

There are mainly three tools used in industry, chosen according to the requirements of the company. Each is described below, together with one practical scenario in which it is used.

Suricata 🦝

  1. High Performance: Suricata is known for its high-speed network traffic analysis, making it suitable for large-scale environments.
  2. Protocol Detection: It supports a wide range of protocols and can detect anomalies in protocol behavior.
  3. Open Source: Being open-source, it allows for customization and community-driven improvements.

Scenario: An organization detects unusual traffic patterns on their network. Using Suricata, they identify a potential Distributed Denial of Service (DDoS) attack targeting their web servers and quickly implement countermeasures.

Snort 🐷

  1. Rule-Based Detection: Snort uses a flexible rule-based language to detect threats, making it highly adaptable to different environments.
  2. Community Support: It has a large community of users and developers contributing to its rule sets and updates.
  3. Network-Based IDS/IPS: Snort can be deployed as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS).

Scenario: A company’s IDS alerts them to suspicious activity on their network. Using Snort, they identify a malware infection spreading across their systems and isolate the affected machines to prevent further spread.
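The IDS/IPS distinction above (alert only versus alert and block) and Snort's rule-based matching are easiest to see side by side. The following is an added example written for this post, not code from the original or from Snort itself: a toy signature engine with a simplified, Snort-like rule shape, run over constructed sample packets once in IDS mode and once in IPS mode. Rule contents, SIDs and addresses are all made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    proto: str      # transport protocol the rule applies to
    dport: int      # destination port, or 0 for "any"
    content: bytes  # byte pattern that must appear in the payload
    msg: str        # alert message, as in a Snort "msg" option
    sid: int        # rule id, as in a Snort "sid" option


# Constructed rules in a simplified Snort-like form (not real Snort rules).
RULES = [
    Rule("tcp", 80, b"/etc/passwd", "Path traversal attempt", 1000001),
    Rule("tcp", 0, b"\x90" * 8, "NOP sled in payload", 1000002),
]

# Constructed sample traffic: one benign request and two rule hits.
SAMPLE = [
    Packet("tcp", "10.0.0.7", "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    Packet("tcp", "10.0.0.9", "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("tcp", "10.0.0.9", "10.0.0.5", 443, b"\x90" * 16 + b"AAAA"),
]


def match(rule, pkt):
    """Signature match: protocol, destination port and payload content."""
    return (rule.proto == pkt.proto
            and rule.dport in (0, pkt.dport)
            and rule.content in pkt.payload)


def inspect(pkts, rules, mode="ids"):
    """Return (alerts, forwarded). IDS: alert, but forward every packet
    (passive tap). IPS: alert and drop the matching packet (inline)."""
    alerts, forwarded = [], []
    for pkt in pkts:
        hits = [r for r in rules if match(r, pkt)]
        alerts.extend((r.sid, r.msg, pkt.src) for r in hits)
        if mode == "ids" or not hits:
            forwarded.append(pkt)
    return alerts, forwarded
```

Both modes raise the same two alerts; only the IPS run withholds the two matching packets from the forwarded list.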

Wazuh 🦊

  1. Comprehensive Monitoring: Wazuh provides extensive monitoring capabilities, including file integrity monitoring and log analysis.
  2. Centralized Management: It offers a centralized management console for easy configuration and monitoring of multiple agents.
  3. Integration with SIEM: Wazuh integrates well with Security Information and Event Management (SIEM) systems for enhanced threat detection and response.

Scenario: A financial institution uses Wazuh to monitor their critical systems. They detect unauthorized changes to sensitive files and quickly respond by revoking access and conducting a thorough investigation.

❄️ Conclusion

I think we now have a clear understanding of IPS and IDS, so if you find this blog useful, do clap for me. See you in the next blog with new content and new spirit!
