Intrusion Detection Systems fall into two types: the Network Intrusion Detection System (Network IDS, NIDS) and the Host Intrusion Detection System (Host IDS, HIDS). A NIDS focuses on network security monitoring, while a HIDS observes activity on the host itself. This article introduces popular open-source tools for Network Security Monitoring, widely used in the open-source community and by leading security companies. I have personally worked with and studied tools like Suricata, Snort, Zeek/Bro, OSSEC, and Security Onion, conducting security analysis and source code reviews. The next article will cover open-source host intrusion detection systems. Additionally, I will explain how to apply these tools in real-world projects and explore their principles through source code analysis.
1. What is an Intrusion Detection System in Network Security Monitoring?
An Intrusion Detection System (IDS) is a security tool that monitors computer networks and systems for abnormal activity and attack behaviour. IDS can be divided into two types: Network Intrusion Detection System (Network IDS, NIDS) and Host Intrusion Detection System (Host IDS, HIDS). A NIDS monitors network traffic, while a HIDS monitors system activity on the host.
2. The Role of Intrusion Detection Systems in Network Security Monitoring
The role of an Intrusion Detection System is to help security teams promptly detect and respond to security incidents in networks and systems, including malware infections, attacker intrusions and data breaches. By flagging abnormal activity such as port scanning, malware propagation or brute-force attacks, an IDS lets the organisation take timely measures to protect itself.
3. The Principle of Intrusion Detection Systems
The principle of an Intrusion Detection System is to detect abnormal activities and attack behaviors by monitoring network traffic or system activities on the host. IDS uses a series of rules and algorithms to analyze network traffic and system activities to promptly detect and respond to security incidents.
Here are some useful open-source network intrusion detection systems:
3. 1. Suricata

Suricata (NIDS) is an open-source, fast, stable, high-performance network intrusion detection engine developed by the Open Information Security Foundation (OISF). It can run passively as an IDS, inline as an IPS, and as a network security monitoring sensor that logs protocol transactions and extracts files. The engine is organised as a pipeline of modules (packet capture, decoding, stream tracking and reassembly, detection, output) spread across worker threads; the configured runmode (for example `workers` or `autofp`) determines how captured flows are distributed between those threads, so that a single flow is always inspected by one thread with full stream state.
Suricata is rule- and signature-based and can detect a wide range of network attacks, including port scanning, vulnerability exploitation and malware propagation. It also supports custom rules and Lua scripts (invoked from rules) to meet specific security needs.
Suricata can skip traffic that does not need inspection using BPF capture filters, `pass` rules, and IP reputation lists (the `iprep` keyword), which is how blacklists and whitelists of addresses are applied.
The principle of Suricata is to detect malicious activity by monitoring network traffic and matching it against rules and signatures. Suricata uses a multi-threaded, scalable architecture to handle high-speed network traffic.
Advantages
Inspects traffic at the application layer (layer 7 of the OSI model), improving the ability to detect malware activity.
Automatically detects and parses application-layer protocols (HTTP, TLS, FTP, SMB, DNS, SSH and more) regardless of port, so rules can be written against protocol fields rather than raw bytes.
High performance: a multi-threaded, scalable architecture with high-speed capture methods (AF_PACKET, PF_RING, Netmap, DPDK).
Supports custom rules and scripts, offering high flexibility.
Supports IP blacklists and whitelists to filter out traffic that does not need to be detected.
Disadvantages
Configuration and tuning are complex and require a certain level of technical expertise.
High CPU and memory consumption, especially with large rulesets and full NSM logging enabled.

Official website: https://suricata.io/
GitHub address: https://github.com/OISF/suricata
3. 2. Snort

Snort (NIDS) is a free, open-source network intrusion detection and prevention system. It was created by Martin Roesch in 1998. Its main strength is real-time traffic analysis and packet logging to monitor network traffic and detect malicious activity. With protocol analysis, content searching, and various preprocessors, Snort is widely accepted as a tool for detecting worms, exploits, stealth port scans, buffer overflows, CGI attacks, SMB probes, OS fingerprinting attempts, and other malicious threats. It runs on many hardware platforms and operating systems, such as Linux, OpenBSD, FreeBSD, Solaris, HP-UX, macOS and Windows.
It can be configured in three main modes – sniffer, packet logger, and network intrusion detection. In sniffer mode, the program will only read packets and display information on the console. In packet logger mode, packets will be logged to disk. In intrusion detection mode, the program will monitor real-time traffic and compare it with user-defined rules.
Snort is based on rules and signatures and can detect various network attacks, including port scanning, vulnerability exploitation, malware propagation, etc. Snort also supports custom rules and scripts to meet specific security needs.
The principle of Snort is to detect malicious activity by monitoring network traffic and matching it against rules and signatures. Snort 2 runs single-threaded (multiple instances are used to scale across cores); Snort 3 is multi-threaded. Snort's reputation preprocessor supports IP blacklists and whitelists to filter out traffic that does not need to be inspected.
Advantages
Highly flexible and dynamic in deployment.
Good community support for problem-solving, rapidly developing.
Mature and stable, widely used.
Supports custom rules and scripts, offering high flexibility, easy to write intrusion detection rules.
Supports IP blacklists and whitelists to filter out traffic that does not need to be detected.
Disadvantages
Snort 2's single-threaded design limits throughput on high-speed links.
Content split across several TCP segments is only detected after the stream preprocessor has reassembled it; if reassembly is misconfigured the signature can be missed, and in inline mode the reassembly adds latency.
High consumption of CPU and memory resources.
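Suricata and Snort share the same rule syntax (header, then options such as `content`, `nocase`, `sid`), and the stream-reassembly caveat above applies to both. The following Python is an added illustration, not engine code from either project: it parses a couple of rules, applies Suricata's default action order (a matching `pass` rule wins over `alert`, which is how a trusted-scanner whitelist works), and shows why a signature that straddles two TCP segments is only found on the reassembled stream. The rules, sids and addresses are constructed for the example.

```python
"""Toy Snort/Suricata-style signature engine (added illustration, not project code).
Supports only the rule header plus msg, content, nocase, sid and rev."""
import re
from dataclasses import dataclass, field

# Suricata's default action order: a matching pass rule wins over drop, reject and alert.
ACTION_ORDER = ("pass", "drop", "reject", "alert")

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)
    contents: list = field(default_factory=list)  # [[needle_bytes, nocase_flag], ...]

def parse_rule(text):
    """Parse one rule line. Simplification: assumes no ';' inside quoted strings."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    rule = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    last_content = None
    for opt in (o.strip() for o in m["opts"].split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "content":
            last_content = [val.encode(), False]
            rule.contents.append(last_content)
        elif key == "nocase" and last_content is not None:
            last_content[1] = True          # modifier applies to the preceding content
        else:
            rule.options[key] = val
    return rule

def _addr_match(spec, ip):
    if spec.startswith("!"):
        return spec[1:] != ip
    return spec in ("any", ip)

def _port_match(spec, port):
    return spec == "any" or spec == str(port)

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    if not (_addr_match(rule.src, pkt["src"]) and _addr_match(rule.dst, pkt["dst"])):
        return False
    if not (_port_match(rule.sport, pkt["sport"]) and _port_match(rule.dport, pkt["dport"])):
        return False
    for needle, nocase in rule.contents:       # every content keyword must be present
        hay = pkt["payload"].lower() if nocase else pkt["payload"]
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True

def inspect(rules, pkt):
    """Return (action, sid) of the winning rule for one packet, or None."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    if not hits:
        return None
    best = min(hits, key=lambda r: ACTION_ORDER.index(r.action))
    return best.action, best.options.get("sid")

def reassemble(segments):
    """Join TCP segments of one flow in sequence order (no overlap/retransmit handling)."""
    return b"".join(data for _, data in sorted(segments))

def inspect_stream(rules, flow, segments):
    """Packet-by-packet verdicts versus the verdict on the reassembled stream."""
    per_segment = [inspect(rules, dict(flow, payload=data)) for _, data in segments]
    whole = inspect(rules, dict(flow, payload=reassemble(segments)))
    return per_segment, whole

# Constructed rules and traffic (hypothetical sids, RFC 5737 documentation addresses).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"Nikto scanner User-Agent"; content:"Nikto"; nocase; sid:1000001; rev:1;)',
    'pass tcp 10.0.0.5 any -> any any (msg:"authorised internal scanner"; sid:1000002; rev:1;)',
)]
FLOW = {"proto": "tcp", "src": "203.0.113.7", "sport": 51234, "dst": "10.0.0.80", "dport": 80}
# The signature string straddles two segments: "...Ni" | "kto...".
SEGMENTS = [(0, b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; Ni"),
            (1, b"kto/2.1.6)\r\n\r\n")]
```

Running `inspect_stream(RULES, FLOW, SEGMENTS)` gives no verdict on either segment alone but an alert on the reassembled stream, which is exactly the behaviour the stream preprocessor (Snort) or stream engine (Suricata) provides; the same packet from `10.0.0.5` is silenced by the `pass` rule. Real engines add pattern-matching optimisations, protocol-aware buffers and evasion handling on top of this skeleton.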
Official website: www.snort.org
GitHub address: https://github.com/snort3/snort3
Snort 3 is the next-generation Snort IPS (Intrusion Prevention System)
3. 3. Zeek/Bro

Zeek (formerly known as Bro) is a passive, open-source network traffic analysis framework originally developed by Vern Paxson. Rather than alerting on signatures, it turns observed traffic into detailed, structured logs: HTTP sessions (URI, key headers, MIME types, server responses), DNS requests and replies, TLS/SSL certificates, SMTP sessions and more. On top of those logs it ships policy scripts for threat detection, such as extracting files from HTTP sessions, matching indicators of known malware through its intelligence framework, flagging vulnerable software versions, detecting SSH brute-force attacks, and validating SSL certificate chains. Zeek's scripting language lets you add custom detection logic for specific security needs.
The principle of Zeek is to reduce traffic to events and logs and let scripts act on them; its functionality is extended with custom scripts and plugins. The logs and notices it generates help security teams detect and respond to security incidents promptly.
Zeek is divided into two layers:
Event Engine: the C++ core that reads live or recorded traffic, reassembles streams, parses protocols, and reduces the packet stream to a series of high-level events (a new connection, an HTTP request, a DNS reply), regardless of whether anything anomalous is happening.
Policy Scripts: written in Zeek's own scripting language, these event handlers implement site policy and decide on actions, such as writing a log entry, raising a notice, sending an email, or executing a system command.
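The split between the two layers is easiest to see with a concrete log. The Python below is an added example, not Zeek's own code (Zeek's equivalent lives in `policy/protocols/ssh/detect-bruteforcing.zeek` and is written in Zeek script). It parses Zeek's TSV log format using the `#fields` header, then plays the policy-script role over a constructed `ssh.log` excerpt: count failed logins per originator inside a sliding window, raise a `SSH::Password_Guessing` notice when the threshold is crossed, and raise `SSH::Login_By_Password_Guesser` if a flagged host later succeeds. The excerpt keeps only a subset of the real `ssh.log` columns; the threshold and window are parameters (Zeek's script exposes them as `password_guesses_limit` and `guessing_timeout`).

```python
"""Analysis-driven detection over a Zeek ssh.log (added example, not Zeek code)."""
from collections import defaultdict

# Constructed ssh.log excerpt with a subset of Zeek's columns; the parser keys on #fields.
SAMPLE_SSH_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssh
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success\tauth_attempts
#types\ttime\tstring\taddr\tport\taddr\tport\tbool\tcount
1700000000.10\tC1\t198.51.100.9\t40001\t10.0.0.22\t22\tF\t3
1700000001.20\tC2\t198.51.100.9\t40002\t10.0.0.22\t22\tF\t3
1700000002.30\tC3\t198.51.100.9\t40003\t10.0.0.22\t22\tF\t3
1700000003.40\tC4\t198.51.100.9\t40004\t10.0.0.22\t22\tT\t1
1700000004.50\tC5\t192.0.2.44\t50001\t10.0.0.22\t22\tT\t1
1700000006.00\tC6\t192.0.2.44\t50002\t10.0.0.22\t22\t-\t-
1700005000.00\tC7\t198.51.100.9\t40005\t10.0.0.22\t22\tF\t1
#close\t2023-11-14-22-13-20
"""

def parse_zeek_log(text):
    """Yield one dict per record from Zeek's TSV format; '-' (unset) becomes None."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if line.startswith("#"):                 # header/footer directives
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue
        if not line or fields is None:
            continue
        values = line.split("\t")
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}

def detect_password_guessing(records, limit=30, window=1800.0):
    """Policy-script logic: per-originator failed logins in a sliding window.

    Returns [(notice_type, orig_h, ts), ...]. A simplification of Zeek's SumStats-based
    policy; the defaults mirror 30 guesses within 30 minutes.
    """
    failures = defaultdict(list)   # orig_h -> timestamps of recent failed logins
    flagged, notices = set(), []
    for r in records:
        if r["auth_success"] is None:            # outcome unknown: Zeek logs '-'
            continue
        ts, src = float(r["ts"]), r["id.orig_h"]
        if r["auth_success"] == "T":
            if src in flagged:                   # success from a known guesser: escalate
                notices.append(("SSH::Login_By_Password_Guesser", src, ts))
            continue
        recent = [t for t in failures[src] if ts - t <= window] + [ts]
        failures[src] = recent
        if len(recent) >= limit and src not in flagged:
            flagged.add(src)
            notices.append(("SSH::Password_Guessing", src, ts))
    return notices

def run_sample(limit=3):
    """Run the detector over the constructed excerpt with a low threshold for the demo."""
    return detect_password_guessing(parse_zeek_log(SAMPLE_SSH_LOG), limit=limit)

if __name__ == "__main__":
    for kind, src, ts in run_sample():
        print("%s %s at %.2f" % (kind, src, ts))
```

With the demo threshold of three, `198.51.100.9` is flagged on its third failure and escalated when its fourth attempt succeeds; `192.0.2.44`, a normal login, produces nothing, and the record with an unset `auth_success` is ignored rather than counted. Because the detector works from the log rather than from packets, the same code runs over historical logs for an investigation, which is the analysis-driven workflow Zeek is built around.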
Difference between security tools Zeek and Bro
Zeek and Bro are the same tool: the project, originally named Bro, was renamed Zeek in 2018. Both names refer to the network security monitoring framework described above, which monitors traffic, produces detailed logs and reports, and detects malicious activity such as network scanning or vulnerability exploitation. Older documentation, scripts and package names still use "Bro".

Advantages
Supports custom scripts and plugins, offering high flexibility: its scripting language lets users define their own monitoring logic per protocol or per protected asset.
Efficiently works in networks with large traffic and handles large network projects.
Capable of deep traffic analysis and supports analyzers for multiple protocols.
Can generate detailed logs and reports, facilitating security team analysis.
Scales horizontally through its cluster architecture (manager, proxies and worker processes), so large links can be split across cores and sensors.
Disadvantages
Passive only: Zeek observes and logs traffic, it cannot block it inline.
Its scripting language and cluster layout take time to learn.
It emits a large volume of logs that need a separate storage and search stack.
3. 4. Security Onion

Security Onion is a free, open-source Linux distribution for intrusion detection, network security monitoring and log management. Rather than a single engine, it packages the tools above with full packet capture and analysis front-ends into one installable sensor platform. The component names below (netsniff-ng, Sguil, Squert, ELSA, OSSEC) belong to the older 1.x releases; current releases replaced them with the Elastic stack and a web console, but the architecture (capture, NIDS, HIDS, analysis front-end) is the same.
Core Features
Full packet capture: achieved with netsniff-ng, this captures all network traffic visible to Security Onion and retains it on disk for as long as storage allows. It acts like a network camera, providing evidence of threats and malicious activity occurring on the network.
Network-based and host-based IDS: analyses network traffic or host systems and produces log and alert data for detected events. Security Onion offers several options: a rule-driven NIDS (Snort or Suricata), an analysis-driven NIDS (Zeek), and a HIDS (OSSEC).
Analysis tools: in addition to capturing network data, Security Onion includes tools such as Sguil, Squert and ELSA to help administrators analyse alerts and logs.
Advantages
Provides a highly flexible environment to adjust network security monitoring as needed.
Integrates multiple open-source security tools with pre-installed sensor management, traffic analysers and packet sniffers, so no additional IDS/IPS software is needed.
Supports real-time alerts and notifications, enabling timely detection and response to security events.
Supports custom rules and scripts, offering high flexibility.
Disadvantages
Cannot function as an IPS after installation; it can only be used as an IDS.
Administrators need to learn several tools to use the distribution effectively.
Configuration files, except for rules, cannot be automatically backed up.
Configuration and usage can be complex, requiring a certain level of technical expertise.
Official Website: https://securityonion.net/
GitHub Repository: https://github.com/Security-Onion-Solutions/securityonion
4. Summary
Suricata, Snort and Zeek are all Network Security Monitoring solutions that watch network traffic and detect malicious activity, but they do it differently: Suricata and Snort match traffic against rules and signatures, while Zeek reduces traffic to events and structured logs that scripts act on. Security Onion bundles them, with full packet capture and analysis tools, into a single sensor platform. All of them support custom rules or scripts to meet specific security requirements. Each has its own advantages and disadvantages, and the choice of tool should depend on the specific use case and requirements.