Task 1: What is an IDS
A firewall is usually the first line of defense in a network. It sits at the boundary and checks traffic that is coming in or going out. If the traffic matches the allowed rules, it lets it pass. If it violates the rules, it blocks it. Simple.
But here’s the catch.
What if an attacker sends traffic that looks completely normal? The firewall sees nothing suspicious and allows it. Now the attacker is inside the network.
Once inside, the attacker might start scanning systems, trying passwords, or accessing sensitive data. At this point, the firewall has already done its job. It allowed the connection. It doesn’t monitor what happens afterward.
This is where an Intrusion Detection System (IDS) comes in.
Think of it like building security. The firewall is the security guard at the gate. The IDS is the CCTV camera inside the building. Even if someone manages to enter through the gate, the cameras are still watching. If that person starts doing something suspicious, the cameras alert the authorities.
An IDS works the same way. It monitors network traffic from inside the network and looks for abnormal or malicious behavior. When it detects something suspicious, it generates an alert for the security team.
One important thing to remember: an IDS does not block attacks. It only detects and alerts. It acts like an early warning system.
Task 1: Question
Can an intrusion detection system (IDS) prevent the threat after it detects it? Yea/Nay
Answer: Nay
Task 2: Types of IDS
Types of IDS — How They Are Categorized
IDS systems can be classified in two main ways. One is based on where they are deployed. The other is based on how they detect attacks. Let’s understand both in a simple way.
Deployment Modes
The first category depends on where the IDS is placed.
A Host Intrusion Detection System (HIDS) is installed directly on a single machine. Think of it like having a personal security guard inside every room of a building. That guard watches only that specific room and reports suspicious activity happening there. Because it focuses on one system, it provides very detailed visibility. However, if you have 500 rooms, you need 500 guards. Managing them becomes difficult and resource-heavy.
On the other hand, a Network Intrusion Detection System (NIDS) monitors the entire network traffic. Instead of placing a guard in every room, imagine placing cameras in the building’s main hallway. From there, you can observe everyone moving around. NIDS watches traffic flowing across the whole network and provides a centralized view of suspicious activity. It doesn’t focus on one specific host — it monitors everything passing through the network.
In simple terms, HIDS watches one device closely, while NIDS watches the overall network traffic.
Detection Modes
Now let’s talk about how IDS detects attacks.
A Signature-Based IDS works like antivirus software. It keeps a database of known attack patterns, called signatures. When traffic matches a known pattern, it raises an alert. Think of it like a police system that has a database of known criminals. If someone’s face matches a record, they get flagged immediately. It’s fast and accurate for known threats. But if a completely new attacker appears — someone not in the database — it won’t recognize them. That’s why signature-based IDS cannot detect zero-day attacks.
An Anomaly-Based IDS works differently. Instead of relying on known patterns, it first learns what “normal” behavior looks like. This normal behavior is called a baseline. If something behaves unusually compared to that baseline, it generates an alert. Imagine a teacher who knows how students normally behave in class. If a usually quiet student suddenly starts shouting, the teacher immediately notices something is wrong. Because it detects unusual behavior, anomaly-based IDS can detect zero-day attacks. However, sometimes normal behavior may look unusual, and it may raise false alarms. These are called false positives. Fine-tuning the system can reduce such mistakes.
A Hybrid IDS combines both methods. It uses signature detection for known threats and anomaly detection for unknown ones. Think of it like having both a criminal database and smart surveillance cameras working together. This approach increases detection capability but may require more processing power.
Signature-based systems are fast and efficient for known attacks, especially in smaller environments. However, modern threats are evolving quickly. Zero-day attacks are increasing every day, and anomaly-based or hybrid systems are better suited to detect these advanced threats.
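To make the two detection modes concrete, here is an added Python sketch (not from the original room) that runs a toy signature list and a learned rate baseline over constructed traffic records. The signature check catches only the host using a known tool; the baseline also flags the unknown flood, and flags a legitimately busy backup host as well, which is the false positive the text describes. All IPs, request lines and counts are constructed.

```python
import statistics

# Toy "signature database": substrings a signature-based IDS knows about (constructed).
KNOWN_SIGNATURES = ("sqlmap", "nikto")

# Constructed events: (source_ip, request_line). 10.0.0.9 uses a tool with no signature yet.
EVENTS = [
    ("10.0.0.5", "GET /index.html"),
    ("10.0.0.7", "GET /admin User-Agent: sqlmap/1.5"),
    ("10.0.0.9", "GET /login?q=never-seen-before"),
]
# Constructed requests-per-minute, per host, for the same window.
# 10.0.0.3 is a backup server that is legitimately busy at this hour.
REQUEST_COUNTS = {"10.0.0.5": 11, "10.0.0.7": 40, "10.0.0.9": 250, "10.0.0.3": 30}
# Constructed training window: per-host request rates observed while the network was quiet.
QUIET_WINDOW = [10, 10, 10, 12, 12, 12]


def signature_alerts(events):
    """Signature detection: alert only when a known pattern appears in the request."""
    return [ip for ip, req in events
            if any(sig in req.lower() for sig in KNOWN_SIGNATURES)]


def learn_baseline(counts):
    """Anomaly detection step 1: learn what 'normal' looks like (mean and spread)."""
    return statistics.mean(counts), statistics.pstdev(counts) or 1.0


def anomaly_alerts(counts_by_ip, baseline, z_threshold=3.0):
    """Anomaly detection step 2: alert on hosts far above the learned baseline."""
    mean, spread = baseline
    return [ip for ip, n in counts_by_ip.items() if (n - mean) / spread > z_threshold]


def run_demo():
    """Return (signature hits, anomaly hits) for the constructed window."""
    baseline = learn_baseline(QUIET_WINDOW)  # mean 11, spread 1 -> alert above 14/min
    return signature_alerts(EVENTS), anomaly_alerts(REQUEST_COUNTS, baseline)


if __name__ == "__main__":
    sigs, anomalies = run_demo()
    print("signature alerts:", sigs)       # only the host using a known tool
    print("anomaly alerts:  ", anomalies)  # unknown flood caught; backup host is a false positive
```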
Task 2 — Question:
Which type of IDS is deployed to detect threats throughout the network?
Answer: Network Intrusion Detection System
Task 3 — IDS Example Snort
Understanding Snort
Snort is one of the most popular open-source IDS tools, created in 1998. Over the years, it has become a widely trusted solution for detecting malicious network traffic.
At its core, Snort works using rules. These rules contain patterns of known attacks. When network traffic matches one of those patterns, Snort generates an alert.
Think of Snort like a security system that has a list of “wanted behaviors.” If it sees traffic that matches something on that list, it immediately raises a warning.
Snort comes with many built-in rule files. These already contain signatures of common attacks, so it can detect a wide range of threats right after installation. But every network is different. So if the default rules don’t cover your specific needs, you can write your own custom rules.
This is what makes Snort powerful. You are not limited to its default database. You can create rules to detect specific traffic patterns in your own environment. You can even disable built-in rules if they generate unnecessary alerts and replace them with better-suited custom rules.
In short, Snort is flexible, customizable, and widely used in real-world security environments.
Modes of Snort
Snort can work in three different modes. Each mode serves a different purpose.
Packet Sniffer Mode
In this mode, Snort simply reads and displays network packets. It does not analyze them for attacks.
Imagine standing near a highway and just observing the cars passing by. You’re not stopping anyone or checking for criminals. You’re just watching traffic flow.
Packet sniffer mode is useful for troubleshooting and monitoring. For example, if a network team notices performance issues, they might use this mode to understand how traffic is moving across the network.
It helps in visibility, not detection.
Packet Logging Mode
In packet logging mode, Snort captures and saves network traffic into a file, usually in PCAP format.
Think of this like recording CCTV footage. You may not analyze everything immediately, but you store it so you can review it later.
This mode is especially useful for forensic investigations. If a cyberattack happens, security teams can go back to the saved traffic logs and perform root cause analysis. It helps answer questions like: How did the attack start? What systems were affected?
It’s about recording evidence.

NIDS Mode (Network Intrusion Detection System Mode)
This is the main mode of Snort.
In NIDS mode, Snort monitors network traffic in real time and compares it against its rule files. If traffic matches a known attack pattern, it immediately generates an alert.
Going back to our analogy, this is like having security cameras that not only record but also automatically alert you when suspicious activity is detected.
This mode provides the actual intrusion detection functionality. It is what makes Snort a true IDS solution.
Although Snort can operate in all three modes, its most important and commonly used mode is NIDS mode. That’s where it actively protects the network by detecting potential threats as they happen.
Answer the questions below
Which mode of Snort helps us to log the network traffic in a PCAP file?
Packet logging mode
What is the primary mode of Snort called?
Network Intrusion Detection System Mode
Task 4 — Snort Usage
Snort — Simple and Clear
Snort is one of the most widely used open-source IDS tools, created in 1998. It detects attacks using rules. These rules contain patterns of malicious traffic. When traffic matches a rule, Snort generates an alert.
Think of Snort like a smart security system. It has a list of “suspicious behaviors.” If it sees something matching that list, it immediately warns you.
Snort already comes with built-in rule files stored inside /etc/snort. These rules detect many common attacks. But the real power of Snort is customization. You can write your own rules if you want to detect specific traffic in your environment. You can also disable rules that are not relevant to your network.
This flexibility makes Snort practical in real-world security setups.
Snort Rule Structure (Simple Understanding)
A Snort rule has a fixed format. For example:
alert icmp any any -> 127.0.0.1 any (msg:"Loopback Ping Detected"; sid:10003; rev:1;)
Let’s break it down simply.
alert → What action to take (generate an alert)
icmp → Protocol (used in ping)
any any → Traffic from any IP and any port
-> → Direction of traffic
127.0.0.1 any → Destination IP and port
msg → Message shown when triggered
sid → Unique rule ID
rev → Rule version number
Think of a rule like giving instructions to a security guard:
“If you see ICMP traffic going to this address, raise an alert.”
That’s it.
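As an added example (not part of the room or of the Snort project), this Python script parses rules of the structure just described and lints a constructed local.rules. Only the loopback rule comes from the text; the two SSH rules (reusing sid 1000002 from the lab) and the duplicate are assumptions. It also checks the sid range Snort reserves for its own distributed rules (sids below 1000000), which the sample loopback rule falls into.

```python
import re

# Fixed header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)

# Constructed local.rules content. Line 1 is the rule quoted in the write-up; the two SSH
# rules are assumptions (the room's real SSH rule text is not shown), reusing sid 1000002.
SAMPLE_RULES = """
alert icmp any any -> 127.0.0.1 any (msg:"Loopback Ping Detected"; sid:10003; rev:1;)
alert tcp any any -> any 22 (msg:"SSH Connection Attempt"; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"Copy-pasted SSH rule"; sid:1000002; rev:1;)
"""


def parse_rule(line):
    """Split one rule into its header fields and an options dict (msg, sid, rev, ...)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = {}
    for item in m.group("opts").split(";"):
        if item.strip():
            key, _, value = item.partition(":")
            rule["options"][key.strip()] = value.strip().strip('"')
    return rule


def load_rules(text):
    """Parse a rules file, skipping blank lines and # comments."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def check_rules(rules):
    """Lint the rule set: required options, duplicate sids, and sids in the range Snort
    reserves for its distributed rules (local rules should use sid >= 1000000)."""
    problems, seen = [], {}
    for r in rules:
        o = r["options"]
        problems += [f"{o.get('msg', '?')}: missing {k}" for k in ("msg", "sid", "rev") if k not in o]
        sid = o.get("sid")
        if sid in seen:
            problems.append(f"sid {sid} used by both {seen[sid]!r} and {o.get('msg')!r}")
        elif sid is not None:
            seen[sid] = o.get("msg")
            if int(sid) < 1_000_000:
                problems.append(f"sid {sid} ({o.get('msg')}) is in the range reserved for distributed rules")
    return problems
```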
Running Snort — Understanding the Commands
When we run Snort in detection mode, we use a command like this:
sudo snort -q -l /var/log/snort -i lo -A console -c /etc/snort/snort.conf
Let’s understand the important flags.
sudo → Run with root privileges (required to capture packets from a network interface)
-q → Quiet mode (reduces unnecessary output)
-l /var/log/snort → Log directory (where alerts and logs will be saved)
-i lo → Interface to monitor (lo means loopback interface)
-A console → Show alerts directly on the console
-c /etc/snort/snort.conf → Use this configuration file
Think of this command like telling Snort:
“Monitor this network interface, use these rules, show alerts on screen, and save logs here.”
Analyzing PCAP Files
Sometimes, instead of monitoring live traffic, you may want to analyze a previously captured traffic file (PCAP). For that, we use:
sudo snort -q -l /var/log/snort -r Task.pcap -A console -c /etc/snort/snort.conf
Here the important flag is:
-r Task.pcap → Read packets from a saved PCAP file instead of live traffic.
Think of this like replaying CCTV footage instead of watching live camera feed.
This is very useful for forensic investigation and root cause analysis.
Snort Modes — Quick Clear Difference
Snort can work in three modes:
Packet Sniffer Mode → Just reads traffic (no detection). Like watching cars on a highway.
Packet Logging Mode → Saves traffic for later. Like recording CCTV.
NIDS Mode → Detects attacks using rules and alerts you. Like security cameras that trigger alarms.
The most important one for IDS functionality is NIDS mode.
Answer the questions below
Where is the main directory of Snort that stores its files?
/etc/snort
Which field in the Snort rule indicates the revision number of the rule?
rev
Which protocol is defined in the sample rule created in the task?
icmp
What is the file name that contains custom rules for Snort?
local.rules
Task 5 — Practical Lab
Answer the questions below
What is the IP address of the machine that tried to connect to the subject machine using SSH?
10.11.90.211
What other rule message besides the SSH message is detected in the PCAP file?
Ping Detected
What is the sid of the rule that detects SSH?
1000002
