Hyrje në IDS/IPS

Mesatar 15 min Siguria e Rrjetit

Hyrje

An Intrusion Detection System (IDS) passively watches network or host activity and raises alerts on suspicious patterns; an Intrusion Prevention System (IPS) can also actively block the offending traffic.

Teoria

The two main detection strategies are signature-based and anomaly-based. Signature-based detection compares traffic against a database of known attack patterns (similar to antivirus signatures). Tools like Suricata and Snort ship with thousands of community rules (Emerging Threats, Talos) that cover most commodity malware, exploit kits and known bad indicators. The drawback is that zero-day attacks and custom payloads can slip past signatures. Anomaly-based detection builds a baseline of "normal" behavior for the network — flows, volumes, protocols, timing — and alerts when something deviates. This catches novel attacks but also generates more false positives, especially in noisy environments. Most modern IDS products combine both approaches, complemented by threat intelligence feeds that continuously update indicators of compromise. In a typical enterprise, IDS/IPS is deployed at the perimeter (between internet and DMZ), at key internal choke points, and often on endpoints as EDR agents. The SIEM then correlates IDS alerts with logs from firewalls, endpoints and cloud APIs to separate real incidents from background noise. Tuning is a continuous effort: unreviewed alerts quickly become useless alert fatigue.

Mjetet

IDS/IPS open-source dhe komercialë:

  • Suricata — IDS/IPS multi-threaded me rregulla të mëdha.
  • Snort 3 — standardi klasik.
  • Zeek (ish Bro) — analizë protokollesh.
  • Palo Alto Threat Prevention, Cisco Firepower — zgjidhje komerciale.

Praktika

Instalim i shpejtë i Suricata në Ubuntu dhe ekzekutim në një interface:

apt install suricata -y
suricata-update
suricata -c /etc/suricata/suricata.yaml -i eth0

Shembull rregulli custom që alarmon për lidhje SSH nga internet:

alert tcp any any -> $HOME_NET 22 (msg:"SSH from external"; flow:to_server,established; sid:9001001; rev:1;)

Ushtrime

  1. Instalo Suricata në një VM dhe tërhiq trafik me tcpreplay nga një PCAP publik (p.sh. malware-traffic-analysis.net).
  2. Verifiko alarmet në /var/log/suricata/fast.log.

Burime

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re