Hyrje
An Intrusion Detection System (IDS) passively watches network or host activity and raises alerts on suspicious patterns; an Intrusion Prevention System (IPS) can also actively block the offending traffic.
Teoria
The two main detection strategies are signature-based and anomaly-based. Signature-based detection compares traffic against a database of known attack patterns (similar to antivirus signatures). Tools like Suricata and Snort ship with thousands of community rules (Emerging Threats, Talos) that cover most commodity malware, exploit kits and known bad indicators. The drawback is that zero-day attacks and custom payloads can slip past signatures.
Anomaly-based detection builds a baseline of "normal" behavior for the network — flows, volumes, protocols, timing — and alerts when something deviates. This catches novel attacks but also generates more false positives, especially in noisy environments. Most modern IDS products combine both approaches, complemented by threat intelligence feeds that continuously update indicators of compromise.
In a typical enterprise, IDS/IPS is deployed at the perimeter (between internet and DMZ), at key internal choke points, and often on endpoints as EDR agents. The SIEM then correlates IDS alerts with logs from firewalls, endpoints and cloud APIs to separate real incidents from background noise. Tuning is a continuous effort: unreviewed alerts quickly become useless alert fatigue.
Mjetet
IDS/IPS open-source dhe komercialë:
- Suricata — IDS/IPS multi-threaded me rregulla të mëdha.
- Snort 3 — standardi klasik.
- Zeek (ish Bro) — analizë protokollesh.
- Palo Alto Threat Prevention, Cisco Firepower — zgjidhje komerciale.
Praktika
Instalim i shpejtë i Suricata në Ubuntu dhe ekzekutim në një interface:
apt install suricata -y
suricata-update
suricata -c /etc/suricata/suricata.yaml -i eth0Shembull rregulli custom që alarmon për lidhje SSH nga internet:
alert tcp any any -> $HOME_NET 22 (msg:"SSH from external"; flow:to_server,established; sid:9001001; rev:1;) Ushtrime
- Instalo Suricata në një VM dhe tërhiq trafik me
tcpreplaynga një PCAP publik (p.sh. malware-traffic-analysis.net). - Verifiko alarmet në
/var/log/suricata/fast.log.
Burime
- Suricata documentation
- Zeek documentation
- Emerging Threats rule sets (ET Open / ET Pro).
Vlerësimet dhe komentet
Kyçu për të lënë një vlerësim.
Ende pa komente. Bëhu i pari!
Diskutime
Ende pa diskutime. Hap një temë të re