What an IDS does

When a signature or anomaly check fires, a network IDS (N-IDS) can respond in one or more of the following ways:

Reconfiguration of external devices (firewalls or ACLs on routers): a command sent by the N-IDS to an external device (a packet filter or firewall) so that it reconfigures itself immediately and blocks the intrusion. The reconfiguration is driven by the data that describe the alert, taken from the packet header (for example the source address of the offending traffic).

Sending an SNMP trap to an external supervisor: sending the alert (with details of the data involved) as an SNMP datagram to an external management console such as HP OpenView, Tivoli or Cabletron Spectrum.

Sending an e-mail to one or more users: sending an e-mail to one or more mailboxes to report a serious intrusion.

Attack log: saving the details of the alert in a central database, including the date and time, the intruder's IP address, the destination IP address, the protocol used and the payload.

Suspicious packet storage: storing all the original captured packets and/or only the packets that triggered the alert, so the event can be examined afterwards.

Opening an application: launching an external program to perform a specific action (sending an SMS message, issuing an audible alert, etc.).

Sending a ResetKill: building a TCP segment with the RST flag set and injecting it to force the end of the connection (valid only for intrusion techniques that use TCP; the reset only takes effect if its sequence number matches what the receiving end expects next, otherwise the endpoint ignores it).

Visual notification of an alert: displaying the alert on one or more management consoles.
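Of the responses above, the ResetKill is the one worth seeing in bytes. The following is an added example, not code from the original post: it builds the raw IPv4/TCP RST segment with correct checksums, and derives the sequence numbers from one observed segment of the flow so that each reset lands exactly on what its receiver expects next. The addresses, ports and sequence numbers are constructed sample values, and the helper names are this example's own.

```python
"""Building the TCP RST ("ResetKill") an IDS injects to tear down a flow.

Added example, not code from the original post. It only builds the raw
IPv4+TCP bytes; transmitting them needs a raw socket (root / CAP_NET_RAW)
and is left to the caller.
"""
import socket
import struct
from typing import Optional

TCP_RST = 0x04
TCP_ACK = 0x10
IP_HDR_LEN = 20
TCP_HDR_LEN = 20


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)


def build_rst(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
              seq: int, ack: Optional[int] = None, ttl: int = 64) -> bytes:
    """Return a complete IPv4 packet carrying a TCP RST (RST|ACK if ack given)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    flags, ack_num = TCP_RST, 0
    if ack is not None:
        flags, ack_num = TCP_RST | TCP_ACK, ack & 0xFFFFFFFF
    # TCP header, no options: data offset 5 words, window 0, checksum 0 for now.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq & 0xFFFFFFFF,
                      ack_num, (TCP_HDR_LEN // 4) << 4, flags, 0, 0, 0)
    tcp_ck = checksum(_pseudo_header(src, dst, len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_ck) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, DF set, checksum 0 for now.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp), 0,
                     0x4000, ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def rst_pair_for_flow(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                      seq: int, ack: int, payload_len: int) -> tuple:
    """From one observed segment of the offending flow, build a RST for each
    endpoint, each spoofing the other. The sequence number must equal the
    receiver's RCV.NXT: an out-of-window RST is silently dropped, and one that
    is in-window but not exact only draws a challenge ACK (RFC 5961), so the
    connection survives."""
    to_dst = build_rst(src_ip, dst_ip, src_port, dst_port,
                       seq=(seq + payload_len) & 0xFFFFFFFF)
    to_src = build_rst(dst_ip, src_ip, dst_port, src_port, seq=ack)
    return to_dst, to_src


def parse(packet: bytes) -> dict:
    """Parse a raw IPv4+TCP packet and re-verify both checksums (0 == valid)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = packet[:ihl], packet[ihl:]
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "rst": bool(flags & TCP_RST), "ack_flag": bool(flags & TCP_ACK),
        "ip_checksum_ok": checksum(ip_hdr) == 0,
        "tcp_checksum_ok": checksum(_pseudo_header(src, dst, len(tcp)) + tcp) == 0,
    }


if __name__ == "__main__":
    # Constructed sample: a segment with 100 payload bytes seen from
    # 10.0.0.5:40000 to 10.0.0.9:80 with seq=1000, ack=5000 (hypothetical).
    to_dst, to_src = rst_pair_for_flow("10.0.0.5", "10.0.0.9", 40000, 80,
                                       seq=1000, ack=5000, payload_len=100)
    for pkt in (to_dst, to_src):
        print(parse(pkt))
```

Run it with python3 to print both parsed resets. Putting them on the wire takes a raw socket (socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) with CAP_NET_RAW, and timing matters: the sensor sees the segment after the endpoint has, so a reset that arrives once the receiver's sequence window has moved on is simply ignored. That race is the practical weakness of this response on a passive sensor, and the reason an inline device that can drop the packet itself is preferred for blocking.
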

What are the challenges and characteristics of IDS
Vendors and the specialised press increasingly emphasise the importance of replacing traditional IDS with IPS (intrusion prevention systems), or at least of distinguishing clearly between the two.

An intrusion prevention system prevents and protects against intrusions, rather than only recognising them and raising alerts as most IDS do. The difference between a network IDS and a network IPS lies mainly in two characteristics. First, the IPS sits inline on the network path, so traffic has to pass through it, whereas an IDS passively listens to a copy of the traffic (traditionally from a mirrored or SPAN port). Second, the IPS can block an intrusion immediately by itself, regardless of the transport protocol used and without reconfiguring an external device: it filters and blocks packets natively, using actions such as dropping the offending packets, dropping the connection or blocking the intruder.
