Goals of IDS System

The first and foremost goal of an intrusion detection system should be to alert a network security analyst to a potential break-in.

The goals of an organization largely shape how it implements its network monitoring systems. For example, an organization focused on detecting targeted threats is going to have a different focus than a financial institution.

Overview of Suricata

Suricata came out of the OISF, which was originally funded by the U.S. Department of Homeland Security's HOST program. The engine was brought out as an alternative to Snort, with the goal of being able to monitor 10 gigabit links on commodity hardware, which was achieved early on.

Suricata's development has been led by Victor Julien, who also developed the Snort_Inline IPS project. Suricata built upon many of the mistakes of previous IDS engines and in many ways validated the idea that competition spurs innovation.

Overview of Snort

Snort is by far the largest IDS system out there; on its website it boasts over 4 million downloads and over 500k registered users. This is typically what people associate with open source intrusion detection systems. Snort has an active development team and is continually releasing updates.

Overview of Bro

Bro Network Security Monitor is a great engine and takes a radically different approach than Snort and Suricata. Rather than relying on a model in which users depend on rules provided by the Snort or Emerging Threats community, Bro bills itself as more of an analysis framework.

This framework is great at extracting events and metadata about what is happening around the network and empowering security analysts to define what is suspicious to them, especially in their own environment. Bro also has an extraordinary amount of built-in functionality for logging and really complements a traditional signature-based IDS.

Overview of Moloch

Moloch is a full packet capture engine. It provides an excellent platform for performing in-depth analysis of network flows and digging into network traffic. The goal is to index packets/sessions and provide an interface for users to search and easily pivot during their investigations.

Additionally, IDS systems fit in very nicely with Moloch, since you can tag IDS events in Moloch and thereby associate a captured session with an IDS alert.

Placement of IDS Systems

Typically, it is good to place the IDS systems prior to egress. Things that are especially important to think about are proxies, firewalls and where the users are in relation to the IDS monitoring point. For example, you would not typically want to put your IDS system behind your proxy, as you are interested in seeing which user would have visited the malicious site. Likewise, you would not want to put it outside the perimeter of your firewall, since you will be inundated with false positives, or with things that would never have reached the network.

Caveats of IDS Systems

One of the big problems that many folks run into is "alert fatigue". Turning on IDS systems for the first time can be a daunting task, and combing through false positives trying to find that one good alert quickly fills an analyst's plate.

At the end of the day, I believe there are 3 major places that organizations can fail at network intrusion detection:

  • Administrators fail to keep alerts relevant
    • IDS is seen as a system with a ton of false positives
    • No maintenance is devoted towards managing it, can be spotty coverage
    • Rules are not up to date
  • Analysts fail to understand rules
    • Don't have proper training on how to validate rules
    • Are not kept in the loop on specific rules that are of high importance
  • Organization can't respond to problems generated by IDS
    • Response policies are not in place
    • System administrators don't know where to look for issues
    • Security organization isn't empowered to respond to issues
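The first failure mode above, administrators not keeping alerts relevant, is easiest to fight with numbers: count which signatures produce most of the volume and which ones fire from only a handful of hosts. The script below is an added example, not code from the article or from any of the projects it describes. It assumes alerts are available in Suricata's EVE JSON format (one JSON object per line, `event_type` "alert" with a nested `alert` object carrying `signature_id`, `signature` and `severity`); the sample lines, signature ids and addresses are constructed for the example.

```python
import json

# Constructed sample of EVE JSON output: six hits from one "policy" rule across
# three hosts, one high-severity hit, one non-alert record and one corrupt line.
# All ids, names and addresses are made up for this example.
SAMPLE_EVE = """
{"timestamp":"2024-01-01T10:00:01","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"signature_id":1000001,"signature":"LOCAL POLICY curl user-agent outbound","severity":3}}
{"timestamp":"2024-01-01T10:00:02","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.11","alert":{"signature_id":1000001,"signature":"LOCAL POLICY curl user-agent outbound","severity":3}}
{"timestamp":"2024-01-01T10:00:03","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"203.0.113.10","alert":{"signature_id":1000001,"signature":"LOCAL POLICY curl user-agent outbound","severity":3}}
{"timestamp":"2024-01-01T10:00:04","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"203.0.113.12","alert":{"signature_id":1000001,"signature":"LOCAL POLICY curl user-agent outbound","severity":3}}
{"timestamp":"2024-01-01T10:00:05","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"203.0.113.10","alert":{"signature_id":1000001,"signature":"LOCAL POLICY curl user-agent outbound","severity":3}}
{"timestamp":"2024-01-01T10:00:06","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"203.0.113.13","alert":{"signature_id":1000001,"signature":"LOCAL POLICY curl user-agent outbound","severity":3}}
{"timestamp":"2024-01-01T10:00:07","event_type":"alert","src_ip":"203.0.113.20","dest_ip":"10.0.0.5","alert":{"signature_id":1000002,"signature":"LOCAL ATTACK_RESPONSE id check returned root","severity":1}}
{"timestamp":"2024-01-01T10:00:08","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10"}
this line is not JSON and simulates a truncated write
"""


def parse_alerts(eve_text):
    """Return the alert records from EVE JSON text, one object per line.

    Non-alert event types (flow, dns, ...) and unparsable lines are skipped,
    so a corrupt line in a large log cannot abort the whole triage run.
    """
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """Aggregate alerts per signature id.

    For each id we keep the rule name, hit count, the set of distinct source
    and destination addresses, and the most severe level seen (Suricata uses
    1 for the highest severity).
    """
    summary = {}
    for rec in alerts:
        a = rec["alert"]
        entry = summary.setdefault(a["signature_id"], {
            "signature": a.get("signature", "?"),
            "count": 0,
            "sources": set(),
            "dests": set(),
            "severity": a.get("severity", 3),
        })
        entry["count"] += 1
        entry["sources"].add(rec.get("src_ip"))
        entry["dests"].add(rec.get("dest_ip"))
        entry["severity"] = min(entry["severity"], a.get("severity", 3))
    return summary


def noisy_signatures(summary, share=0.25):
    """Signature ids responsible for at least `share` of all alert volume.

    These are the first candidates for tuning (thresholding, suppression or
    disabling) when analysts report alert fatigue.
    """
    total = sum(e["count"] for e in summary.values())
    if total == 0:
        return []
    return sorted(sid for sid, e in summary.items() if e["count"] / total >= share)


def triage_order(summary):
    """Order signatures for human review: most severe first, then the rules
    seen from the fewest distinct sources, which are less likely to be
    environment-wide noise."""
    return sorted(summary, key=lambda sid: (summary[sid]["severity"], len(summary[sid]["sources"])))


if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_EVE))
    for sid in triage_order(s):
        e = s[sid]
        print(f"sid={sid} sev={e['severity']} hits={e['count']} "
              f"sources={len(e['sources'])} {e['signature']}")
    print("noisy:", noisy_signatures(s))
```

Run against a real `eve.json`, the noisy list becomes a standing tuning backlog for the administrators, while the triage order gives analysts the short list of rules that must be understood and kept in the loop, which addresses the second failure mode as well.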