Home To Know Networking IDS (Intrusion Detection System)

IDS (Intrusion Detection System)

IDS (Intrusion detection system)

An IDS (Intrusion Detection System) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) Intrusion Detection Systems. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system.

IDS (Intrusion Detection System)
IDS (Intrusion Detection System)

An IDS (Intrusion Detection System) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. IDS is considered to be a passive-monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place − not prevent them.

An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterize different worms or viruses and by tracking general variances which differ from regular system activity. The IDS is able to provide notification of only known attacks.

The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to take these actions:

  • Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management interface)
  • Drop the packet
  • Reset the TCP connection

The information provided by the IDS will help the security and network management teams uncover, as a start:

  • Security policy violations, such as systems or users who are running applications against policy.
  • Infections, such as viruses or Trojan horses that have partial or full control of internal systems, using them to spread infection and attack other systems.
  • Information leakage, such as running spyware and key loggers, as well as accidental information leakage by valid users.
  • Configuration errors, such as applications or systems with incorrect security settings or performance-killing network misconfiguration, as well as misconfigured firewalls where the rule set does not match policy.
  • Unauthorized clients and servers including network-threatening server applications such as DHCP or DNS service, along with unauthorized applications such as network scanning tools or unsecured remote desktop.

Network IDS (Intrusion Detection System)

Network Intrusion Detection Systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. It performs an analysis of passing traffic on the entire subnet, works in a promiscuous mode, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. An example of an NIDS would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic, however doing so might create a bottleneck that would impair the overall speed of the network. OPNET and NetSim are commonly used tools for simulation network Intrusion Detection Systems.

Host IDS (Intrusion Detection System)

Host Intrusion Detection Systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission critical machines, which are not expected to change their configurations.

Intrusion Detection Systems can also be system-specific using custom tools and honeypots.

Misuse Detection vs. Anomaly Detection

In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, detection software is only as good as the database of intrusion signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network’s traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.

Passive Vs. Reactive Systems

In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

False Positive and Negatives

The term false positive itself refers to security systems incorrectly seeing legitimate requests as spam or security breaches. Basically, the IDS will detect something it is not supposed to. Alternatively, IDS is prone to false negatives where the system fails to detect something it should. Both of these problematic problems are associated with IDS, but are issues vendors spend a lot of time working on, and as a result, it is not believed that IDS detects a high percentage of false positive or false negatives. Still, it is a topic worth consideration when looking at different IDS solutions.

IDS Detection Techniques

HIDS and NIDS can come in a number of types of intrusion systems as well. All Intrusion Detection Systems use one of three detection techniques:

  • Statistical anomaly-based IDS

An IDS which is anomaly based will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network- what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline. The issue is that it may raise a False Positive alarm for a legitimate use of bandwidth if the baselines are not intelligently configured.

  • Signature-based IDS

A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.

  • Rule based

Rule based systems are more advanced and cleverly built systems. A knowledge base programmed as rules will decide the output alongside an inference engine. If the defined rules for example all match, a certain assumption can be determined in which an action may take place. This assumption is the power of the inference engine. The inference engine can assume an attack may be occurring because of so many factors; this is unique and is very much behaving like the human mind. In normal computing assumptions cannot be made, its either yes or no, but the inference engine adds a different level of thinking; it also adds the “Probably” to the list, like humans. If it rains and is warm, we can assume it may thunder. If more traffic was leaving the company than usual, as well as coming from a certain server, the inference engine may assume, the server could be compromised by a hacker.

Cisco IOS Firewall IDS Signature List

The following is a complete list of Cisco IOS Firewall IDS signatures. A signature detects patterns of misuse in network traffic. In Cisco IOS Firewall IDS, signatures are categorized into four types:

  • Info Atomic
  • Info Compound
  • Attack Atomic
  • Attack Compound

An info signature detects information-gathering activity, such as a port sweep.

An attack signature detects attacks attempted into the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session.

Info and attack signatures can be either atomic or compound signatures. Atomic signatures can detect patterns as simple as an attempt to access a specific port on a specific host. Compound signatures can detect complex patterns, such as a sequence of operations distributed across multiple hosts over an arbitrary period of time.

The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures as representative of the most common network attacks and information-gathering scans that are not commonly found in an operational network.

The following signatures are listed in numerical order by their signature number in the Cisco Secure IDS Network Security Database. After each signature’s name is an indication of the type of signature (info or attack, atomic or compound).

Cisco Secure IDS Components

The Cisco Secure IDS consists of three components:

  • Sensor
  • Director
  • Post Office

Cisco Secure IDS Sensors, which are high-speed network appliances, analyze the content and context of individual packets to determine if traffic is authorized. If a network’s data stream exhibits unauthorized or suspicious activity, such as a SATAN attack, a ping sweep, or the transmission of a secret research project code word, Cisco Secure IDS Sensors can detect the policy violation in real time, forward alarms to a Cisco Secure IDS Director management console, and remove the offender from the network.

The Cisco Secure IDS Director is a high-performance, software-based management system that centrally monitors the activity of multiple Cisco Secure IDS Sensors located on local or remote network segments.

The Cisco Secure IDS Post Office is the communication backbone that allows Cisco Secure IDS services and hosts to communicate with each other. All communication is supported by a proprietary, connection-based protocol that can switch between alternate routes to maintain point-to-point connections.


  • Noise can severely limit an Intrusion Detection System’s effectiveness. Bad packets generated from software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
  • It is not uncommon for the number of real attacks to be far below the number of false-alarms. Number of real attacks is often so far below the number of false-alarms that the real attacks are often missed and ignored.
  • Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to newer strategies.
  • For signature-based IDSes there will be lag between a new threat discovery and its signature being applied to the IDS. During this lag time the IDS will be unable to identify the threat.
  • It can not compensate for a weak identification and authentication mechanisms or for weaknesses in network protocols. When an attacker gains access due to weak authentication mechanism then IDS can not prevent the adversary from any malpractise.
  • Encrypted packets are not processed by the intrusion detection software. Therefore, the encrypted packet can allow an intrusion to the network that is undiscovered until more significant network intrusions have occurred.
  • Intrusion detection software provides information based on the network address that is associated with the IP packet that is sent into the network. This is beneficial if the network address contained in the IP packet is accurate. However, the address that is contained in the IP packet could be faked or scrambled.
  • Due to the nature of NIDS systems, and the need for them to analyse protocols as they are captured, NIDS systems can be susceptible to same protocol based attacks that network hosts may be vulnerable. Invalid data and TCP/IP stack attacks may cause an NIDS to crash.

Evasion Techniques

There are a number of techniques which attackers are using, the following are considered ‘simple’ measures which can be taken to evade IDS:

  • Fragmentation: by sending fragmented packets, the attacker will be under the radar and can easily bypass the detection system’s ability to detect the attack signature.
  • Avoiding Defaults: The TCP port utilised by a protocol does not always provide an indication to the protocol which is being transported. For example, an IDS may expect to detect a trojan on port 12345. If an attacker had reconfigured it to use a different port the IDS may not be able to detect the presence of the trojan.
  • Coordinated, Low-Bandwidth Attacks: coordinating a scan among numerous attackers (or agents) and allocating different ports or hosts to different attackers makes it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
  • Address Spoofing/Proxying: attackers can increase the difficulty of the ability of Security Administrators to determine the source of the attack by using poorly secured or incorrectly configured proxy servers to bounce an attack. If the source is spoofed and bounced by a server then it makes it very difficult for IDS to detect the origin of the attack.
  • Pattern Change Evasion: IDS generally rely on ‘pattern matching’ to detect an attack. By changing the data used in the attack slightly, it may be possible to evade detection. For example, an IMAP server may be vulnerable to a buffer overflow, and an IDS is able to detect the attack signature of 10 common attack tools. By modifying the payload sent by the tool, so that it does not resemble the data that the IDS expects, it may be possible to evade detection.

Free Intrusion Detection Systems

  • ACARM-ng
  • AIDE
  • Bro NIDS
  • Fail2ban
  • Prelude Hybrid IDS
  • Samhain
  • Snort
  • Suricata

Cisco IOS Firewall Intrusion Detection System Commands

(Note: 12.0(5)T- These commands were introduced.)

  • clear ip audit configuration

To disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources, use the clear ip audit configuration EXEC command.

  • clear ip audit statistics

To reset statistics on packets analyzed and alarms sent, use the clear ip audit statistics EXEC command.

  • ip audit

To apply an audit specification created with the ip audit command to a specific interface and for a specific direction, use the ip audit interface configuration command. To disable auditing of the interface for the specified direction, use the no version of this command.

ip audit audit-name {in | out}
no ip audit audit-name {in | out}

  • ip audit attack

To specify the default actions for attack signatures, use the ip audit attack global configuration command. To set the default action for attack signatures, use the no form of this command.

ip audit attack {action [alarm] [drop] [reset]}
no ip audit attack

  • ip audit info

To specify the default actions for info signatures, use the ip audit info global configuration command. To set the default action for info signatures, use the no form of this command.

ip audit info {action [alarm] [drop] [reset]}
no ip audit info

  • ip audit name

To create audit rules for info and attack signature types, use the ip audit name global configuration command. To delete an audit rule, use the no form of this command.

ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
no ip audit name audit-name {info | attack}

  • ip audit notify

To specify the method of event notification, use the ip audit notify global configuration command. To disable event notifications, use the no form of this command.

ip audit notify {nr-director | log}
no ip audit notify {nr-director | log}

  • ip audit po local

To specify the local Post Office parameters used when sending event notifications to the NetRanger Director, use the ip audit po local global configuration command. To set the local Post Office parameters to their default settings, use the no form of this command.

ip audit po local hostid id-number orgid id-number
no ip audit po local [hostid id-number orgid id-number]

  • ip audit po max-events

To specify the maximum number of event notifications that are placed in the router’s event queue, use the ip audit po max-events global configuration command. To set the number of recipients to the default setting, use the no version of this command.

ip audit po max-events number-of-events
no ip audit po max-events

  • ip audit po protected

To specify whether an address is on a protected network, use the ip audit po protected global configuration command. To remove network addresses from the protected network list, use the no form of this command. If you specify an IP address for removal, that address is removed from the list. If you do not specify an address, then all IP addresses are removed from the list.

ip audit po protected ip-addr [to ip-addr]
no ip audit po protected [ip-addr]

  • ip audit po remote

To specify one or more set of Post Office parameters for NetRanger Directors receiving event notifications from the router, use the ip audit po remote global configuration command. To remove a NetRanger Director’s Post Office parameters as defined by host ID, organization ID, and IP address, use the no form of this command.

ip audit po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address [port port-number] [preference preference-number] [timeout seconds] [application {director | logger}]
no ip audit po remote hostid host-id orgid org-id rmtaddress ip-address

  • ip audit signature

To attach a policy to a signature, use the ip audit signature global configuration command. You can set two policies: disable a signature or qualify the audit of a signature with an access list. To remove the policy, use the no form of this command. If the policy disabled a signature, then the no form of this command reenables the signature. If the policy attached an access list to the signature, the no form of this command removes the access list.

ip audit signature signature-id {disable | list acl-list}
no ip audit signature signature-id

  • ip audit smtp

To specify the number of recipients in a mail message over which a spam attack is suspected, use the ip audit smtp global configuration command. To set the number of recipients to the default setting, use the no form of this command.

ip audit smtp spam number-of-recipients
no ip audit smtp spam

  • show ip audit configuration

To display additional configuration information, including default values that may not be displayed using the show run command, use the show ip audit configuration EXEC command.

show ip audit configuration

  • show ip audit interface

To display the interface configuration, use the show ip audit interface EXEC command.

show ip audit interface

  • show ip audit statistics

To display the number of packets audited and the number of alarms sent, among other information, use the show ip audit statistics EXEC command.

show ip audit statistics


  1. Its such as you read my thoughts! You appear to know so much about this, such as you wrote the guide in it or something. I think that you simply can do with some to power the message house a bit, but instead of that, that is magnificent blog. A fantastic read. I will definitely be back.

Leave a Reply