Intrusion Detection System and Network Intrusion Detection Systems

Question

IDS (Intrusion Detection System), NIDS (Network Intrusion Detection System)

What's the difference between IDS and NIDS?

Can I use more than one IDS and NIDS at the same time? Or both IDS and NIDS together?

Is anti-malware just like IDS but it scans the pc not the network? And what's YOUR favorite IDS or NIDS (I couldn't find ANY NIDS).

PS: Where do you install NIDS? On the router?

Answer 1

Whats the difference between IDS and NIDS?

The concept of IDS can be divided to Two classes, this are Host IDS and Network IDS or HIDS and NIDS.

                           IDS
                        /       \
                     HIDS       NIDS
           Host IDS                 Network IDS
      Inspecting Host             Inspecting Network

For example:

• Network IDS:

  1. Snort
  2. Suricata

• Host IDS:

  1. AIDE
  2. Tiger
  3. SAMHAIN
  4. Osiris
  5. Tripwire

There are 7 IDS. Two of its are NIDS and Five of its are HIDS.

Of-course, IDS can be designed as hybrid of NIDS and HIDS.

Can i use more than one IDS and NIDS at the same time?

As you wish.

And what's YOUR favorite IDS or NIDS (I couldn't find ANY NIDS).

My favorite NIDS - is Suricata, because it can block connection in real time with iptables.

On HIDS, I like mtree way ( OpenBSD ). You can read man mtree

PS: Where do you install NIDS? On the router?

There are many ways to use NIDS. Inside DMOZ or outside. For example, one NIDS can be installed on the front of network, with active filtering of connections. Thereafter other NIDS can be installed right on the server / work-station.

The easiest solution, that I'm using is installing Suricata right on my work-station with active dropping of any packets that match any of rules.

Suricata User Guide » Suricata Rules

Means, I'm taking latest set of rules and replacing alert to drop everywhere.

Users of Ubuntu could easy setup Suricata by one command:

$ sudo apt-get install -y suricata