
IDS (Intrusion Detection System), NIDS (Network Intrusion Detection System)

What's the difference between IDS and NIDS?

Can I use more than one IDS and NIDS at the same time? Or both IDS and NIDS together?

Is anti-malware just like IDS but it scans the pc not the network? And what's YOUR favorite IDS or NIDS (I couldn't find ANY NIDS).

PS: Where do you install NIDS? On the router?

  • @gowenfawr gave a link that in turn links to [Can Snort be configured as HIDS?](https://security.stackexchange.com/a/85257/39623), which identifies Snort as an IDS that is network only, i.e. a NIDS. Suricata is similar; don't expect vendors to use the same specific set of acronyms you use, and don't expect them to choose the same one of a set that you would. Look at actual features and limitations, not at what specific acronym they say they are. – Anti-weakpasswords Jun 21 '15 at 00:18

1 Answer


What's the difference between IDS and NIDS?

The concept of IDS can be divided into two classes: Host IDS and Network IDS, or HIDS and NIDS.

                           IDS
                        /       \
                     HIDS       NIDS
           Host IDS                 Network IDS
      Inspecting Host             Inspecting Network

For example:

There are 7 IDS. Two of them are NIDS and five of them are HIDS.

Of course, an IDS can be designed as a hybrid of NIDS and HIDS.

Can I use more than one IDS and NIDS at the same time?

As you wish.

And what's YOUR favorite IDS or NIDS (I couldn't find ANY NIDS).

My favorite NIDS is Suricata, because it can block connections in real time with iptables.

For HIDS, I like the mtree way (OpenBSD). You can read man mtree.

PS: Where do you install NIDS? On the router?

There are many ways to use a NIDS, inside the DMZ or outside. For example, one NIDS can be installed at the front of the network, with active filtering of connections. Then another NIDS can be installed right on the server / workstation.

The easiest solution, which I'm using, is installing Suricata right on my workstation with active dropping of any packets that match any of the rules.

Suricata User Guide » Suricata Rules

Meaning, I'm taking the latest set of rules and replacing alert with drop everywhere.

Users of Ubuntu can easily set up Suricata with one command:

$ sudo apt-get install -y suricata
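The "replace alert with drop everywhere" step from the answer above, as an added example that is not part of the original answer: it rewrites only the leading action keyword of each rule line, so an "alert" inside a msg string is untouched, and it skips pass rules and commented-out rules. The sample rules file is constructed for illustration.

```python
import re
from typing import Tuple

# Action keywords a Suricata rule may begin with (from the Suricata rule format).
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}

# Only the first token of a line is examined, so the word "alert" appearing
# inside msg:"..." or other option text is never rewritten.
_RULE_RE = re.compile(r"^(?P<action>[a-z]+)(?P<rest>\s+\S.*)$")


def convert_rule(line: str, new_action: str = "drop") -> str:
    """Return `line` with its action keyword replaced by `new_action`.

    Blank lines, comments (including disabled '#alert ...' rules) and lines
    whose first token is not a rule action are returned unchanged. `pass`
    rules are left alone too: they are explicit exceptions, and turning
    them into drops would invert their intent.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line
    m = _RULE_RE.match(stripped)
    if not m or m.group("action") not in ACTIONS or m.group("action") == "pass":
        return line
    return f"{new_action}{m.group('rest')}"


def convert_ruleset(text: str, new_action: str = "drop") -> Tuple[str, int]:
    """Convert every rule in a rules file; returns (new_text, rules_changed).

    Note: 'drop' only blocks traffic when Suricata runs inline (IPS mode,
    e.g. NFQUEUE or AF_PACKET IPS mode); in plain IDS mode a drop rule
    merely logs, so check the runmode before relying on the conversion.
    """
    out, changed = [], 0
    for line in text.splitlines():
        new = convert_rule(line, new_action)
        changed += new != line
        out.append(new)
    return "\n".join(out) + "\n", changed


# Constructed sample rules file (not from any real ruleset).
SAMPLE_RULES = """\
# Example rules (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force alert"; sid:1000001; rev:1;)
#alert http any any -> any any (msg:"disabled rule"; sid:1000002; rev:1;)
pass ip 10.0.0.5 any -> any any (msg:"trusted scanner"; sid:1000003; rev:1;)
alert dns any any -> any 53 (msg:"Suspicious TXT query"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    converted, n = convert_ruleset(SAMPLE_RULES)
    print(converted)
    print(f"{n} rule(s) converted to drop")
```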