[ Thanks to LinuxSecurity Contributors for
this link. ]
“Intrusion detection systems (IDS) seem to be one of the fastest
growing technologies within the security space. Together with
firewalls and vulnerability scanners, intrusion detection forms one
of the cornerstones of modern computer security. In the commonly
mentioned prevention-detection-response philosophy, IDSs take an
honorable place for [sometimes] effective detection of threats let
through by prevention technologies such as firewalls.“However, there are attempts to position IDS products as the
technology that can stop or prevent network attacks. It is easy to
forget that ‘D’ stands for detection and not for deterrent or
deflection. This article will investigate those attempts in the
Linux world.“On the technical level, most network IDS are set to send alerts
upon seeing a known pattern (signature-based IDS) or some traffic
anomaly (anomaly-based IDS) indicating an attack. While some
programs can look only at packet level data (such as attack string
present in one packet), many others are TCP connection-aware, are
able to look at TCP streams and also can reassemble fragmented IP
packets…”