IDS/IPS
Definition
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are network security technologies that monitor network traffic for suspicious activity and potential threats. An IDS monitors passively (typically from a tap or mirror port) and only raises alerts on what it detects, while an IPS sits inline in the traffic path and actively blocks or mitigates threats in real time. Both are crucial for identifying and responding to security incidents and for strengthening an organization's overall security posture.
Secure Settings Example
# Example configuration for Snort IDS/IPS (shown schematically in YAML-style notation)
snort:
  mode: inline
  rules:
    - path: /etc/snort/rules/local.rules
  output:
    - alert_fast: stdout
  preprocessors:
    - stream5_tcp:
        policy: windows
    - http_inspect:
        ports: [80, 8080]
  detection:
    - max_queue_events: 5
    - alert_threshold: 1
Insecure Settings Example
# Example of an insecure Snort IDS/IPS configuration (same schematic notation)
snort:
  mode: passive
  rules:
    - path: /etc/snort/rules/local.rules
  output:
    - alert_fast: /dev/null   # Alerts are discarded, never logged
  preprocessors:
    - stream5_tcp:
        policy: none          # No target-OS reassembly policy set
    - http_inspect:
        ports: []             # No ports specified, so HTTP traffic is never inspected
  detection:
    - max_queue_events: 1000  # Too high, may cause performance issues
    - alert_threshold: 0      # No threshold, may lead to alert fatigue
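To make the effect of these settings concrete, the following is an added example written for this page, not Snort's own engine or configuration format: a toy sensor model that reads the mode, alert sink, HTTP inspection ports and alert threshold from a flattened copy of the two configurations above and runs a small set of constructed packets through two constructed content rules. The `Sensor`, `Packet` and `Rule` names, the rule contents, the sample traffic and the interpretation of `alert_threshold` as "alerts permitted per (signature, source) pair, 0 = unlimited" are all assumptions of this model.

```python
# Added illustrative model of IDS vs IPS behaviour under the settings above.
# Not Snort code: rule matching is plain substring search and the config is a
# flattened dict mirroring the YAML-style examples on this page.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str          # source address
    dst_port: int     # destination TCP port
    payload: bytes    # application-layer bytes


@dataclass
class Rule:
    sid: int          # signature id (constructed, in the local 1000000+ range)
    msg: str          # alert message
    content: bytes    # byte pattern that must appear in the payload


# Constructed local rules, standing in for entries in local.rules.
RULES = [
    Rule(1000001, "Path traversal sequence in HTTP request", b"../../"),
    Rule(1000002, "Shell interpreter path in HTTP request", b"/bin/sh"),
]


class Sensor:
    """Applies RULES to packets according to a config shaped like the examples above."""

    def __init__(self, config: dict):
        self.mode = config["mode"]                        # "inline" (IPS) or "passive" (IDS)
        self.ports = set(config["http_inspect_ports"])    # ports handed to HTTP inspection
        self.threshold = config["alert_threshold"]        # alerts per (sid, src); 0 = unlimited (assumed semantics)
        self.sink = config["alert_fast"]                  # "stdout" or "/dev/null"
        self.alerts: list = []
        self.hits: Counter = Counter()

    def process(self, pkt: Packet) -> str:
        """Return the verdict for one packet: 'pass', 'alert' (IDS) or 'drop' (IPS)."""
        if pkt.dst_port not in self.ports:
            return "pass"  # traffic outside the inspected ports is never examined
        for rule in RULES:
            if rule.content in pkt.payload:
                key = (rule.sid, pkt.src)
                self.hits[key] += 1
                # Thresholding limits repeated alerts for the same event from the same
                # source; 0 disables suppression, which is the alert-fatigue setting.
                if self.threshold == 0 or self.hits[key] <= self.threshold:
                    if self.sink != "/dev/null":   # /dev/null silently discards alerts
                        self.alerts.append(f"[1:{rule.sid}] {rule.msg} src={pkt.src}")
                # A passive IDS can only alert; only an inline IPS can drop.
                return "drop" if self.mode == "inline" else "alert"
        return "pass"


def run(config: dict, packets: list) -> tuple:
    """Feed packets through a fresh sensor; return (verdicts, alert lines)."""
    sensor = Sensor(config)
    verdicts = [sensor.process(p) for p in packets]
    return verdicts, sensor.alerts


# Flattened forms of the secure and insecure examples on this page.
SECURE = {"mode": "inline", "alert_fast": "stdout",
          "http_inspect_ports": [80, 8080], "alert_threshold": 1}
INSECURE = {"mode": "passive", "alert_fast": "/dev/null",
            "http_inspect_ports": [], "alert_threshold": 0}

# Constructed traffic sample: one benign request, two repeated traversal
# attempts from one host, a hit on the second rule, and non-HTTP traffic.
TRAFFIC = [
    Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.5", 80, b"GET /../../config.txt HTTP/1.1\r\n"),
    Packet("10.0.0.5", 80, b"GET /../../other.txt HTTP/1.1\r\n"),
    Packet("10.0.0.9", 8080, b"POST /cgi-bin/x?cmd=/bin/sh HTTP/1.1\r\n"),
    Packet("10.0.0.9", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for name, cfg in (("secure", SECURE), ("insecure", INSECURE)):
        verdicts, alerts = run(cfg, TRAFFIC)
        print(name, verdicts, alerts)
```

Running it with the secure settings drops every matching packet and records two alerts (the second traversal from the same source is suppressed by the threshold of 1, the SSH packet is never inspected); with the insecure settings every packet passes and nothing is ever logged, because the empty port list means HTTP inspection sees no traffic and the `/dev/null` sink would have discarded any alert anyway.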