An Intrusion Detection System (IDS) is a system that gathers and analyses information that passes across a network or host. It is designed to report or stop any violation or misuse. At its core, an IDS is a packet sniffer with a set of rules built into it.

Types of Intrusion Detection Systems

NIDS
Network Intrusion Detection System: A NIDS works by sniffing network traffic in promiscuous mode. When certain conditions are triggered, it can be configured to send an alert or act upon the detection.
HIDS
Host-based Intrusion Detection System: Unlike a NIDS, host-based intrusion detection works by examining the host itself. It detects abuse and misuse from inside the system. OSSEC is a great example of a host-based intrusion detection system.
LFM
Log file monitors: An LFM monitors network logs, searches through them and identifies any malicious attempts.
FICM
File integrity-checking mechanism: A file integrity-checking mechanism works by checking whether files have been modified, which would indicate an intrusion or a Trojan.

OSSEC is an excellent tool that works as a HIDS and also provides a protective mechanism that works as a file integrity checker.

IDS Detection Methods

Signature Detection
Compares traffic to known models; when a match is found, an attack is reported. It is effective at detecting known attacks and poor at detecting ones not in the database. It also has a high rate of false positives. The signature files must be updated regularly.
Anomaly Detection
With this system, any activity that does not match something in the database is considered an anomaly. This type of system has to be configured properly to understand what normal activity is; otherwise false positives and false negatives can quickly get out of control. In many cases it is a good idea to install it in learning mode before switching to active mode.
Protocol Detection
Works by detecting anomalies specific to a protocol. It uses known specifications of protocol functionality to detect an anomaly. It works quite differently from the other two and mostly does not require constant updates.
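
The difference between signature and anomaly detection, including the learning-mode step, can be seen in a short Python sketch. This is an added example, not code from the original page or from any IDS product; the signature patterns, the feature used for the baseline (method plus top-level path) and all request lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed signature database (illustrative patterns, not a real ruleset).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-union": re.compile(r"union\s+select", re.I),
}

def signature_detect(request):
    """Signature detection: report every known pattern found in the request."""
    return [name for name, pat in SIGNATURES.items() if pat.search(request)]

class AnomalyDetector:
    """Anomaly detection: learn normal (method, top-level path) pairs, flag the rest."""

    def __init__(self, min_seen=2):
        self.baseline = Counter()
        self.min_seen = min_seen   # sightings needed before a pair counts as normal
        self.learning = True       # learning mode: record traffic, never alert

    @staticmethod
    def feature(request):
        method, path = request.split()[:2]
        top = path.split("?")[0].lstrip("/").split("/")[0]
        return method, "/" + top

    def observe(self, request):
        """Return True when the request is anomalous (always False while learning)."""
        key = self.feature(request)
        if self.learning:
            self.baseline[key] += 1
            return False
        return self.baseline[key] < self.min_seen

# Constructed sample traffic: request lines seen during the learning period...
TRAINING = ["GET /index.html", "GET /index.html", "GET /static/app.js",
            "GET /static/site.css", "POST /login", "POST /login"]
# ...and request lines seen after switching to active mode.
LIVE = ["GET /static/../../etc/passwd",  # known pattern under a normal prefix
        "GET /admin/backup.zip",         # no signature, never seen in training
        "GET /about.html",               # harmless new page
        "GET /index.html"]

def run():
    detector = AnomalyDetector()
    for line in TRAINING:
        detector.observe(line)
    detector.learning = False            # switch from learning to active mode
    return [(line, signature_detect(line), detector.observe(line)) for line in LIVE]
```

In this constructed traffic the signature matcher catches only the request that matches a known pattern, while the anomaly detector flags the unseen /admin request, misses the first request because its top-level path looks normal, and raises a false positive on the harmless new page that was absent during learning.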

Steps for testing IDS

  • Disable trusted host
  • Attempt an insertion attack
  • Implement evasion techniques
  • Perform DoS
  • Use code obfuscation
  • Perform false-positive generation technique
  • Attempt a Unicode attack
  • Perform a fragmentation attack