CertiGuide to Security+ - Chapter 3: Infrastructure Security (Domain 3.0; 20%) - 3.4 Intrusion Detection


3.4.1  Network Based
(Page 1 of 2)

Network-based intrusion detection systems (NIDS) monitor network traffic, looking for “interesting” events. When examining traffic, they can detect either patterns in individual packets that indicate suspicious traffic such as known attack signatures (data streams from popular exploit tools), or violations of algorithmic rules that indicate out-of-the-ordinary traffic (often referred to as “heuristics”, such as more than 100 incoming FTP connections to a single host within 10 seconds). More advanced systems rank different events according to the level of threat they represent, and are able to correlate a variety of suspicious activities in order to determine if a more significant threat is present.

In addition to monitoring the network, some NIDS also monitor SNMP, syslog logging communications and other network-event-reporting mechanisms for interesting network-related events. Some, but not all, NIDSs allow the administrator to create custom rules and algorithms to search for traffic of local interest, which aren’t part of what the NIDS scans for “out of the box.” For example, one site has a custom rule that searches the network for SNMP traffic containing the default community strings of ‘public’ or ‘private’ [338].
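The two detection styles described above (a heuristic threshold and a content signature) can be shown side by side in a small detector. This is an added example, not code from the CertiGuide text: it implements the "more than 100 incoming FTP connections to a single host within 10 seconds" heuristic as a sliding window and the default-SNMP-community rule as a minimal BER walk of an SNMPv1/v2c header; the event tuples and the SNMP messages it runs over are constructed for the demo.

```python
from collections import defaultdict, deque

FTP_PORT, SNMP_PORT = 21, 161
FTP_THRESHOLD, FTP_WINDOW = 100, 10.0        # the text's heuristic: >100 FTP connects in 10 s
DEFAULT_COMMUNITIES = ("public", "private")  # the text's custom SNMP rule

def snmp_community(payload):
    """Pull the community string out of an SNMPv1/v2c message.
    Minimal BER walk of SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    Only short-form lengths (< 128) are handled; anything else returns None."""
    try:
        if payload[0] != 0x30 or payload[1] >= 0x80 or payload[2] != 0x02:
            return None
        i = 4 + payload[3]                   # skip the INTEGER version TLV
        if payload[i] != 0x04:
            return None
        n = payload[i + 1]
        return payload[i + 2:i + 2 + n].decode("ascii", "replace")
    except IndexError:
        return None

def detect(events):
    """Run both rules over time-ordered (ts, src, dst, dport, payload) tuples."""
    alerts = []
    recent_ftp = defaultdict(deque)          # dst -> timestamps of recent FTP connects
    for ts, src, dst, dport, payload in events:
        if dport == FTP_PORT:                # heuristic: sliding-window connection count
            q = recent_ftp[dst]
            q.append(ts)
            while ts - q[0] > FTP_WINDOW:    # drop connects older than the window
                q.popleft()
            if len(q) > FTP_THRESHOLD:
                alerts.append(f"heuristic: {len(q)} FTP connections to {dst} within {FTP_WINDOW:g}s")
                q.clear()                    # one alert per burst
        elif dport == SNMP_PORT:             # signature: default community string
            community = snmp_community(payload)
            if community in DEFAULT_COMMUNITIES:
                alerts.append(f"signature: SNMP default community '{community}' from {src} to {dst}")
    return alerts

def build_sample_events():
    """Constructed sample traffic (not a real capture): a 101-connection FTP burst
    over 5 seconds, then two SNMP requests, one with a default community."""
    events = [(k * 0.05, f"198.51.100.{k + 1}", "10.0.0.5", FTP_PORT, b"") for k in range(101)]
    def snmp_msg(community):                 # hand-built SNMPv1 message with an empty PDU stub
        body = b"\x02\x01\x00\x04" + bytes([len(community)]) + community + b"\xa0\x00"
        return b"\x30" + bytes([len(body)]) + body
    events.append((6.0, "10.0.0.9", "10.0.0.1", SNMP_PORT, snmp_msg(b"public")))
    events.append((6.5, "10.0.0.9", "10.0.0.1", SNMP_PORT, snmp_msg(b"s3cret")))
    return events

if __name__ == "__main__":
    for line in detect(build_sample_events()):
        print(line)
```

Running it yields one heuristic alert for the FTP burst and one signature alert for the 'public' community; the 's3cret' request is parsed but not flagged.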


A Network Intrusion Detection System (NIDS) monitors network traffic, looking for “interesting” events that indicate potential attacks.

It decides what traffic is “interesting” based on pattern matching with traffic signatures of known attacks or with heuristics that reveal deviations from normal network traffic patterns.

NIDS Architecture

For smaller networks, a NIDS may be completely self-contained, running on a single machine and watching the network for activity. However, this is often not sufficient for medium-to-large environments because in order for a NIDS to monitor traffic, it must have access to it – which generally means having access to the traffic on every subnet of interest. A NIDS for a medium-to-large environment therefore often consists of several components:

  • Agents deployed on hosts around the network to collect information and forward relevant information to the Director

  • A Director, which combines information from agents and analyzes it to find potential threats

  • A Notifier, which handles responding to threats identified by the Director [339]



338. Saoutine, Greg, et al., “Barbarians at the Gate”,

339. Memon, Nasir, “CS 392 Network Security – Module 5 Intrusion Detection”,


CertiGuide for Security+
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.