⚓ Shipwreck Ex

IDS/IPS Mastery

Learn intrusion detection and prevention systems through interactive network simulations and real-time alerts


What is IDS?

Intrusion Detection Systems monitor network traffic for suspicious patterns, acting as network sentinels that detect and alert on potential attacks such as SQL injection, DoS, and APTs.

  • Signature-based detection
  • Real-time monitoring
  • Multi-layered analysis

What is IPS?

Intrusion Prevention Systems take active steps to block threats in real time, stopping attacks as they happen using network-based rulesets and heuristics.

  • Real-time mitigation
  • Policy enforcement
  • Attack blocking

IDS/IPS Configuration Examples

Snort Rule Example


# flow is to_server because a request to port 80 travels client -> server;
# the content bytes |4f 50 54 0d 0a| decode to "OPT\r\n".
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"Web - IIS Microsoft WebDAV Server 6.x Options Request"; \
    flow:established,to_server; \
    content:"|4f 50 54 0d 0a|"; \
    classtype:web-application-attack; \
    sid:2000003; rev:1; priority:1; \
)


Signature-based detection of WebDAV requests (here an OPTIONS request, as the rule's msg states) sent to an IIS 6.x server
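To see how the content and flow options of a rule like the one above are evaluated, here is an added Python example (not part of the lab's own material) with a simplified matcher run over constructed packets; the Packet class, rule_matches function and sample payloads are assumptions of this example, not Snort code.

```python
from dataclasses import dataclass

def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, text
    inside |...| is hex with optional spaces, e.g. "|4f5054 0d 0a|"."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")                 # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))   # hex bytes
    return bytes(out)

@dataclass
class Packet:           # hypothetical minimal packet model for this example
    dst_port: int
    payload: bytes
    to_server: bool     # True for client -> server (Snort's to_server side)

def rule_matches(pkt: Packet, dst_port: int, flow: str, content: str) -> bool:
    """Simplified evaluation of a rule 'alert tcp any any -> any <dst_port>
    (flow:<flow>; content:"<content>";)' against one packet."""
    if pkt.dst_port != dst_port:
        return False
    if "to_server" in flow and not pkt.to_server:
        return False
    if "from_server" in flow and pkt.to_server:
        return False
    return snort_content_to_bytes(content) in pkt.payload

# Constructed sample traffic (not captured data): a WebDAV OPTIONS request.
OPTIONS_REQUEST = Packet(dst_port=80, to_server=True,
                         payload=b"OPTIONS / HTTP/1.1\r\nHost: webdav.example\r\n\r\n")

def evaluate_lab_rule() -> dict:
    """Apply the lab rule's content bytes to the sample request three ways."""
    lab_content = "|4f5054 0d 0a|"                       # decodes to b"OPT\r\n"
    return {
        # from_server only matches server responses, so a client request never fires
        "from_server": rule_matches(OPTIONS_REQUEST, 80, "established,from_server", lab_content),
        # right direction, but "OPT\r\n" never occurs in a real OPTIONS request line
        "to_server_opt_crlf": rule_matches(OPTIONS_REQUEST, 80, "established,to_server", lab_content),
        # right direction and a content string that matches the method token
        "to_server_options": rule_matches(OPTIONS_REQUEST, 80, "established,to_server", "OPTIONS "),
    }

if __name__ == "__main__":
    print(evaluate_lab_rule())
```

The third case is the only one that fires, which is the check to make before trusting a rule in the lab: decode the content bytes and confirm they really appear in the traffic the rule's direction selects.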

IPS Configuration

Access Control List

firewall: ip access-list 100
  deny tcp any any eq 80
  permitted-direction inout

IPS Threshold Policy

  drop threshold 100 time-range 5s count: icmp 5

Rate Limiting

  limit 5000pps -- HTTP requests

Network Monitoring Architecture

[Diagram] Client -> Firewall -> IDS/IPS

Visual representation of network flow with IDS/IPS monitoring points

Command Line Interface

$ sudo systemctl status snort
● snort.service - Network Intrusion Detection
     Loaded: loaded (/etc/systemd/system/snort.service; enabled)
     Active: active (running) since Tue 2023-08-28