An Intrusion Detection System (IDS) is designed to detect intrusions but a host-based IDS (HIDS) works a little differently than a network-based IDS (NIDS). Some of the points of each are:
- Installed on a host computer such as a workstation or server
- It is used primarily to monitor traffic going through the NIC of the host
- Can consume resources of the workstation
- Can monitor network traffic sent to the host or coming from the host only
- Data stored locally (on the host)
- Installed on network devices (such as firewalls, routers or switches)
- These devices are referred to as sensors or tabs
- Data centrally managed - sensors report back to a central console
- Cannot monitor encrypted traffic on individual hosts
The IDS looks for known attack patterns (similar to how anti-virus program use virus signatures)
A baseline of normal operation is created to determine normal operation. When events occur that are ‘out of the norm’ (anomalies), the system alerts
Also, both types can have either a passive or active response.
Alerts are logged and personnel are typically notified.
An active response will also take some action to modify the environment. A common active response would be to change the ACL on a router or firewall to block access from the attacker.