Host-based IDP/IPS

Created: 28.07.2022

Host-based IDS look for local system configurations and behaviour, while network-based IDS look for network connections and looks for anomalies and common signatures.

IDS and IPS as firewall’s filters. There are Control Plane (looks after the OS and routing table) and the Forwarding Plane (makes decisions on routing and discarding). If something happens to the Control Plane, the device will still forward the traffic (really???).

By default IDS only listens ๐Ÿ‘‚ the traffic. It’s usually connected to the span port on a switch. Looks for anomalies and sends alerts. Won’t take any actions by default, but can be configured in such a way. If the IDS is down, nothing is changed for the rest of the network, it’s still operating.

IPS takes actions on its own. It is not connected to the span port, but rather is a gateway. Before it inspects and allows a packet through, nothing can move forward. So, if IPS is down, everyone is down (unless there is some load balancing enabled or may be some policy for such cases). Positioned right after the router, edge device or a firewall.


Uses a mail server to send alerts. So, a mail server also has to be installed. Keeps its logs and configs in /etc/tripwire.

To install: apt-get install tripwire. Answer yes to all questions promted. /etc/tripwire/twcfg - is a config file. twpol - list of files to watch for. Determines, whether critical files have changed. tw.pol, tw.cfg - are the files produced after compilation of the previously mentioned ones.

twadmin --create-cfgfile --cfgfile tw.cfg.enc --site-keyfile site.key twcfg.txt:

  • --create-cfgfile - create config file, --cfgfile tw.cfg.enc to specify the file to create
  • --site-keyfile site.key - key to use
  • twcfg.txt file to use

Now, creating a policy:

twadmin --create-polfile --cfgfile tw.cfg.enc --polfile tw.pol.enc --site-keyfile site.key twpol.txt:

  • --create-polfile - create policy file, --cfgfile tw.cfg.enc to specify the configuration file to use,
  • --polfile tw.pol.enc - the policy file to create
  • --site-keyfile site.key - key to use
  • twpol.txt file to use

Initialize the database:

tripwire --init --cfgfile tw.cfg.enc --polfile tw.pol.enc --site-key site.key --local-keyfile local.key

To check the system for any critical files changes: tripwire --check.

All these files need to be updates everytime you make changes to the policy or the configuration. The database needs to be updated as well.


Not just integrity checking (like Tripwire), but also some additional checking. It performs logs analysis and rootkit checking + process monitoring. Consists of two parts: a server and an agent. Server can only be installed on Linux, while an agent can also be installed on Windows.

Install the server

tar -xfv ossec-hids-version.tar.gz && cd ossec-hids-version to unpack the files.

To start: /etc/init.d/ossec start.

Install the agent

cd /var/ossec/bin
> a
> some IP
> y
> e # extract the key
> 001 # agent id, copy the key

Install it on the Windows machine (for example). Now, connect to the server. On the server go to cd ../logs && less ossec.log. You can cd alerts and see the alerts.


apt install samhain && cd /etc/samhain. Open the config file.

samhain -t init -p info

vi /etc/samhain/samhainrc

In this file go to the Trusted User option and type something like the following: TrustedUser = 104. Then run samhain -t update.

To run

samhain -t check then cd /var/log/samhain and open the samhain-init.log and samhain.log.

Centralized logging

Open a syslog file. Each system might have a sligtly different name for these. For example: nano /etc/rsyslog.conf. Uncomment the line for UDP syslog reception. And for the clients now to log remotely to this machine, need to go through hell /etc/rsyslog.d/ && nano 50-default.conf. Add something like *.* @@IP:port to log everything remotely.


apt install logwatch

Reads all the logs and generates a summary.

cd /etc/logwatch, cd /usr/share/logwatch. The configs in this folder will overwrite the configs from cd /etc/logwatch.

logwatch.conf - is the general config file. Separately, there is a folder with lots of file, each for each specific log.

A network-based IDS usually monitors the network, logs it and alerts the admin if something catches its eye. Using a span port, you can run all the traffic through IDS. Another way to analyse the network is to get the network capture (for example, pcap file) and check it with an IDS offline.

  • Snort
  • Suricata
  • Bro-IDS
  • Network Captures

Endpoint protection:

  • Browser protection
  • Anti-virus ๐Ÿฆ 
  • Data loss prevention
  • E-mail ๐Ÿ“ฎ

tcpdump -s 0 -w file.pcap

  • -s 0 - grab the entire packet
  • w file.pcap - write to file.pcap
  • host <IP> - only capture particular IP address
  • -nn - donโ€™t resolve hostnames or port names.
  • -E - decrypt IPSEC traffic by providing an encryption key.
  • -tttt - give maximally human-readable timestamp output.
  • -X or e - display Ethernet header as well.

You can also use Wireshark for that. Or a Python ๐Ÿ script. Or any other PL for that matter.

Common filters

๐Ÿงบ I want to see all TCP packets that have source or destination IP address. Also, I would l like to get only those packets, that have destination port 80, assuming the web server is listening on port 80.

For tcpdump ๐ŸŒš - tcpdump src and dst port 80.

For Wireshark ๐Ÿฆˆ - ip.src== and tcp.port==80.

For Python ๐Ÿ:


sudo apt-get install snort
cat /etc/snort/dafault
# or
cat /etc/init.d/snort



IBM Coursera, Network Security & Database Vulnerabilities

[1] Understanding Intrusion Detection Systems with Ric Messier (O’Reilly website)

[2] tcmpdump tutorial

[3] About impacket