Summary
In this chapter, we discussed several methods of detecting and preventing intrusion events. We started by discussing where in our architecture these various technologies would best fit, then went into specific solutions. We discussed classic network-based IPS solutions, namely Snort and Suricata. We also briefly touched on web-specific IPSes – in particular, WAF and RASP solutions.
In our examples, we went through how an IPS (Suricata) might be used to find and prevent security issues, to the point of creating a custom rule to detect or prevent telnet sessions. Passively collecting traffic for hardware and software inventories, as well as for security issues, was illustrated using p0f. Finally, we used Zeek to take our collected data and both collect and compute metadata to make that data more meaningful. Zeek in particular is extremely useful for drilling into network traffic to find those unusual situations that might indicate a security event or an operational problem...
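As an added illustration of the custom-rule point above (this is example text for this summary, not a rule from the chapter itself), here is a pair of Suricata rules that first detect and then block telnet sessions. They assume the standard $HOME_NET variable from suricata.yaml, the policy-violation classtype from the default classification.config, and SIDs in the local range; adjust all three to your deployment.

```suricata
# Detection variant: alert on any established TCP connection from an internal host
# to port 23. "flow:established,to_server" keeps the rule from firing on scans
# and half-open connections. SID is a placeholder from the local rule range.
alert tcp $HOME_NET any -> any 23 (msg:"POLICY Telnet session from internal host"; flow:established,to_server; classtype:policy-violation; sid:1000001; rev:1;)

# Prevention variant: identical match, but the action is "drop", which only takes
# effect when Suricata runs inline (IPS mode). In IDS mode it behaves like "alert".
drop tcp $HOME_NET any -> any 23 (msg:"POLICY Telnet session blocked"; flow:established,to_server; classtype:policy-violation; sid:1000002; rev:1;)
```

Place the rules in a file listed under rule-files in suricata.yaml (for example local.rules), then run `suricata -T -c /etc/suricata/suricata.yaml` to validate them before reloading; matches appear in fast.log and in eve.json as alert records, which is where p0f or Zeek output can be correlated against them.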