IDS (Intrusion Detection Systems)

Hello all,
For those of you who are familiar with IDS (Intrusion Detection Systems): I know the concept, but I was wondering if any of you know a site or tutorial on how to program a basic IDS, or any open source project!


Look at Snort. It is one of the first and still open projects:

Everything you ever wanted to know about Intrusion Detection but were afraid to ask:
Also worth having a look at tripwire:)

Basically an IDS is a pattern matching engine:
you capture data from the interface (promiscuously)
and then run the data through a pattern matching algorithm.
Limitations to this approach are usually around complex rules, and these systems, unless very well written, can be fooled by obscuring data (using Unicode, for example).

Open source utilities such as Snort are very good.

There are a number of others, such as Prelude.

If you want to see how these work, or get an insight into the process of detection, play with some open source sniffers like Analyzer or Ethereal, set some capture rules, and voila: you have the ability to produce rather crude (but educational) rules.

If you are uninterested in the history and want to do something similar on a WINTEL platform, get Snort and IDScenter (Windows front-end).

I hope this helps - good luck.
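The "capture, then pattern match" design described above, and the Unicode/percent-encoding evasion it is vulnerable to, as an added example (not code from the original thread, and not Snort's own code). It works on a handful of constructed HTTP request payloads instead of a live interface; in a real IDS the `Packet` objects would come from a promiscuous capture (libpcap, a raw `AF_PACKET` socket, or scapy). The rule names, the `Packet`/`Rule` classes and the `normalize_http` function are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Packet:
    """Minimal stand-in for a captured packet (constructed for the example)."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    """A Snort-style signature: match `pattern` in payloads to `dport`."""
    name: str
    dport: int
    pattern: re.Pattern


# Hypothetical rule set; a real IDS loads thousands of these from rule files.
RULES = [
    Rule("HTTP directory traversal", 80, re.compile(rb"\.\./")),
    Rule("HTTP cmd.exe request", 80, re.compile(rb"cmd\.exe", re.IGNORECASE)),
]

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")  # IIS-style %uXXXX encoding


def normalize_http(payload: bytes) -> bytes:
    """Undo the encodings an attacker can use to hide a signature.

    Two decoding rounds are applied so that double-encoding
    (%252e -> %2e -> .) is also undone before matching.
    """
    text = payload.decode("latin-1")
    for _ in range(2):
        text = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), text)
        text = unquote(text)  # %2e%2e%2f -> ../
    return text.encode("utf-8")


def inspect(pkt: Packet, rules=RULES, normalize: bool = True) -> list:
    """Return the names of all rules that fire on this packet.

    With normalize=False the engine greps the raw bytes, which is the
    naive design that encoded payloads slip past.
    """
    data = pkt.payload
    if normalize and pkt.dport == 80:
        data = normalize_http(data)
    return [r.name for r in rules
            if r.dport == pkt.dport and r.pattern.search(data)]


# Constructed sample traffic: one plain attack, two encoded variants, one benign.
PLAIN = Packet("10.0.0.5", "10.0.0.21", 80, b"GET /../../etc/passwd HTTP/1.0\r\n")
ENCODED = Packet("10.0.0.5", "10.0.0.21", 80,
                 b"GET /%2e%2e%2f%2e%2e/winnt/system32/cmd%2Eexe HTTP/1.0\r\n")
UNICODE = Packet("10.0.0.5", "10.0.0.21", 80,
                 b"GET /..%u002f..%u002fetc/passwd HTTP/1.0\r\n")
BENIGN = Packet("10.0.0.5", "10.0.0.21", 80, b"GET /index.html HTTP/1.0\r\n")


def run_demo() -> dict:
    """Compare raw grepping with normalized matching on the sample packets."""
    return {
        "plain_raw": inspect(PLAIN, normalize=False),
        "encoded_raw": inspect(ENCODED, normalize=False),
        "encoded_normalized": inspect(ENCODED),
        "unicode_raw": inspect(UNICODE, normalize=False),
        "unicode_normalized": inspect(UNICODE),
        "benign": inspect(BENIGN),
    }


if __name__ == "__main__":
    for label, hits in run_demo().items():
        print(f"{label:20s} -> {hits or 'no alert'}")
```

The raw engine catches the plaintext `../` but misses both encoded packets; the same rules fire once the payload is decoded the way the target web server would decode it. That decoding step is what the answer means by "very well written": the IDS has to see the data the way the endpoint will, not the way it appears on the wire.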
To append to festive's comment, it is important to note that not all IDSs rely on network data. Some IDSs analyze audit logs or compare observed user behavior (perhaps including network data) to profiles of normal user behavior, looking for suspicious activity.

Also, some on-the-fly network-based IDSs do more than "packet grepping" for malicious strings. Oftentimes they search for anomalies such as an outgoing TCP connection from a machine that should never need to do such a thing.

As for projects to look into, as mentioned earlier is definitely a good place to check out.  Also, take a look at this page of ID papers compiled (and in some cases written) by a grad student at RPI:

There are also honeypot ('decoy servers') and hybrid host/network IDS approaches available.
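The two non-signature approaches this answer mentions, profiling normal behavior to spot anomalies (the "server that suddenly opens an outbound connection" case) and scanning audit logs, as an added example that is not part of the original thread. The flow records and auth log lines are constructed for the example, and the `Baseline` class, its alert labels and the `failed_login_bursts` function are assumptions, not the interface of any real product.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt: src host opened dst:dport."""
    src: str
    dst: str
    dport: int


class Baseline:
    """Profile of which hosts initiate connections, and to which ports.

    Learned from a quiet period of traffic; afterwards each new flow is
    checked against the profile instead of against a string signature.
    """

    def __init__(self):
        self.hosts = set()                  # every host seen in either role
        self.initiators = defaultdict(set)  # src -> {dport} it has used

    def learn(self, flows):
        for f in flows:
            self.hosts.update((f.src, f.dst))
            self.initiators[f.src].add(f.dport)

    def check(self, flow: Flow):
        """Return an alert label, or None if the flow fits the profile."""
        if flow.src not in self.hosts:
            return "unknown-host"           # never seen at all during learning
        if flow.src not in self.initiators:
            return "server-initiating"      # known host that never opened connections
        if flow.dport not in self.initiators[flow.src]:
            return "new-service"            # known client, never used this port
        return None


# Constructed learning traffic: two workstations talk to a file server,
# a web server and an external resolver. The servers only ever appear as dst.
LEARNING = [
    Flow("10.0.0.5", "10.0.0.20", 445), Flow("10.0.0.5", "10.0.0.21", 80),
    Flow("10.0.0.5", "8.8.8.8", 53),    Flow("10.0.0.6", "10.0.0.20", 445),
    Flow("10.0.0.6", "10.0.0.21", 80),  Flow("10.0.0.6", "8.8.8.8", 53),
]

# Constructed audit log excerpt (sshd-style lines).
AUTH_LOG = [
    "Mar  3 10:01:12 host sshd[412]: Failed password for root from 203.0.113.9 port 5001 ssh2",
    "Mar  3 10:01:14 host sshd[412]: Failed password for root from 203.0.113.9 port 5002 ssh2",
    "Mar  3 10:01:15 host sshd[413]: Failed password for alice from 10.0.0.5 port 40001 ssh2",
    "Mar  3 10:01:16 host sshd[412]: Failed password for root from 203.0.113.9 port 5003 ssh2",
    "Mar  3 10:01:20 host sshd[414]: Accepted password for alice from 10.0.0.5 port 40002 ssh2",
    "Mar  3 10:01:21 host sshd[412]: Failed password for invalid user admin from 203.0.113.9 port 5004 ssh2",
]

AUTH_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_login_bursts(lines, threshold: int = 3) -> dict:
    """Count failed logins per source address; report sources over threshold."""
    counts = Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def run_demo() -> dict:
    base = Baseline()
    base.learn(LEARNING)
    probes = {
        "normal web":       Flow("10.0.0.5", "10.0.0.21", 80),
        "file server calls out": Flow("10.0.0.20", "203.0.113.9", 4444),
        "workstation to irc":    Flow("10.0.0.5", "203.0.113.9", 6667),
        "stranger on the lan":   Flow("10.0.0.99", "10.0.0.20", 445),
    }
    return {
        "flows": {label: base.check(f) for label, f in probes.items()},
        "auth": failed_login_bursts(AUTH_LOG),
    }


if __name__ == "__main__":
    results = run_demo()
    for label, alert in results["flows"].items():
        print(f"{label:24s} -> {alert or 'ok'}")
    print("failed-login sources over threshold:", results["auth"])
```

None of these checks needs a malicious string: the file server opening a connection to port 4444 is flagged purely because it never initiated anything during the learning period. The cost of this approach is the one signature engines do not pay, namely a baseline that must be learned on clean traffic and relearned when the network legitimately changes.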

Question asked and answered
points to lrmoore
