Being alerted when something nefarious happens on your network is critical, and a good Network Intrusion Detection System (NIDS) will do just that. We’ve tested out the seven best network intrusion detection systems to help keep your network secure, and your day headache-free.
Here is our list of the top seven best network intrusion detection systems:
- SolarWinds Security Event Manager (FREE TRIAL) – Combines rich NIDS features inside an intuitive dashboard. The ideal tool for medium-sized businesses and MSPs.
- Snort – Open source tool with a large community that shares their configurations and platform knowledge.
- Zeek – Features real-time threat remediation and in-depth forensic logging.
- IBM QRadar – Cloud-based NIDS that utilizes both pattern recognition and signature detection.
- OpenWIPS-ng – Free IDS built around detecting threats over wireless networks.
- Suricata – Resource-efficient NIDS with Lua script capabilities.
- Sagan – Performs deep packet analysis and provides location data for IP addresses.
The Best Network Intrusion Detection Systems
SolarWinds Security Event Manager (SEM) is a combination tool that monitors for network intrusions using log files as well as real-time data based on events it detects on the network. This holistic approach to security, plus its vast number of security features, places it number one on our list.
In conjunction with threat detection, Security Event Manager can be configured to automatically take action on a threat or suspicious activity based on how you configure it. This could include running a script, disabling an account, or sending an alert to the user.
While most tools focus on either NIDS or HIDS (host-based intrusion detection systems), Security Event Manager utilizes both technologies to get the most complete picture of an attempted attack while still maintaining the speed of a NIDS-based technology.
All security-related events are logged into a single dashboard where you can easily search or filter to narrow down your results. All of this data can instantly be visualized within the same dashboard via an intuitive color-coded graph. While this makes reports look nice, it also helps patterns and anomalous behaviors stand out to administrators for further investigation.
SEM's search and logging capabilities allow for both a live and historical view of events and activities. This makes performing audits or an in-depth forensic investigation a task that can be completed entirely from one dashboard.
On the proactive side, SEM provides built-in active response actions that can be paired with any number of different rules or thresholds you configure. Out of the box, there are dozens of pre-made templates you can use to get started, or you can customize your own.
Security Event Manager uses a number of real-time technologies, such as file integrity monitoring and pattern recognition, to stop threats before they gain a foothold in your network.
In addition to configurable rules, SolarWinds Threat Feed Intelligence helps detect the latest types of threats, ransomware, and bad actors through a constantly updating library of data that can be used by SEM to protect your network.
While SolarWinds Security Event Manager encompasses many more features than a standard NIDS, it’s still worth mentioning, and definitely has earned its place at the top of our list.
You can test out Security Event Manager completely free for a full 30 days.
Despite its quirky name, Snort acts as a powerful open source NIDS that any organization can deploy. Snort has a large dedicated community of members who work to improve the NIDS, as well as additional methods to detect new and emerging threats. The community forum is also a great place to find and exchange NIDS policies and rules that you can either implement right away or customize to your liking.
Snort has led the way as an open-source security product for years, and many different tools rely on Snort's API and output to run their applications and software. While Snort has many different configurations, the most common configuration is for intrusion detection. This NIDS utilizes 'base policies', which act as a set of rules the detection algorithm uses to make decisions. These base policies are commonly traded and shared on the Snort forum.
Even with these base policies in place, you’ll find you still need to tune and modify the rules to eliminate false positives. While Snort is completely free, you do have the option to enroll in ‘rule subscriptions.’ This subscription gives you access to the latest Snort ruleset 30 days ahead of everyone else and gives you the ability to submit false positives/negatives to the Snort team. Snort subscriptions start at $29.99 (£23.25) a year for personal and $399.00 (£309.33) for business.
Snort is a powerful NIDS with plenty of features and a strong community, which makes it a great option if you have the time to learn the platform. Outside of the community there is no formal support, which might slow down companies who need to implement and fix NIDS issues quickly.
The Zeek NIDS, formerly known as Bro, is an application-layer-based system that is widely used by computer scientists and security professionals alike. Zeek utilizes a mix of signature-based detection and anomaly detection to give you the best coverage in both spaces.
Zeek is really built to give researchers and analysts the greatest amount of information available to them, so there is more of a learning curve with Zeek than with similar products. Features like automated threat response and real-time analysis make Zeek a powerful real-time detection tool.
A historical event view of traffic and logging analysis is also kept by the Zeek platform to allow for pattern detection and manual forensic investigations of events on the network. Setting up automated remediation was a bit more difficult than with SolarWinds WAN Killer, but it was still a viable feature.
It’s recommended that you run Zeek on a physical box rather than a virtual machine. This might be off-putting to companies who enjoy the benefits of virtualization. While Zeek does have a large and active community, you’ll still be on your own to find support and get any questions answered.
The Zeek NIDS is completely free and open-source. The software is available for Linux, macOS, and Unix.
QRadar by IBM is a combination of HIDS and NIDS that operates as a cloud-based service. Similar to WAN Killer, QRadar has an intuitive interface that can be customized to display real-time data or specific events.
The real-time threat detection works out of the box and automatically analyzes and prioritizes alerts as a threat progresses through the network. This is a nice default feature as many NIDS alerting templates overwhelm security teams with false positives and redundant alerts. All of these settings can be customized to your specific needs.
QRadar can monitor multiple different network environments including on-premises, SaaS, and IaaS architectures which is ideal for larger networks that might have a more diverse environment. An interesting feature that caught my eye was the Attack Modeling Utility. This tool leverages IBM’s artificial intelligence to run a virtual team style attack on your own network.
While QRadar was built for cloud use, you can request an on-premises Windows-based version to be made available. You can test out QRadar NIDS free for 14 days.
OpenWIPS-ng is a free open-source tool primarily built for monitoring wireless networks. This command-line tool was developed by the same group who made Aircrack-ng, the infamous blackhat wireless hacking tool.
OpenWIPS-ng will feel familiar if you're a Linux user, or if you're comfortable with command-line-based tools. Despite being so powerful, the tool has just three main components: sensors, servers, and interfaces. Sensors sit out on your network to capture wireless traffic and send it to the server; they are also responsible for responding to attacks.
The server component collects all the data from the sensors, analyzes it, and then deploys the correct remediation if necessary. The server can also be configured to collect logs and send out alerts if an attack is detected.
Lastly, the interface is a simple GUI where you can both manage the server and view information about threats that were discovered on the wireless network. While OpenWIPS-ng is a fascinating and free tool, it does have some drawbacks.
Currently, there is very little documentation for the software, and the community around it isn't nearly as large as Snort's or SolarWinds'. As a network intrusion detection system it can be a powerful tool, but only after configuring it, as there is no out-of-the-box solution. Unless you're a security researcher or hobbyist, OpenWIPS-ng might not be the best tool for you.
Suricata is a free open source NIDS that could be compared to Zeek, as there are a good amount of similarities between the two. Suricata operates on the application layer but pulls its data directly from packet headers.
This NIDS can also detect and alert on threats based on anomalous activity, as well as compare samples to known bad signatures from a definition-based database. While some NIDS systems would collapse under a heavy load, Suricata leverages multi-threaded processing to handle large volumes of data and traffic. All of this gives Suricata ample coverage and protection against old and evolving threats.
One often overlooked feature is just how well a NIDS can properly identify and accurately recognize traffic. Suricata uses port-agnostic protocol detection, meaning it can accurately identify common protocols such as TLS, SSL, and DNS even when they are communicating over non-standard ports. Bad actors rarely make it easy for their attacks to be discovered, so knowing that Suricata can accurately recognize this traffic is a big plus.
While Suricata is far from plug-and-play, it does have hooks for the Lua scripting language, which makes creating complex signature detection and custom logic a lot easier to integrate. While there isn't as much of a learning curve with this product as compared to OpenWIPS-ng, you'll likely still find yourself running into issues without much support outside of the tool's documentation.
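To show what the Lua hook looks like in practice, here is an added example (not code from the article or from the Suricata project) of a Lua match script tied to the non-standard-port point above: it flags a TLS ClientHello seen on any port other than 443. The script filename, rule text and sid are assumptions; Suricata already does this kind of port-agnostic TLS detection natively, so the script only illustrates the mechanism.

```lua
-- Added example, not from the article or the Suricata project.
-- Pair this script with a rule such as (filename and sid are placeholders):
--   alert tcp any any -> any !443 (msg:"TLS ClientHello on non-standard port"; \
--         flow:to_server,established; lua:tls_nonstd.lua; sid:1000001; rev:1;)
-- Suricata natively performs port-agnostic app-layer detection (alert tls ...);
-- this script shows how the same idea can be expressed through the Lua hook.

-- init() tells Suricata which data the match function needs.
function init(args)
    local needs = {}
    needs["payload"] = tostring(true)
    return needs
end

-- Return 1 when the payload starts with a TLS Handshake record carrying
-- a ClientHello, 0 otherwise.
function is_tls_client_hello(payload)
    if payload == nil or #payload < 6 then
        return 0
    end
    -- Record header: content type, version major, version minor (Lua is 1-based)
    local ctype, vmaj, vmin = string.byte(payload, 1, 3)
    -- Byte 6 is the handshake message type inside the record
    local hs_type = string.byte(payload, 6)
    -- 0x16 = Handshake record; record version 3.0 .. 3.4; 0x01 = ClientHello
    if ctype == 0x16 and vmaj == 0x03 and vmin <= 0x04 and hs_type == 0x01 then
        return 1
    end
    return 0
end

-- match() is called by Suricata for each packet the rule is evaluated against.
function match(args)
    return is_tls_client_hello(tostring(args["payload"]))
end
```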
Sagan is another completely open-source NIDS that offers real-time logging, and automatic threat remediation. Where Sagan really shines is its ability to run incredibly lightweight on resources while still performing optimally and handling bulk amounts of traffic.
Many of the rules and instructions function in a similar manner to Snort and Suricata, which leverage rule-based management based on what threat is detected. One of Sagan's unique features is IP geolocation, which correlates an IP address to a physical location on a map. While most sophisticated attackers would be spoofing their location with botnets or VPNs, this is still an interesting tool to use to get a real-world representation of a virtual threat.
Sagan monitors traffic on the packet level and postpones performing an analysis until all packets are assembled to prevent mischaracterization. While scanning, Sagan does more than just check the packet headers: it analyzes DNS calls and HTTP requests, and combs over the entire structure of the packets as they are reassembled.
The dashboard is surprisingly easy to use for an open-source security program and can display a number of real-time data points such as recent events, HTTP status codes, and the number of attempted attacks.
While there's no doubt Sagan is a worthy network intrusion detection system, you'll be left to face a steep learning curve on your own. Sagan does have a respectable community and documentation, but this won't help if your NIDS experiences serious problems that need to be fixed quickly.
We’ve narrowed down the seven best network intrusion detection systems for 2020, but which one is right for you?
SolarWinds Security Event Manager proved to be the most user-friendly, feature-rich, and versatile NIDS/HIDS for a business environment. What really makes Security Event Manager stand out is its unique ability to be intuitive and still come with all of the features you'd find in higher-level security tools like OpenWIPS-ng.
If you’re a business that needs to implement a NIDS without the hassle of learning a new product, SEM is worth testing out. Setting up SEM is fast, and usually can be done in under 15 minutes. You can try out the full version of SEM completely free for 30 days.
Do you think it’s important to have a NIDS for security? Let us know in the comments below.