Top 10 Intrusion Detection and Prevention Systems

Shot of Corridor in Working Data Center Full of Rack Servers and Supercomputers with Internet connection Visualization Projection.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are designed to protect an organization from ongoing cyber threats. However, not all of these systems work in the same way or have the same objectives. Important distinctions between types of systems include:

Intrusion detection system (IDS) vs. intrusion prevention system (IPS)
Host-based vs. network-based systems
Signature-based vs. anomaly-based detection

Understanding the distinctions between these categories of intrusion prevention systems is important when evaluating different options and selecting the right fit for an organization.

Also consider a service like Clearnetwork’s 24/7 Managed SOC Service, which is a fully managed service with no software or hardware to manage with the security benefits of an IDS + more for a surprisingly affordable price. Another option is our Managed CrowdStrike EDR service, which brings you Gartner-leading CrowdStrike EDR managed by our US-based team of experts who respond to threats all for an affordable cost.

Intrusion Detection Systems (IDS) vs. Intrusion Prevention Systems (IPS)

The terms IDS and IPS describe the difference in how each technology responds to a detected threat. Any IPS is also an IDS, but the reverse is not typically true.

An IDS, as the name suggests, is designed to detect an intrusion on the network. This means that, if a potential cyberattack is detected, the system will raise an alert. The system itself does nothing to try to prevent the attack, leaving that responsibility to a human analyst or other technology.

An IPS, on the other hand, actively works to prevent an attack from succeeding. If an intrusion is detected, the IPS will respond based upon predefined formulas. Responses may include blocking incoming network traffic, killing a malicious process, quarantining a file, etc.

If an IPS is better at protecting the network against threats, why do IDS solutions still exist? IPS has the advantage of a faster response to detected threats, but an IPS may also incorrectly identify a threat and take action against a legitimate user, process, connection, etc.

IPS tools can also be more complex to install. IPS tools need to be installed so that they can control packet traffic and will be deployed as a separate appliance, on a firewall, or on a network router so that all network traffic will pass through the solution.

While older, IDS technology can be faster and easier to connect than IPS solutions. IDS tools do not need to intercept network packets so IDS solutions can simply be connected anywhere on a network where they can receive packet duplicates. While the IDS tool does not provide active response, it provides more control to the security team over how to engage in incident response and will not require as much tuning to be effective.

Host-Based vs. Network-Based Intrusion Detection/Prevention Systems

Intrusion detection or protection systems can also be classified based upon the focus of what it protects. IDS or IPS tools can be host-based, network-based, or both.

A host-based IDS or IPS protects a particular endpoint. It may monitor the network traffic entering and leaving the device, processes running on the system, modifications to files, etc.

A network-based solution performs monitoring of traffic on the network as a whole. These typically include a packet sniffer to collect packets from a network tap or by sniffing wireless traffic. This traffic is then analyzed for signs of malicious content and based upon the profiles of common types of attacks (such as scanning or a Distributed Denial of Service attack).

Signature-Based vs. Anomaly-Based Detection

IDS and IPS solutions identify potential threats based upon built-in rules and profiles. These rules generally will be based upon signatures or anomalies.

A signature-based algorithm compares network activity against known attacks. After a piece of malware or other malicious content has been identified and analyzed, unique features are extracted from it to create a fingerprint of that particular attack.

Signature-based detection systems compare all traffic, files, activity, etc. to a database of signatures. If a match is found, the IDS or IPS knows that the content is part of an attack.

Anomaly-based detection systems take a different approach to identifying malicious content. Instead of fingerprinting known attacks, they build a model of “normal” behavior for a particular system. After this ‘normal behavior’ model is built, the tool can look for anything that doesn’t match its model (an anomaly). If the model is well-trained, any anomalies should be attacks.

In practice, many Intrusion Detection and Prevention Systems combine both signature and anomaly detection. Anomaly-based detection can potentially catch zero-day threats but can suffer from high false positive rates since they alert on anything anomalous. Security teams could receive alerts or from benign activities such as setting up a new web server or installing new software on a machine.

Signature-based detection strategies have very low false positive detection rates but can only detect known attacks. Deploying solutions that adopt both strategies combines to make a more robust solution with better threat detection than with either approach in isolation.

The Best Intrusion Detection and Prevention System

Organizations can select from a variety of reasonably-priced and powerful IDS and IPS solutions that fit a variety of needs- from startups on a tight budget to global enterprises. Some will be standalone solutions and others will be features added to other security products.

Our guide to selecting the best solution consists of:

Important Factors in Choosing an IDS or IPS Solution
Leading IDS and IPS Solutions
Comparing IDS and IPS Solutions

Important Factors in Choosing an IDS or IPS Solution

IDS or IPS? Host-based or network-based? Standalone or integrated? The choice of what to use should be based upon an organization’s unique needs and resources. Budget, staffing, IT environment, risk tolerance, and business strategies all play a role in determining what solution provides a good fit.

It is also important to keep in mind that intrusion prevention system options are not always an “either/or” choice. Achieving comprehensive threat detection and prevention may require deploying both a host-based and a network-based Intrusion Detection and Prevention System or running multiple network-level IDS systems side-by-side to take advantage of their different strengths.

Another important consideration is the organization’s ability to cope with the output of the solution. IDS systems can be very inexpensive because they push the burden of responding to alerts off to the human talent on the security team.

IPS solutions can absorb some of that burden because many types of alerts can simply be automatically handled by the tool. However, IT security teams will still need to investigate and reverse potential false positives and investigate anomaly alerts that did not result in automated actions.

Some solutions will be highly specialized for particular purposes such as wireless networks. Other tools will be cloud-based and attempt to encompass enterprise-level environments consisting of multiple networks, cloud resources, etc. The ‘right’ IDS or IPS will be the one that fits your IT and security needs right now and in the near future.

In a practical sense, many tools combine the features of both IDS and IPS with some calling themselves IDPS (IDS and IPS) solutions or Next Generation IPS (NGIPS) tools. As the tools become more complex, we also must consider whether our organization needs outside experts to install and configure these devices properly for our environment.

Leading IDS and IPS Solutions (Unranked)

AIDE
BluVector Cortex
Check Point Quantum IPS
Cisco NGIPS
Fail2Ban
Fidelis Network
Hillstone Networks
Kismet
NSFOCUS
OpenWIPS-NG
OSSEC
Palo Alto Networks
Sagan
Samhain
Security Onion
Semperis
Snort
SolarWinds Security Event Manager (SEM) IDS/IPS
Suricata
Trellix (McAfee + FireEye)
Trend Micro
Vectra Cognito
Zeek (AKA: Bro)
ZScalar Cloud IPS

AIDE

The Advanced Intrusion Detection Environment (AIDE) is an open-source host-based intrusion detection system (HIDS) for Unix, Linux, and Mac OS. This specialized tool focuses on the very important niche of checking file integrity, but does not offer any broader malware or attack detection.

Pros:

Open source
Runs on MacOS and *nix systems
Verifies the integrity of files
Can target specific directories for monitoring or exclude certain files
Integrates with other tools

Cons:

Needs to be obtained from commercial vendor (such as Red Hat) or through a consultant for support
Less frequent updates
Very specific niche (file integrity) does not detect many types of attacks
Only protects the device upon which it is installed

BluVector

Formerly known as Cortex and now owned by Comcast, BluVector’s advanced threat detection solution uses artificial intelligence (AI) to complement an existing security stack. The AI detects fileless malware and zero-day threats and is designed to become more powerful the longer it sits in the environment.

Pros:

On premise
Collects logs
Builds off of trusted Suricata and Zeek technology
Integrates with other tools
Open platform – data is easily available
Takes in data from multiple intel feeds and sandboxes
Proprietary machine learning algorithm adds to capabilities
Broad MITRE ATT&CK coverage, does not use signature technology
Built-in tuning assistant to reduce false positives easily

Cons:

Requires local resources, not built to support the cloud
No published license costs makes it difficult to compare with other solutions

Check Point Quantum IPS

Check Point embeds their Quantum IPS into their next generation firewall (NGFW) solutions to scan packets passing through the device. This device can replace a variety of other devices (firewalls, VPNs, etc.) and provides both IDS and IPS functionality.

Pros:

Up to 15 Gbps integrated IPS performance
Detailed and customizable reports
Vulnerability detection for HTTP, POP, IMAP, SMTP, and more
Policies can be configured by vendor, product, protocol, file type, and threat year
Updates every two hours via a security gateway
Built-in antivirus, anti-bot and sandboxing
Blocks DNS tunneling, signature-less attacks, known CVEs.
Uses both signature and anomaly detection

Cons:

Sold as hardware (secure gateway) only
No support for off-site (cloud, remote) resources that are not rerouted through the gateway
Internal network traffic must be routed through the gateway for protection

Cisco NGIPS

Cisco markets their Secure IPS product as a next generation intrusion prevention system (NGIPS) with over 35,000 built-in IPS rules and broad capabilities for detecting and blocking anomalous traffic. Secure IPS can be integrated with other Cisco devices or deployed as a stand-alone IPS.

Pros:

Can deploy as hardware or in a virtual machine
Detect fileless threats
Embedded DNS, IP and URL security intelligence
Threat analysis and scoring
File sandboxing
Integrates Snort 3.0
Uses signature and anomaly detection

Cons:

Some customers complain that the interface could be more user-friendly
SSL decrypt requires a lot of memory and CPU power
Pricing varies depending upon type of product, number of licensed years, and level of support.
More expensive solution

Fail2Ban

Fail2Ban is an open-source host-based IPS designed to detect and respond to suspicious or malicious IP addresses based upon monitoring of log files. Analysts can combine “filters” (detection rules) with automated remediation actions to form a “jail”.

Pros:

Open source and available for free
Runs on *nix and MacOS systems
Log file analysis to identify suspicious events (such as repeated failed login attempts)
Automatic blocking of suspicious/malicious IP addresses
Effective against brute force and denial of service (DoS) attacks
Blocked IP tables can be fed to firewalls and other security devices

Cons:

Focuses on repeated malicious actions from a single IP address (can miss DDoS attacks)
Too tight a policy can ban legitimate users
No paid support available
No user-friendly GUI
Only blocks IP addresses, does not detect or block other types of attacks

Fidelis Network

Fidelis Cybersecurity’s Network IPS product analyzes network traffic to calculate the risk of all assets and communication in the network. The tool integrates with other Fidelis tools that protect other assets such as endpoints, cloud applications, and containers.

Pros:

Uses the MITRE ATT&CK knowledge base to identify and respond to threats
Can decrypt and analyze encrypted network traffic
Supports cloud and local network
Tracks shadow IT deployments
Integrates with other security solutions
Part of an extended detection and response (XDR) solution
Offers sandboxing capabilities
Identifies account takeover, insider threat and hacker activity
Built-in OCR scanner to scan image and PDF attachments for emails
24/7 global phone and web support
15-day free trial

Cons:

Complex configuration requirements
More expensive solution

Hillstone Networks

Hillstone Networks offers high-speed dedicated appliances for network IPS and next generation firewalls. Hillstone IPS hardware has been installed in over 20,000 customers since 2006 and offers a range of appliances to meet a flexible range of needs.

Pros:

13,000 signatures built-in, custom signatures, and anomaly detection
Sandboxing capabilities for investigation
Detection capabilities from layer 3 to layer 7
Application aware
Options for anti-spam and URL-blocking
Cloud-based management of distributed devices

Cons:

Appliance-only offerings
Appliances will need to be upgraded to accommodate growth
More expensive solution

Kismet

Kismet’s open-source solution sniffs wireless traffic and can act as a wardriving tool or a wireless IDS tool. Kismet works with most wi-fi cards, bluetooth devices and other hardware.

Pros:

Open-source free solution
Wireless network and device specialist
Supports Linux, OSX, and Windows 10 (limited)
Exposes unauthorized access points
Extended plugin support for web user interface and functionality enhancements

Cons:

Can be slow to search networks
Limited Windows support
Limited customer support
Niche offering with limited capabilities to detect or block other attacks

NSFOCUS

The Santa Clara and Beijing-based NSFOCUS provides a next generation IPS solution with a throughput of up to 20 Gbps.

Pros:

Response options include: block, pass-through, alert, quarantine, and capture
Secures against webshell, XSS, SQL injection and malicious URLs
9,000+ threat signatures and advanced anomaly detection
Categories for IPS policies and complex password policies
Traffic analysis, bandwidth management and Netflow data on inbound and outbound traffic
Protects against a variety of distributed DoS (DDoS) attacks
Can integrate with threat feeds

Cons:

Does not inspect SSL packets
Not many reviews available
Deployed mostly in Asia

OpenWIPS-NG

OpenWIPS-NG is an open-source wireless intrusion prevention system that can detect and block wireless network intrusions based upon a sensor. The sensor forwards information to a server with an analysis engine that detects intrusion patterns to issue alerts or to take actions.

Pros:

Highly flexible and free tool
Especially focused on wireless networks
Lightweight command-line interface

Cons:

Runs only on Linux
Each installation only supports one sensor
Not beginner friendly or suitable for enterprise scale needs

OSSEC

OSSEC stands for open-source host-based security (despite the lack of an H in the acronym). OSSEC and the more robust OSSEC+ solution protect hosts by analyzing the system files for signs of malicious activity. A commercial version has been released by Atomicorp.

Pros:

Open source and free
Windows registry monitoring
MacOS privilege escalation detection
Monitors log file checksums to detect tampering
Widely used – over 500,000 annual downloads

Cons:

Limited Windows support
Steep learning curve
Protection focused on system files and does not protect against other types of attack

Palo Alto Networks

Palo Alto Networks offers an IPS for large businesses looking for support that comes with a commercial solution. Their network IPS starts at $9,509.50 and can be deployed as hardware, software (virtual machines or containers), as a cloud service, or integrated into next generation firewalls.

Pros:

Constantly updated threat protection profiles
Blocks harmful sites
Multiple defensive laters combining signature and anomalous analysis
Blocks malformed packets, TCP reassembly, IP defragmentation, and C2 attacks
Can deploy Snort and Suricata rules
Cloud-native option
Integrates vulnerability protection, anti-malware, and anti-spyware detection
Can scan encrypted traffic

Cons:

More expensive option
Lack of visibility into file analysis details
Users complain that somle configurations have overly complex implementation steps
Some users complain about the level of support

Sagan

Sagan is a host-based open-source IPS that focuses on log analysis. An unusual aspect of the software is that while it can only be installed on Unix, Linux, or MacOS it can accept log data from Windows or from network IDS tools such as Snort. Sagan also integrates with firewalls to block IP addresses from detected external attackers. .

Pros:

Open source and free
Compatible with Snort, Snorby, BASE, and more.
Can ingest log files from Windows, Zeek and Suicata.
Multiple third-party integrations
Lightweight, high performance, multi-threaded architecture
Real time log analysis
IP locator feature that shows the geographical location of an IP address

Cons:

Difficult to install and properly configure
Steep learning curve (many features)

Samhain

Samhain Design Labs of Germany produces the free, host-based IDS solution that can be run on many hosts and used to feed into a central monitoring repository. Samhain is notable because it uses steganography to hide its presence on a host computer which make it likely that attackers will not be able to disable its monitoring.

Free
Runs on MacOS, Unix, and Linux systems
Looks for rootkit viruses, rogue user access rights, hidden processes
Checks log integrity
Lightweight and can obscure its presence to prevent disabling by attackers

Cons:

Does not automatically block or remediate attacks
Outdated interface, difficult to use
Smaller community than more popular open-source tools
Open source free version does not come with support
Not available for Windows

Security Onion

Security Onion is a Linux IDS that can monitor both the host and the network. The open-source solution incorporates aspects of Snort, Suricata, Zeek, and other popular open-source security tools behind a Kibana visualization dashboard.

Pros:

Open-source Linux distribution
Integrates a number of popular IDS tools
Examines host log files and network traffic
Can perform live network traffic analysis and store packets to a file
Uses both signature and anomaly analysis

Cons:

Many overlapping standalone tools
No action automation
Some interfaces are not user-friendly

Snort

Snort is probably the most well-known and popular IPS in existence. Its extremely large fan base has led to its rule formats being accepted as a widely-used standard, and many other IDS and IPS tools are built to be compatible with it.

Pros:

Open source and free
Installs on Linux, Unix, or MacOS, but will support Windows analysis
Large library of pre-built detection rules
Sniffer, packet logger, intrusion detection
Both signature and anomaly analysis
Deep visibility into network traffic
Supported by Cisco
Base rules can be downloaded, advanced access to new rules available for a fee

Cons:

Unstable updates
Reliant upon community support
Highly complex with a steep learning curve

SolarWinds SEM

SolarWinds Security Event Manager (SEM) is a paid IPS and log analysis tool built off of Snort and designed for enterprise environments. It is available as a subscription service for $2,525 and up, and lifetime licenses are available starting at $4,485.

Pros:

Runs on Windows
Supports Windows, MacOS, Unix and Linux log files
Collects and analyzes network and host data
Integrates with Snort for network analysis
Over 700 built-in rules for event correlation
File integrity monitoring
User-friendly interface
Compliance reporting and forensic analysis functions
Alerts can be managed as rules with customizable response options
Can perform as a Security Intrusion and Event Management (SIEM) solution

Cons:

Feature dense and takes time to navigate and install
A paid upgrade to a free tool (See: Snort)

Requires some manual updates and upgrades can be difficult

Suricata

Suricata is designed to be an alternative to Snort. It is compatible with Snort file formats, rules, etc. and is also a free option. It includes features not available in Snort, such as performing network traffic analysis at the application level (which enables detection of malicious content spread over multiple packets). Zeek’s creator also offers an appliance that combines Suricata and Zeek features into one appliance.

Pros:

Open source and free
Data collection at application layer
Can monitor multiple protocols such as TLS, HTTP, and SSL
Deep network traffic visibility
Integration with a number of third-party tools
Lua scripting support
User-friendly interface
Parallel processing with GPU support
Uses both signature and anomaly analysis

Cons:

Smaller support community
Built-in scripting can be difficult to use
Processor-heavy

Trellix Network Security (McAfee + FireEye)

The details regarding the Trellix network security product may change in the near future since the company’s extended detection and response (XDR) platform is being created based upon McAfee’s Network Security Platform (NSP) and FireEye’s network security products. A series of mergers of the companies, the brands, and the technologies took place in July 2021, but the original products can still be found on the individual company websites.

Pros:

Protection against bots, Distributed Denial of Service (DDoS), ransomware, and many other attacks
Blocks harmful sites and downloads
Protects cloud and on-prem devices
FireEye’s IPS was deployed as part of the network security and forensics solution
FireEye’s technology focused on anomaly detection, McAfee focused on signature detection
Run on physical or virtual appliances
Sandboxing capabilities
Detect and block malware, phishing, exploits, command and control (C2) callbacks, and botnets.

Cons:

False positives for harmful site detection
Negatively impacts network performance
Pricing will be confusing until older products discontinued

Trend Micro (IPS)

Trend Micros’ IPS solution is available as a physical or a virtual appliance to be deployed inline on local networks, private clouds, or public clouds.

Pros:

Incorporates Trend Micro’s antivirus signatures as well as machine learning.
Sandbox capability for investigation
Deploys with rules and security policies to block current and previous threats
Uses deep packet inspection, malware analysis, URL reputation, and threat reputation
Applies both signature and anomaly analysis
Scans inbound, outbound, and lateral traffic

Cons:

Does not yet integrate with other IPS or TrendMicro products (DBI, IWSVA, etc.)
Automatic application of rules can disrupt business processes
More expensive option

Vectra Cognito

Vectra’s Cognito IPS platform applies AI to analyze traffic from public clouds sources, Software-as-a-Service (SaaS), user identity information, Networks and EDR to detect and block malicious attacks.

Pros:

Delivers results in well known Zeek format
Integrates with a variety of security tools
Will pull data from a variety of endpoints
Offers strong cloud and container (Kerberos) support
Primarily uses anomaly detection

Cons:

More expensive option
Does not have flexible geographic location for processing data
Use proprietary logging format
Can generate many false positives if misconfigured or not tuned well

Zeek (AKA: Bro)

Zeek, formerly known as Bro, is an extremely powerful network-focused IDS. Zeek’s built-in scripting support enables a great deal of customization and customized automated responses to identified threats. Zeek’s creator offers pre-packaged physical or virtual Zeek appliances as Corelight with user-friendly GUIs, scripts, and extra support.

Pros:

Open source Zeek is available at no cost
Runs on MacOS and *nix systems
Deep visibility into network traffic
Integrated traffic logging
Tasks enable customized automation
Monitor SNMP traffic and track FTP, DNS, and HTTP activity
Runs analysis at the application layer for broader analysis
Applies both signature and anomaly detection

Cons:

Steep learning curve, requires deep SIEM and IDS knowledge
Open source free version does not come with support
Not available for Windows

ZScalar Cloud IPS

ZScalar’s IPS solution captures all traffic, whether the user is working on-site or remote and connecting to local data or cloud SaaS resources.

Pros:

Supports all types of resources: local data, cloud data, SaaS apps
Scalable metered solution that grows or shrinks as need
Can decrypt SSL traffic
Unlimited capacity
No hardware to buy or software to manage
Security teams can dig into IPS alerts and access the Zscaler threat library for more details.
Supports iOS, macOS, Android, Windows, some Linux.
Supports mobile devices

Cons:

Offered only as a SaaS license
May not support all OS
Can add latency to network performance
Global installation and custom app alignment can be difficult and time consuming

Comparing IDS and IPS Options

Not every Intrusion Detection and Prevention System is created equal. With many different types of systems (IDS vs. IPS, host-based (HIDS) vs. network-based (Network), signature vs. anomaly detection), it is important to understand the purpose that a particular system is designed to fulfill and how it does its job.

	IDS/IPS and Host/Network	Supported Platforms	Detection	Price
AIDE	IDS, Host	Unix, Linux, and Mac OS	File integrity check (only)	Free*
BluVector	IDS, Network	Not specified	Broad threat detection	Not available
Check Point Quantum IPS	IDS, IPS, Network	Appliance	Broad threat detection	$1,500+ / year
Cisco NGIPS	IPS, Network	Appliance, VMware	Broad threat detection	$1,280+ / year
Fail2Ban	IDS, IPS, Host	Unix, Linux, and Mac OS	Detects potentially malicious IP addresses	Free
Fidelis Network	IDS, IPS, Network	Not specified	Broad threat detection	$78,000+ / year based on GB bandwidth and days of storage
Hillstone Networks	IDS, IPS, Network	Appliance	Broad threat detection	Perpetual license based on users and functionality
Kismet	IDS, Network	Linux, OSX, Windows 10 (limited)	Wireless IDS only	Free
NSFOCUS	IDS, IPS, Network	Not specified	Broad threat detection	Not available
OpenWIPS-NG	IDS, IPS, Network	Linux	Wireless Networks	Free
OSSEC	IDS, IPS, Host	Unix, Linux, MacOS, Windows	System file monitoring	Free*
Palo Alto Networks	IDS, IPS, Network	Appliance, Container, VM	Broad threat detection	$9,509.50+
Sagan	IDS, IPS, Host	Unix, Linux, MacOS	Log file analysis, IP blocking	Free
Samhain	IDS, Host	Linux, Unix, MacOS	File integrity checking, log file analysis, rootkit detection	Free
Security Onion	IDS, Network, Host	Linux only	Broad threat detection	Free*
Snort	IDS, IPS, Network	Linux, Unix, MacOS	Broad threat detection	Free, $399+ for rules subscription
SolarWinds SEM	IDS, IPS, Network, Host	Windows, Linux, Unix, MacOS	Broad threat detection	$2,525+
Suricata	IDS, IPS, Network	Windows, Linux, Unix, MacOS	Broad threat detection	Free
Trellix (McAfee + FireEye)	IDS, IPS, Network	Appliance or software	Broad threat detection	$10,995+
Trend Micro	IDS, IPS, Network	Appliance or software	Broad threat detection	Not available
Vectra Cognito	IDS, IPS, Network, Cloud	Appliance or software	Broad threat detection	$10,000+, based on IP addresses
Zeek (AKA: Bro)	IDS, Network	Windows, Linux, Unix, MacOS	Broad threat detection	Free*
ZScalar Cloud IPS	IDS, IPS, Network, Cloud	Windows, MacOS, some Linux, Android, iOS	Broad threat detection	Offers different levels: Business, Transformation, ELA