One of the main questions many people have about IDS is, what is the difference between Host based IDS (HIDS) and Network Based IDS (NIDS)?

This is a topic that can be discussed in great detail...and i don't have time at the moment to explain everything, so I am hoping people here with IDS experience can express their ideas and opinions.


The first type of IDS is the Network based IDS. This type of IDS is deployed at strategic places in the network infrstructure (sometimes outside the firewall, in the DMZ, or various places throughout the internal network) to capture traffic going across the wire, and comparing it to a database of known attack signatures. If the packets are inspected, and there is a match to the signature database. Many types of actions can be taken, including alerts to the administrator, sending a RST to the attacking host to kill the connection, or even dynamically modifying firewall rules to block the connection (although this is often very risky because of the probablility that valid traffic will be blocked from the network if a false positive is detected. NIDS can most similarly be compared to a sniffer on steroids.

Types of NIDS include Snort, Cisco NIDS, and Netprowler


HIDS is a bit different than NIDS in the aspect that it is run as a service or agent on the protected host. HIDS does not insoect traffic that is not directed at the host it is protecting!!
Instead, the HIDS agent monitors settings on the machine, like critical system files (/etc/passwd, the NT SAM file, etc), registry settings, file checksums, or just about any other parameter you define. When an attack is made to a machine, the agent will typically block the connection, log a record of the session, report it back to a central management console, and of course alert the admin of the problem. HIDS also has another distinct characteristic, it can inspect encrypted traffic, because the traffic is actually decrypted before the agent inspects it. NIDS on the other hand can't do anything about encryption.

Types of HIDS, include Tripwire, Cisco HIDS, and Symantec ESM

False Positives?
A false positive is when an attack is detected that is not really an attack, and is valid traffic on the network. All IDS's will detect false positives at one time or another. It is the admins jobs to tune out these false positives, and only alert on real attacks.

For those who want to see a good real-world application for IDS, visit the Honeynet project homepage at
Of course the Honeynet project is about much more than just IDS, but it will give you some examples of how the IDS can be used, and what information can be gathered from them.

Well there is certainly much more to come...I am out of time now......but please feel free to add to this post with any experiences you guys have had, and I will keep adding as I get time.