Logical components of IDS
- The logical architecture of an IDS is shown in the figure above.
- It consists of three components:
  - Event Generator
  - Analyzer
  - Response Module
- The information-collection policy is determined by the event generator policy, which defines the filtering mode for event notification information.
- The event generator (operating system, network, application) produces a policy-filtered set of events, which may be a log (or audit trail) of system events or a stream of network packets.
- This event set, together with the policy information, can be stored either on the protected system or outside it.
- An intrusion detection system always has a core element, the sensor, which is responsible for detecting intrusions. The sensor contains the decision-making mechanisms regarding intrusions.
- Sensors receive raw data from three major information sources, as shown in the figure above: the IDS's own knowledge base, syslog, and audit trails.
- This information forms the basis for the subsequent decision-making process.
- The response module fires an alarm whenever the sensors detect a threat, an intrusion, or a violation of policy.
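The three components above can be seen end to end in a small pipeline. The following is an added example, not code from the original notes: the event generator parses constructed syslog lines and applies a collection policy (only events from programs listed in the policy are passed on), the analyzer acts as the sensor and consults a knowledge base of rule parameters (failed-login threshold, time window, accounts that must never log in), and the response module raises alarms for whatever the sensor detects. The log lines, host names, addresses and rule names are all constructed for the example.

```python
"""Three-stage IDS pipeline: event generator -> analyzer (sensor) -> response module."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample syslog excerpt (not real data); this plays the role of the
# "syslog" information source that the sensor reads.
SAMPLE_SYSLOG = """\
Mar 10 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 10:00:03 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar 10 10:00:04 host1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 10:00:05 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 10:00:09 host1 sshd[2004]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 10:00:12 host1 sshd[2005]: Accepted password for guest from 203.0.113.7 port 51240 ssh2
"""

HEADER = re.compile(r"^(\w{3}) +(\d+) (\d{2}):(\d{2}):(\d{2}) (\S+) ([\w-]+)\[\d+\]: (.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+)")


@dataclass
class Event:
    ts: int            # seconds since midnight (date is ignored in this toy parser)
    host: str
    program: str
    action: str        # "failed_login", "accepted_login" or "other"
    user: str = ""
    src: str = ""


def event_generator(raw_log, policy_programs):
    """Event Generator: turn raw log lines into events, keeping only those the
    collection policy asks for (here: a set of program names of interest)."""
    for line in raw_log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue                       # unparseable line: not an event
        _, _, hh, mm, ss, host, program, msg = m.groups()
        if program not in policy_programs:
            continue                       # filtered out by the event generator policy
        ts = int(hh) * 3600 + int(mm) * 60 + int(ss)
        f = FAILED.search(msg)
        a = ACCEPTED.search(msg)
        if f:
            yield Event(ts, host, program, "failed_login", f.group(1), f.group(2))
        elif a:
            yield Event(ts, host, program, "accepted_login", a.group(1), a.group(2))
        else:
            yield Event(ts, host, program, "other")


@dataclass(frozen=True)
class KnowledgeBase:
    """The IDS's own knowledge base: the parameters the sensor decides with (assumed rules)."""
    fail_threshold: int = 3
    window_seconds: int = 60
    forbidden_accounts: frozenset = frozenset({"guest"})


class Analyzer:
    """The sensor: holds per-source state and applies the knowledge base to each event."""

    def __init__(self, kb):
        self.kb = kb
        self._failures = defaultdict(deque)  # src address -> timestamps of recent failures

    def analyze(self, event):
        """Return a list of (rule_name, detail) findings for one event."""
        findings = []
        if event.action == "failed_login":
            q = self._failures[event.src]
            q.append(event.ts)
            while q and event.ts - q[0] > self.kb.window_seconds:
                q.popleft()                # drop failures outside the sliding window
            if len(q) == self.kb.fail_threshold:   # fire once, when the threshold is reached
                findings.append(("brute_force",
                                 f"{len(q)} failed logins from {event.src} "
                                 f"within {self.kb.window_seconds}s"))
        elif event.action == "accepted_login" and event.user in self.kb.forbidden_accounts:
            findings.append(("forbidden_account",
                             f"successful login to '{event.user}' from {event.src}"))
        return findings


class ResponseModule:
    """Response Module: raises an alarm for every finding the sensor reports."""

    def __init__(self):
        self.alarms = []

    def respond(self, event, findings):
        for rule, detail in findings:
            self.alarms.append(f"ALARM [{rule}] host={event.host} t={event.ts}: {detail}")


def run_ids(raw_log, policy_programs, kb):
    """Wire the three components together and return the alarms that were raised."""
    analyzer, responder = Analyzer(kb), ResponseModule()
    for event in event_generator(raw_log, policy_programs):
        responder.respond(event, analyzer.analyze(event))
    return responder.alarms


if __name__ == "__main__":
    for alarm in run_ids(SAMPLE_SYSLOG, {"sshd"}, KnowledgeBase()):
        print(alarm)
```

With the policy set to `{"sshd"}` the cron line never reaches the sensor, the third failed login from the same address within the window raises a brute-force alarm, and the successful login to the forbidden `guest` account raises a second one; changing the policy to `{"cron"}` filters out every ssh event, so nothing is detected, which is exactly the effect the collection policy has on what the sensor can see.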