Signature based IDS

Signature based IDS: A signature-based IDS monitors packets on the network and compares them against a database of signatures (byte patterns or other attributes) derived from known malicious threats.

  • This is similar to the way most antivirus software detects malware: until you update the signature database, the IDS is unable to detect a new threat.
  • Signature detection involves searching network traffic for a series of bytes or packet sequences known to be malicious.
  • A key advantage of this detection method is that signatures are easy to develop and understand if you know what network behavior you’re trying to identify.
  • For example, you might use a signature that looks for particular strings within a payload to detect attacks that attempt to exploit a particular buffer-overflow vulnerability.
  • Each match against a signature produces an event, and the IDS raises an alarm for it.
  • Also, pattern matching can be performed very quickly on modern systems, so the processing power needed for these checks is minimal for a confined rule set.
  • For instance, if the systems you are protecting only communicate via DNS, ICMP and SMTP, all other signatures can be removed.
  • Signature engines also have their disadvantages. Because they only detect known attacks, a signature must be created for every attack, and unknown attacks cannot be detected. The same applies to a known attack whose payload has been altered (for example re-encoded or split across packets) so that the byte sequence the signature looks for no longer appears.
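The following is an added example, not code from the original page or from any IDS product. It is a toy signature engine in the style of Snort-like rules: each rule carries a protocol, a port, one or more byte strings that must appear in the payload, and an optional regular expression. It runs a constructed traffic sample through a constructed rule set (the rule IDs, messages and packets are all made up for this illustration), shows how trimming the rule set to the protocols the protected hosts actually speak reduces the work, and shows the blind spot described above: the same overflow payload delivered in a way no rule describes raises nothing.

```python
"""Minimal signature-based IDS matcher.

Added example, not code from the original page or from any real IDS. It
mimics the way engines such as Snort or Suricata apply a rule's 'content'
(byte-sequence) and regex checks to a packet payload and raise one alert
per match. Rule IDs, messages and sample packets are all constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    proto: str          # application protocol, e.g. "http", "smtp", "dns"
    dport: int
    payload: bytes


@dataclass
class Rule:
    sid: int            # hypothetical local rule ID
    msg: str
    proto: str
    dport: Optional[int] = None                             # None = any port
    content: List[bytes] = field(default_factory=list)      # every byte string must occur
    pattern: Optional[re.Pattern] = None                    # optional regex over the payload

    def matches(self, pkt: Packet) -> bool:
        """True only when protocol, port, all content strings and the regex match."""
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if any(c not in pkt.payload for c in self.content):
            return False
        if self.pattern is not None and not self.pattern.search(pkt.payload):
            return False
        return True


# Constructed rule set (hypothetical SIDs in the local range >= 1000000).
RULES = [
    Rule(1000001, "HTTP overlong GET URI (buffer overflow attempt)", "http", 80,
         content=[b"GET /"], pattern=re.compile(rb"GET /\S{200,}")),
    Rule(1000002, "SMTP VRFY user enumeration", "smtp", 25, content=[b"VRFY "]),
    Rule(1000003, "Telnet login prompt seen", "telnet", 23, content=[b"login:"]),
]


def prune_rules(rules, allowed_protos):
    """Drop rules for protocols the protected hosts never speak (smaller, faster set)."""
    return [r for r in rules if r.proto in allowed_protos]


def inspect(packets, rules):
    """Run every rule over every packet; each match becomes one (sid, msg) alert."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append((rule.sid, rule.msg))
    return alerts


# Constructed traffic sample: a benign request, two known attacks, one variant.
PACKETS = [
    Packet("http", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("http", 80, b"GET /" + b"A" * 300 + b" HTTP/1.1\r\n\r\n"),
    Packet("smtp", 25, b"VRFY root\r\n"),
    # Same overflow payload delivered in a POST body: no rule describes it,
    # so the engine stays silent. This is the "unknown attack" blind spot.
    Packet("http", 80, b"POST /form HTTP/1.1\r\nContent-Length: 300\r\n\r\n" + b"A" * 300),
]


def demo():
    """Return alerts for the full rule set and for a set pruned to DNS/ICMP/SMTP."""
    full = inspect(PACKETS, RULES)
    trimmed = inspect(PACKETS, prune_rules(RULES, {"dns", "icmp", "smtp"}))
    return full, trimmed


if __name__ == "__main__":
    full_alerts, trimmed_alerts = demo()
    for sid, msg in full_alerts:
        print(f"[full rule set]   alert sid={sid}: {msg}")
    for sid, msg in trimmed_alerts:
        print(f"[pruned rule set] alert sid={sid}: {msg}")
```

With the full rule set the engine alerts on the overlong GET and on the VRFY probe; after pruning to the protocols the hosts speak, the HTTP and Telnet rules are gone and only the SMTP alert remains. The fourth packet carries the same 300-byte overflow string but never matches, because the only overflow rule is written for a GET URI; a real deployment would need a new signature for that variant before it could be seen.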
