Top Free Network-Based Intrusion Detection Systems (IDS) for the Enterprise

Posted by UpGuard

Due to the sophistication of today’s data breaches and intrusions, implementing and maintaining network security more often requires a multi-tiered approach; companies securing their networks often use a combination of technologies to combat the myriad attack, intrusion, and compromise methods available to cyber criminals today. Though a variety of tools and methodologies exist, the two common elements of all secure enterprise network configurations are the firewall and the intrusion detection/prevention system (IDS/IDPS). Firewalls control incoming and outgoing traffic based on rules and policies, and act as a barrier between secure and untrusted networks. Inside the secure network, an IDS detects and logs suspicious activity to and from hosts and within the traffic itself; when deployed inline as an intrusion detection and prevention system (IDPS), it can also block the offending traffic rather than merely alert on it.

The focus of this discussion will be on the IDS/IDPS-- specifically, network-based IDS (NIDS) solutions. Popular host-based IDS (HIDS) solutions will be covered in forthcoming articles.


IDS/IDPS offerings are generally categorized into two types of solutions: host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS). An HIDS is installed on the individual host (ideally on every host on the network) to analyze and monitor traffic coming to and from that node. An HIDS also tracks local file changes and other alterations that may indicate unauthorized access or compromise.

In contrast, an NIDS is strategically positioned at various points on the network to monitor traffic going to and from network devices. NIDS solutions offer sophisticated, real-time intrusion detection capabilities and often consist of an assembly of interoperating pieces: typically a standalone appliance or server running the analysis engine, sensors that feed it traffic (a network tap or a switch SPAN/mirror port), and management software. These pieces working in concert allow for a wider range of network intrusion detection capabilities than an HIDS, which sees only its own host’s traffic.

A comprehensive IT security model should employ both an HIDS and an NIDS, since each has its advantages and disadvantages. For example, since an HIDS is host-installed and has access to details like registry settings, logs, and other system information, extended forensic capabilities are possible. A drawback, however, is that resources are drawn from the host (e.g., the computer the HIDS is installed on) to power the HIDS. Additionally, an HIDS sees the effects of an attack on the host (changed files, new processes, log entries), so it is reactive in nature and typically detects an intrusion only after the host has already been touched.

In contrast, an NIDS is usually a dedicated appliance or server installed on the network itself, so it doesn’t need to tap into any underlying host system for resources. Installation of these solutions also tends to be straightforward: in most cases they are attached to a tap or mirror port and begin passively monitoring for suspicious traffic, with no changes to the hosts being protected. Though commercial NIDS solutions are usually expensive and targeted at the enterprise, a decent selection of free, open source solutions is available. These solutions run on open source software and commodity hardware, and offer levels of security and protection comparable to commercial NIDS offerings.

But before jumping into what these free NIDS offerings are all about, yet another class distinction needs to be made-- this time concerning how different types of NIDS detect intrusions.


Signature-Based vs. Anomaly-Based NIDS

An NIDS may incorporate one of two (or both) types of intrusion detection: signature-based and anomaly-based. A signature-based NIDS monitors network traffic for suspicious patterns in data packets-- “signatures” of known network intrusion patterns-- to detect attacks and compromises (and, in an IDPS deployment, block them). By using a database of well known intrusion types and their data patterns, a signature-based NIDS can quickly identify intrusions and initiate an appropriate course of action.

An anomaly-based NIDS uses a baseline of the system in a normal operational state to track whether unusual or suspicious activity is present. Though this method takes time to set up, as baselining requires the NIDS solution to “learn” about your system usage patterns, its organic, heuristic approach to intrusion detection can be more flexible and powerful than a signature-based approach, which requires that a pre-existing intrusion type’s pattern is on file to pattern match against. For example, in the case of newly announced/discovered intrusion types and vulnerabilities (e.g., zero-day attacks), an anomaly-based IDS can react immediately to deviations from the baseline system patterns, whereas a signature-based solution requires the existence of a previous attack pattern, or an update to the database of known intrusion methods by the vendor. Two caveats apply: a zero-day attack is only caught if it actually deviates from the learned baseline, and anything that was already happening during the baselining period, including an attacker who was already inside, is learned as “normal”.

Both approaches have their merits and drawbacks. Signature-based approaches are faster, generate fewer false positives, and do not require the baselining time that anomaly-based approaches do. That said, because they are reactive in nature, systems entirely dependent on signature-based NIDS are blind to any attack for which no signature exists yet. As their effectiveness is entirely dependent on a database of pre-existing intrusion signatures, signature-based NIDS are often crippled in the face of novel, sophisticated attacks. An anomaly-based NIDS can be difficult to set up, configure, and “train”, and generates more false positives, but it can baseline behaviour at multiple layers of the protocol stack and flag deviations that no signature describes. The complementary strengths of the two approaches clearly illustrate the need for both in building a comprehensive IT security strategy.
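To make the trade-off concrete, here is a small simulation of both detection styles over a handful of flow records. It is an example added to this article, not code from the page or from Snort, Suricata, Bro or any other tool named below; the flow records, the two byte patterns standing in for signatures, the 10.0.0.0/8 and 203.0.113.0/24 addresses, and the threshold constants are all constructed for illustration. The signature detector catches a known probe from an external host and a known exploit header with no training at all, but stays silent while an internal host sweeps ports; the anomaly detector, trained on ten quiet minutes, flags the sweep but cannot judge the external host because it has no baseline for it.

```python
"""Signature-based vs. anomaly-based detection over constructed flow records.

Added example for this article; it is not code from the page or from Snort,
Suricata, Bro or any other tool discussed here. The flow records, the byte
patterns standing in for signatures, and the thresholds are all made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Signature side: (sid, message, destination port, byte pattern). The patterns
# are hypothetical stand-ins for real IDS signatures.
SIGNATURES = [
    (1000001, "HYPOTHETICAL HTTP path traversal probe", 80, b"../../etc/passwd"),
    (1000002, "HYPOTHETICAL SMB exploit header", 445, b"\xffSMBr"),
]

def signature_alerts(flows):
    """Return (sid, msg, flow) for each flow whose payload contains a known pattern.

    No training phase is needed, but nothing outside SIGNATURES can ever be
    reported: this is the 'blind to novel attacks' property."""
    return [(sid, msg, f) for f in flows for sid, msg, dport, pat in SIGNATURES
            if f["dport"] == dport and pat in f["payload"]]

# Anomaly side: baseline the number of distinct destination ports each
# source talks to per time window, then flag windows far above its norm.

def _ports_per_window(flows, window):
    buckets = defaultdict(set)            # (src, window index) -> distinct dports
    for f in flows:
        buckets[(f["src"], f["ts"] // window)].add(f["dport"])
    return buckets

def build_baseline(training_flows, window=60):
    """Per source: (mean, population stdev) of distinct dports per window.

    Whatever happens during training is learned as 'normal', so the training
    period must itself be clean, a well-known weakness of this approach."""
    per_src = defaultdict(list)
    for (src, _), ports in _ports_per_window(training_flows, window).items():
        per_src[src].append(len(ports))
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}

def anomaly_alerts(flows, baseline, window=60, k=3.0, floor=2.0):
    """Flag (src, window, count, threshold) when distinct dports > mean + k*stdev.

    `floor` stops a perfectly flat baseline (stdev 0) from firing on any
    change at all; sources with no baseline are skipped, not judged."""
    alerts = []
    for (src, win), ports in sorted(_ports_per_window(flows, window).items()):
        if src not in baseline:
            continue
        mu, sigma = baseline[src]
        threshold = mu + k * max(sigma, floor)
        if len(ports) > threshold:
            alerts.append((src, win, len(ports), threshold))
    return alerts

# Constructed traffic (not captures) --------------------------------------
def _flow(ts, src, dport, payload=b""):
    return {"ts": ts, "src": src, "dport": dport, "payload": payload}

# Training: ten quiet minutes in which each internal host uses two services.
TRAINING = [f for m in range(10) for f in (
    _flow(m * 60 + 5, "10.0.0.5", 443), _flow(m * 60 + 20, "10.0.0.5", 53),
    _flow(m * 60 + 30, "10.0.0.7", 443), _flow(m * 60 + 40, "10.0.0.7", 80))]

SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]
OBSERVED = (
    # External host sends a known probe: caught by signature, skipped by the
    # anomaly detector because it has no baseline for that source.
    [_flow(605, "203.0.113.9", 80, b"GET /../../etc/passwd HTTP/1.0")]
    # Internal host 10.0.0.5 sweeps ports with empty payloads: no signature
    # fires, but its distinct-port count jumps from 2 to 11 in this window.
    + [_flow(620 + i, "10.0.0.5", p) for i, p in enumerate(SCAN_PORTS)]
    # ... then delivers a known exploit header, which the signature catches.
    + [_flow(640, "10.0.0.5", 445, b"\x00\x00\x00\x55\xffSMBr\x00\x00")]
    # 10.0.0.7 behaves exactly as it did during training.
    + [_flow(650, "10.0.0.7", 443), _flow(655, "10.0.0.7", 80)]
)

def run():
    """Run both detectors over OBSERVED and return their findings."""
    baseline = build_baseline(TRAINING)
    return {
        "signature": [(sid, f["src"]) for sid, _, f in signature_alerts(OBSERVED)],
        "anomaly": [(src, win, n) for src, win, n, _ in anomaly_alerts(OBSERVED, baseline)],
    }

if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

The `floor` argument is the kind of tuning a real anomaly engine buries in its configuration: with a perfectly regular training set the standard deviation is zero, and without a floor a single extra destination port would raise an alert, which is exactly the false-positive behaviour the text warns about.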

Top Free NIDS for the Enterprise

Snort is the hands-down leader in open source NIDS solutions. Though it sports no GUI or easy administration interface, the tool has gained broad acceptance as an effective NIDS solution for a wide range of scenarios and use cases. Furthermore, various front-ends have been created by the community to address its lack of a GUI. Snort is primarily signature-based, supplemented by preprocessors that flag protocol anomalies such as port scans, and can rely on user-created rules or on rulesets sourced from providers like Emerging Threats.
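The "user-created rules" mentioned above are plain text in Snort's rule language: a header naming the action, protocol, addresses, ports and direction, followed by options such as `msg`, `content` and `sid`. As an added example (not Snort's own code, and not from the article), the following Python parses that syntax for a small subset of options and matches rules against packets, which shows what the engine actually checks: header fields first, then every `content` pattern in order, with `|..|` hex escapes and the `nocase` modifier. The two rules and four packets are constructed; the `$HOME_NET` variable is treated as "any" here, whereas real Snort resolves it from its configuration, and local SIDs in the 1000000+ range follow Snort's convention for user-written rules.

```python
"""Minimal parser and matcher for Snort-style rules.

Added example for this article; it is not Snort's code and implements only
the small subset of the rule language used below: the rule header plus the
msg, content, nocase, sid and rev options. Rules and packets are constructed.
"""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

def _decode_content(text):
    """'ab|90 90|cd' -> b'ab\\x90\\x90cd': segments between pipes are hex."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def parse_rule(line):
    """Parse one rule. Options are split on ';', so a literal ';' inside a
    content must be written as |3B|, as Snort itself recommends."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["contents"] = []
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        name, _, value = opt.partition(":")
        value = value.strip().strip('"')
        if name == "msg":
            rule["msg"] = value
        elif name in ("sid", "rev"):
            rule[name] = int(value)
        elif name == "content":
            rule["contents"].append({"bytes": _decode_content(value), "nocase": False})
        elif name == "nocase":          # modifies the content option that precedes it
            rule["contents"][-1]["nocase"] = True
        else:                           # fail closed rather than silently over-match
            raise ValueError(f"unsupported option {name!r} in sid {rule.get('sid')}")
    return rule

def _port_ok(spec, port):
    if spec == "any" or spec.startswith("$"):   # $HTTP_PORTS etc. come from snort.conf; any here
        return True
    if ":" in spec:                             # range with optional bounds: "1024:", ":1023"
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def _addr_ok(spec, ip):
    if spec == "any" or spec.startswith("$"):   # $HOME_NET etc. likewise treated as any
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    ends = [(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])]
    if rule["dir"] == "<>":                      # bidirectional: try both orientations
        ends.append((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    if not any(_addr_ok(rule["src"], s) and _port_ok(rule["sport"], sp)
               and _addr_ok(rule["dst"], d) and _port_ok(rule["dport"], dp)
               for s, sp, d, dp in ends):
        return False
    for c in rule["contents"]:                   # every content must be present (AND)
        needle, hay = c["bytes"], pkt["payload"]
        if c["nocase"]:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

def scan(rules, pkt):
    """SIDs of all rules that match the packet."""
    return [r["sid"] for r in rules if rule_matches(r, pkt)]

RULES = [parse_rule(r) for r in (
    'alert tcp any any -> $HOME_NET 80 (msg:"LOCAL path traversal attempt"; '
    'content:"../../"; content:"etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> 10.0.0.0/8 445 (msg:"LOCAL SMB request with NOP sled"; '
    'content:"|FF|SMB"; content:"|90 90 90 90|"; sid:1000002; rev:1;)',
)]

def _pkt(proto, src, sport, dst, dport, payload):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, payload=payload)

# Constructed packets, not captures.
PKT_TRAVERSAL = _pkt("tcp", "203.0.113.9", 51000, "10.0.0.20", 80,
                     b"GET /../../ETC/PASSWD HTTP/1.0\r\n\r\n")   # upper case: needs nocase
PKT_SMB = _pkt("tcp", "203.0.113.9", 51001, "10.0.0.21", 445,
               b"\x00\x00\x00\x40\xffSMBr\x00" + b"\x90" * 4)
PKT_BENIGN = _pkt("tcp", "203.0.113.9", 51002, "10.0.0.20", 80, b"GET /index.html HTTP/1.0\r\n\r\n")
PKT_UDP = _pkt("udp", "203.0.113.9", 51003, "10.0.0.20", 80, PKT_TRAVERSAL["payload"])  # proto mismatch

if __name__ == "__main__":
    for name, p in (("traversal", PKT_TRAVERSAL), ("smb", PKT_SMB), ("benign", PKT_BENIGN), ("udp", PKT_UDP)):
        print(name, scan(RULES, p))
```

Two details matter when writing real rules: `nocase` applies only to the `content` immediately before it (the `../../` pattern in the first rule is still case-sensitive), and a rule with several `content` options fires only when all of them are present. Real Snort also offers `depth`, `offset`, `flow`, `pcre` and many other options that this parser deliberately rejects rather than ignores, since ignoring an unknown constraint would make a rule match more traffic than its author intended.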


Suricata is a direct competitor to Snort and employs a signature-based methodology, rule/policy driven security, and an anomaly-based approach for detecting intrusions. For some, the solution is a modern alternative to the industry standard tool-- a Snort “on steroids,” so to speak, with multi-threading capabilities, GPU acceleration (CUDA offload, which was later removed in Suricata 5.0), and multiple model statistical anomaly detection, among others.

Bro IDS (renamed Zeek in 2018) is less a signature matcher than a network analysis framework: it parses traffic into protocol-level events and logs (connections, DNS, HTTP, files) and lets you express detection and anomaly logic in its own domain-specific scripting language, which is what people mean when they refer to the “Bro language”. It is usually employed in conjunction with Snort, as the two complement each other quite nicely. The technology is especially effective at traffic analysis, and is often used in forensics and related use cases.

OpenWIPS-ng, despite having neither a logo nor much documentation, has become a popular open source project for wireless intrusion detection and prevention, with features and functionality found in comparable commercial solutions costing tens of thousands of dollars. Its signature-based intrusion detection technology consists of sensors that capture wireless traffic, a server that analyzes and responds to attacks, and a GUI for easy management.

Security Onion is actually an Ubuntu-based Linux distribution for IDS and network security monitoring (NSM), and consists of several of the above open-source technologies working in concert with each other. The platform offers comprehensive intrusion detection, network security monitoring, and log management by combining the best of Snort, Suricata, and Bro-- as well as other tools such as Sguil, Squert, Snorby, ELSA, and Xplico, among others. For those desiring the best of the aforementioned tools in one single package, Security Onion is worth considering.

Pros and cons at a glance:

Snort
Pros: Fairly easy to install and get up and running. Vast community of users, many support resources available online.
Cons: Comes with no GUI, though community-developed add-ons exist. Packet processing can be slow on busy links, as the classic Snort engine is single-threaded.

Suricata
Pros: Can use Snort’s rulesets. Has advanced features such as multi-threading capabilities and GPU acceleration.
Cons: Prone to false positives. System and network resource intensive.

Bro IDS
Pros: Platform can be tailored for a variety of network security use cases, in addition to NIDS.
Cons: Some programming experience is required. Gaining proficiency in the Bro DSL can take some effort.

OpenWIPS-ng
Pros: Modular and plugin-based. Software and hardware required can be built by DIYers.
Cons: Primarily a wireless security solution.

Security Onion
Pros: Comprehensive security stack consisting of multiple, leading open-source solutions. Provides an easy setup tool for installing the whole stack.
Cons: As a platform made up of several technologies, Security Onion inherits the drawbacks of each constituent tool.

Securing the enterprise these days doesn’t need to be a bank-breaking ordeal. The aforementioned free open source NIDS solutions are all competent tools that offer industrial strength protection against intrusions and compromises, with many of them complementing each other when used in tandem. Furthermore, offerings like Security Onion have taken the legwork out of picking and choosing the appropriate tools by combining the most popular open source security tools into one unified solution stack, freely available and easy to install.
