12 top IDS/IPS tools

An intrusion detection system (IDS) is a longtime staple of IT security; it’s a software application or physical appliance that monitors networks, hosts, or both for signs that an intruder has broken into your IT infrastructure. Many such tools integrate the capability to not only detect such attacks but automatically fight back against them, which puts them into the related category of intrusion prevention systems (IPS).

IDS/IPS has long been seen as a making up a distinct market, and many are available as standalone products. However, security vendors are increasingly eager to wrap a number of security tools into “platforms” or other similarly unified offerings. Sometimes they’ll sell products or services with an IPS at the core and other bells and whistles added on.

We’ve broken down 12 of the most popular IPS and IDS tools out there. Some stand on their own while some are just a part of a broader system, and we’ve explained where each tool falls on that divide. We’ve even included a couple of longstanding and beloved open source tools on the list, since these are still widely used at enterprises of varying sizes by IT pros who know them well.

One thing to keep in mind: As with most enterprise software, these offerings don’t have a simple price tag attached, since vendors work with VARs and often give discounts to longstanding customers. Many also come in models or tiers with a range of processing capacities. We have offered pricing guidance where such information is public, or where vendors were willing to share it with us.

1. Cisco NGIPS

Cisco’s Next Generation Intrusion Prevention System (NGIPS) is part of the networking giant’s overall security offering, which is grouped together under the Firepower brand. Cisco promises visibility into security data via the centralized Firepower Management center, and NGIPS can also integrate with other Cisco security tools. The policy rules and threat signatures NGIPS uses to detect and prevent intrusions are updated every two hours. NGIPS can run on a Cisco appliance or a VMware instance, and can be positioned flexibly within your network.

2. Corelight and Zeek

Zeek (formerly known as Bro) is an intrusion detection system first developed at Lawrence Berkeley National Lab in the ’90s. Zeek offers general in-depth analysis of network traffic with a focus on security; it works to analyze different activity flows and events and matches them to policy scripts written in Zeek’s own scripting language. Corelight, founded by Zeek creator Vern Paxson, offers Zeek prepackaged on physical or virtual appliances, with a user-friendly GUI, preloaded scripts, and support for higher throughput.

Pricing: Pricing starts at $19,000 per year for physical appliances, and lower for VM or cloud deployments, which are priced per Gbps. The hardware is priced per sensor, and varies depending on the size. In addition, there is a separate price for service subscription, which is purchased separately from the hardware. For virtual and cloud offerings, pricing is based on average daily utilization. (Zeek itself is offered under the BSD license and is free to download and use, though Corelight estimates that rolling your own optimized Zeek install can take months.)

3. Fidelis Network

Fidelis Network is the IPS component of its Elevate platform, which also includes endpoint response and technology layers. Fidelis Network analyzes traffic across ports and using multiple protocols to detect and report anomalies as well as generating metadata that can be further analyzed by other tools; it uses the MITRE ATT&CK knowledge base to assess threats. With sensors that operate directly on your network and in the cloud, Fidelis Network also maps your entire network topography, which can help you track down shadow IT deployments that may not be properly secured.

Pricing: Fidelis Network is priced based on an aggregate network bandwidth and days of stored metadata extracted by the network sensors. The annual subscription price for one gigabit of aggregate network bandwidth and 30 days of metadata, managed and stored in the cloud, starts at $78,000. Optional network sensor hardware is sold separately. On-prem management and data storage is also available.

4. FireEye Intrusion Prevention System

FireEye’s Network Security and Forensics solution, which can operate as a physical appliance or a virtual appliance in the cloud, includes an IPS as part of its onboard functionality. One of FireEye’s big security pitches is its Multi-Vector Virtual Execution (MVX) engine, which the IPS and other tools use to run potentially dangerous code in a controlled virtual environment to test it. FireEye says this is more dependable than relying on attack signatures, which can’t detect zero-day attacks, and also cuts down on time spent chasing after false positives — by 97 percent, the company claims.

5. Hillstone S-Series

Hillstone Networks’ S-Series of appliances offer an in-line network intrusion prevention system that promises wire speeds; a wide range of models are available to support different network traffic volumes. The S-Series uses both a built-in list of attack signatures and a cloud-based sandbox to investigate suspicious code; Hillstone says it can detect abnormal behavior throughout the stack, from L3 to L7. While this IPS isn’t part of an all-encompassing offering like some of the others on this list, the S-Series does offer some additional functionality, like spam-fighting and URL-blocking. It can operate in passive (IDS) or active (IPS) modes.

6. McAfee Network Security Platform

McAfee bills its Network Security Platform, which can run on physical or virtual appliances within your network, as a “next-generation intrusion prevention system.” Combining signature-based and signature-less detection engines, Network Security Platform also correlates threat activity with application usage to keep tabs on potential bad behavior. The virtual version of the appliance extends the functionality to public or private clouds. Network Security Platform can also integrate with other McAfee software, and gets constantly updated threat intelligence from McAfee as well.

Pricing: The Network Security Platform product line has a spectrum of prices based on their capacities, starting in the very low four figures and ranging up to the low six figures for a 100Gb stack.

7. OSSEC

OSSEC is a host-based IDS that is produced by a long-running open source project. It’s been widely downloaded and used — the project receives more than 500,000 downloads a year — and works on Windows, macOS, and a host of Unix-like systems, including Linux. OSSEC monitors the logs various system components generate in real time, and can detect changes to individual files, including all-important Windows registry files. While primarily an IDS, OSSEC can also respond to attacks, using both its own capacities and integration with third-party tools.

Pricing: As an open source project, OSSEC is free to download, modify, and use. Atomicorp offers an enterprise version with a dedicated management console, pre-built rules, and compliance reporting.

8. Snort 

Snort is a venerable open source project that began life as a packet sniffer (thus the name) but has evolved to include the functionality of a full-blown network-based IDS. Snort’s security features work by applying customizable rules to the network packets it analyzes, and can detect a variety of different attacks using both signature- and anomaly-based detection. The Snort community is considered very open and welcoming, though the tool itself can be somewhat tricky to use for newbies.   

Pricing: As an open source project, Snort is free to download, modify, and use, and a continuously updated Snort community ruleset is available for free under the GPL to keep Snort installs up-to-date. Paid rules subscriptions are also available that provides rulesets that are broader and updated 30 days ahead of the community ruleset: these cost $29.99 per year for individuals and $399 per year per sensor for businesses, with custom prices for system integrators. Snort is currently maintained by Cisco and some of its functionality underlies Cisco’s NGIPS, discussed above.

9. Trend Micro TippingPoint

TippingPoint was a company founded in 1999 that was passed among corporate giants (it was a division of Hewlett Packard at one point) before landing at Trend Micro in 2015. Today, it’s the brand name for Trend Micro’s IPS offerings, which are available as physical or virtual appliances. TippingPoint offers automated updates on threat signatures from Trend Micro and the Zero Day Initiative, along with machine learning systems that can spot previously unknown attacks. The appliances promise fault tolerance so they can be safely deployed inline, and the virtual version extends its functionality to public or private clouds. The tool can also be integrated into Trend Micro’s other security offerings, as well as third-party applications.

10. Vectra Cognito

Vectra bills its flagship Cognito offering as a “network detection and response” platform. Cognito heavily relies on artificial intelligence and machine learning to combat attacks, which the company claims outperforms signature-based defense methods. The platform both alerts users on threats and digests data in order to make it easier for human threat hunters to zero in on possible attacks. It presents data in the widely understood Zeek format (though it doesn’t actually use Zeek code under the hood) and can integrate with a wide variety of security tools from different vendors via APIs.

Pricing: Vectra Cognito pricing is based on concurrent IP addresses and will range from SMBs to organizations that have as many as 350,000 concurrent IPs. Customers can subscribe to the Cognito Detect, Recall, and Stream components of the platform separately or together; pricing starts as low as around $10,000 for mid-sized businesses.

[ Read CSO’s review of Vectra Cognito ]

11. BlueVector Cortex

BlueVector Cortex bills itself as an IDS beloved by analysts because it’s built out of a number of open source components that analysts already know and love: Zeek (see above), Suricata, and ClamAV, among others. Added into the mix are BlueVector’s own fileless malware detector and machine learning engine, all bundled onto a modular physical or virtual appliance. An open API that can help the platform integrate with other tools.

12. ZScalar Cloud IPS

ZScalar bills its Cloud IPS as a whole new paradigm in intrusion protection. Unlike most of the services on this list, which exist as physical or virtual appliances, ZScalar Cloud lives, as the name implies, entirely in the cloud. This allows the Cloud IPS to focus on users and their network traffic, not individual servers, and accommodates modern networks where much of an enterprise’s traffic is bound for hosted services outside of IT’s immediate control. Because the Cloud IPS is a SaaS offering, it’s constantly updated with the latest threat data. It offers SSL decryption as well.

Pricing: As a SaaS offering, Cloud IPS is metered, allowing you to add capacity as your needs expand. It also integrates with other ZScalar cloud security services, which can be toggled on as needed.