The network IDS (Intrusion Detection System) uses signature-based detection.
It analyzes network traffic to detect abnormal activity and intrusion attempts.
It is designed to monitor network traffic and detect various types of network threats and anomalies.
It is primarily used for network security monitoring and provides real-time analysis of network traffic to identify potential security issues.
In order to monitor all the devices on your network, the IDS must be able to analyze all the traffic.
Of course, the Artica server can be the main gateway and analyze all traffic passing through it, but this option requires resources and can slow down the network if the server is undersized for the load.
The port mirroring method avoids this problem: it duplicates the network packets instead of routing them through the server.
In this case, the network IDS will be in passive mode.
This is made possible by using a manageable switch that supports port mirroring, which duplicates the traffic of all devices and sends it to the IDS.
The IDS must be able to analyze the frames coming from all the devices on your network.
To do this, all your devices must be connected to the switch, which uses the port mirroring function to transmit all frames received from the mirrored port to the analysis port.
The Artica server on which the IDS is installed is of course connected to this "analysis port".
Starting from v4.50 with HotFix 20230719-14 or Service Pack 1, the IDS supports automatic remediation with CrowdSec.
Your Artica server must have 2 network interfaces: the first one is a simple network interface used to access the machine, and the second one is the dedicated network interface for the mirrored traffic.
Then you can turn on the mirroring port on your switch or firewall (for example, how to set up SPAN (port mirroring) on a Fortigate).
The IDS service hooks into the system kernel to retrieve all network packets.
To ensure that the IDS service is compatible, update to the latest version if one exists.
The IDS service feature can be enabled using the "Features" section.
Now it's time to specify the network interface that will be monitored by the detection engine.
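Before assigning the dedicated mirror interface to the detection engine, it is worth verifying that it is actually receiving mirrored frames. The following POSIX shell script is an added example, not part of the Artica documentation: it assumes a Linux host with sysfs, and the `SYSFS_NET` variable and function names are the example's own (the path can be overridden to exercise the checks against a constructed tree).

```shell
#!/bin/sh
# Sanity checks for the dedicated mirror (SPAN) interface before the IDS uses it.
# Assumes Linux sysfs; SYSFS_NET can be pointed at a constructed tree for testing.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# 0 = interface is administratively up AND in promiscuous mode (required to see
# frames addressed to other hosts); 1 = not; 2 = interface not found.
mirror_iface_promisc_up() {
  flags=$(cat "$SYSFS_NET/$1/flags" 2>/dev/null) || return 2
  flags=$((flags))   # sysfs prints hex, e.g. 0x1103 = UP|BROADCAST|PROMISC|MULTICAST
  [ $((flags & 0x001)) -ne 0 ] && [ $((flags & 0x100)) -ne 0 ]
}

# 0 = link carrier detected (cable is plugged into the switch's analysis port).
mirror_iface_has_carrier() {
  [ "$(cat "$SYSFS_NET/$1/carrier" 2>/dev/null)" = "1" ]
}

# 0 = rx_packets grew by at least $3 packets within $2 seconds.
# An interface that is up but receives nothing usually means port mirroring is
# not configured on the switch, or the wrong source port was mirrored.
mirror_iface_sees_traffic() {
  before=$(cat "$SYSFS_NET/$1/statistics/rx_packets" 2>/dev/null) || return 2
  sleep "$2"
  after=$(cat "$SYSFS_NET/$1/statistics/rx_packets" 2>/dev/null) || return 2
  [ $((after - before)) -ge "$3" ]
}

# Run every check and report; returns 0 only if all of them passed.
check_mirror_iface() {
  iface=$1; rc=0
  if mirror_iface_promisc_up "$iface"; then echo "$iface: up and promiscuous"
  else echo "$iface: NOT up/promiscuous (try: ip link set $iface up promisc on)"; rc=1; fi
  if mirror_iface_has_carrier "$iface"; then echo "$iface: carrier ok"
  else echo "$iface: no carrier, check the cable to the analysis port"; rc=1; fi
  if mirror_iface_sees_traffic "$iface" 5 1; then echo "$iface: receiving mirrored frames"
  else echo "$iface: no frames in 5s, check the mirroring setup on the switch"; rc=1; fi
  return $rc
}

# Usage: sh check_mirror.sh <mirror-interface>
if [ -n "${1:-}" ]; then check_mirror_iface "$1"; fi
```

A passive mirror interface should carry no IP address of its own; the script only checks link state and packet counters, so confirm the addressing separately.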