Which of the following statements is true regarding a HIDS? (Select the best answer.)
A.
It can monitor the network for port scans.
B.
It can identify spoofing attacks.
C.
It can analyze OSspecific protocols, such as SMB.
D.
It can delay packets during reassembly.
Explanation:
A Hostbased Intrusion Detection System (HIDS) can analyze operating system (OS)specific protocols, such as
Server Message Block (SMB). Intrusion Detection Systems (IDSs) are primarily used for monitoring network
traffic and do not sit inline with traffic flow. Because IDS devices do not sit inline, they do not delay the flow of
packets during reassembly and analysis. A HIDS can be used to monitor traffic on a single host, whereas a
Networkbased IDS (NIDS) can be used to monitor all network traffic.
A hostbased solution, such as a HIDS or a Hostbased Intrusion Preventions System (HIPS), has direct access
to the host OS and can typically understand OSspecific protocols and applications based on the behavior
identified in kernellevel audit trails. By contrast, a networkbased solution, such as a NIDS or a Networkbased
IPS (NIPS), has limited information about the host OS and its applications.
The detailed information about a particular host, its applications, and its behaviors enables a HIDS to
implement policies that can be tailored to the host and that can be much more restrictive than policies
implemented by a NIDS, most of which implement policies that impact the entire network. In addition, a HIDS
can analyze traffic from encrypted sessions that are initiated by or terminated on the host.
By contrast, a NIDS does not have access to OSspecific information and cannot analyze OSspecific protocols
and applications. However, because a NIDS is not installed on a single host, it can gather intelligence about
threats such as port scans and spoofing attacks, which can affect multiple hosts throughout the network. In
addition, because a NIDS is not installed on a host, it is immune to attacks that might compromise a host and
its HIDS.SANS: SANS Institute InfoSec Reading Room: How to Choose Intrusion Detection Solution(PDF)