If an attack got past an IPS on a network, is there any way that it would know that certain files or settings were compromised and log details like an IDS? Would it be a good idea to also setup an HIDS or NIDS to log these attacks in addition to an IPS, or would it cause congestion or conflicts?
-
IPS/IDS Question (Network+)
-
The IPS wouldn't necessarily register what got attacked, the reason is because well it's supposed to spot an attack and prevent it.
You're on the right track though when you talk about an HIDS or NIDS to log the attacks. Most IDSes (including HIDS and NIDS) in theory wouldn't cause congestions because you're not telling it do anything but to create a log of an attack. Don't get me wrong if there are so many attacks, it could be possible. More likely at that point you're worried more about losing log information because the storage space for the logs are running low.
Presenting a "Defense in depth" is the better and clear approach rather than trying to think of a single system to defeat any and all attacks.
