IDS/IPS Alerts

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor network traffic for malicious signatures, behaviors, anomalies, and exploitation patterns.
IDS detects and alerts, while IPS detects and blocks.
Both produce alerts that SOC analysts must review, analyze, correlate, and prioritize.
This chapter explains IDS/IPS alerts in full-scale SOC depth, including alert structure, interpretation, validation, correlation, tuning, and investigation workflows.


What IDS/IPS Alerts Represent

An IDS/IPS alert is triggered when network traffic matches:

  • A known malicious pattern

  • Suspicious behavior

  • Anomaly in traffic flow

  • Specific attack signature

  • C2 beaconing pattern

  • Exploit attempt on a service

  • Malware communication

  • Policy violations

IDS/IPS alerts provide network-level visibility that complements endpoint, firewall, and SIEM telemetry.


Alert Structure (SOC-Focused Breakdown)

Most IDS/IPS alerts follow this structure:

Signature ID (SID)

Unique identifier for the rule:

SID: 2023431

Alert Classification

Example:

ET MALWARE Cobalt Strike Beacon

Severity

Low / Medium / High / Critical.

Source & Destination

SRC=185.22.10.44  
DST=10.0.0.21:443

Protocol

TCP/UDP/ICMP/HTTP/HTTPS/DNS.

Payload Snippet

Small piece of packet data that triggered the signature.

Metadata

Categories:

  • Attack type

  • Reference URLs

  • CVE numbers

  • MITRE ATT&CK mapping

SOC analysts rely heavily on these fields.
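The following is an added example (not from the original page) showing how to pull those fields out of one Suricata EVE JSON alert and add the direction check analysts do next. The record, the RFC 1918 "internal" ranges and the ET category parsing are assumptions for this example.

```python
import ipaddress
import json

# Constructed Suricata EVE JSON alert (not from the page); layout follows eve.json.
SAMPLE_EVE = json.dumps({
    "timestamp": "2024-03-01T10:15:02.000000+0000", "event_type": "alert",
    "src_ip": "185.22.10.44", "src_port": 51234,
    "dest_ip": "10.0.0.21", "dest_port": 443, "proto": "TCP",
    "alert": {"action": "allowed", "signature_id": 2023431, "rev": 3,
              "signature": "ET MALWARE Cobalt Strike Beacon",
              "category": "A Network Trojan was detected", "severity": 1,
              "metadata": {"attack_target": ["Client_Endpoint"],
                           "mitre_technique_id": ["T1071"], "tag": ["c2"]}},
    "payload_printable": "GET /pixel.gif HTTP/1.1\r\nHost: cdn-update.example\r\n",
})
# RFC 1918 ranges are treated as "internal" (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY_NAMES = {1: "High", 2: "Medium", 3: "Low"}  # Suricata's numeric scale

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage_alert(eve_line):
    """Flatten one EVE alert into the fields an analyst reads first."""
    rec = json.loads(eve_line)
    if rec.get("event_type") != "alert":
        return None  # flow, dns, http ... records are not alerts
    a = rec["alert"]
    src_in, dst_in = is_internal(rec["src_ip"]), is_internal(rec["dest_ip"])
    direction = ("internal->internal" if src_in and dst_in else
                 "internal->external" if src_in else
                 "external->internal" if dst_in else "external->external")
    sig = a["signature"]
    return {
        "sid": a["signature_id"],
        "signature": sig,
        # ET rule names carry their category as the second token (MALWARE, EXPLOIT, SCAN ...)
        "et_category": sig.split(" ")[1] if sig.startswith("ET ") else "UNKNOWN",
        "severity": SEVERITY_NAMES.get(a.get("severity"), "Unknown"),
        "src": f'{rec["src_ip"]}:{rec["src_port"]}',
        "dst": f'{rec["dest_ip"]}:{rec["dest_port"]}',
        "proto": rec["proto"],
        "direction": direction,
        "blocked": a.get("action") == "blocked",  # IPS drop vs IDS alert-only
        "mitre": a.get("metadata", {}).get("mitre_technique_id", []),
        "payload": rec.get("payload_printable", "")[:80],
    }
```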


Types of IDS/IPS Alerts

1. Signature-Based Alerts

Triggered by known malicious patterns.

Examples:

  • Cobalt Strike beacon

  • EternalBlue exploit

  • Mimikatz over SMB

  • Ransomware extensions

  • SQL injection patterns

2. Anomaly-Based Alerts

Triggered by unusual behavior.

Examples:

  • Abnormal DNS queries

  • Unusual bandwidth usage

  • Repeated failed connections

3. Policy-Based Alerts

Triggered by traffic that violates organizational policy rules.

Examples:

  • Using forbidden protocols

  • Traffic to blocked countries

  • Unauthorized outbound ports


Common IDS/IPS Alert Categories

Exploit Attempts

ET EXPLOIT Apache Struts RCE
ET EXPLOIT CVE-2017-0144 SMBv1

Malware C2

ET MALWARE Cobalt Strike HTTP Beacon
ET C2 Zeus Botnet

Reconnaissance

ET SCAN Nmap Scan Detected
ET SCAN Masscan Activity

Web Attacks

ET WEB_SERVER SQL Injection Attempt
ET WEB_SERVER XSS Attempt

DNS Abuse

ET DNS Long TXT Query — Possible DNS Tunneling
ET DNS Query for DGA Domain

Policy Violations

ET POLICY Executable Download
ET POLICY TOR Exit Node Traffic

Malware Delivery

ET MALWARE Emotet Payload Transfer

How SOC Analysts Validate IDS/IPS Alerts

1. Check Signature Accuracy

Some signatures are noisy and match benign traffic, so check how precisely the rule is written before trusting the alert.

2. Validate Source Reputation

Run OSINT checks:

  • VirusTotal

  • GreyNoise

  • OTX

  • Talos

  • Passive DNS

Example:

185.12.44.33 = Known botnet scanner

3. Validate Destination Host

Identify:

  • Is the host internal or external?

  • Is it a critical server?

  • Is it a user workstation?

4. Inspect Full Packet (if needed)

Use the full PCAP to:

  • verify payload

  • confirm exploit activity

  • detect embedded malware

5. Correlate With Other Logs

Check:

  • Firewall

  • DNS

  • Proxy

  • EDR

  • Sysmon

If multiple logs confirm malicious behavior → escalate.

6. Check For Event Sequences

Example:

Exploit → reverse shell → C2 beacon

This confirms active intrusion.
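As an added example (not from the original page), the sequence check above can be automated over an alert stream: group alerts by the victim host and look for exploit, then shell response, then C2 beacon in order within a time window. The alert list, the stage-to-category mapping and the 30-minute window are assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed alert stream (not from the original page): (timestamp, signature, src, dst).
ALERTS = [
    ("2024-03-01T10:00:05", "ET SCAN Nmap Scan Detected", "185.12.44.33", "10.0.0.21"),
    ("2024-03-01T10:02:10", "ET EXPLOIT CVE-2017-0144 SMBv1", "185.12.44.33", "10.0.0.21"),
    ("2024-03-01T10:02:41", "ET ATTACK_RESPONSE Microsoft cmd.exe banner", "10.0.0.21", "185.12.44.33"),
    ("2024-03-01T10:04:00", "ET MALWARE Cobalt Strike Beacon", "10.0.0.21", "91.22.113.10"),
    ("2024-03-01T11:30:00", "ET EXPLOIT CVE-2017-0144 SMBv1", "203.0.113.9", "10.0.0.40"),
]
# Kill-chain stage per ET category prefix (mapping is an assumption for this example):
# 1 = exploit hits the victim, 2 = shell/response leaves it, 3 = C2 beacon leaves it.
STAGE_BY_PREFIX = {"EXPLOIT": 1, "ATTACK_RESPONSE": 2, "MALWARE": 3}

def stage_of(signature):
    parts = signature.split(" ")
    return STAGE_BY_PREFIX.get(parts[1]) if len(parts) > 1 else None

def find_intrusion_sequences(alerts, window=timedelta(minutes=30)):
    """Per victim host, report the first exploit -> shell -> C2 chain whose three
    stages all occur in order within `window`. Returns {host: [signatures]}."""
    by_host = {}
    for ts, sig, src, dst in alerts:
        stage = stage_of(sig)
        if stage is None:
            continue  # SCAN, POLICY ... are context, not chain stages here
        host = dst if stage == 1 else src  # exploit targets the victim; later stages originate from it
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage, sig))
    confirmed = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t0, s0, sig0) in enumerate(events):
            if s0 != 1:
                continue
            chain, want = [sig0], 2
            for t, s, sig in events[i + 1:]:
                if t - t0 > window:
                    break
                if s == want:
                    chain.append(sig)
                    want += 1
            if want > 3:
                confirmed[host] = chain
                break
    return confirmed
```

A lone exploit alert with no follow-on stage (10.0.0.40 above) is not reported, which is the "did it succeed?" question the page asks before escalating.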


SOC Workflow for Investigating IDS/IPS Alerts

Step 1 — Read Alert Details

Extract:

  • signature

  • src/dst

  • payload

  • timestamps

Step 2 — Verify If Alert Is Legitimate

Check:

  • Does traffic match the exploit?

  • Is signature broad or precise?

Step 3 — Run OSINT Reputation Checks

Determine whether the IP/domain is known to be malicious.

Step 4 — Correlate With Internal Logs

Check the SIEM (Splunk-style searches; field names depend on your data sources):

index=sysmon (process_name="*cmd*" OR process_name="*powershell*")
index=auth failed logins
index=dns suspicious queries

Step 5 — Identify Impacted Assets

Determine:

  • infected host

  • targeted host

  • vulnerable service

Step 6 — Determine Severity

If exploitation succeeded → escalate to L2/L3.

Step 7 — Take Containment Actions

  • Block source IP

  • Isolate host

  • Patch vulnerability

  • Apply firewall rules

Step 8 — Document Findings

Record:

  • IOC

  • behavior

  • impact

  • recommendations


Practical IDS/IPS Alert Examples

Example 1 — Cobalt Strike Beacon

ET MALWARE Cobalt Strike Beacon HTTP Request
SRC=10.0.0.7 → DST=91.22.113.10:443

Action:

  • isolate host

  • investigate process tree

  • check persistence


Example 2 — SQL Injection Attempt

ET WEB_SERVER SQL Injection Attempt
URL=/login.php?id=1' OR '1'='1

Action:

  • verify whether the web server was exploited

  • check logs for anomalies

  • review WAF logs


Example 3 — DNS Tunneling

ET DNS Long TXT Query — Possible Tunneling
TXT="w94j9xjasd9qwjxadz..."

Action:

  • check frequency

  • investigate originating host

  • review process connections

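The "check frequency" step for Example 3, as an added example that is not part of the original page: per-client TXT query counts over the log window, plus the length and Shannon entropy of the first label, since tunnel clients encode data there. The log lines are constructed and the thresholds are assumptions to tune per environment.

```python
import hashlib
import math
from collections import defaultdict

# Constructed DNS log lines (not from the original page): "<timestamp> <client> <qtype> <qname>".
# 10.0.0.7 sends 40 TXT queries with random-looking labels in one minute; 10.0.0.12 looks benign.
DNS_LOG = [f"2024-03-01T09:00:{i:02d} 10.0.0.7 TXT "
           f"{hashlib.sha256(str(i).encode()).hexdigest()[:28]}.t.tunnel-example.net"
           for i in range(40)] + [
    "2024-03-01T09:00:30 10.0.0.12 A www.example.com",
    "2024-03-01T09:05:00 10.0.0.12 TXT _dmarc.example.com",
]

def label_entropy(label):
    """Shannon entropy in bits per character; encoded data scores high, words score low."""
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def txt_query_stats(lines):
    """Per client: TXT query count, mean first-label length, mean first-label entropy."""
    acc = defaultdict(lambda: {"txt": 0, "len": 0.0, "ent": 0.0})
    for line in lines:
        _ts, client, qtype, qname = line.split()
        if qtype != "TXT":
            continue
        first = qname.split(".")[0]  # the label a tunnel client stuffs data into
        s = acc[client]
        s["txt"] += 1
        s["len"] += len(first)
        s["ent"] += label_entropy(first)
    return {c: {"txt": s["txt"], "mean_len": s["len"] / s["txt"],
                "mean_entropy": s["ent"] / s["txt"]} for c, s in acc.items()}

def flag_tunneling(stats, min_txt=20, min_len=20, min_entropy=3.0):
    """Clients exceeding all three thresholds (values are assumptions; tune per environment)."""
    return sorted(c for c, s in stats.items()
                  if s["txt"] >= min_txt and s["mean_len"] >= min_len
                  and s["mean_entropy"] >= min_entropy)
```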

Example 4 — Exploit Attempt

ET EXPLOIT CVE-2017-0144 SMBv1

Action:

  • check SMB logs

  • verify success (authenticated connections?)

  • patch all SMBv1 systems


Example 5 — TOR Traffic

ET POLICY TOR Exit Node

Action:

  • check whether the user intentionally uses TOR

  • if not → escalate

  • block TOR exit nodes


Intel Dump

  • IDS detects attacks; IPS can detect + block them.

  • Alerts include signatures, severity, payload, IPs, and metadata.

  • SOC validates alerts using OSINT, packet inspection, and internal log correlation.

  • Common IDS categories include malware C2, exploits, scanning, DNS abuse, and policy violations.

  • Investigation workflow: read alert → validate → enrich → correlate → analyze impact → contain → document.
