IDS/IPS Logs

IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) logs provide signature-based, behavior-based, and anomaly-based visibility into hostile activity at the network layer.
These logs reveal port scans, exploit attempts, C2 communication, brute force, malware signatures, protocol violations, and payload anomalies.
For SOC analysts, IDS/IPS telemetry is essential for detecting network-side attacks that endpoint logs may never see.

This chapter presents IDS/IPS logs in full-scale, ultra-practical SOC depth with raw event samples, Snort/Suricata rule analysis, field interpretation, SIEM queries, and complete attack timelines.


What IDS/IPS Logs Provide

IDS/IPS logs detect:

  • Port scanning

  • Exploitation attempts

  • Malware signatures

  • Web application attacks

  • Buffer overflows

  • Shellcode detection

  • C2 communication

  • Suspicious DNS activity

  • Protocol anomalies

  • Lateral movement traffic

  • Reconnaissance patterns

IPS can additionally block malicious traffic if configured to do so.


Common IDS/IPS Platforms

Most SOC environments use:

  • Suricata

  • Snort

  • Zeek (behavioral/network metadata)

  • Palo Alto Threat Prevention

  • FortiGate IPS

  • Cisco FirePOWER

  • Wazuh IDS

All of them forward events to a SIEM via syslog or log-shipping agents.


IDS/IPS Log Format (Raw Examples)

Below are realistic raw IDS/IPS events, shown exactly as analysts see them.


1. Suricata Alert — External Port Scan

{"timestamp":"2025-01-10T02:21:03.422Z","event_type":"alert",
 "src_ip":"185.33.11.44","dest_ip":"10.0.0.5","src_port":58622,
 "dest_port":22,"proto":"TCP",
 "alert":{"signature_id":2100498,"signature":"ET SCAN Nmap Scripting Engine User-Agent Detected"}}

Interpretation:

  • External attacker running Nmap scan

  • High severity if targeting critical servers


2. Snort Alert — SQL Injection Attempt

[**] [1:2010935:3] SQL Injection Attempt UNION SELECT [**]
[Priority: 1] {TCP} 185.33.10.22:51133 -> 10.0.0.50:80

Interpretation:

  • Web app attack

  • Likely automated exploitation


3. Suricata — Command and Control (C2) Traffic

alert: "ET C2 Known Malware Host"
src_ip: 10.0.0.5
dest_ip: 91.22.113.10

Interpretation:

  • Internal machine beaconing to known malicious IP

  • Indicates active infection


4. IPS Block Event — Exploit Prevented

action=blocked
msg="ET EXPLOIT Apache Struts Remote Code Execution Attempt"
src=185.44.22.11 dst=10.0.0.50 sport=52211 dport=8080

Interpretation:

  • IPS blocked an exploit

  • Critical security event


5. DNS Tunneling Detection

"ET DNS Excessive DNS TXT Requests Possible DNS Tunneling"
src_ip=10.0.0.25 dst_ip=8.8.8.8

Interpretation:

  • Possible data exfiltration via DNS (the signature fires on TXT query volume; confirm before escalating)

  • Very stealthy attack technique


6. Lateral Movement — SMB Exploit Attempt

"ET EXPLOIT EternalBlue MS17-010"
src_ip=10.0.0.20 dest_ip=10.0.0.22 dport=445

Interpretation:

  • Internal host attacking another

  • Indicates worm or compromised machine
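Snort's fast-format alerts (example 2 above) are plain text, so a SOC pipeline normally parses them into the same field names Suricata emits (src_ip, dest_ip, signature_id) before they reach the SIEM. The parser below is an added example, not part of this chapter or of Snort; the Alert class and its field names are my choice, and the sample is copied from example 2.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in Snort "fast" alert format, copied from example 2 above.
SNORT_ALERT = (
    "[**] [1:2010935:3] SQL Injection Attempt UNION SELECT [**]\n"
    "[Priority: 1] {TCP} 185.33.10.22:51133 -> 10.0.0.50:80"
)

# Fast format: [gid:sid:rev] msg, optional [Classification: ...], [Priority: n],
# {PROTO}, then src -> dst. Ports are absent for ICMP, so they are optional here;
# search() tolerates a leading timestamp such as "01/10-02:21:03.422".
_FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s*\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

@dataclass
class Alert:
    """Snort alert normalised to the Suricata-style field names used in this chapter."""
    signature_id: int
    rev: int
    signature: str
    priority: int
    proto: str
    src_ip: str
    dest_ip: str
    src_port: Optional[int] = None
    dest_port: Optional[int] = None
    classification: Optional[str] = None

def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None

def parse_snort_fast(text: str) -> Alert:
    """Parse one fast-format alert; raise ValueError for anything else."""
    m = _FAST_RE.search(text)
    if not m:
        raise ValueError("not a Snort fast-format alert")
    return Alert(
        signature_id=int(m["sid"]), rev=int(m["rev"]), signature=m["msg"].strip(),
        priority=int(m["prio"]), proto=m["proto"],
        src_ip=m["src"], dest_ip=m["dst"],
        src_port=_port(m["sport"]), dest_port=_port(m["dport"]),
        classification=m["cls"],
    )
```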


IDS/IPS Event Fields (How Analysts Interpret Them)

Key fields to analyze:

1. signature / rule name

Tells what attack was attempted.

2. signature_id

Useful for rule tuning and correlation.

3. src_ip / dest_ip

Origin and target of attack.

4. src_port / dest_port

Destination ports hint at the attack type:

  • 445 → SMB exploits

  • 80/443 → web attacks

  • 53 → DNS tunneling

  • High (ephemeral) destination ports → malware callbacks

5. protocol

TCP/UDP/ICMP.

6. action

  • alert

  • block (IPS)

  • drop

  • allow (for detection mode)

7. payload / payload_printable

Raw bytes of attack payload (if logged).

8. app_proto

HTTP, TLS, SMB, DNS, SSH, etc.

9. flow_id

Useful for correlating multi-packet attacks.


How IDS/IPS Detects Attacks

Detection methods include:

1. Signature-Based

Example Snort rule:

alert tcp any any -> any 80 (msg:"SQLi Attempt"; content:"UNION SELECT"; nocase; sid:1000001; rev:1;)

Every rule needs a unique sid (local rules use 1000000 and above); nocase makes the match case-insensitive.

2. Behavior-Based

Suricata detects DNS tunneling by request volume (threshold rules that count DNS TXT queries from one host over a time window).

3. Anomaly-Based

Zeek flags unusual TLS handshakes.

4. Reputation-Based

Detection triggered by known malicious IP/domain.


Attacks Visible in IDS/IPS Logs

1. Brute Force / Credential Attacks

ET SCAN SSH Connection Attempts

2. Web Application Attacks

  • SQL Injection

  • XSS

  • Path Traversal

  • LFI/RFI

  • Remote Code Execution

3. Exploit Attempts

  • EternalBlue

  • Log4j JNDI

  • Struts RCE

  • Shellshock

  • Heartbleed

4. Malware Beaconing

C2 signatures matched from threat feeds.

5. Scanning & Recon

Nmap, Masscan, Zmap, Nikto.

6. Lateral Movement

SMB/WinRM exploitation attempts.

7. DNS/ICMP Tunneling

Data exfiltration via abnormal protocols.


SIEM Detection Queries (Practical)

Detect exploit attempts

alert.signature:*EXPLOIT*

Detect port scanning

alert.signature:*SCAN* AND src_ip:<same_ip> count>20 in 1min

Detect C2 callback

alert.signature:*C2* AND dest_ip NOT IN whitelist

Detect DNS tunneling

alert.signature:*DNS* AND alert.signature:*Tunneling*

Detect internal exploitation

src_ip:10.* AND dest_ip:10.* AND alert.signature:*EXPLOIT*

Detect high-priority IPS blocks

action:block AND priority:1
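The scan, C2 and internal-exploitation queries above, implemented in Python over Suricata EVE alert lines as an added example that is not part of this chapter; the events are constructed from the samples earlier in the chapter, and the 10.0.0.0/8 internal range and the C2 allowlist are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # the chapter's "10.*" internal range (assumption)
C2_ALLOWLIST = {"8.8.8.8"}            # hypothetical sanctioned destinations

def _event(ts, sig, src, dst, dport):
    """Build one constructed Suricata EVE alert line (sample data, not real telemetry)."""
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
                       "dest_port": dport, "proto": "TCP", "alert": {"signature": sig}})
# 25 SCAN alerts from one source within one minute, then C2 and EXPLOIT samples.
EVE_LINES = [_event(f"2025-01-10T02:21:{s:02d}.000Z", "ET SCAN Nmap Scripting Engine User-Agent Detected",
                    "185.33.11.44", "10.0.0.5", 22) for s in range(25)] + [
    _event("2025-01-10T02:30:00.000Z", "ET C2 Known Malware Host", "10.0.0.5", "91.22.113.10", 443),
    _event("2025-01-10T02:31:00.000Z", "ET C2 Known Malware Host", "10.0.0.5", "8.8.8.8", 443),
    _event("2025-01-10T02:40:00.000Z", "ET EXPLOIT EternalBlue MS17-010", "10.0.0.20", "10.0.0.22", 445),
    _event("2025-01-10T02:41:00.000Z", "ET EXPLOIT Apache Struts Remote Code Execution Attempt",
           "185.44.22.11", "10.0.0.50", 8080),
]

def load_alerts(lines):
    """Parse EVE JSON lines and keep only alert records (EVE also carries flow, dns, http ...)."""
    return [e for e in map(json.loads, lines) if e.get("event_type") == "alert"]

def _ts(e): return datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")

def scanners(alerts, threshold=20, window=timedelta(minutes=1)):
    """'*SCAN* AND src_ip count>20 in 1min' as a sliding window per source IP."""
    recent, hits = defaultdict(deque), set()
    for e in sorted(alerts, key=_ts):
        if "SCAN" not in e["alert"]["signature"]:
            continue
        q = recent[e["src_ip"]]
        q.append(_ts(e))
        while _ts(e) - q[0] > window:      # expire alerts older than the window
            q.popleft()
        if len(q) > threshold:
            hits.add(e["src_ip"])
    return hits

def c2_callbacks(alerts, allowlist=C2_ALLOWLIST):
    """'*C2* AND dest_ip NOT IN whitelist': beacons to destinations not on the allowlist."""
    return [e for e in alerts if "C2" in e["alert"]["signature"] and e["dest_ip"] not in allowlist]

def internal_exploits(alerts, internal=INTERNAL):
    """'src_ip:10.* AND dest_ip:10.* AND *EXPLOIT*': exploit traffic between internal hosts."""
    return [e for e in alerts if "EXPLOIT" in e["alert"]["signature"]
            and ip_address(e["src_ip"]) in internal and ip_address(e["dest_ip"]) in internal]
```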


Full Attack Timeline Using IDS/IPS Logs

Step 1 — External Recon

ET SCAN Nmap Scripting Engine

Step 2 — Exploit Attempt

ET EXPLOIT Apache Struts RCE

Step 3 — Successful Exploit

(no IPS block logged for the attempt, so treat it as possibly successful and pivot to the host and firewall logs)

Step 4 — Malware Download

Firewall logs show outbound to malicious IP.

Step 5 — C2 Communication

ET C2 Malware Beacon

Step 6 — Lateral Movement

ET EXPLOIT EternalBlue

Step 7 — DNS Tunneling / Data Exfiltration

ET DNS Excessive TXT Requests

This entire chain is visible because IDS logs record each attack attempt at the network layer, as long as a signature or behavioral rule exists for the technique used.


Analyst Workflow With IDS/IPS Logs

  1. Validate signature accuracy

  2. Determine if traffic was blocked or allowed

  3. Identify attacker IP and reputation

  4. Correlate with firewall logs

  5. Check if system logs show compromise

  6. Determine if exploit was successful

  7. Look for lateral movement after exploit

  8. Validate with endpoint logs (Sysmon, EDR)

  9. Build a timeline

  10. Escalate incident if compromise confirmed


Intel Dump

  • IDS/IPS logs detect exploits, network attacks, malware callbacks, C2, scanning, and tunneling.

  • Raw logs contain signature names, IDs, IPs, ports, protocol, action, and payload.

  • IDS = detection only, IPS = detection + prevention.

  • SOC analysts use IDS logs to identify exploitation attempts, C2 traffic, and lateral movement.

  • SIEM queries detect scanning, exploit attempts, C2 callbacks, DNS tunneling, and internal attacks.

  • IDS/IPS logs reveal full kill chains from recon → exploit → C2 → lateral movement → exfiltration.
