The IT team’s requirement is automatic, real-time detection of abnormal session activity using predefined rules and traffic signatures. That description aligns most directly with an Intrusion Detection System (IDS), particularly a network IDS (NIDS) that monitors traffic, compares it against known patterns (signatures) and/or behavioral rules, and generates alerts when suspicious activity is detected. Session hijacking attempts often produce recognizable anomalies on the wire: segments with sequence numbers far outside the receive window, a second source injecting data into an established connection (often visible as a TTL or MAC address that changes mid-flow), unexpected RST or FIN segments, bursts of pure ACKs after the endpoints lose synchronization, and other protocol misuse. IDS rules can be written to detect these conditions across many hosts and segments without an analyst manually inspecting each capture.
The scenario explicitly contrasts this desired capability with “manual analysis,” which rules out option B. Tools like packet sniffers are valuable for investigation and confirmation, but they do not provide organization-wide automated alerting by themselves. An IDS is built for continuous monitoring and alert generation, making it appropriate for detecting red-team-simulated packet injection and session manipulation attempts. Two caveats a practitioner would keep in mind: an IDS alerts but does not block (that is the role of an IPS), and it only catches what its rules cover, so signatures or stream-tracking rules for these TCP anomalies must actually be present and tuned.
Why the other options are less suitable:
Checking for predictable session tokens (A) is an application-layer defensive review (and a good hardening practice), but it does not automatically detect packet injection behaviors occurring on the network in real time.
Monitoring for ACK storms (C) detects one symptom of TCP desynchronization: after an injected segment shifts one endpoint’s sequence numbers, both sides repeatedly send acknowledgments the other side rejects. It is a legitimate indicator, but it is a single rule rather than a general detection system. The requirement is broader: a monitoring system that flags suspicious session activity using rules and signatures, and an IDS fits that role (an ACK-storm check would simply be one of its rules).
Manual packet analysis (B) is explicitly what they want to avoid.
Therefore, the correct answer is D. Use an Intrusion Detection System (IDS).
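As an added example that is not part of the original explanation, the following Python script shows what the rule-based detection described above looks like in practice, and it includes the ACK-storm check from option C as just one rule among several. It is a toy NIDS analyzer: it tracks per-flow TCP state and raises an alert when a segment matches a predefined rule (TTL change mid-flow, sequence number far outside the window on a data or RST segment, burst of pure ACKs). The packet records, thresholds, rule names, and addresses are constructed for illustration and are not from any real capture or product.

```python
"""Toy rule-based detector for TCP session-hijacking indicators (added example).

All packets below are constructed, and the thresholds are hypothetical tuning
values chosen for the demonstration, not values taken from a real IDS.
"""
from collections import defaultdict
from dataclasses import dataclass, field

RECV_WINDOW = 65535       # tolerated distance from the expected sequence number
ACK_STORM_COUNT = 20      # this many pure ACKs in one flow ...
ACK_STORM_SECONDS = 1.0   # ... within this interval is reported as an ACK storm


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "A", "PA", "R"
    seq: int
    payload_len: int
    ttl: int


@dataclass
class FlowState:
    next_seq: dict = field(default_factory=dict)   # direction -> expected next seq
    ttl: dict = field(default_factory=dict)        # direction -> TTL first observed
    ack_times: list = field(default_factory=list)  # timestamps of recent pure ACKs
    storm_reported: bool = False


def flow_key(p):
    """Order the two endpoints so both directions map to one FlowState."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def seq_in_window(seq, expected):
    """True if seq is within RECV_WINDOW of expected in either direction (mod 2**32)."""
    diff = (seq - expected) & 0xFFFFFFFF
    return diff <= RECV_WINDOW or diff >= (1 << 32) - RECV_WINDOW


def detect(packets):
    """Run every packet through the rules; return a list of (ts, rule, detail)."""
    flows = defaultdict(FlowState)
    alerts = []
    for p in packets:
        st = flows[flow_key(p)]
        d = (p.src, p.sport)                      # sending direction

        # Rule 1: TTL changed mid-flow for one sender -> segment likely spoofed/injected.
        if d in st.ttl and p.ttl != st.ttl[d]:
            alerts.append((p.ts, "ttl-mismatch",
                           f"{p.src}:{p.sport} ttl {st.ttl[d]} -> {p.ttl}"))
        st.ttl.setdefault(d, p.ttl)

        # Rules 2/3: sequence number far outside the window (blind injection or reset).
        if d in st.next_seq and not seq_in_window(p.seq, st.next_seq[d]):
            rule = "out-of-window-rst" if "R" in p.flags else "out-of-window-segment"
            alerts.append((p.ts, rule,
                           f"{p.src}:{p.sport} seq {p.seq} expected ~{st.next_seq[d]}"))
        else:
            # Accepted segment: SYN and FIN each consume one sequence number.
            consumed = p.payload_len + (1 if ("S" in p.flags or "F" in p.flags) else 0)
            st.next_seq[d] = max(st.next_seq.get(d, 0), p.seq + consumed)

        # Rule 4: ACK storm, i.e. many pure ACKs (no payload) in a short interval.
        if p.flags == "A" and p.payload_len == 0:
            st.ack_times = [t for t in st.ack_times if t >= p.ts - ACK_STORM_SECONDS]
            st.ack_times.append(p.ts)
            if len(st.ack_times) >= ACK_STORM_COUNT and not st.storm_reported:
                st.storm_reported = True
                alerts.append((p.ts, "ack-storm",
                               f"{len(st.ack_times)} pure ACKs in {ACK_STORM_SECONDS}s"))
    return alerts


def sample_packets():
    """Constructed flow: normal handshake and data, then three attack symptoms."""
    c, s = ("10.0.0.5", 51000), ("10.0.0.10", 23)
    pk = lambda ts, src, dst, fl, seq, ln, ttl: Packet(ts, src[0], src[1], dst[0], dst[1], fl, seq, ln, ttl)
    pkts = [
        pk(0.00, c, s, "S", 1000, 0, 64),
        pk(0.01, s, c, "SA", 5000, 0, 63),
        pk(0.02, c, s, "A", 1001, 0, 64),
        pk(0.03, c, s, "PA", 1001, 10, 64),
        pk(0.04, s, c, "PA", 5001, 20, 63),
        pk(0.05, c, s, "A", 1011, 0, 64),
        # Injected data spoofing the client: correct seq, but a different TTL.
        pk(0.50, c, s, "PA", 1011, 8, 57),
        # Blind reset attempt: RST with a guessed, far-off sequence number.
        pk(0.60, s, c, "R", 900000, 0, 63),
    ]
    # Endpoints desynchronized by the injection exchange a burst of pure ACKs.
    for i in range(30):
        ts = round(1.0 + i * 0.01, 2)
        pkts.append(pk(ts, c, s, "A", 1011, 0, 64) if i % 2 == 0
                    else pk(ts, s, c, "A", 5021, 0, 63))
    return pkts


if __name__ == "__main__":
    for ts, rule, detail in detect(sample_packets()):
        print(f"{ts:6.2f}  {rule:22s} {detail}")
```

Running the script prints three alerts: the TTL mismatch on the spoofed data segment, the out-of-window RST, and the ACK storm once the twentieth pure ACK arrives within a second. The first six packets alone produce no alerts, which is the point of a rule set like this: it stays quiet on normal traffic and fires on the specific session anomalies the team wants surfaced automatically.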