
Revision as of 09:31, 8 July 2021 by DJ-ArcAngel

The very first line of defence is an Intrusion Detection System. Host-based systems (HIDS) perform their detection on the host itself; they will typically catch most intrusion attempts quickly and notify you immediately so you can remedy the situation.


Open Source Security, or OSSEC, is by far the leading open-source host-based intrusion detection system. The product is owned by Trend Micro, one of the leading names in IT security and maker of one of the best virus protection suites. When installed on Unix-like operating systems, the software primarily focuses on log and configuration files. It creates checksums of important files and periodically validates them, alerting you whenever something odd happens. It will also monitor and alert on any abnormal attempt at getting root access. On Windows hosts, the system also keeps an eye out for unauthorized registry modifications, which can be a tell-tale sign of malicious activity.


Samhain is another well-known free host intrusion detection system. Its main features, from an IDS standpoint, are file integrity checking and log file monitoring/analysis. It does far more than that, though. The product will perform rootkit detection, port monitoring, and detection of rogue SUID executables and hidden processes. The tool was designed to monitor multiple hosts running various operating systems while providing centralized logging and maintenance. However, Samhain can also be used as a stand-alone application on a single computer. The software primarily runs on POSIX systems like Unix, Linux or OS X. It can also run on Windows under Cygwin, a package that allows running POSIX applications on Windows, although only the monitoring agent has been tested in that configuration.


Sagan is actually more of a log analysis system than a true IDS. It has, however, some IDS-like features, which is why it deserves a place on our list. The tool locally watches the log files of the system where it is installed, but it can also interact with other tools. It could, for instance, analyze Snort's logs, effectively adding the NIDS functionality of Snort to what is essentially a HIDS. It won't just interact with Snort: Sagan can interact with Suricata as well, and it is compatible with several rule-building tools like Oinkmaster or Pulled Pork.