Integrity checkers can serve as burglar alarms. But as such, they aren’t nearly as useful during an attack as they are afterwards: usually by the time the bad guys start changing files on a system, the attack has succeeded. This is because integrity checking is limited to the local system: it involves local files, not network packets. For more proactive intrusion detection (“intrusion in progress” or “attempted intrusion” detection), we need to monitor attempted and pending attacks while they’re still on the wire -- before they make landfall on our systems.
The undisputed champion Open Source NIDS is Snort. Snort is a marvelous, versatile thing. First, as a packet sniffer (or, if you prefer the more formal term, “protocol analyzer”), Snort is to tcpdump what Homo sapiens is to Homo habilis: same basic genetic material, better brain. As a packet sniffer, Snort is extraordinarily fast, thorough, and user-friendly (or at least geek-friendly).
Second, Snort is a packet logger. Snort can preserve complete audit trails of network traffic, trails that name names and encase evidence in (figurative) acrylic blocks.
Third, Snort is a 100% customizable network Intrusion Detection System with both a library of contributed attack signatures (“rules”) and a user-configurable rule engine. Snort not only holds its own against expensive commercial IDSes but in some cases is both better and faster than they are. In this regard, Snort is the GIMP, Apache, and Nessus of IDSes.
Unlike some commercial IDSes, it’s ...