
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
450
Chapter 13
CHAPTER 13
Simple Intrusion
Detection Techniques
Last night someone came into my house and replaced
everything with an exact duplicate.
—Steven Wright
Comprehensive logging, preferably with automated monitoring and notification, can
help keep you abreast of system security status (besides being invaluable in picking
up the pieces after a crash or a security incident). But as a security tool, logging only
goes so far: it’s no more sophisticated than the operating-system processes and appli-
cations that write those log messages. Events not anticipated by those processes and
applications may be logged with a generic message or, worse still, not at all. And
what if the processes, applications, or their respective logs are tampered with?
That’s where Intrusion Detection Systems (IDS) come in. A simple host-based IDS
can alert you to unexpected changes in important system files based on stored check-
sums. A network IDS (NIDS) can alert you to a potential attack in progress, based on
a database of known attack signatures or even on differences between your net-
work’s current state and what the IDS considers its normal state. Some of these
attacks (especially those at the application level, such as web exploits) might breeze
through your firewalls. Multiple layers of defense