Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Principles of Intrusion Detection Systems
In practical terms, there are two main categories of IDS: host-based and network-based. A host-based IDS, obviously enough, resides on and protects a single host. In contrast, a network-based IDS resides on one or more hosts (any of which may be a dedicated “network probe”) and protects all the hosts connected to its network.
Host-Based IDSes: Integrity Checkers
Dedicated host-based IDSes rely overwhelmingly on integrity checking. In principle, a host-based IDS could draw on a much broader range of techniques: commercial products such as ISS RealSecure and Marcus Ranum’s Network Flight Recorder, both of which I categorize as network IDSes, can apply sophisticated methods (such as traffic analysis) to a single host if desired, so the distinction is more about where the sensor is deployed than about what techniques it uses.
Integrity checking involves the creation and maintenance of a protected database of checksums, cryptographic hashes, and other attributes (such as permissions, ownership, size, and modification time) of a host’s critical system files, and of anything else you don’t expect to change on that system. The integrity checker periodically compares those files against the database: if a file has changed, an error or alert is logged. Two caveats follow from this design. First, the baseline must be taken while the host is known to be clean (ideally immediately after installation, before it is exposed to the network); a database built from an already-compromised system merely records the intruder’s changes as normal. Second, prefer cryptographic hashes to simple checksums: an attacker who can modify a file can also pad it so that a CRC still matches, but cannot feasibly do so for a hash such as SHA-256. Ideally this database should be stored on a read-only volume, or off the system altogether, to prevent its being ...
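The scheme just described, as an added example (my own code, not the book’s and not any product’s): a minimal integrity checker in Python that records a SHA-256 digest plus mode, owner, size and mtime for every regular file and symlink under a directory, re-scans later, and reports entries that changed, appeared or disappeared. It goes slightly beyond the text in one respect: the serialised database carries an HMAC, so a copy that has been tampered with is rejected rather than silently trusted. The command-line usage and the key file are assumptions of this example; the files used by the accompanying test are constructed samples.

```python
"""Minimal host integrity checker (added example, not from the book)."""
import hashlib
import hmac
import json
import os
import stat
import sys

CHUNK = 64 * 1024


def file_attributes(path):
    """Collect the attributes an integrity checker records for one entry."""
    st = os.lstat(path)  # lstat: describe the link itself, do not follow it
    attrs = {
        "type": "symlink" if stat.S_ISLNK(st.st_mode) else "file",
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if attrs["type"] == "symlink":
        # A symlink's "content" is its target; repointing it is a change too.
        attrs["target"] = os.readlink(path)
    else:
        # Cryptographic hash rather than a CRC: an attacker cannot cheaply
        # craft a replacement file whose digest collides with the recorded one.
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                h.update(chunk)
        attrs["sha256"] = h.hexdigest()
    return attrs


def scan(root):
    """Walk root; return {relative path: attributes} for files and symlinks.

    Devices, sockets and FIFOs are skipped; directories are not hashed."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode) or stat.S_ISLNK(mode):
                db[os.path.relpath(full, root)] = file_attributes(full)
    return db


def compare(baseline, current):
    """Return a sorted list of (kind, path, changed_attribute_names) findings."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(("removed", path, None))
        elif path not in baseline:
            findings.append(("added", path, None))
        else:
            old, new = baseline[path], current[path]
            diff = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            if diff:
                findings.append(("changed", path, diff))
    return findings


def save_baseline(db, key):
    """Serialise the database with an HMAC tag so tampering is detectable."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"tag": tag, "body": body.decode()}).encode()


def load_baseline(blob, key):
    """Verify the HMAC before trusting anything in the database."""
    wrapper = json.loads(blob)
    body = wrapper["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["tag"]):
        raise ValueError("baseline database failed HMAC check; refusing to use it")
    return json.loads(body)


if __name__ == "__main__":
    # Assumed CLI (not the book's): integrity.py init|check ROOT DBFILE KEYFILE
    # KEYFILE holds the HMAC key; keep it and DBFILE on read-only or removable media.
    action, root, dbfile, keyfile = sys.argv[1:5]
    with open(keyfile, "rb") as f:
        key = f.read()
    if action == "init":
        with open(dbfile, "wb") as f:
            f.write(save_baseline(scan(root), key))
    else:
        with open(dbfile, "rb") as f:
            baseline = load_baseline(f.read(), key)
        for kind, path, detail in compare(baseline, scan(root)):
            print(kind, path, "" if detail is None else ",".join(detail))
```

Note that the HMAC only detects a modified database; it does not prevent an intruder with root from replacing the checker itself, the interpreter, or the key file if they are reachable from the host, which is exactly why the text recommends read-only or off-host storage. Also treat the digest, not the mtime, as the authoritative signal: mtime can be reset with `touch`, the hash cannot.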