Recommended Host Intrusion Detection System...

pnh73 · 09-20-2004, 09:20 AM

I am looking for an reasonably easy to configure, Open Source, Host Intrusion Detection System that I can run on my server. Does anybody have any recommendations, links or information about these?

Thanks in advance

m4dj4ck · 09-20-2004, 09:27 PM

1. samhain ( http://la-samhna.de/samhain/ )

2. Osiris ( http://osiris.shmoo.com/ )

dominant · 09-21-2004, 03:13 AM

Intresting thread.

Tripwire is a IDS isn't?

m4dj4ck · 09-21-2004, 03:49 AM

no. it is not. tripwire is not an IDS. it acts like aide, another open source file intregrity checker. it checks for changes in files/binaries/etc. tripwire is older than aide. aide is the improvement/replacement for tripwire.

dominant · 09-21-2004, 04:11 AM

any reference for the aide?

m4dj4ck · 09-21-2004, 05:05 AM

www.cs.tut.fi/~rammer/aide.html

dominant · 09-21-2004, 06:25 AM

I can see very slow improvements

aide - 0.10 - November 27, 2003

pnh73 · 09-21-2004, 11:21 AM

Thanks for your replies.
Samhain looks like the best bet for me at the moment. I like the security that is inbuilt into its logs and processes.

I am also looking for a system that can temporarily block IP's that are misbehaving, such as the SSH username attack that I am getting everyday and have quite a large list of IP's that are being now being blocked by the servers firewall (iptables/ipchains).

This list grows by the day and I was wondering if there is anything that I can implement to automatically detect these attacks and port scans on a host and then block the IP for a set time or something?

Thanks again