While Samhain and OSSEC HIDS can be compared qualitatively where there is feature overlap, they are two different products. A decision for a product should IMHO not be made by "liking" it, which is a subjective criterion, but be based on objective criteria like mandatory features (cross-platform, client-server paradigm, architecture, product maturity and maintenance, community support, scaling, performance, et cetera), usage requirements (tamper recognition and resilience, LKM detection, log anomaly detection, continuous detection coverage, signature to FP ratio, custom rules, SOX/HIPAA/PCI-DSS compliance, et cetera) and restrictions (not Python, not Lua, not Perl, not cronjob, not kernel-specific, not relying on third party tools, no install necessary, et cetera).
With all due respect, only saying "good" or "does better jobs" leads me to believe you didn't really think about it or didn't do any research. If that's the case, you best start with that; else, posting what three criteria are most important in your situation is a start for properly determining what you need.