Freeware Intrusion Detection Tools
Ido Dubrawsky
Firewalls and access control lists were once thought to be the ultimate solutions
in preventing network intrusion. Unfortunately, neither tool can detect an
intrusion attempt in real time or respond to one. This is
the gap that an Intrusion Detection System (IDS) fills. An IDS provides continual
real-time or near-real-time monitoring of a host or a network.
Intrusion detection systems can be divided into two primary categories: network-based
and host-based. Network-based IDS tools monitor traffic on the local network,
looking for traffic that matches a known signature for a given exploit, and
then notify the proper contacts of their findings. Host-based IDS tools detect
an intrusion on an individual system within the network. Although the ideal
case would be to prevent a system intrusion from happening, the fact is that
even with a network IDS in place, it is still possible for an attacker to find
ways around it. If that happens, a host-based IDS may be able to determine whether
the attacker has succeeded in penetrating a given system.
Network-based IDS tools come in two forms: real-time and near-real-time. Real-time
network-based IDS report suspicious traffic as soon as it is detected on the
wire. Near-real-time IDS gather network traffic and then, at a predetermined
interval (such as once an hour), provide an analysis of the previous interval's
data. One of the benefits of real-time IDS is the capability to respond to an
attack as it is happening. Near-real-time IDS still provide sufficient notification
of an attack in progress.
Host-based IDS monitor system files (such as wtmp/utmp on UNIX systems) and
log files, and check the integrity of system binaries, to determine whether
an intrusion has occurred.