What is an Intrusion Detection System (IDS)?
An Intrusion Detection System (IDS) monitors network traffic for unusual or suspicious activity and sends an alert to the administrator. Detection of anomalous activity and reporting it to the network administrator is the primary function; however, some IDS software can take action based on rules when malicious activity is detected, for example blocking certain incoming traffic.
Here’s our list of the Best Intrusion Detection System Software and Tools:
- SolarWinds Security Event Manager EDITOR’S CHOICE Analyzes logs from Windows, Unix, Linux, and Mac OS systems. It manages data collected by Snort, including real-time data. SEM is also an intrusion prevention system, shipping with over 700 rules to shut down malicious activity. An essential tool for improving security, responding to events and achieving compliance.
- CrowdStrike Falcon (FREE TRIAL) A cloud-based endpoint protection platform that includes threat hunting.
- ManageEngine EventLog Analyzer (FREE TRIAL) A log file analyzer that searches for evidence of intrusion.
- Snort Provided by Cisco Systems and free to use, leading network-based intrusion detection system software.
- OSSEC Excellent host-based intrusion detection system that is free to use.
- Suricata Network-based intrusion detection system software that operates at the application layer for greater visibility.
- Zeek Network monitor and network-based intrusion prevention system.
- Sagan Log analysis tool that can integrate reports generated on snort data, so it is a HIDS with a bit of NIDS.
- Security Onion Network monitoring and security tool made up of elements pulled in from other free tools.
- AIDE The Advanced Intrusion Detection Environment is a HIDS for Unix, Linux, and Mac OS
- OpenWIPS-NG Wireless NIDS and intrusion prevention system from the makers of Aircrack-NG.
- Samhain Straightforward host-based intrusion detection system for Unix, Linux, and Mac OS.
- Fail2Ban Lightweight host-based intrusion detection software system for Unix, Linux, and Mac OS.
Types of Intrusion Detection Systems
There are two main types of intrusion detection systems (both are explained in more detail later in this guide):
- Host-based Intrusion Detection System (HIDS) – this system will examine events on a computer on your network rather than the traffic that passes around the system.
- Network-based Intrusion Detection System (NIDS) – this system will examine the traffic on your network.
Network intrusion detection software and systems are now essential for network security. Fortunately, these systems are very easy to use and most of the best IDSs on the market are free to use. In this review, you will read about the ten best intrusion detection system software that you can install now to start protecting your network from attack. We cover tools for Windows, Linux, and Mac.
- What is an Intrusion Detection System (IDS)?
- Types of Intrusion Detection Systems
- Host-based Intrusion Detection Systems (HIDS)
- Network-based Intrusion Detection Systems (NIDS)
- HIDS or NIDS?
- Detection methods: Signature-based or Anomaly-based IDS
- Defend the network with an IPS
- Intrusion detection systems by type and operating system
- Intrusion Detection Systems for Unix
- Intrusion Detection Systems for Linux
- Intrusion Detection Systems for Windows
- Intrusion Detection Systems for Mac OS
- The best intrusion detection systems software and tools
- Intrusion Detection Systems FAQs
- Further Reading
Host-based Intrusion Detection Systems (HIDS)
Host-based intrusion detection systems, also known as host intrusion detection systems or host-based IDS, examine events on a computer on your network rather than the traffic that passes around the system. This type of intrusion detection system is abbreviated to HIDS and it mainly operates by looking at data in admin files on the computer that it protects. Those files include log files and config files.
A HIDS will back up your config files so you can restore settings should a malicious virus loosen the security of your system by changing the setup of the computer. Another critical element that you want to guard against is root access on Unix-like platforms or registry alterations on Windows systems. A HIDS won’t be able to block these changes, but it should be able to alert you if any such access occurs.
Each host the HIDS monitors must have some software installed on it. You can just get your HIDS to monitor one computer. However, it is more typical to install the HIDS on every device on your network. This is because you don’t want to overlook config changes on any piece of equipment. Naturally, if you have more than one HIDS host on your network, you don’t want to have to login to each one to get feedback. So, a distributed HIDS system needs to include a centralized control module. Look for a system that encrypts communications between host agents and the central monitor.
See also: The Best HIDS
Network-based Intrusion Detection Systems (NIDS)
Network-based intrusion detection, also known as a network intrusion detection system or network IDS, examines the traffic on your network. As such, a typical NIDS has to include a packet sniffer to gather network traffic for analysis.
The analysis engine of a NIDS is typically rule-based and can be modified by adding your own rules. With many NIDS, the provider of the system, or the user community, will make rules available to you and you can just import those into your implementation. Once you become familiar with the rule syntax of your chosen NIDS, you will be able to create your own rules.
Chaining back to traffic collection, you don’t want to dump all of your traffic into files or run the whole lot through a dashboard because you just wouldn’t be able to analyze all of that data. So, the rules that drive analysis in a NIDS also create selective data capture. For example, if you have a rule for a type of worrisome HTTP traffic, your NIDS should only pick up and store HTTP packets that display those characteristics.
Typically, a NIDS is installed on a dedicated piece of hardware. High-end paid-for enterprise solutions come as a piece of network kit with the software pre-loaded onto it. However, you don’t have to pay out big bucks for the specialist hardware. A NIDS does require a sensor module to pick up traffic, so you may be able to load it onto a LAN analyzer, or you may choose to allocate a computer to run the task. However, make sure the piece of equipment that you choose for the task has enough clock speed not to slow down your network.
Related post: Best NIDS Software
HIDS or NIDS?
The short answer is both. A NIDS will give you a lot more monitoring power than a HIDS. You can intercept attacks as they happen with a NIDS. In contrast, a HIDS only notices anything is wrong once a file or a setting on a device has already changed. However, just because HIDS don’t have as much activity as NIDSs doesn’t mean that they are less important.
The fact that the NIDS is usually installed on a stand-alone piece of equipment means that it doesn’t drag down the processors of your servers. However, the activity of HIDS is not as aggressive as that of NIDS. A HIDS function can be fulfilled by a lightweight daemon on the computer and shouldn’t burn up too much CPU. Neither system generates extra network traffic.
Detection methods: Signature-based or Anomaly-based IDS
Whether you are looking for a host intrusion detection system or a network intrusion detection system, all IDSs use two modes of operation — some may only use one or the other, but most use both.
- Signature-based IDS
- Anomaly-based IDS
The signature-based method looks at checksums and message authentication. Signature-based detection methods can be applied just as well by NIDS as by HIDS. A HIDS will look at log and config files for any unexpected rewrites, whereas a NIDS will look at the checksums in captured packets and message authentication integrity of systems such as SHA1.
The NIDS may include a database of signatures that packets known to be sources of malicious activities carry. Fortunately, hackers don’t sit at their computers typing like fury to crack a password or access the root user. Instead, they use automated procedures supplied by well-known hacker tools. These tools tend to generate the same traffic signatures every time because computer programs repeat the same instructions over and over again rather than introducing random variations.
Anomaly-based detection looks for unexpected or unusual patterns of activities. This category can also be implemented by both host and network-based intrusion detection systems. In the case of HIDS, an anomaly might be repeated failed login attempts or unusual activity on the ports of a device that signify port scanning.
In the case of NIDS, the anomaly approach requires establishing a baseline of behavior to create a standard situation against which ongoing traffic patterns can be compared. A range of traffic patterns are considered acceptable, and when current real-time traffic moves out of that range, an anomaly alert is provoked.
Choosing an IDS method
Sophisticated NIDSs can build up a record of standard behavior and adjust their boundaries as their service life progresses. Overall, both signature and anomaly analysis is much simpler in operation and easier to set up with HIDS software than with NIDS.
Signature-based methods are much faster than anomaly-based detection. A fully comprehensive anomaly engine touches on the methodologies of AI and can cost a lot of money to develop. However, signature-based methods boil down to the comparison of values. Indeed, in the case of HIDS, pattern matching with file versions can be a very straightforward task that anyone could perform themselves using command-line utilities with regular expressions. So, they don’t cost as much to develop and are more likely to be implemented in free intrusion detection systems.
A comprehensive intrusion detection system needs both signature-based methods and anomaly-based procedures.
Defend the network with an IPS
Now we need to consider intrusion prevention systems (IPSs). IPS software and IDSs are branches of the same technology because you can’t have prevention without detection. Another way to express the difference between these two branches of intrusion tools is to call them passive or active. A straightforward intrusion monitoring and alerting system is sometimes called a “passive” IDS. A system that not only spots an intrusion but takes action to remediate any damage and block further intrusion attempts from a detected source, is also known as a “reactive” IDS.
Reactive IDSs, or IPSs, usually don’t implement solutions directly. Instead, they interact with firewalls and software applications by adjusting settings. A reactive HIDS can interact with a number of networking aides to restore settings on a device, such as SNMP or an installed configuration manager. Attacks on the root user, or admin user in Windows, usually aren’t dealt with automatically as the blocking of an admin user or changing the system password would result in locking the system administrator out of the network and servers.
Many users of IDSs report a flood of false positives when they first install their defense systems, just as IPSs automatically implement defense strategy on detection of an alert condition. Incorrectly calibrated IPSs can cause havoc and bring your legitimate network activity to a standstill.
To minimize the network disruption that can be caused by false alarms, you should introduce your intrusion detection and prevention system in stages. Triggers can be tailored and you can combine warning conditions to create custom alerts. The statement of actions that need to be performed on the detection of potential threats is termed a policy. The interaction of intrusion detection and prevention procedures with firewalls should be particularly fine-tuned to prevent your business’s genuine users from being locked out by over-tight policies.
Intrusion detection systems by type and operating system
The producers of IDS software focus on Unix-like operating systems. Some produce their code according to the POSIX standard. In all of these cases, that means that Windows is excluded. As the Mac OS operating systems of Mac OS X and macOS are based on Unix, these operating systems are much better catered to in the IDS world than in other software categories. The table below explains which IDSs are host-based, which are network-based, and which operating systems each can be installed on.
You may read some reviews that claim that Security Onion can be run on Windows. It can if you first install a virtual machine and run it through that. However, for the definitions in this table, we only count software as being compatible with an operating system if it can be installed directly.
Top Intrusion Detection Software & Tools
|SolarWinds Security Event Manager EDITOR'S CHOICE||Both||No||No||Yes||No|
|CrowdStrike Falcon (FREE TRIAL)||HIDS||Yes||Yes||Yes||Yes|
|ManageEngine EventLog Analyzer||HIDS||Yes||Yes||Yes||Yes|
Intrusion Detection Systems for Unix
To restate the information in the table above into a Unix-specific list, here are the HIDS and NIDS you can use on the Unix platform.
Host intrusion detection systems:
- CrowdStrike Falcon
- EventLog Analyzer
Network intrusion detection systems:
Intrusion Detection Systems for Linux
Here are lists of the host intrusion detection systems and network intrusion systems that you can run on the Linux platform.
Host intrusion detection systems:
- CrowdStrike Falcon
- EventLog Analyzer
- Security Onion
Network intrusion detection systems:
- Security Onion
- Open WIPS-NG
Intrusion Detection Systems for Windows
Despite the popularity of Windows Server, the developers of intrusion detection systems don’t seem to be very interested in producing software for the Windows operating system. Here are the few IDSs that run on Windows.
Host intrusion detection systems:
- SolarWinds Security Event Manager
- EventLog Analyzer
Network intrusion detection systems:
- SolarWinds Security Event Manager
Intrusion Detection Systems for Mac OS
Mac owners benefit from the fact that Mac OS X and macOS are both based on Unix and so there are far more intrusion detection system options for Mac owners than those who have computers running the Windows operating system.
Host intrusion detection systems:
- CrowdStrike Falcon
- EventLog Analyzer
Network intrusion detection systems:
The best intrusion detection systems software and tools
What should you look for in intrusion detection system software?
We reviewed the market for IDS tools and analyzed the options based on the following criteria:
- A competent log gathering and management service
- A log analysis system with pre-written tools for intruder detection
- A live network monitor that looks for anomalous activity
- Threat hunting capabilities that alert when suspicious activity is detected
- Triage processes that focus detection processing on well-known combinations of intruder actions
- A free trial or money-back guarantee for a risk-free assessment
- Value for money represented by a good price for the tools provided
Now you have seen a quick rundown of host-based intrusion detection systems and network-based intrusion detection systems by operating system, in this list, we go deeper into the details of each of the best IDS.
The SolarWinds Security Event Manager (SEM) runs on Windows Server, but it can log messages generated by Unix, Linux, and Mac OS computers as well as Windows PCs.
As a log manager, this is a host-based intrusion detection system because it is concerned with managing files on the system. However, it also manages data collected by Snort, which makes it part of a network-based intrusion detection system.
- Analyzes log files
- Can process live data
- Compatible with Snort
- Automatic remediation
Snort is a widely-used packet sniffer created by Cisco Systems (see below). It has a specific data format, which other IDS tool producers integrate into their products. This is the case with the SolarWinds Security Event Manager. Network intrusion detection systems examine traffic data as it circulates on the network. To deploy the NIDS capabilities of the Security Event Manager, you would need to use Snort as a packet capture tool and funnel captured data through to the Security Event Manager for analysis. Although LEM acts as a HIDS tool when it deals with log file creation and integrity, it is capable of receiving real-time network data through Snort, which is a NIDS activity.
The SolarWinds product can act as an intrusion prevention system as well because it can trigger actions on the detection of intrusion. The package ships with more than 700 event correlation rules, which enables it to spot suspicious activities and automatically implement remediation activities. These actions are called Active Responses.
These Active Responses include:
- Incident alerts via SNMP, screen messages, or email
- USB device isolation
- User account suspension or user expulsion
- IP address blocking
- Processes killing
- System shutdown or restart
- Service shutdown
- Service triggering
The Snort message processing capabilities of the Security Event Manager make it a very comprehensive network security monitor. Malicious activity can be shut down almost instantly thanks to the tool’s ability to combine Snort data with other events on the system. The risk of disrupting the service through the detection of false positives is greatly reduced thanks to the finely-tuned event correlation rules.
- Built with enterprise in mind, can monitor Windows, Linux, Unix, and Mac operating systems
- Supports tools such as Snort, allowing SEM to be part of a larger NIDS strategy
- Over 700 pre-configured alerts, correlation rules, and detection templates provide instant insights upon install
- Threat response rules are easy to build and use intelligent reporting to reduce false positives
- Built-in reporting and dashboard features help reduce the number of ancillary tools you need for your IDS
- Feature dense – requires time to fully explore all features
You can access this network security system on a 30-day free trial.
Security Event Manager is an essential tool for improving security, responding to events and achieving compliance. Great for collecting, consolidating and visualizing log events including real-time threat detection and pattern recognition. It can respond automatically to suspicious activities on the network, even down to the device and user level.
Get 30 Day Free Trial: solarwinds.com/security-event-manager
OS: Microsoft Hyper-V Server 2016, 2012 R2, or 2012
The CrowdStrike Falcon system is an endpoint protection platform (EPP). This is a HIDS because it monitors activity on individual endpoints rather than network activity. However, unlike a typical HIDS, the system doesn’t focus on the log files on the monitored devices but looks at the processes running on each computer, which is typically a NIDS strategy.
- Endpoint protection platform
- Examines log files
- Processes data in the cloud
- Cloud-based console
The Falcon platform is a bundle of modules. The HIDS functionality is provided by the Falcon Insight unit. This is an endpoint detection and response (EDR) system. The core module of the EPP is called Falcon Prevent, which is a next-gen AV system. This also uses HIDS methodologies to detect malicious behavior. The difference between the methods of these two modules is slight as both methods monitor for anomalous behavior. However, the identifying characteristic of Falcon Prevent is that it is searching for malicious software, while Falcon Insight is specifically looking for intrusions.
Falcon Insight records the events on a protected computer, which need to be stored in a log file, so the research and detection element of the tool use pure HIDS strategies once those events are written. The event gathering element of the EPP is an agent, which has to be installed on the protected device. The agent communicates with the central processing system of the EPP, which is cloud-resident. The human administrator of the protected endpoints accesses the Falcon dashboard through any standard browser.
The advantage of the hybrid on-premises/cloud architecture of the CrowdStrike Falcon software is that the system is very lightweight on your equipment. All of the processing power for threat analysis is provided in with the analysis software on the CrowdStrike servers. This means that installing this security service won’t slow down computers, keeping them free to perform the tasks for which they were provided. However, the agent also acts as the threat remediation implementer, so it keeps working even if the internet connection becomes unavailable.
- Doesn’t rely on only log files to threat detection, uses process scanning to find threats right away
- Acts as a HIDS and endpoint protection tool all in one
- Can track and alert anomalous behavior over time, improves the longer it monitors the network
- Can install either on-premise or directly into a cloud-based architecture
- Lightweight agents won’t slow down servers or end-user devices
- Would benefit from a longer trial period
CrowdStrike Falcon is available in four editions: Pro, Enterprise, Premium, and Complete. Falcon Insight is included with the Premium and Enterprise editions. The Complete Edition is a managed service, which is customized by negotiation. CrowdStrike offers a 15-day free trial of the Falcon EPP.
ManageEngine is a leading producer of IT network infrastructure monitoring and management solutions. EventLog Analyzer is part of the company’s security products. This is a HIDS that focuses on managing and analyzing log files generated by standard applications and operating systems. The tool installs on Windows Server or Linux. It gathers data from those operating systems and also from Mac OS, IBM AIX, HP UX, and Solaris systems. The logs from Windows systems include sources from Windows Server Windows Vista and above and the Windows DHCP Server.
- Manages and analyzes log files
- Auditing for data protection standards compliance
Apart from operating systems, the service gathers and consolidates logs from Microsoft SQL Server and Oracle databases. It is also able to channel alerts from a number of antivirus systems, including Microsoft Anti-malware, ESET, Sophos, Norton, Kaspersky, FireEye, Malwarebytes, McAfee, and Symantec. It will gather logs from web servers, firewalls, hypervisors, routers, switches, and network vulnerability scanners.
EventLog Analyzer gathers log messages and operates as a log file server, organizing messages into files and directories by message source and date. Urgent warnings are also forwarded to the EventLog Analyzer dashboard and can be fed through to Help Desk systems as tickets to provoke immediate attention from technicians. The decision over what events constitute a potential security breach is driven by a threat intelligence module that is built into the package.
The service includes automatic log searches and event correlation to compile regular security reports. Among those reports is a format for Privileged User Monitoring and Auditing (PUMA) and a variety of formats needed to demonstrate compliance with PCI DSS, FISMA, ISO 27001, GLBA, HIPAA, SOX, and GDPR.
- Can install on either Windows or Linux, giving sysadmin more flexibility
- Supports alert forwarding from major antivirus brands such as ESET, Malwarebytes, and Norton.
- Supports dozens of different brand hardware switches, routers, firewalls, and access points
- Can monitor user permissions for compliance standards like HIPAA, PCI, and FISMA
- Highly detailed platform, best suited for larger networks and enterprises
The ManageEngine EventLog Analyzer is available in three editions. The first of these is Free. However, the Free edition is limited to monitoring log messages from five sources, which isn’t really sufficient for any modern business beyond very small enterprises. The two paid editions are Premium and Distributed. The Distributed plan is significantly more expensive than the Premium plan. The Premium system should be sufficient for most single-site enterprises, while the distributed version will cover multiple sites and an unlimited number of log record sources. You can try out the system with a 30-day free trial that has a limit of 2,000 log message sources.
Snort is the industry leader in NIDS, but it is still free to use. This is one of the few IDSs around that can be installed on Windows. It was created by Cisco. The system can be run in three different modes and can implement defense strategies, so it is an intrusion prevention system as well as an intrusion detection system.
The three modes of Snort are:
- Sniffer mode
- Packet logger
- Intrusion detection
You can use snort just as a packet sniffer without turning on its intrusion detection capabilities. In this mode, you get a live readout of packets passing along the network. In packet logging mode, those packet details are written to a file.
- Industry leading NIDS
- Supported by Cisco Systems
When you access the intrusion detection functions of Snort, you invoke an analysis module that applies a set of rules to the traffic as it passes by. These rules are called “base policies,” and if you don’t know which rules you need, you can download them from the Snort website. However, once you become confident in the methodologies of Snort, it is possible to write your own. There is a large community base for this IDS and they are very active online on the community pages of the Snort website. You can get tips and help from other users and also download rules that experienced Snort users have developed.
The rules will detect events such as stealth port scans, buffer overflow attacks, CGI attacks, SMB probes, and OS fingerprinting. The detection methods depend on the specific rules being used and they include both signature-based methods and anomaly-based systems.
- Completely free and open-source
- Large community shares new rule sets and configurations for sysadmins to deploy in their environment
- Supports packet sniffing for live traffic analysis in conjunction with log scanning
- Highly complex, even with preconfigured rules deep knowledge is required
- Reliant on the community for support
- Has a steep learning curve than other products with dedicated support
Snort’s fame has attracted followers in the software developer industry. Several applications that other software houses have created can perform a deeper analysis of the data collected by Snort. These include Snorby, BASE, Squil, and Anaval. Those companion applications help you make up for the fact that the interface for Snort isn’t very user-friendly.
OSSEC stands for Open Source HIDS Security. It is the leading HIDS available and it is entirely free to use. As a host-based intrusion detection system, the program focuses on the log files on the computer where you install it. It monitors the checksum signatures of all your log files to detect possible interference. On Windows, it will keep tabs on any alterations to the registry. On Unix-like systems, it will monitor any attempts to get to the root account. Although OSSEC is an open-source project, it is actually owned by Trend Micro, a prominent security software producer.
- Log file analyzer
- Free policies
- Alerting system
The main monitoring application can cover one computer or several hosts, consolidating data in one console. Although there is a Windows agent that allows Windows computers to be monitored, the main application can only be installed on a Unix-like system, which means Unix, Linux or Mac OS. There is an interface for OSSEC for the main program, but this is installed separately and is no longer supported. Regular users of OSSEC have discovered other applications that work well as a front-end to the data gathering tool: include Splunk, Kibana, and Graylog.
The log files covered by OSSEC include FTP, mail, and web server data. It also monitors operating system event logs, firewall and antivirus logs and tables, and traffic logs. The behavior of OSSEC is controlled by the policies that you install on it. These can be acquired as add-ons from the large user community that is active for this product. A policy defines an alert condition. Those alerts can be displayed on the console or sent as notifications via email.
- Completely free and open-source
- Utilizes checksums to verify log and file integrity
- Supports root account monitor on Unix/Linux systems
- Strong community support offering new templates and scanning profiles
- Reliant on the community for support – although additional paid support is available
- Could use better reporting and visualization features
Trend Micro offers support for OSSEC for a fee.
Suricata is probably the main alternative to Snort. There is a crucial advantage that Suricata has over Snort, which is that it collects data at the application layer. This overcomes blindness that Snort has to signatures split over several TCP packets. Suricata waits until all of the data in packets is assembled before it moves the information into analysis.
- Application Layer operations
- Operates on live data
Although the system works at the application layer, it can monitor protocol activity at lower levels, such as IP, TLS, ICMP, TCP, and UDP. It examines real-time traffic for different network applications including FTP, HTTP, and SMB. The monitor doesn’t just look at packet structure. It can examine TLS certificates and focus on HTTP requests and DNS calls. A file extraction facility lets you examine and isolate suspicious files with virus infection characteristics.
Suricata is compatible with Snort and you can use the same VRT rules written for that NIDS leader. Those third-party tools, such as Snorby, BASE, Squil, and Anaval that integrate with Snort can also bolt on to Suricata. So, accessing the Snort community for tips and free rules can be a big benefit for Suricata users. A built-in scripting module allows you to combine rules and get a more precise detection profile than Snort can give you. Suricata uses both signature and anomaly detection methodologies.
Suricata has a clever processing architecture that enables hardware acceleration by using many different processors for simultaneous, multi-threaded activity. It can even run partly on your graphics card. This distribution of tasks keeps the load from bearing down on just one host. That’s good because one problem with this NIDS is that it is quite heavy on processing.
- Collects data at the application layers, giving it unique visibility where products like Snort can’t see
- Analyzes and reassembles protocol packets very efficiently
- Can monitor multiple protocols and check the integrity of certificates in TLS, HTTP, and SSL
- Is compatible with other tools that use the VRT rule format
- Built-in scripting could be easier to use
- Is free, but doesn’t have as large of a community as tools like Snort or Zeek
- Could use better-looking visualizations on the live dashboard
Suricata has a very slick-looking dashboard that incorporates graphics to make analysis and problem recognition a lot easier. Despite this expensive-looking front-end, Suricata is free of charge.
Zeek (formerly Bro) is a free NIDS that goes beyond intrusion detection and can provide you with other network monitoring functions as well. The user community of Zeek includes many academic and scientific research institutions.
The Zeek intrusion detection function is fulfilled in two phases: traffic logging and analysis. As with Suricata, Zeek has a major advantage over Snort in that its analysis operates at the application layer. This gives you visibility across packets to get a broader analysis of network protocol activity.
- Signature detection
- Anomaly analysis
The analysis module of Zeek has two elements that both work on signature detection and anomaly analysis. The first of these analysis tools is the Zeek event engine. This tracks for triggering events, such as a new TCP connection or an HTTP request. Each event is logged, so this part of the system is policy-neutral — it just provides a list of events in which analysis may reveal repetition of actions or suspiciously diverse activity generated by the same user account.
The mining of that event data is performed by policy scripts. An alert condition will provoke an action, so Zeek is an intrusion prevention system as well as a network traffic analyzer. The policy scripts can be customized but they generally run along a standard framework that involves signature matching, anomaly detection, and connection analysis.
You can track HTTP, DNS, and FTP activity with Zeek and also monitor SNMP traffic, enables you to check on device configuration changes and SNMP Trap conditions. Each policy is a set of rules and you are not limited to the number of active policies or the protocol stack additional layers that you can examine. At lower levels, you can watch out for DDoS syn flood attacks and detect port scanning.
- Highly customizable, designed for security professionals
- Supports application layer traffic analysis as well as log-based scanning
- Utilizes signature detection and anomalous behavior scanning to detect known and unknown threats
- Supports automation through scripting, allowing admins to script different actions easily
- Only available for Unix, Linux, and Mac
- Not user friendly, requires deep knowledge of SIEMs, NIDS, IDS, etc
- Better suited for researchers and specialists
Zeek can be installed on Unix, Linux, and Mac OS.
Sagan is a host-based intrusion detection system, so this is an alternative to OSSEC and it is also free to use. Despite being a HIDS, the program is compatible with data gathered by Snort, which is a NIDS system. This compatibility also extends to the other tools that can be used in conjunction with Snort, such as Snorby, BASE, Squil, and Anaval. Data sources from Zeek and Suricata can also feed into Sagan. This tool can be installed on Unix, Linux, and Mac OS. Although you can’t run Sagan on Windows, you can feed windows event logs into it.
- Log analysis
- Network traffic analysis
Strictly speaking, Sagan is a log analysis tool. The element that it lacks to make it a stand-alone NIDS is a packet sniffer module. However, on the plus side, this means that Sagan doesn’t require dedicated hardware and it has the flexibility to analyze both host logs and network traffic data. This tool would have to be a companion to other data gathering systems to create a full intrusion detection system.
Some nice features of Sagan include an IP locator, which enables you to see the geographical location of the IP addresses that are detected as having suspicious activities. This will enable you to aggregate the actions of IP addresses that seem to be working in concert to form an attack. Sagan can distribute its processing over several devices, lightening the load on the CPU of your key server.
This system includes script execution, which means that it will generate alerts and perform actions on the detection of intrusion scenarios. It can interact with firewall tables to implement IP bans in the event of suspicious activity from a specific source. So, this is an intrusion prevention system. The analysis module works with both signature and anomaly detection methodologies.
- Free log analysis tool
- Is compatible with other open-source tools like Zeek and Snort
- Features an IP address locator which can give geopolitical information on addresses
- Cannot install Windows operating systems
- Is more of a HIDS tool than a traditional IDS
- Has a fairly sharp learning curve for new users
Sagan doesn’t make it onto everyone’s list of the best IDSs because it doesn’t truly qualify as an IDS, being a log file analyzer. However, its HIDS with a splash of NIDS concept makes it an interesting proposition as a hybrid IDS analysis tool component.
For a blend of IDS solutions, you could try the free Security Onion system. Most of the IDS tools in this list are open source projects. That means that anyone can download the source code and change it.
That’s exactly what the developer of Security Onion did. He took elements from the source code of Snort, Suricata, OSSEC, and Zeek and stitched them together to make this free Linux-based NIDS/HIDS hybrid. Security Onion is written to run on Ubuntu and it also integrates elements from front-end systems and analysis tools including Snorby, Sguil, Squert, Kibana, ELSA, Xplico, and NetworkMiner.
- HIDS/NIDS hybrid
- Log file tamper alerts
Although Security Onion is classified as a NIDS, it does include HIDS functions as well. It will monitor your log and config files for suspicious activities and check on the checksums of those files for any unexpected changes. One downside of the Security Onion’s comprehensive approach to network infrastructure monitoring is its complexity. It has several different operating structures and there isn’t really sufficient learning material online or bundled in to help the network administrator get to grips with the full capabilities of the tool.
Network analysis is conducted by a packet sniffer, which can display passing data on a screen and also write to a file. The analysis engine of Security Onion is where things get complicated because there are so many different tools with different operating procedures that you may well end up ignoring most of them. The interface of Kibana provides the dashboard for Security Onion and it does include some nice graphs and charts to ease status recognition.
- Free open-source software
- Designed for security professionals
- Features built-in packet sniffer for live traffic analysis
- Only available for Linux
- Uses Kibana for visualization which can be complicated for newer users
- Interface is complicated and not user friendly
Both signature-based and anomaly-based alert rules are included in this system. You get information on device status as well as traffic patterns. All of this could really do with some action automation, which Security Onion lacks.
“Advanced Intrusion Detection Environment” is a lot to write, so the developers of this IDS software decided to abbreviate its name to AIDE. This is a free HIDS that focuses on rootkit detection and file signature comparisons for Unix and Unix-like operating systems, so it will work on Mac OS and Linux as well.
- Creates configuration baseline
- Rolls back unauthorized changes
If you have considered Tripwire, you would be better off looking at AIDE instead, because this is a free replacement for that handy tool. Tripwire has a free version, but a lot of the key functions that most people need from an IDS are only available with the paid-for Tripwire, so you get a lot more functionality for free with AIDE.
The system compiles a database of admin data from config files when it is first installed. That creates a baseline and then any changes to configurations can be rolled back whenever changes to system settings are detected. The tool includes both signature and anomaly monitoring methods. System checks are issued on demand and do not run continuously, which is a bit of a shortfall with this HIDS. As this is a command-line function, though, you can schedule it to run periodically with an operating method, such as cron. If you want near real-time data, you could just schedule it to run very frequently.
- Free open-source software
- Designed for security professionals
- Extremely lightweight deployment
- Only available for Linux and Unix operating systems
- Not beginner-friendly
- Utilizes command-line interface for most actions
- Lack many features found in other NID tools
AIDE is really just a data comparison tool and it doesn’t include any scripting language, you would have to rely on your shell scripting skills to get data searching and rule implementation functions into this HIDS. Maybe AIDE should be considered more as a configuration management tool rather than as an intrusion detection system.
If you have heard about Aircrack-NG, then you might be a little cautious of this network-based IDS because it was developed by the same entrepreneur. Aircrack-NG is a wireless network packet sniffer and password cracker that has become part of every wifi network hacker’s toolkit.
In WIPS-NG we see a case of poacher-turned-gamekeeper. This free software is designed to defend wireless networks. Although Aircrack-NG can run on a range of operating systems, Open WIPS-NG only runs on Linux. The name “WIPS” stands for “wireless intrusion prevention system,” so this NIDS both detects and blocks intrusions.
The system includes three elements:
- Sensor module
There are plans to allow a WIPS-NG installation to monitor multiple sensors. However, at the moment, each installation can only include one sensor. That shouldn’t be too much of a problem because you can achieve multiple tasks with just the one sensor. The sensor is a packet sniffer, which also has the ability to manipulate wireless transmissions in mid-flow. So the sensor acts as the transceiver for the system.
The information gathered by the sensor is forwarded to the server, which is where the magic happens. The server program suite contains the analysis engine that will detect intrusion patterns. Intervention policies to block detected intrusions are also produced at the server. The actions required to protect the network are sent as instructions to the sensor.
- Highly flexible tool, developed by the hacking community
- Lightweight command-line interface
- Easy to memorize syntax
- Not beginner-friendly
- Designed primarily for security specialists
- Relies on other tools to expand functionality
The interface module of the system is a dashboard that displays events and alerts to the systems administrator. This is also where settings can be tweaked and defensive actions can be adjusted or overridden.
Samhain, produced by Samhain Design Labs in Germany, is a host-based intrusion detection system software that is free to use. It can be run on one single computer or many hosts, offering centralized data gathering on the events detected by the agents running on each machine.
The tasks performed by each agent include file integrity checking, log file monitoring, and port monitoring. The processes look for rootkit viruses, rogue SUIDs (user access rights), and hidden processes. The system applies encryption to communications between agents and a central controller in multi-host implementations. Connections for the delivery of log file data include authentication requirements, which prevent intruders from hijacking or replacing the monitoring process.
The data gathered by Samhain enables analysis of activities on the network and will highlight warning signs of intrusion. However, it will not block intrusion or clear out rogue processes. You will need to keep backups of your configuration files and user identities to resolve the problems that the Samhain monitor reveals.
One problem with hacker and virus intrusion is that the intruder will take steps to hide. This includes killing off monitoring processes. Samhain deploys a stealth technology to keep its processes hidden, thus preventing intruders from manipulating or killing the IDS. This stealth method is called “steganography.”
Central log files and configuration backups are signed with a PGP key to prevent tampering by intruders.
- Free open-source tool
- Can detect rouge processes as well as intrusions from log files
- Can monitor user access rights to detect privilege escalation and insider threats
- No paid support options
- Not available for Windows operating systems
- Interface feels outdated and not easy to use
- Lacks robust community found in more popular open-source NID tools
Samhain is an open-source network intrusion detection system that can be downloaded for free. It was designed along POSIX guidelines to make it compatible with Unix, Linux, and Mac OS. The central monitor will aggregate data from disparate operating systems.
Fail2Ban is a free host-based intrusion detection system that focuses on detecting worrisome events recorded in log files, such as excessive failed login attempts. The system sets blocks on IP addresses that display suspicious behavior. These bans usually only last a few minutes, but that can be enough to disrupt a standard automated brute force password cracking scenario. This security policy can also be effective against DoS attacks. The actual length of the IP address ban can be adjusted by an administrator.
Fail2Ban is actually an intrusion prevention system because it can take action when suspicious activity is detected and doesn’t just record and highlight possible suspected intrusions.
Therefore, the system administrator has to be careful about access policies when setting up the software because a prevention strategy that is too tight could easily lock out bona fide users. A problem with Fail2Ban is that it focuses on repeated actions from one address. This doesn’t give it the ability to cope with distributed password cracking campaigns or DDoS attacks.
Fail2Ban is written in Python and it is able to write to system tables to block out suspicious addresses. These automatic lockouts occur in Netfilter, iptables, PF firewall rules, and the hosts.deny table of TCP Wrapper.
The attack monitoring scope of the system is defined by a series of filters that instruct the IPS on which services to monitor. These include Postfix, Apache, Courier Mail Server, Lighttpd, sshd, vsftpd, and qmail. Each filter is combined with an action to perform in the event of an alert condition being detected. The combination of a filter and an action is called a “jail.”
- Completely free tool
- Automatically bans attacking IP addresses
- Acts as a combination IDS and HIDS
- No paid support
- Command-line interface is not as user friendly as other options
- Available for Unix, Linux, and Mac only
This system is written to the POSIX standard, so it can be installed on Unix, Linux, and Mac OS operating systems.
How to select IDS software for your network
The hardware requirement of network-based IDS solution may put you off and push you towards a host-based system, which is a lot easier to get up and running. However, don’t overlook the fact that you don’t need specialized hardware for these systems, just a dedicated host.
In truth, you should be looking at getting both a HIDS and a NIDS for your network. This is because you need to watch out for configuration changes and root access on your computers as well as looking at unusual activities in the traffic flows on your network.
The good news is that all of the systems on our list are free of charge or have free trials, so that you could try out a few of them. The user community aspect of these systems may draw you towards one in particular if you already have a colleague that has experience with it. The ability to get tips from other network administrators is a definitive draw to these systems. It makes them even more appealing than paid-for solutions with professional Help Desk support.
If your company is in a sector that requires standard security compliance, such as a PCI, then you really are going to need an IDS solution in place. Also, if you hold personal information on members of the public, your data protection procedures need to be up to scratch to prevent your company from being sued for data leakage.
Although it probably takes all of your working day just to keep on top of your network admin in-tray, don’t put off the decision to install an intrusion detection system. Hopefully, this guide has given you a push in the right direction. If you have any recommendations on your favorite IDS and if you have experience with any of the software mentioned in this guide, leave a note in the comments section below and share your thoughts with the community.
Intrusion Detection Systems FAQs
What is an IDS and IPS?
An IDS is an intrusion detection system and an IPS is an intrusion prevention system. While an IDS works to detect unauthorized access to network and host resources, an IPS does all of that plus implements automated responses to lock the intruder out and protect systems from hijacking or data from theft. An IPS is an IDS with built-in workflows that are triggered by a detected intrusion event.
Explain Snort vs OSSEC
Both Snort and OSSEC are open source IDSs. Snort is a network-based intrusion detection system (NIDS) and OSSEC is a host-based intrusion detection system (HIDS). The key difference between the approaches of Snort and OSSEC is that the NIDS methods of Snort work on data as it passes through the network. The HIDS system of OSSEC examines the log files on computers around the network to look for unexpected events. Both Snort and OSSEC are leading IDSs.
How do host-based intrusion detection systems work?
Host-based Intrusion Detection Systems (HIDS) examine log files to identify unauthorized access or inappropriate use of system resources and data. The main sources for host-based intrusion detection systems are logs generated by Syslog and Windows Events. While some host-based intrusion detection systems expect the log files to be gathered and managed by a separate log server, others have their own log file consolidators built-in and also gather other information, such as network traffic packet captures.
What are active and passive IDS?
Intrusion Detection Systems (IDS) only need to identify unauthorized access to a network or data in order to qualify for the title. A passive IDS will record an intrusion event and generate an alert to draw an operator’s attention. The passive IDS can also store information on each detected intrusion and support analysis. An active IDS is also known as an Intrusion Prevention System (IPS) or an Intrusion Detection and Prevention System (IDPS) because as well as spotting an intrusion, it implements automated actions to block out the intruder and protect resources.
How does the IDS define normal use?
There are two methods that an IDS can use to define normal use – some IDS tools use both. One is to compare events to a database of attack strategies, so the definition of normal use is any activity that does not trigger recognition of an attack. The other method is to use AI-based machine learning to record regular activity. The AI method can take a while to build up its definition of normal use.
What are the best intrusion detection and prevention systems?
Our research ranks the best intrusion detection and prevention systems as SolarWinds Security Event Manager, Snort, OSSEC, and ManageEngine EventLog Analyzer are the leading systems as outlined in this article.
Comparitech networking guides
- Top LAN monitoring tools
- The definitive guide to DHCP
- The definitive guide to SNMP
- The ultimate guide to mobile device management (MDM)
- The ultimate guide to BYOD
- Top server management & monitoring tools
- The best free NetFlow analyzers and collectors for Windows
- Best free network vulnerability scanners and how to use them
- Best packet sniffers and network analyzers
- Best free bandwidth monitoring software and tools to analyze network traffic usage