I wouldn’t want to sound too paranoid, although I probably do, but cyber-criminality is everywhere. Every organization can become the target of hackers trying to access its data. It is, therefore, essential to keep an eye on things and ensure that we don’t fall victim to these ill-intentioned individuals. The very first line of defence is an Intrusion Detection System. Host-based systems apply their detection at the host level and will typically detect most intrusion attempts quickly and notify you immediately so you can remedy the situation. With so many host-based intrusion detection systems available, picking the best one for your specific situation can appear to be a challenge. To help you see clearly, we’ve assembled a list of some of the best host-based intrusion detection systems.
Before we reveal the best tools, we’ll sidetrack briefly and have a look at the different types of Intrusion Detection Systems. Some are host-based while others are network-based. We’ll explain the differences. We will then discuss the different intrusion detection methods. Some tools have a signature-based approach while others are on the lookout for suspicious behaviour. The best ones use a combination of both. Before continuing, we’ll also explain the differences between intrusion detection and intrusion prevention systems, as it is important to understand what we are looking at. We’ll then be ready for the essence of this post, the best host-based intrusion detection systems.
Two Types Of Intrusion Detection Systems
There are essentially two types of Intrusion Detection Systems. While their goal is identical, to quickly detect any intrusion attempt or suspicious activity which could lead to an intrusion attempt, they differ in the location where this detection is performed. This is a concept that is often referred to as the enforcement point. Each type has advantages and disadvantages and, generally speaking, there is no consensus as to which one is preferable. In fact, the best solution, or the most secure one, is probably one which combines both.
Host Intrusion Detection Systems (HIDS)
The first type of intrusion detection system, the one we’re interested in today, operates at the host level. You might have guessed that from its name. HIDS check, for instance, various log files and journals for signs of suspicious activity. Another way they detect intrusion attempts is by checking important configuration files for unauthorized changes. They can also examine the same configuration files for specific known intrusion patterns. For example, a particular intrusion method may be known to work by adding a certain parameter to a specific configuration file. A good host-based intrusion detection system would catch that.
Most of the time, HIDS are installed directly on the devices they’re meant to protect, which means installing them on every computer you want to cover. Some only require a local agent on each host, and a few even do all their work remotely. No matter how they operate, good HIDS have a centralized console where you can control the application and view its results.
Network Intrusion Detection Systems (NIDS)
The other type of intrusion detection system, the Network Intrusion Detection System or NIDS, works at the network’s border to enforce detection. NIDS use methods similar to those of host intrusion detection systems, such as detecting suspicious activities and looking for known intrusion patterns. But instead of looking at logs and configuration files, they watch network traffic and examine every connection request. Some intrusion methods exploit known vulnerabilities by sending purposely malformed packets to hosts, making them react in a particular way which allows them to be breached. A network intrusion detection system would easily detect this kind of attempt.
Some argue that NIDS are better than HIDS as they detect attacks even before they reach your systems. Some prefer them because they don’t require anything to be installed on each host to effectively protect them. On the other hand, they provide little protection against insider attacks, which are unfortunately not at all uncommon: to be detected, an attacker must use a path that passes through the NIDS. For these reasons, the best protection probably comes from using a combination of both types of tools.
Intrusion Detection Methods
Just like there are two types of intrusion detection tools, there are mainly two different methods used to detect intrusion attempts. Detection can be signature-based or anomaly-based. Signature-based intrusion detection works by analyzing data for specific patterns that have been associated with intrusion attempts. This is similar to traditional virus protection systems which rely on virus definitions. Likewise, signature-based intrusion detection relies on intrusion signatures or patterns, comparing data against those signatures to identify attempts. Its main drawback is that it doesn’t work until the proper signatures are loaded into the software. Unfortunately, this typically happens only after a certain number of machines have been attacked and publishers of intrusion signatures have had time to publish new update packages. Some suppliers are quite fast while others may only react days later.
Anomaly-based intrusion detection, the other method, provides better protection against zero-day attacks, those that happen before any intrusion detection software has had a chance to acquire the proper signature file. These systems look for anomalies instead of trying to recognize known intrusion patterns. For example, they could be triggered if someone tried to access a system with a wrong password several times in a row, a common sign of a brute force attack. Any suspicious behaviour can quickly be detected. Each detection method has its advantages and disadvantages. Just like with the types of tools, the best tools are those which use a combination of signature and behaviour analysis for the best protection.
Detection Vs Prevention – An Important Distinction
We’ve been discussing Intrusion Detection Systems, but many of you might have heard about Intrusion Prevention Systems. Are the two concepts identical? The easy answer is no, as the two types of tool serve different purposes. There is, however, some overlap between them. As its name implies, an intrusion detection system detects intrusion attempts and suspicious activities. When it detects something, it typically triggers some form of alert or notification. Administrators must then take the necessary steps to stop or block the intrusion attempt.
Intrusion Prevention Systems (IPS) are made to stop intrusions from happening altogether. Active IPS include a detection component that will automatically trigger some remedial action whenever an intrusion attempt is detected. Intrusion Prevention can also be passive. The term can be used to refer to anything that is done or put in place as a way of preventing intrusions. Password hardening, for example, can be thought of as an Intrusion Prevention measure.
The Best Host Intrusion Detection Tools
We’ve searched the market for the best host-based intrusion detection systems. What we have for you is a mix of true HIDS and other software which, although they don’t call themselves intrusion detection systems, have an intrusion detection component or can be used to detect intrusion attempts. Let’s review our top picks and have a look at their best features.
Our first entry is from SolarWinds, a common name in the field of network administration tools. The company has been around for about 20 years and has brought us some of the best network and system administration tools. It is also well-known for its many free tools that address specific needs of network administrators. Two great examples of these free tools are the Kiwi Syslog Server and the Advanced Subnet Calculator.
Don’t let the SolarWinds Log & Event Manager’s name fool you. It is much more than just a log and event management system. Many of the advanced features of this product put it in the Security Information and Event Management (SIEM) range. Other features qualify it as an Intrusion Detection System and even, to a certain extent, as an Intrusion Prevention System. This tool features real-time event correlation and real-time remediation, for example.
- FREE TRIAL: SolarWinds Log & Event Manager
- Official Download Link: https://www.solarwinds.com/log-event-manager-software/registration
The SolarWinds Log & Event Manager features instantaneous detection of suspicious activity (an IDS-like functionality) and automated responses (an IPS-like functionality). It can also perform security event investigation and forensics for both mitigation and compliance purposes. Thanks to its audit-proven reporting the tool can also be used to demonstrate compliance with HIPAA, PCI-DSS, and SOX, among others. The tool also has file integrity monitoring and USB device monitoring, making it much more of an integrated security platform than just a log and event management system.
Pricing for the SolarWinds Log & Event Manager starts at $4,585 for up to 30 monitored nodes. Licenses for up to 2500 nodes can be purchased making the product highly scalable. If you want to take the product for a test run and see for yourself if it’s right for you, a free full-featured 30-day trial is available.
Open Source Security, or OSSEC, is by far the leading open-source host-based intrusion detection system. The product is owned by Trend Micro, one of the leading names in IT security and maker of one of the best virus protection suites. When installed on Unix-like operating systems, the software primarily focuses on log and configuration files. It creates checksums of important files and periodically validates them, alerting you whenever something odd happens. It will also monitor and alert on any abnormal attempt at getting root access. On Windows hosts, the system also keeps an eye for unauthorized registry modifications which could be a tell-tale sign of malicious activity.
By virtue of being a host-based intrusion detection system, OSSEC needs to be installed on each computer you want to protect. However, a centralized console consolidates information from each protected computer for easier management. While the OSSEC console only runs on Unix-like operating systems, an agent is available to protect Windows hosts. Any detection will trigger an alert which will be displayed on the centralized console, while notifications will also be sent by email.
Samhain is another well-known free host intrusion detection system. Its main features, from an IDS standpoint, are file integrity checking and log file monitoring/analysis. It does way more than that, though. The product will perform rootkit detection, port monitoring, detection of rogue SUID executables, and of hidden processes. The tool was designed to monitor multiple hosts running various operating systems while providing centralized logging and maintenance. However, Samhain can also be used as a stand-alone application on a single computer. The software primarily runs on POSIX systems like Unix, Linux or OS X. It can also run on Windows under Cygwin, a package that allows running POSIX applications on Windows, although only the monitoring agent has been tested in that configuration.
One of Samhain’s most distinctive features is its stealth mode, which allows it to run without being detected by potential attackers. Intruders have been known to kill any detection processes they recognize as soon as they enter a system, before those processes can detect them, allowing the intruders to go unnoticed. Samhain uses steganographic techniques to hide its processes from others. It also protects its central log files and configuration backups with a PGP key to prevent tampering.
Fail2Ban is a free and open-source host intrusion detection system that also features some intrusion prevention capabilities. The software tool monitors log files for suspicious activities and events such as failed login attempts, exploit seeking, etc. The tool’s default action, whenever it does detect something suspicious, is to automatically update the local firewall rules to block the source IP address of the malicious behaviour. In reality, this is not true intrusion prevention but rather an intrusion detection system with auto-remediation features. What we just described is the tool’s default action, but any other arbitrary action, such as sending email notifications, can also be configured, making it behave like a more “classic” intrusion detection system.
Fail2Ban is offered with various pre-built filters for some of the most common services such as Apache, SSH, FTP, Postfix and many more. Prevention, as we explained, is carried out by modifying the host’s firewall tables. The tool can work with Netfilter/iptables or the hosts.deny table of TCP Wrappers. Each filter can be associated with one or many actions.
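To make the filter/action model concrete, and to show what the anomaly-based “several wrong passwords in a row” detection described earlier looks like in practice, here is an added example in Python. It is not Fail2Ban’s own code or the project’s real filters: the regular expression is a simplified stand-in for an sshd filter (the signature part), the `BanTracker` counts matches per source address inside a time window (the threshold part), and the firewall action is only rendered as an argument list, never executed. The log lines are constructed for this example, the year attached to syslog timestamps is a fixed assumption, and the `maxretry`/`findtime`/`bantime` values are chosen here rather than taken from any distribution’s defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not captured from a real host.
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 08:00:03 host1 sshd[1202]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 08:00:04 host1 sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar 10 08:00:06 host1 sshd[1204]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 08:00:09 host1 sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Mar 10 08:00:10 host1 sshd[1206]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar 10 08:00:12 host1 sshd[1207]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar 10 08:30:00 host1 sshd[1300]: Failed password for bob from 198.51.100.7 port 40010 ssh2
"""

# Simplified "filter": the signature for a failed password login. Real Fail2Ban
# filters cover many more message variants; this one is for the example only.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_syslog_time(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the year used here is an assumption."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)


class BanTracker:
    """Counts failures per source address within a sliding window (findtime)
    and reports an address once it reaches maxretry failures."""

    def __init__(self, maxretry: int = 5, findtime: int = 600, bantime: int = 3600):
        self.maxretry = maxretry
        self.findtime = findtime      # seconds: window in which failures count
        self.bantime = bantime        # seconds: how long a ban stays in effect
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> datetime the ban expires

    def observe(self, ip: str, when: datetime):
        # An address that is already banned needs no further action until the ban expires.
        if ip in self.banned and when < self.banned[ip]:
            return None
        window = self.failures[ip]
        window.append(when)
        # Forget failures that fell out of the findtime window.
        while window and (when - window[0]).total_seconds() > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = when + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None


def ban_action(ip: str, chain: str = "INPUT") -> list:
    """Render the firewall rule an action would add. Nothing is executed here;
    a real action would hand this to the firewall (or send an email instead)."""
    return ["iptables", "-I", chain, "-s", ip, "-j", "DROP"]


def process_log(text: str, maxretry: int = 5, findtime: int = 600) -> list:
    """Run every line through the filter, feed matches to the tracker and
    collect the actions that would be triggered, in order."""
    tracker = BanTracker(maxretry=maxretry, findtime=findtime)
    actions = []
    for line in text.splitlines():
        match = FAILREGEX.match(line)
        if not match:
            continue  # successful logins and unrelated messages are ignored
        when = parse_syslog_time(match.group("ts"))
        banned_ip = tracker.observe(match.group("ip"), when)
        if banned_ip:
            actions.append(ban_action(banned_ip))
    return actions


if __name__ == "__main__":
    for action in process_log(SAMPLE_LOG):
        print("would run:", " ".join(action))
```

With the constructed log, 203.0.113.5 accumulates five failures within eleven seconds and is the only address that triggers an action; 198.51.100.7 fails twice but thirty minutes apart, so with a ten-minute window its first failure has already aged out of the deque when the second arrives. Shrinking `findtime` to a few seconds makes even the attacker’s burst fall below the threshold, which is the trade-off every threshold-based detection has to tune.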
The Advanced Intrusion Detection Environment, or AIDE, is another free host intrusion detection system. This one mainly focuses on rootkit detection and file signature comparisons. When you initially install it, the tool builds a database of information about the system’s configuration files. This database can then be used as a baseline against which any change can be compared and eventually rolled back if needed.
AIDE makes use of both signature-based and anomaly-based detection schemes. This is a tool which is run on demand rather than scheduled or continuously running. In fact, this is the product’s main drawback. However, since it is a command-line tool rather than being GUI-based, a cron job can be created to run it at regular intervals. If you choose to run the tool frequently, such as once every minute, you’ll get almost real-time data and you’ll have time to react before any intrusion attempt has gone too far and caused much damage.
At its core, AIDE is just a data comparison tool, but with the help of a few external scheduled scripts it can be turned into a true HIDS. Keep in mind that this is essentially a local tool, though. It has no centralized management and no fancy GUI.
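The baseline-and-compare cycle that AIDE performs on demand, and that OSSEC runs periodically by checksumming important files, is the same technique that lets a HIDS catch an unauthorized parameter added to a configuration file, as described in the HIDS section above. The following Python is an added example illustrating that cycle; it is neither AIDE’s nor OSSEC’s code and it uses none of their database formats. It records a SHA-256 digest plus permission, ownership and size metadata for each file under a directory, stores that as a JSON baseline, and classifies later differences as added, removed or changed. The `demo()` function builds a constructed scenario in a temporary directory (file names and contents are made up for the example) so the whole thing runs offline.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes kept per file: a content digest plus metadata, so that both
    content edits and permission/ownership changes show up in a comparison."""
    st = path.lstat()
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rec["sha256"] = digest.hexdigest()
    return rec


def build_baseline(root: Path) -> dict:
    """Walk the tree and record every file's attributes, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    # A real deployment keeps this database where the monitored host cannot
    # rewrite it (read-only media or a remote server); here it is just a file.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots; for changed files, report
    each attribute that differs as (old, new)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diff = {k: (old.get(k), new.get(k))
                for k in set(old) | set(new) if old.get(k) != new.get(k)}
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: snapshot a fake /etc, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        db = root / "baseline.json"          # stored outside the monitored tree
        save_baseline(build_baseline(etc), db)
        # Simulated unauthorized activity: a hardening parameter flipped,
        # an unexpected file appearing, and a file removed.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        (etc / "unexpected_file").write_text("not part of the baseline\n")
        (etc / "hosts").unlink()
        return compare(load_baseline(db), build_baseline(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run from cron every minute, as the text suggests for AIDE, a script like this gives near real-time change detection on a single host; what it does not give you, and what the page lists as AIDE’s limitation, is central management: each host’s baseline and report stay local unless you ship them somewhere yourself.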
Last on our list is Sagan, which is actually more of a log analysis system than a true IDS. It has, however, some IDS-like features, which is why it deserves a place on our list. The tool locally watches the log files of the system where it’s installed, but it can also interact with other tools. It could, for instance, analyze Snort’s logs, effectively adding the NIDS functionality of Snort to what is essentially a HIDS. It won’t just interact with Snort: Sagan can interact with Suricata as well, and it is compatible with several rule-building tools like Oinkmaster or PulledPork.
Sagan also has script execution capabilities which can make it a crude intrusion prevention system, provided that you develop some remediation scripts. Although this tool is unlikely to be used as your sole defence against intrusion, it can be a great component of a system that incorporates many tools by correlating events from different sources.