Security is a hot topic and has been for quite a while. Many years ago, viruses were the only concern of system administrators. They were so common that they gave rise to an astounding range of virus prevention tools, and nowadays barely anyone would think of running an unprotected computer. Today, however, computer intrusion, the unauthorized access to your data by malicious users, is the threat du jour. Networks have become the target of numerous ill-intentioned attackers who will go to great lengths to gain access to your data. One of your best defenses against these threats is an intrusion detection, or prevention, system. Today, we're reviewing ten of the best free intrusion detection tools.
Before we begin, we'll first discuss the different intrusion detection methods in use. Just as there are many ways intruders can enter your network, there are at least as many ways to detect them. Then, we'll discuss the two main categories of intrusion detection system: network intrusion detection and host intrusion detection. We'll then explain the difference between intrusion detection and intrusion prevention. And finally, we'll give you a brief review of ten of the best free intrusion detection tools we could find.
Intrusion Detection Methods
There are basically two methods used to detect intrusion attempts: signature-based and anomaly-based. Let's see how they differ. Signature-based intrusion detection works by analyzing data for specific patterns that have been associated with known intrusion attempts. It is much like traditional antivirus software relying on virus definitions: the data is compared against a library of intrusion signatures. Its main drawback is that it cannot detect an attack until the proper signature has been loaded into the software, which typically happens only after a certain number of machines have already been attacked. Signature quality matters too: an overly broad signature produces false positives, while a narrow one is easily evaded by small changes to the attack.
Anomaly-based intrusion detection provides better protection against zero-day attacks, those that happen before any intrusion detection software has had a chance to acquire the proper signature. Instead of trying to recognize known intrusion patterns, these systems build a picture of normal activity and look for deviations from it. For instance, they would flag someone trying to access a system with a wrong password many times in a row, a common sign of a brute-force attack, even though no particular signature describes it. The price is a higher rate of false positives, since unusual but legitimate activity looks like an anomaly too. As you might have guessed, each detection method has its advantages. This is why the best tools will often use a combination of both.
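To make the difference concrete, here is a small added example (written for this article, not code from any of the tools reviewed below) that runs both methods over a constructed Apache-style access log. The signature side compares each request against a few well-known attack strings; the anomaly side has no such list and instead flags any client whose request count sits far above the typical client, using the median and median absolute deviation so that one noisy client does not drag the "normal" level up with it. The log lines, the signature list and the threshold factor `k` are all assumptions made for the example.

```python
import re
from collections import Counter
from statistics import median

# Constructed Apache-style access log (not real traffic): a few normal
# clients, two clients sending known attack strings, and one client
# (10.0.0.12) hammering the server with twenty requests in twenty seconds.
SAMPLE_LOG = (
    '10.0.0.5 - - [01/Mar/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512\n'
    '10.0.0.5 - - [01/Mar/2019:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 734\n'
    '10.0.0.7 - - [01/Mar/2019:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512\n'
    '10.0.0.9 - - [01/Mar/2019:10:00:06 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 209\n'
    '10.0.0.7 - - [01/Mar/2019:10:00:09 +0000] "GET /item?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 500 118\n'
    '10.0.0.9 - - [01/Mar/2019:10:00:12 +0000] "GET /images/../../../etc/shadow HTTP/1.0" 400 226\n'
    '10.0.0.7 - - [01/Mar/2019:10:00:15 +0000] "GET /contact.html HTTP/1.1" 200 311\n'
    + "".join(
        f'10.0.0.12 - - [01/Mar/2019:10:00:{20 + i:02d} +0000] "GET /p{i} HTTP/1.1" 404 209\n'
        for i in range(20)
    )
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signature list (assumed for the example): patterns known to belong to attacks.
SIGNATURES = [
    ("phf-cgi", re.compile(r"/cgi-bin/phf")),
    ("path-traversal", re.compile(r"\.\./")),
    ("passwd-file", re.compile(r"/etc/passwd")),
    ("sql-union", re.compile(r"union(?:\s|%20|\+)+select", re.IGNORECASE)),
]


def parse_log(text):
    """Turn raw access-log lines into dicts; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def signature_alerts(entries):
    """Signature-based: compare every request path against the known patterns."""
    alerts = []
    for e in entries:
        for name, pattern in SIGNATURES:
            if pattern.search(e["path"]):
                alerts.append((e["ip"], name, e["path"]))
    return alerts


def anomaly_alerts(entries, k=5.0):
    """Anomaly-based: flag clients whose request count is far above the
    typical client. Median/MAD is used instead of mean/stddev because a
    single outlier would otherwise inflate the 'normal' level."""
    counts = Counter(e["ip"] for e in entries)
    if len(counts) < 3:            # too few clients to say what 'normal' is
        return {}
    values = list(counts.values())
    med = median(values)
    mad = max(median([abs(v - med) for v in values]), 1.0)   # floor avoids MAD == 0
    threshold = med + k * mad
    return {ip: n for ip, n in counts.items() if n > threshold}


def detect(text, k=5.0):
    """Run both methods over one log and return their findings side by side."""
    entries = parse_log(text)
    return {"signature": signature_alerts(entries), "anomaly": anomaly_alerts(entries, k)}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for ip, name, path in result["signature"]:
        print(f"signature  {name:15} {ip} {path}")
    for ip, n in result["anomaly"].items():
        print(f"anomaly    request-flood   {ip} ({n} requests)")
```

Notice that the two methods find different things: the signatures catch the three attacking requests from 10.0.0.9 and 10.0.0.7 but say nothing about 10.0.0.12, whose requests are individually harmless, while the anomaly check catches 10.0.0.12 and nothing else. Neither method alone covers the whole picture, which is the point made above.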
Two Types Of Intrusion Detection Systems
Just as there are different detection methods, there are also two main types of intrusion detection systems. They differ mostly in where the detection is performed: at the host level or at the network level. Here again, each has its advantages, and the best, or most secure, solution is usually to use both.
Host Intrusion Detection Systems (HIDS)
The first type of intrusion detection system operates at the host level. It could, for instance, check various log files for any sign of suspicious activity. It could also work by checking important configuration files for unauthorized changes. This is what an anomaly-based HIDS would do. A signature-based system, on the other hand, would look at the same log and configuration files but would be looking for specific, known intrusion patterns. For instance, a particular intrusion method may be known to work by adding a certain string to a specific configuration file, which a signature-based HIDS would detect.
As you might have guessed, HIDS are installed directly on the devices they are meant to protect, so you will need to install them on every computer you want covered. However, most systems have a centralized console where you can control each instance of the application. One practical caveat: an attacker who gains administrative rights on a host can tamper with the agent or its logs, so the agent should ship its alerts off the host as soon as they are generated.
Network Intrusion Detection Systems (NIDS)
Network intrusion detection systems, or NIDS, inspect traffic at your network's border or at other strategic points, such as a switch's mirror (SPAN) port. They use methods similar to those of host intrusion detection systems, but instead of looking at log and configuration files, they look at network traffic such as connection requests and packet payloads. Some intrusion methods are known to exploit vulnerabilities by sending purposely malformed packets to hosts, making them react in a particular way. A NIDS can easily detect these.
Some would argue that NIDS are better than HIDS, as they detect attacks before they reach your computers. They also don't require anything to be installed on each computer to protect it. On the other hand, they provide little protection against insider attacks, which are unfortunately not at all uncommon, and they cannot inspect the content of encrypted traffic unless it is decrypted for them. This is another case where the best protection comes from using a combination of both types of tools.
Intrusion Detection Vs Prevention
There are two different genres of tools in the intrusion protection world: intrusion detection systems (IDS) and intrusion prevention systems (IPS). Although they serve different purposes, there is often some overlap between the two. As its name implies, an intrusion detection system detects intrusion attempts and suspicious activity in general. When it does, it typically triggers some sort of alarm or notification. It is then up to the administrator to take the necessary steps to stop or block the attempt.
Intrusion prevention systems, on the other hand, work at stopping intrusions as they happen. Most include a detection component that triggers some action, such as dropping the offending packets or blocking the source address, whenever an intrusion attempt is detected. An IPS that sits inline therefore needs to be both fast and accurate, since a false positive blocks legitimate traffic. But intrusion prevention can also be passive: the term is also used for any measure put in place to prevent intrusions, password hardening for example.
The Best Free Intrusion Detection Tools
Intrusion detection systems can be expensive, very expensive. Fortunately, there are quite a few free alternatives. We've searched the Internet for some of the best intrusion detection software tools, and we're about to briefly review the ten best we could find.
1. OSSEC
OSSEC, which stands for Open Source HIDS SECurity, is by far the leading open-source host intrusion detection system. The project has been owned by Trend Micro, one of the leading names in IT security, since 2009. The software, when installed on Unix-like operating systems, primarily focuses on log and configuration files. It creates checksums of important files and periodically validates them, alerting you if something odd happens. It also monitors and catches odd attempts at getting root access. On Windows, it keeps an eye out for unauthorized registry modifications as well.
OSSEC, being a host intrusion detection system, needs to be installed on each computer you want to protect. It will, however, consolidate the information from each protected computer on a single server for easier management. The server only runs on Unix-like systems, but an agent is available to protect Windows hosts. When the system detects something, an alert is displayed on the console and notifications are sent by email.
2. Snort
Just as OSSEC is the top open-source HIDS, Snort is the leading open-source NIDS. Snort is actually more than an intrusion detection tool: it is also a packet sniffer and a packet logger. But what interests us here is Snort's intrusion detection features. Somewhat like a firewall, Snort is configured using rules. Base rules can be downloaded from the Snort website and customized to your specific needs. You can also subscribe to Snort rules to ensure you always get the latest ones as new threats are identified.
The basic Snort rules can detect a wide variety of events such as stealth port scans, buffer overflow attacks, CGI attacks, SMB probes, and OS fingerprinting. What your Snort installation detects depends solely on the rules you have installed. The rules themselves are signature-based, while some of Snort's preprocessors, such as its port-scan detector, work by spotting anomalous behaviour. Using Snort can give you the best of both worlds.
3. Suricata
Suricata advertises itself as an intrusion detection and prevention system and as a complete network security monitoring engine. One of this tool's strengths is that it parses traffic all the way up to the application layer, reassembling TCP streams and decoding protocols, which lets it detect threats that could go unnoticed in per-packet inspection because the attack is split over several packets.
But Suricata doesn't only work at the application layer. It also tracks lower-level protocols such as ICMP, TCP and UDP, and it decodes TLS handshakes as well as application protocols like HTTP, FTP and SMB, so it can detect intrusion attempts hidden in otherwise normal requests. There's also a file extraction capability that lets administrators examine suspicious files transferred over the network themselves.
Architecture-wise, Suricata is very well made: it distributes its workload over several processor cores and threads for the best performance. Older releases could even offload pattern matching to an NVIDIA graphics card through CUDA (that support was dropped in Suricata 5.0), a feature aimed at servers whose graphics card is mostly idle.
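The following added example (written for this article; it is neither Snort's nor Suricata's code) ties together the three network-level points above: the malformed-packet and payload inspection a NIDS performs, Snort's rule syntax, and why reassembling the stream matters. It parses two rules written in Snort's real rule syntax, including the `|FF|` hex notation for raw bytes, then applies them to constructed TCP segments in two ways: once per packet, and once after grouping the segments by connection and joining them in sequence order. The phf request is deliberately split across two segments that also arrive out of order, so only the stream-aware pass catches it. The rules, addresses and payloads are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment; seq is the byte offset of this payload within the stream."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: bytes
    nocase: bool
    sid: int


# header:  action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_content(value):
    """Snort content syntax: literal text, with raw bytes written in hex between pipes."""
    out = bytearray()
    for i, part in enumerate(value.strip().strip('"').split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(text):
    """Parse the subset of Snort rule options used here: msg, content, nocase, sid."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse rule: {text!r}")
    action, proto, src, sport, dst, dport, options = m.groups()
    msg, content, nocase, sid = "", b"", False, 0
    # Options are "key:value;" pairs; this splitter assumes no ';' inside quoted values.
    for opt in (o.strip() for o in options.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        if key == "msg":
            msg = val.strip().strip('"')
        elif key == "content":
            content = parse_content(val)
        elif key == "nocase":
            nocase = True
        elif key == "sid":
            sid = int(val)
    return Rule(action, proto, src, sport, dst, dport, msg, content, nocase, sid)


def _addr_ok(spec, value):
    return spec == "any" or spec == value


def _port_ok(spec, value):
    return spec == "any" or int(spec) == value


def header_matches(rule, src, sport, dst, dport):
    return (_addr_ok(rule.src, src) and _port_ok(rule.sport, sport)
            and _addr_ok(rule.dst, dst) and _port_ok(rule.dport, dport))


def content_matches(rule, data):
    if not rule.content:
        return True
    if rule.nocase:
        return rule.content.lower() in data.lower()
    return rule.content in data


def match_packets(rules, packets):
    """Naive per-packet inspection: a pattern split across two segments is missed."""
    return [(r.sid, r.msg) for p in packets for r in rules
            if header_matches(r, p.src, p.sport, p.dst, p.dport) and content_matches(r, p.payload)]


def reassemble(packets):
    """Group segments by 4-tuple, order them by sequence number and join the payloads."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src, p.sport, p.dst, p.dport)].append(p)
    return {key: b"".join(s.payload for s in sorted(segs, key=lambda s: s.seq))
            for key, segs in flows.items()}


def match_streams(rules, packets):
    """Stream-aware inspection: rules are applied to the reassembled payload."""
    alerts = []
    for (src, sport, dst, dport), data in reassemble(packets).items():
        alerts.extend((r.sid, r.msg) for r in rules
                      if header_matches(r, src, sport, dst, dport) and content_matches(r, data))
    return alerts


# Constructed rules (Snort syntax) and constructed traffic; not real captures.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase; sid:1000001;)',
    'alert tcp any any -> any 445 (msg:"SMB probe"; content:"|FF|SMB"; sid:1000002;)',
)]
PACKETS = [
    # The phf request is split into two segments that also arrive out of order.
    Packet("10.0.0.9", 40123, "192.0.2.10", 80, 10, b"in/phf?Qalias=x HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.9", 40123, "192.0.2.10", 80, 0, b"GET /cgi-b"),
    Packet("10.0.0.9", 40124, "192.0.2.11", 445, 0, b"\x00\x00\x00\x2f\xffSMB\x72\x00\x00"),
]

if __name__ == "__main__":
    print("per-packet: ", match_packets(RULES, PACKETS))
    print("reassembled:", match_streams(RULES, PACKETS))
```

The per-packet pass only raises the SMB alert; the reassembled pass raises both. Real engines do far more (they also have to cope with overlapping and retransmitted segments, which an attacker can use to feed the sensor and the target different data), but the mechanism is the same.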
4. Bro Network Security Monitor
Next on our list is the Bro Network Security Monitor (renamed Zeek in 2018), another free network intrusion detection system. Bro operates in two phases: traffic logging and analysis. Like Suricata, Bro operates at the application layer, allowing better detection of intrusion attempts split over several packets. Everything seems to come in pairs with Bro, and its analysis module is also made up of two elements. The first is the event engine, which tracks triggering events such as new TCP connections or HTTP requests. The events are then further analyzed by policy scripts, which decide whether or not to raise a notice and launch an action, making Bro an intrusion prevention system in addition to a detection system.
Bro will let you track HTTP, DNS, and FTP activity as well as monitor SNMP traffic. This is a good thing because, while SNMP is widely used for network monitoring, its older versions are not secure protocols. Bro also lets you watch for device configuration changes and SNMP traps. Bro can be installed on Unix, Linux, and OS X, but it is not available for Windows, perhaps its main drawback.
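The two-phase design described above is easiest to understand in code. The added example below (written for this article, not Bro's or Zeek's own code, and not Bro's scripting language) mimics it: an event engine turns connection records (with the fields a Zeek conn.log would carry) into named events, and "policy scripts", here plain Python functions registered for an event name, keep their own state and decide when to raise a notice. Two policies are included: one raises `Scan::Port_Scan` when a single source touches enough distinct destination ports within a time window, the other raises a notice when SNMP is polled from a host that is not the known monitoring server. The records, notice names, thresholds and the manager address are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """A connection record with the fields Zeek's conn.log would carry."""
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str


class EventEngine:
    """Phase one: turn raw connection records into named events and hand them
    to whichever policy handlers registered for that event name."""

    def __init__(self):
        self.handlers = defaultdict(list)

    def on(self, event):
        def register(fn):
            self.handlers[event].append(fn)
            return fn
        return register

    def dispatch(self, event, conn):
        notices = []
        for handler in self.handlers[event]:
            notices.extend(handler(conn) or [])
        return notices

    def run(self, conns):
        notices = []
        for c in sorted(conns, key=lambda c: c.ts):
            notices += self.dispatch("new_connection", c)
            if c.proto == "udp" and c.resp_p == 161:        # SNMP
                notices += self.dispatch("snmp_request", c)
        return notices


def build_engine(scan_threshold=5, scan_window=60.0, snmp_managers=("10.0.0.2",)):
    """Phase two: policy scripts. Each keeps its own state and returns
    (notice, source host, detail) tuples when something deserves attention."""
    engine = EventEngine()
    history = defaultdict(list)   # orig_h -> [(ts, resp_p)] within scan_window
    reported = set()

    @engine.on("new_connection")
    def port_scan(c):
        recent = [(t, p) for t, p in history[c.orig_h] if c.ts - t <= scan_window]
        recent.append((c.ts, c.resp_p))
        history[c.orig_h] = recent
        ports = {p for _, p in recent}
        if len(ports) >= scan_threshold and c.orig_h not in reported:
            reported.add(c.orig_h)           # one notice per scanner, not one per port
            return [("Scan::Port_Scan", c.orig_h, f"{len(ports)} ports in {scan_window:.0f}s")]

    @engine.on("snmp_request")
    def unexpected_snmp_manager(c):
        if c.orig_h not in snmp_managers:
            return [("SNMP::Unexpected_Manager", c.orig_h, f"polled {c.resp_h}")]

    return engine


def analyze(conns, **policy):
    """Build a fresh engine (fresh policy state) and run it over the records."""
    return build_engine(**policy).run(conns)


# Constructed connection records (not a real capture): one normal web visit,
# a port sweep from 10.0.0.9, SNMP from the real manager, then SNMP from the scanner.
SAMPLE_CONNS = [
    Conn(100.0, "10.0.0.5", 40001, "192.0.2.10", 80, "tcp"),
    Conn(101.0, "10.0.0.9", 50001, "192.0.2.10", 21, "tcp"),
    Conn(102.0, "10.0.0.9", 50002, "192.0.2.10", 22, "tcp"),
    Conn(103.0, "10.0.0.9", 50003, "192.0.2.10", 23, "tcp"),
    Conn(104.0, "10.0.0.9", 50004, "192.0.2.10", 25, "tcp"),
    Conn(105.0, "10.0.0.9", 50005, "192.0.2.10", 80, "tcp"),
    Conn(106.0, "10.0.0.2", 50101, "192.0.2.1", 161, "udp"),
    Conn(107.0, "10.0.0.9", 50006, "192.0.2.1", 161, "udp"),
]

if __name__ == "__main__":
    for notice in analyze(SAMPLE_CONNS):
        print(*notice)
```

The separation is what makes this style flexible: the engine knows nothing about scans or SNMP, and a new policy is just another function registered on an event. In Bro the policy layer can also trigger a response (for instance by invoking an external script), which is where its prevention capability comes from.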
5. Open WIPS NG
Open WIPS NG made it onto our list mainly because it's the only one that specifically targets wireless networks. Open WIPS NG, where WIPS stands for Wireless Intrusion Prevention System, is an open-source tool made up of three main components. First, there is the sensor, a dumb device that only captures wireless traffic and sends it to the server for analysis. Next is the server. It aggregates data from all sensors, analyzes the gathered data and responds to attacks. It is the heart of the system. Last but not least is the interface component, the GUI that you use to manage the server and display information about threats on your wireless network.
Not everyone likes Open WIPS NG, though. The product is from the same developer as Aircrack-ng, a wireless packet sniffer and password cracker that is part of every Wi-Fi hacker's toolkit. On the other hand, given that background, we can assume that the developer knows quite a bit about Wi-Fi security.
6. Samhain
Samhain is a free host intrusion detection system that provides file integrity checking and log file monitoring and analysis. In addition, it performs rootkit detection, port monitoring, detection of rogue SUID executables, and detection of hidden processes. The tool has been designed to monitor multiple systems running various operating systems, with centralized logging and maintenance. However, Samhain can also be used as a stand-alone application on a single computer. Samhain runs on POSIX systems such as Unix, Linux, or OS X. It can also run on Windows under Cygwin, although only the monitoring agent, not the server, has been tested in that configuration.
One of Samhain's most distinctive features is its stealth mode, which lets it run without being noticed by an attacker. Too often, intruders kill the detection processes they recognize and then go unnoticed. In stealth mode, Samhain hides its configuration file and baseline database inside an innocuous-looking file, such as an image, using steganography, and the binary can be built with its strings obfuscated and installed under an inconspicuous name so that it does not stand out in a process listing. It also verifies its configuration file and baseline database against a GnuPG (PGP) signature to detect tampering.
7. Fail2Ban
Fail2Ban is an interesting free host intrusion detection system that also has some prevention features. This tool operates by monitoring log files for suspicious events such as failed login attempts, exploit probes, and so on. When it detects something suspicious, it automatically updates the local firewall rules to block the source IP address of the malicious behaviour for a configurable period. This is the tool's default action, but any other arbitrary action, such as sending an email notification, can be configured.
The system comes with various pre-built filters for some of the most common services such as Apache, Courier, SSH, FTP, Postfix and many more. Prevention is carried out by modifying the host's firewall tables. The tool can work with Netfilter/iptables, nftables, or the hosts.deny table of TCP Wrappers. A filter is a set of regular expressions that recognize failures in a log file and extract the offending address; each filter can be associated with one or many actions. Together, a filter, its actions and the thresholds that trigger them (how many failures within what time window, and for how long to ban) are referred to as a jail.
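To show what a jail actually does, here is an added example (written for this article, not Fail2Ban's own code) that implements the jail semantics in Python over constructed sshd log lines: a filter regular expression in Fail2Ban's style, with `<HOST>` marking the address, plus `maxretry`, `findtime` and `bantime` settings. Hosts that fail `maxretry` times within `findtime` seconds are banned for `bantime` seconds, and the ban is lifted afterwards. The firewall commands are modelled on Fail2Ban's iptables action but are returned as strings rather than executed, so the example runs safely anywhere. The log lines, the chain name `f2b-sshd` and the numeric settings are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines (not from a real host). 203.0.113.7 fails
# repeatedly, 198.51.100.4 fails once, 10.0.0.5 logs in legitimately.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50111 ssh2
Mar  1 10:00:03 host sshd[2202]: Failed password for root from 203.0.113.7 port 50112 ssh2
Mar  1 10:00:04 host sshd[2203]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
Mar  1 10:00:06 host sshd[2204]: Failed password for root from 203.0.113.7 port 50113 ssh2
Mar  1 10:00:09 host sshd[2205]: Failed password for root from 198.51.100.4 port 41000 ssh2
Mar  1 10:00:11 host sshd[2206]: Failed password for invalid user test from 203.0.113.7 port 50114 ssh2
Mar  1 10:00:40 host sshd[2207]: Failed password for root from 203.0.113.7 port 50115 ssh2
"""

# A filter in Fail2Ban's style: <HOST> marks where the offending address sits.
FAILREGEX = r"sshd\[\d+\]: Failed password for .* from <HOST> port \d+ ssh2$"
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_failregex(pattern):
    """Replace the <HOST> placeholder with a named capture group, as Fail2Ban does."""
    return re.compile(pattern.replace("<HOST>", r"(?P<host>\S+)"))


def parse_ts(line, year=2019):
    """Syslog timestamps carry no year; one is assumed so lines can be compared."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S").timestamp()


class Jail:
    """Counts failures per host within findtime, bans after maxretry failures,
    and lifts the ban after bantime. Firewall commands are returned, not run."""

    def __init__(self, name, failregex, maxretry=3, findtime=30, bantime=60):
        self.name = name
        self.regex = compile_failregex(failregex)
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # host -> timestamps within findtime
        self.banned = {}                     # host -> time at which to unban
        self.log = []                        # (ts, "ban" | "unban", host)

    def actionban(self, host):
        return f"iptables -I f2b-{self.name} 1 -s {host} -j REJECT --reject-with icmp-port-unreachable"

    def actionunban(self, host):
        return f"iptables -D f2b-{self.name} -s {host} -j REJECT --reject-with icmp-port-unreachable"

    def process_line(self, line):
        """Feed one log line; returns any firewall commands it triggers."""
        m = self.regex.search(line)
        ts = parse_ts(line)
        if not m or ts is None:
            return []
        cmds = self.expire(ts)               # lift bans that ran out before this line
        host = m.group("host")
        if host in self.banned:
            return cmds
        q = self.failures[host]
        q.append(ts)
        while q and ts - q[0] > self.findtime:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned[host] = ts + self.bantime
            q.clear()
            self.log.append((ts, "ban", host))
            cmds.append(self.actionban(host))
        return cmds

    def expire(self, now):
        """Unban every host whose bantime has elapsed as of 'now'."""
        cmds = []
        for host, until in list(self.banned.items()):
            if now >= until:
                del self.banned[host]
                self.log.append((now, "unban", host))
                cmds.append(self.actionunban(host))
        return cmds


def run_jail(log_text, **settings):
    """Run an sshd jail over a whole log; returns the jail and the commands it issued."""
    jail = Jail("sshd", FAILREGEX, **settings)
    cmds = []
    for line in log_text.splitlines():
        cmds += jail.process_line(line)
    return jail, cmds


if __name__ == "__main__":
    jail, cmds = run_jail(SAMPLE_LOG)
    print("\n".join(cmds))
    print("\n".join(jail.expire(parse_ts("Mar  1 10:02:00 x") )))
```

With the default settings, 203.0.113.7 is banned at its third failure (10:00:06), its later attempts are ignored while the ban is in force, and 198.51.100.4, with a single failure, is never touched. Shrinking `findtime` to two seconds prevents the ban altogether, because the three failures no longer fall inside one window; tuning these three numbers is most of the work of configuring a real jail.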
8. AIDE
AIDE is an acronym for Advanced Intrusion Detection Environment. This free host intrusion detection system focuses on file integrity checking and is commonly used to spot rootkits and other unauthorized modifications. When you initialize AIDE, it builds a database of attributes (cryptographic hashes, permissions, ownership, size, timestamps and so on) for every file covered by its configuration. That database is then used as a baseline against which any later change can be compared. AIDE itself only reports changes; restoring a modified file is up to you and your backups.
AIDE compares the current state of the file system against that baseline, and the comparison runs on demand rather than on a schedule or continuously. This is actually the product's main drawback. However, AIDE is a command-line tool, and a cron job can be created to run it at regular intervals; if you run it very frequently, such as every few minutes, you'll get quasi-real-time data. Two practical caveats: the baseline database must be stored somewhere an intruder cannot modify it (read-only media or a remote host), and it must be updated after every legitimate change, or the reports fill up with noise. At its core, AIDE is nothing but a data comparison tool; external scripts must be written around it to make it a true HIDS.
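File integrity checking is the technique shared by OSSEC's checksum monitoring, Samhain and AIDE, and by the host-level detection described earlier in the article, so one added example serves all of them. The code below (written for this article; it is not the code of any of those tools) records a baseline of per-file attributes, hashes, size, permissions, ownership and modification time, in a JSON database, then compares a later scan against it and reports files that were added, removed or changed, listing which attributes changed. The `demo()` function builds a small fake `/etc` in a temporary directory, takes a baseline, tampers with it the way an intruder might, and returns the report. The directory layout, file contents and the JSON database format are assumptions made for the example.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path

TRACKED = ("sha256", "size", "mode", "uid", "gid", "mtime")


def file_attrs(path):
    """Attributes recorded per file: content hash, size, permissions, owner, mtime."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "mtime": int(st.st_mtime)}


def scan(root):
    """Walk the tree and collect attributes for every regular file (symlinks skipped)."""
    return {p.relative_to(root).as_posix(): file_attrs(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def init_baseline(root, db_path):
    """Like 'aide --init': record the current state as the trusted baseline."""
    db = scan(root)
    db_path.write_text(json.dumps(db, indent=1, sort_keys=True))
    return db


def check(root, db_path):
    """Like 'aide --check': compare the live tree against the baseline."""
    old = json.loads(db_path.read_text())
    new = scan(root)
    changed = {}
    for name in old.keys() & new.keys():
        diff = [k for k in TRACKED if old[name][k] != new[name][k]]
        if diff:
            changed[name] = diff
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}


def demo():
    """Build a small fake /etc, take a baseline, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "etc")
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "motd").write_text("Authorized use only.\n")
        db = Path(tmp, "baseline.json")   # in practice keep this off-host or read-only
        init_baseline(root, db)

        # Simulated tampering: weakened sshd config, an extra uid-0 account,
        # a dropped-in preload library, and a deleted file.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        with open(root / "passwd", "a") as f:
            f.write("backdoor:x:0:0::/root:/bin/bash\n")
        (root / "ld.so.preload").write_text("/tmp/evil.so\n")
        (root / "motd").unlink()
        return check(root, db)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run from cron (for instance a hypothetical `*/5 * * * * /usr/local/sbin/fim.py check` line) this gives the same quasi-real-time coverage described above for AIDE, and it has the same two weaknesses: the baseline must be protected from the intruder, and every legitimate change requires a new baseline, otherwise the report becomes noise that nobody reads.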
9. Security Onion
Security Onion is an interesting beast that can save you a lot of time. This is not just an intrusion detection or prevention system. Security Onion is a complete Linux distribution with a focus on intrusion detection, enterprise security monitoring, and log management. It includes many tools, some of which we've just reviewed. For instance, Security Onion ships with Elasticsearch, Logstash, Kibana, Snort, Suricata, Bro (now Zeek), OSSEC, Sguil, Squert, NetworkMiner, and more. All this is bundled with an easy-to-use setup wizard, allowing you to have a sensor up and running within minutes, provided you have a machine with a monitoring interface connected to a tap or mirror port. You can think of Security Onion as the Swiss Army knife of enterprise IT security.
The most interesting thing about this tool is that you get everything in one simple install, including both network and host intrusion detection tools. There are tools that use a signature-based approach and some that are anomaly-based, and the distribution features a mix of text-based and GUI tools. There's really an excellent mix of everything. The drawback, of course, is that you get so much that configuring it all can take a while. But you don't have to use all the tools; you can pick only those you prefer.
10. Sagan
Sagan is actually more of a log analysis system than a true IDS, but it has enough IDS-like features that we thought it warranted inclusion on our list. This tool can watch the local logs of the system where it's installed, but it can also interact with other tools. It can, for instance, analyze Snort's logs, effectively adding some NIDS functionality to what is essentially a HIDS. And it doesn't just interact with Snort: it can consume Suricata's output as well, and it is compatible with rule-management tools like Oinkmaster or PulledPork.
Sagan also has script execution capabilities, making it a crude intrusion prevention system. This tool is unlikely to be your sole defense against intrusion, but it makes a great component of a system that incorporates many tools, correlating events from different sources.
Intrusion detection systems are just one of the many tools available to help network and system administrators keep their environment running securely. All the tools discussed here are excellent, but each has a slightly different purpose. The one you pick will largely depend on personal preference and specific needs.