Nowadays, basic information security at any level should include an intrusion detection system (IDS) that gathers and later analyzes intrusion data. The primary goal of IDS software is to monitor hostile activity of all kinds, whether human (hackers and crackers) or programmatic (viruses, Trojan horses). An IDS can operate on a single server or across an entire network segment.
Although the market for IDS-related software is fairly large, finding a tool that fits your specific case isn't always easy. That is why IDS software is categorized into three classes:
- Application-based intrusion detection system (AIDS). AIDS monitors specific applications (or services).
- Host-based intrusion detection system (HIDS). HIDS is a collection of software that consists of a file system auditor, log file analyzers, an operating system monitor, and a monitor for software changes. Sometimes it includes several AIDS tools as well.
- Network-based intrusion detection system (NIDS). NIDS software is used mostly for analyzing network activity: traffic and load.
In my experience, commercial solutions usually try to fold the basics of every detection class into a single product, which often ends up overpriced for many small and medium-sized businesses. On top of that, most of those functions are overkill in typical cases. For these reasons, I believe that intrusion detection software should be open source. This first article in a two-part series examines the most popular non-commercial IDS solutions.
The most popular non-commercial AIDS tools are honeypots. A honeypot is software that emulates network services so that system administrators can monitor an intruder's actions. Although not actual operating systems, honeypots mimic real running systems to serve as bait for potential attackers. The primary goal is to analyze attacks, but some honeypot products also use internal signatures for known attacks to block them automatically. Honeypots usually include tools for recording the attack attempts they observe.
The most popular honeypot software is Honeyd. You can run other IDS software (such as Snort) alongside Honeyd.
For Web applications, mod_security, an open source intrusion detection and prevention engine, is very popular AIDS software. Running as an Apache Web server module, mod_security inspects HTTP requests to protect Web applications from known and sometimes unknown attacks. The practical use of mod_security will be discussed in Part 2 of this article.
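To make the honeypot idea concrete, here is an added example (not code from the article and not part of Honeyd): a minimal Python listener that emulates one TCP service by presenting a fake banner, records the source address and whatever the client sends, and never acts on the received data. The banner text and the log line format are my own assumptions.

```python
import datetime
import socket
from dataclasses import dataclass

@dataclass
class Attempt:
    when: str        # UTC timestamp of the connection
    peer: str        # client source address
    peer_port: int   # client source port
    data: bytes      # first bytes the client sent after seeing the banner

class ServiceHoneypot:
    """Emulates one TCP service: fake banner, record what arrives, drop the connection."""

    def __init__(self, banner: bytes, host="127.0.0.1", port=0):
        self.banner = banner
        self.attempts = []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0 lets the OS pick a free port
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]

    def handle_one(self) -> Attempt:
        conn, (peer, peer_port) = self._sock.accept()
        with conn:
            conn.settimeout(2.0)
            conn.sendall(self.banner)
            try:
                data = conn.recv(256)  # recorded only, never parsed or executed
            except socket.timeout:
                data = b""
        now = datetime.datetime.now(datetime.timezone.utc).isoformat()
        attempt = Attempt(now, peer, peer_port, data)
        self.attempts.append(attempt)
        return attempt

    def serve(self, count: int) -> list:
        """Handle `count` connections in turn, then return everything recorded."""
        for _ in range(count):
            self.handle_one()
        return list(self.attempts)

    def close(self) -> None:
        self._sock.close()

def format_entry(a: Attempt) -> str:
    """One log line per attempt, the way a honeypot log would record it."""
    return f"{a.when} {a.peer}:{a.peer_port} sent {a.data!r}"
```

Run `ServiceHoneypot(b"220 mail ready\r\n", port=2525).serve(1)` and connect to port 2525 with any client to see one recorded attempt; a real deployment would write `format_entry()` output to a log for later analysis.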