NIDS are divided into three categories: port scan detectors (PSD), sniffers, and firewalls. The most typical NIDS software is the common packet filter or firewall (ipf and ipfw in FreeBSD, iptables in Linux, pf in OpenBSD, etc.), which has the option of logging to analyze the network traffic that comes through the router or a server.
PortSentry is PSD-related software designed to detect and respond to port scans against a target host in real-time. It runs on TCP and UDP sockets and works on most UNIX systems. Advanced stealth detection modes, which detect SYN, FIN, NULL, XMAS, and Oddball packet scans, are available only under the Linux OS. All modes support real-time alerting and blocking.
scanlogd also is a port scan detector from Solar Designer. It is a TCP port scan detection tool originally designed to present the various attacks with which an IDS developer has to contend. Now part of the OpenWall project, scanlogd recognizes all of the latest nmap scans.
A sniffer is software designed to listen for network traffic. The most popular are tcpdump, ethereal, and Sniffit. Although not IDS, you can parse their results and use that data to protect your system against intrusions and attacks.
Snort is the best known open source network intrusion detection system. Based on the libpcap library, it can analyze protocols as well as signatures. Using its numerous extenders, you can control firewalls to block the unwanted traffic (for example, you can use the fwsnort application, which allows you to control iptables rules in Linux). You also can interconnect Snort with the SQL Server, MySQL, or PostgreSQL and with the PHP console acid, one of the most advanced NIDS today.
Prelude is an innovative Hybrid Intrusion Detection (HID) system designed to be modular, distributed, and fast. Prelude can find traces of malicious activity from different sensors (Snort, Honeyd, Nessus Vulnerability Scanner, Samhain, over 30 types of systems logs, and many others) to better verify an attack, and it makes automatic correlations between the various events.
The Evolution of IDS
As you can see, IDS is not just a simple system to keep your servers safe. Nowadays, it has become a popular term that encompasses various kinds of systems, and every shop requires its own IDS solution.
IDS systems already are morphing into IPS (intrusion prevention systems). In today's fast-paced Internet time, people often aren't fast enough to protect themselves—even with powerful monitors and detectors. That's why certain projects are trying to enable the IDS to analyze data and also make changes in real time. As previously mentioned, Snort already has modules to communicate with firewalls.