Host-based intrusion detection system comparison

Last updated August 24, 2025

Comparison of host-based intrusion detection system components and systems.

Free and open-source software

As per the Unix philosophy a good HIDS is composed of multiple packages each focusing on a specific aspect.

Package	Last Update	Debian Official Repositories	AlmaLinux Official Repositories	openSUSE Official Repositories	File	Network	Logs	Config	Notes
OSSEC	2025	No^[1]	No^[2]	Yes^[3]	Yes	Yes	Yes	Yes
Wazuh	2025^[4]	No	No	?	Yes	Yes	Yes	Yes
Samhain	2023	Yes^[5]	No	Yes^[6]	Yes	No	Partial^[7]
Snort	2025^[8]	Yes^[9]	No^[10]	No	No	Yes	No
chkrootkit	2023	Yes^[11]	No	Yes	Yes	No	Partial^[12]
rkhunter	2018	Yes^[13]	Yes^[14]	Yes	Yes	No	No	Yes
unhide ^[15]	2012	Yes^[16]	Yes^[17]	Yes	No	No	No		proc ps compare
Sguil	2017	No	No	No	No	Yes	No
Logwatch ^[18]	2017	Yes^[19]	Yes^[20]	Yes	No	No	Yes
Logcheck ^[21]	2017	Yes^[22]	Yes^[23]	Yes	No	No	Yes
Epylog^[24]	2014	Yes^[25]	Yes^[26]	Yes	No	No	Yes
SWATCH ^[27]	2015	Yes^[28]	Yes^[29]	Yes	No	No	Yes
sagan	2021	Yes^[30]	No	No	No	No	Yes
aide	2025	Yes^[31]	Yes^[32]	Yes	Yes	No	No	yes	uses libs for routines
tripwire	2018	Yes^[33]	Yes^[34]	Yes	Yes	No	No
Tiger	2018	Yes^[35]	No	No	Yes	No	No	Yes	3/42 modules are Debian specific.

Proprietary software

Package	Year^[36]	Linux	Windows	File	Network	Logs	Config	Notes
Lacework	2018	Yes	No	Yes	Yes	Yes	Yes
Verisys	2018	Yes	Yes	Yes	Yes		Yes
Nessus	2017	Yes	Yes				Yes
Atomicorp	2019	Yes	Yes	Yes	Yes	Yes	Yes	Commercially enhanced version of OSSEC
Spartan	2021	No	Yes	Yes	Yes	Yes	Yes	Websocket API, IP to Country mapping, DynDNS Integration

References

↑ "Downloads OSSEC". OSSEC. Retrieved 2017-10-19. OSSEC for Debian Based systems
↑ "Downloads OSSEC". OSSEC. Retrieved 2017-10-29. OSSEC for RHEL/Fedora Based systems
↑ "ossec-hids". openSUSE OBS. Retrieved 2024-08-11. An Open Source Host-based Intrusion Detection System
↑ "Wazuh documentation Release notes" . Retrieved 2025-07-16.
↑ "Samhain". Ubuntu. Retrieved 2017-04-19. Samhain in the Ubuntu Repositories
↑ "Samhain". openSUSE OBS. Retrieved 2024-08-11. File integrity and host-based IDS
↑ Last
↑ "snort3/snort3 Releases" . Retrieved 2025-07-16.
↑ "Snort". Ubuntu. Retrieved 2017-04-19. Snort in the Ubuntu Repositories
↑ "Snort". Cisco Systems. Retrieved 2017-05-31. Snort in the CentOS Repositories
↑ "ChkRootkit". Ubuntu. Retrieved 2017-04-19. ChkRootkit in the Ubuntu Repositories
↑ lastlog, wtmp, utmp, wtmpx
↑ "RKHunter". Ubuntu. Retrieved 2017-04-19. RKHunter in the Ubuntu Repositories
↑ "RKHunter". Ubuntu. Retrieved 2017-04-19. RKHunter in the CentOS Repositories
↑ "unhide". debian. Retrieved 2017-04-17.unhide is notable because it's part of Debian and Fedora
↑ "UnHide". Ubuntu. Retrieved 2017-04-19. UnHide in the Ubuntu Repositories
↑ "UnHide". Ubuntu. Retrieved 2017-04-19. UnHide in the CentOS Repositories
↑ "Logwatch". debian. Retrieved 2017-04-17. Logwatch is notable because it's part of Debian and Fedora
↑ "LogWatch". Ubuntu. Retrieved 2017-04-19. LogWatch in the Ubuntu Repositories
↑ "LogWatch". Ubuntu. Retrieved 2017-04-19. LogWatch in the CentOS Repositories
↑ "Logcheck". debian. Retrieved 2017-04-17. Logcheck is notable because it's part of Debian and Fedora
↑ "Logcheck". Ubuntu. Retrieved 2017-04-19. Logcheck in the Ubuntu Repositories
↑ "Logcheck". Ubuntu. Retrieved 2017-04-19. Logcheck in the CentOS Repositories
↑ "Epylog". debian. Retrieved 2017-04-17. Epylog is notable because it's part of Debian and Fedora
↑ "Epylog". Ubuntu. Retrieved 2017-04-19. Epylog in the Ubuntu Repositories
↑ "Epylog". Ubuntu. Retrieved 2017-04-19. Epylog in the CentOS Repositories
↑ "SWATCH". debian. Retrieved 2017-04-17. SWATCH is notable because it's part of Debian and Fedora
↑ "SWATCH". Ubuntu. Retrieved 2017-04-19. SWATCH in the Ubuntu Repositories
↑ "SWATCH". Ubuntu. Retrieved 2017-04-19. SWATCH in the CentOS Repositories
↑ "Sagan". Ubuntu. Retrieved 2017-04-19. Sagan in the Ubuntu Repositories
↑ "AIDE". Ubuntu. Retrieved 2017-04-19. AIDE in the Ubuntu Repositories
↑ "AIDE". Ubuntu. Retrieved 2017-04-19. AIDE in the CentOS Repositories
↑ "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the Ubuntu Repositories
↑ "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the CentOS Repositories
↑ "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the Ubuntu Repositories
↑ Last updated

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Downloads OSSEC". OSSEC. Retrieved 2017-10-19. OSSEC for Debian Based systems

[2] "Downloads OSSEC". OSSEC. Retrieved 2017-10-29. OSSEC for RHEL/Fedora Based systems

[3] "ossec-hids". openSUSE OBS. Retrieved 2024-08-11. An Open Source Host-based Intrusion Detection System

[4] "Wazuh documentation Release notes" . Retrieved 2025-07-16.

[5] "Samhain". Ubuntu. Retrieved 2017-04-19. Samhain in the Ubuntu Repositories

[6] "Samhain". openSUSE OBS. Retrieved 2024-08-11. File integrity and host-based IDS

[7] Last

[8] "snort3/snort3 Releases" . Retrieved 2025-07-16.

[9] "Snort". Ubuntu. Retrieved 2017-04-19. Snort in the Ubuntu Repositories

[10] "Snort". Cisco Systems. Retrieved 2017-05-31. Snort in the CentOS Repositories

[11] "ChkRootkit". Ubuntu. Retrieved 2017-04-19. ChkRootkit in the Ubuntu Repositories

[12] stlog, wtmp, utmp, wtmpx

[13] "RKHunter". Ubuntu. Retrieved 2017-04-19. RKHunter in the Ubuntu Repositories

[14] "RKHunter". Ubuntu. Retrieved 2017-04-19. RKHunter in the CentOS Repositories

[15] "unhide". debian. Retrieved 2017-04-17.unhide is notable because it's part of Debian and Fedora

[16] "UnHide". Ubuntu. Retrieved 2017-04-19. UnHide in the Ubuntu Repositories

[17] "UnHide". Ubuntu. Retrieved 2017-04-19. UnHide in the CentOS Repositories

[18] "Logwatch". debian. Retrieved 2017-04-17. Logwatch is notable because it's part of Debian and Fedora

[19] "LogWatch". Ubuntu. Retrieved 2017-04-19. LogWatch in the Ubuntu Repositories

[20] "LogWatch". Ubuntu. Retrieved 2017-04-19. LogWatch in the CentOS Repositories

[Logcheck-21] "Logcheck". debian. Retrieved 2017-04-17. Logcheck is notable because it's part of Debian and Fedora

[22] "Logcheck". Ubuntu. Retrieved 2017-04-19. Logcheck in the Ubuntu Repositories

[23] "Logcheck". Ubuntu. Retrieved 2017-04-19. Logcheck in the CentOS Repositories

[24] "Epylog". debian. Retrieved 2017-04-17. Epylog is notable because it's part of Debian and Fedora

[25] "Epylog". Ubuntu. Retrieved 2017-04-19. Epylog in the Ubuntu Repositories

[26] "Epylog". Ubuntu. Retrieved 2017-04-19. Epylog in the CentOS Repositories

[27] "SWATCH". debian. Retrieved 2017-04-17. SWATCH is notable because it's part of Debian and Fedora

[28] "SWATCH". Ubuntu. Retrieved 2017-04-19. SWATCH in the Ubuntu Repositories

[29] "SWATCH". Ubuntu. Retrieved 2017-04-19. SWATCH in the CentOS Repositories

[30] "Sagan". Ubuntu. Retrieved 2017-04-19. Sagan in the Ubuntu Repositories

[31] "AIDE". Ubuntu. Retrieved 2017-04-19. AIDE in the Ubuntu Repositories

[32] "AIDE". Ubuntu. Retrieved 2017-04-19. AIDE in the CentOS Repositories

[33] "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the Ubuntu Repositories

[34] "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the CentOS Repositories

[35] "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the Ubuntu Repositories

[36] Last updated

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

Host-based intrusion detection system comparison

Contents

Free and open-source software

Proprietary software

References

External links