Host-based intrusion detection system comparison

Comparison of host-based intrusion detection system components and systems.

Free and open-source software

Following the Unix philosophy, a good HIDS is assembled from several packages, each covering one aspect: file integrity (File), network traffic (Network), log analysis (Logs) and configuration auditing (Config). The columns below record which of these aspects each package covers and whether it ships in the official Ubuntu or CentOS repositories.

Package | Updated | Ubuntu official repositories | CentOS official repositories | File | Network | Logs | Config | Notes
OSSEC | 2022 | No [1] | No [2] | Yes | Yes | Yes | Yes |
Wazuh | 2022 | No | No | Yes | Yes | Yes | Yes |
Samhain | 2021 | Yes [3] | No | Yes | No | Partial [4] | |
Snort | 2018 | Yes [5] | No [6] | No | Yes | No | |
chkrootkit | 2023 | Yes [7] | No | Yes | No | Partial [8] | |
rkhunter | 2018 | Yes [9] | Yes [10] | Yes | No | No | Yes |
unhide [11] | 2012 | Yes [12] | Yes [13] | No | No | No | | Compares /proc against ps output to find hidden processes
Sguil | 2017 | No | No | No | Yes | No | |
Logwatch [14] | 2017 | Yes [15] | Yes [16] | No | No | Yes | |
Logcheck [17] | 2017 | Yes [18] | Yes [19] | No | No | Yes | |
Epylog [20] | 2014 | Yes [21] | Yes [22] | No | No | Yes | |
SWATCH [23] | 2015 | Yes [24] | Yes [25] | No | No | Yes | |
sagan | 2021 | Yes [26] | No | No | No | Yes | |
aide | 2023 | Yes [27] | Yes [28] | Yes | No | No | |
tripwire | 2018 | Yes [29] | Yes [30] | Yes | No | No | |
Tiger | 2018 | Yes [31] | No | Yes | No | No | Yes | 3 of its 42 modules are Debian-specific.
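The "File" column above marks tools such as AIDE, Tripwire, Samhain and rkhunter that detect intrusions by comparing the filesystem against a stored baseline. The following is an added example, not code from any project in the table, showing that technique end to end: record mode, owner, size and SHA-256 per file, protect the baseline database with an HMAC, then report files that were added, removed or altered. All function names are illustrative, and the directory tree in demo() is constructed for the example.

```python
# Added example (not code from AIDE, Tripwire, Samhain or any project in the
# table): a minimal file-integrity checker showing what the "File" column means.
# All names are illustrative; the directory tree in demo() is constructed.
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes an intruder's change would alter. lstat() so symlinks are
    recorded as symlinks rather than followed to their target."""
    st = path.lstat()
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)       # retargeted link counts as a change
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()           # catches same-size content swaps
    return rec


def build_baseline(root: str) -> dict:
    """Record every file and symlink below root, keyed by relative POSIX path."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root_path).as_posix()] = file_record(p)
    return baseline


def sign_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialise deterministically and append an HMAC-SHA256 tag. Keep the key
    (or the whole database) off the monitored host or on read-only media: an
    intruder with root who can rewrite the database would otherwise simply
    re-baseline their own changes."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def load_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting the database; refuse a tampered one."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> dict:
    """Paths that appeared, vanished, or whose recorded attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in sorted(set(baseline) & set(current)):
        old, new = baseline[name], current[name]
        diff = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if diff:
            changed[name] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, simulate an intrusion, rescan."""
    key = b"demo-key-keep-this-off-host"       # constructed; use a random key in practice
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/busybox ls\n")
        (root / "bin" / "passwd").write_bytes(b"ELF-placeholder")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "motd").write_text("welcome\n")
        signed = sign_baseline(build_baseline(d), key)

        # Intruder activity: same-size trojan, setuid bit, weakened config,
        # dropped backdoor, deleted file, plus an attempt to edit the database.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /tmp/.x/evil ls\n")
        (root / "bin" / "passwd").chmod(0o4755)
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / ".rootkit").write_bytes(b"\x7fELF")
        (root / "motd").unlink()
        tampered = signed[:-1] + (b"0" if signed[-1:] != b"0" else b"1")
        try:
            load_baseline(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True

        report = compare(load_baseline(signed, key), build_baseline(d))
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The trojaned ls has the same size and permissions as the original, so only the hash exposes it; the setuid bit on passwd shows why mode is recorded alongside content. The production tools in the table add a rule language for choosing which attributes to track per path (AIDE and Samhain, for example, let you ignore mtime on log directories) and, like this example, are only as trustworthy as the protection of their baseline database.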

Proprietary software

Package | Year [32] | Linux | Windows | File | Network | Logs | Config | Notes
Lacework | 2018 | Yes | No | Yes | Yes | Yes | Yes |
Verisys | 2018 | Yes | Yes | Yes | Yes | Yes | |
Nessus | 2017 | Yes | Yes | Yes | | | |
Atomicorp | 2019 | Yes | Yes | Yes | Yes | Yes | Yes | Commercially enhanced version of OSSEC
Spartan | 2021 | No | Yes | Yes | Yes | Yes | Yes | WebSocket API, IP-to-country mapping, DynDNS integration

References

  1. "Downloads OSSEC". OSSEC. Retrieved 2017-10-19. OSSEC for Debian Based systems
  2. "Downloads OSSEC". OSSEC. Retrieved 2017-10-29. OSSEC for RHEL/Fedora Based systems
  3. "Samhain". Ubuntu. Retrieved 2017-04-19. Samhain in the Ubuntu Repositories
  4. Last
  5. "Snort". Ubuntu. Retrieved 2017-04-19. Snort in the Ubuntu Repositories
  6. "Snort". Cisco Systems. Retrieved 2017-05-31. Snort in the CentOS Repositories
  7. "ChkRootkit". Ubuntu. Retrieved 2017-04-19. ChkRootkit in the Ubuntu Repositories
  8. lastlog, wtmp, utmp, wtmpx
  9. "RKHunter". Ubuntu. Retrieved 2017-04-19. RKHunter in the Ubuntu Repositories
  10. "RKHunter". Ubuntu. Retrieved 2017-04-19. RKHunter in the CentOS Repositories
  11. "unhide". Debian. Retrieved 2017-04-17. unhide is notable because it is part of Debian and Fedora
  12. "UnHide". Ubuntu. Retrieved 2017-04-19. UnHide in the Ubuntu Repositories
  13. "UnHide". Ubuntu. Retrieved 2017-04-19. UnHide in the CentOS Repositories
  14. "Logwatch". Debian. Retrieved 2017-04-17. Logwatch is notable because it is part of Debian and Fedora
  15. "LogWatch". Ubuntu. Retrieved 2017-04-19. LogWatch in the Ubuntu Repositories
  16. "LogWatch". Ubuntu. Retrieved 2017-04-19. LogWatch in the CentOS Repositories
  17. "Logcheck". Debian. Retrieved 2017-04-17. Logcheck is notable because it is part of Debian and Fedora
  18. "Logcheck". Ubuntu. Retrieved 2017-04-19. Logcheck in the Ubuntu Repositories
  19. "Logcheck". Ubuntu. Retrieved 2017-04-19. Logcheck in the CentOS Repositories
  20. "Epylog". Debian. Retrieved 2017-04-17. Epylog is notable because it is part of Debian and Fedora
  21. "Epylog". Ubuntu. Retrieved 2017-04-19. Epylog in the Ubuntu Repositories
  22. "Epylog". Ubuntu. Retrieved 2017-04-19. Epylog in the CentOS Repositories
  23. "SWATCH". Debian. Retrieved 2017-04-17. SWATCH is notable because it is part of Debian and Fedora
  24. "SWATCH". Ubuntu. Retrieved 2017-04-19. SWATCH in the Ubuntu Repositories
  25. "SWATCH". Ubuntu. Retrieved 2017-04-19. SWATCH in the CentOS Repositories
  26. "Sagan". Ubuntu. Retrieved 2017-04-19. Sagan in the Ubuntu Repositories
  27. "AIDE". Ubuntu. Retrieved 2017-04-19. AIDE in the Ubuntu Repositories
  28. "AIDE". Ubuntu. Retrieved 2017-04-19. AIDE in the CentOS Repositories
  29. "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the Ubuntu Repositories
  30. "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the CentOS Repositories
  31. "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the Ubuntu Repositories
  32. Year of the product's last update