Comparison of host-based intrusion detection system components and systems.
In keeping with the Unix philosophy, a good HIDS is composed of multiple packages, each focusing on a specific aspect.

Package | Last Update | Debian Official Repositories | AlmaLinux Official Repositories | openSUSE Official Repositories | File | Network | Logs | Config | Notes |
---|---|---|---|---|---|---|---|---|---|
OSSEC | 2025 | No [1] | No [2] | Yes [3] | Yes | Yes | Yes | Yes | |
Wazuh | 2025 [4] | No | No | ? | Yes | Yes | Yes | Yes | |
Samhain | 2023 | Yes [5] | No | Yes [6] | Yes | No | Partial [7] | | |
Snort | 2025 [8] | Yes [9] | No [10] | No | No | Yes | No | | |
chkrootkit | 2023 | Yes [11] | No | Yes | Yes | No | Partial [12] | | |
rkhunter | 2018 | Yes [13] | Yes [14] | Yes | Yes | No | No | Yes | |
unhide [15] | 2012 | Yes [16] | Yes [17] | Yes | No | No | No | proc ps compare | |
Sguil | 2017 | No | No | No | No | Yes | No | | |
Logwatch [18] | 2017 | Yes [19] | Yes [20] | Yes | No | No | Yes | | |
Logcheck [21] | 2017 | Yes [22] | Yes [23] | Yes | No | No | Yes | | |
Epylog [24] | 2014 | Yes [25] | Yes [26] | Yes | No | No | Yes | | |
SWATCH [27] | 2015 | Yes [28] | Yes [29] | Yes | No | No | Yes | | |
sagan | 2021 | Yes [30] | No | No | No | No | Yes | | |
aide | 2025 | Yes [31] | Yes [32] | Yes | Yes | No | No | Yes | uses libs for routines |
tripwire | 2018 | Yes [33] | Yes [34] | Yes | Yes | No | No | | |
Tiger | 2018 | Yes [35] | No | No | Yes | No | No | Yes | 3/42 modules are Debian specific. |

Package | Year [36] | Linux | Windows | File | Network | Logs | Config | Notes |
---|---|---|---|---|---|---|---|---|
Lacework | 2018 | Yes | No | Yes | Yes | Yes | Yes | |
Verisys | 2018 | Yes | Yes | Yes | Yes | Yes | | |
Nessus | 2017 | Yes | Yes | Yes | | | | |
Atomicorp | 2019 | Yes | Yes | Yes | Yes | Yes | Yes | Commercially enhanced version of OSSEC |
Spartan | 2021 | No | Yes | Yes | Yes | Yes | Yes | Websocket API, IP to Country mapping, DynDNS Integration |