Host-based intrusion detection system comparison

A comparison of host-based intrusion detection system (HIDS) components and complete systems.

Free and open-source software

In keeping with the Unix philosophy, a good HIDS is composed of multiple packages, each focusing on one aspect of the host: file integrity, network activity, log analysis, or configuration auditing. The columns File, Network, Logs and Config in the tables below record which of these aspects each package covers.
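The file-integrity component (the File column of the table below, the job of aide, tripwire and Samhain) records a hash and the ownership and permission metadata of every monitored path, then re-walks the tree and diffs the result against that baseline. The Python below is an added example of that technique, not code from any of the listed projects; the directory layout, file contents and key are constructed for the demonstration. It also shows the caveat a practitioner cares about: the baseline database itself must be protected, because an attacker with root can rewrite it to match the modified files, so here it is sealed with an HMAC under a key assumed to live off the monitored host (Tripwire signs its database for the same reason).

```python
"""File-integrity baseline and check of the kind AIDE, Tripwire and Samhain
perform. Added example, not any of those projects' code: records a hash plus
the metadata a rootkit typically alters, diffs a fresh walk against the
baseline, and seals the baseline with an HMAC so a tampered baseline is
rejected instead of trusted."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from typing import Dict, List

Record = Dict[str, object]


def file_record(path: str) -> Record:
    """Hash plus metadata for one path. lstat so symlinks are recorded as
    links (target included) rather than followed."""
    st = os.lstat(path)
    rec: Record = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid,
                   "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root: str) -> Dict[str, Record]:
    """Walk root (without following symlinked dirs) and record every entry,
    directories included, keyed by path relative to root."""
    base: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            base[os.path.relpath(full, root)] = file_record(full)
    return base


def diff_baseline(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Added, removed and changed paths between two baselines. Any differing
    field (hash, mode, owner, size, mtime, link target) counts as a change."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p])}


def seal(baseline: Dict[str, Record], key: bytes) -> bytes:
    """Serialise the baseline and attach an HMAC-SHA256 tag over it."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"mac": tag, "body": body}).encode()


def open_sealed(blob: bytes, key: bytes) -> Dict[str, Record]:
    """Verify the tag before trusting the stored baseline."""
    doc = json.loads(blob)
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("baseline MAC mismatch: database was modified")
    return json.loads(doc["body"])


def demo() -> Dict[str, object]:
    """Build a baseline over a constructed tree, simulate an intrusion, and
    show both the diff and the rejection of a rewritten baseline."""
    key = b"example-key-assumed-to-be-stored-off-host"   # constructed for the demo
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")
        blob = seal(build_baseline(root), key)

        # Simulated intrusion: trojaned binary of identical size, new SUID helper.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary\n")
        with open(os.path.join(root, "bin", "helper"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(os.path.join(root, "bin", "helper"), 0o4755)
        result: Dict[str, object] = diff_baseline(open_sealed(blob, key), build_baseline(root))

        # Attacker rewrites the stored baseline to match the new tree: MAC fails.
        tampered = json.loads(blob)
        tampered["body"] = json.dumps(build_baseline(root), sort_keys=True)
        try:
            open_sealed(json.dumps(tampered).encode(), key)
            result["tamper_detected"] = False
        except ValueError:
            result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The trojaned binary is the same size as the original, so only the hash catches it; mode, owner and mtime are still recorded because a rootkit that patches a file in place and restores its timestamp is common, and because an added SUID bit on an otherwise unchanged file is itself a finding.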

Package | Updated | Ubuntu official repositories | CentOS official repositories | openSUSE official repositories | File | Network | Logs | Config | Notes
OSSEC | 2022 | [1] | [2] | [3] | | | | |
Wazuh | 2022 | ? | | | | | | |
Samhain | 2021 | [4] | | [5] | [6] | | | |
Snort | 2018 | [7] | [8] | | | | | |
chkrootkit | 2023 | [9] | | | | | [10] | |
rkhunter | 2018 | [11] | [12] | | | | | |
unhide[13] | 2012 | [14] | [15] | | | | | | proc ps compare
Sguil | 2017 | | | | | | | |
Logwatch[16] | 2017 | [17] | [18] | | | | | |
Logcheck[19] | 2017 | [20] | [21] | | | | | |
Epylog[22] | 2014 | [23] | [24] | | | | | |
SWATCH[25] | 2015 | [26] | [27] | | | | | |
sagan | 2021 | [28] | | | | | | |
aide | 2023 | [29] | [30] | | | | | |
tripwire | 2018 | [31] | [32] | | | | | |
Tiger | 2018 | [33] | | | | | | | 3 of 42 modules are Debian-specific.
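The note "proc ps compare" in the unhide row is the core of how unhide finds hidden processes: PIDs are enumerated through /proc, through ps, and by probing the kernel directly with kill(pid, 0), and any PID that one view has and another lacks is suspect. The Python below is an added example of that technique, not unhide's own code (unhide is written in C), and it adds two checks the bare comparison needs: thread IDs are excluded, because kill(tid, 0) succeeds for a thread and every multi-threaded process would otherwise look hidden, and the comparison is run twice so that processes which merely started or exited between scans are discarded. It assumes Linux with /proc mounted and a ps that accepts -e -o pid=; the comparison functions themselves are pure and run anywhere.

```python
"""Hidden-process check in the spirit of unhide's proc / ps / brute tests.
Added example (not unhide's own code): enumerate PIDs three ways and report
the PIDs that one view knows about but another does not."""
import os
import subprocess
from typing import Dict, FrozenSet, List, Set


def pids_from_proc() -> Set[int]:
    """PIDs visible as numeric directories in /proc (what readdir returns)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def tids_from_proc(pids: Set[int]) -> Set[int]:
    """Thread IDs under /proc/<pid>/task. kill(tid, 0) succeeds for a TID,
    so these must be known or every multi-threaded process looks hidden."""
    tids: Set[int] = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except (FileNotFoundError, PermissionError):
            continue  # process exited meanwhile, or task dir not readable
    return tids


def pids_from_ps() -> Set[int]:
    """PIDs printed by ps. ps reads /proc itself, so a rootkit that filters
    /proc readdir hides from this view too; the brute view is the cross-check.
    A PID missing only here points at a hooked ps binary or libc instead."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pids_from_brute(pid_max: int) -> Set[int]:
    """PIDs that answer to kill(pid, 0) without touching /proc. ESRCH means
    no such process; EPERM means it exists but is not ours, so count it."""
    alive: Set[int] = set()
    for pid in range(1, pid_max):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def compare_views(proc: Set[int], ps: Set[int], brute: Set[int],
                  threads: FrozenSet[int] = frozenset()) -> Dict[int, List[str]]:
    """Pure comparison: {pid: [views that did NOT see it]} for every PID that
    some view saw and another missed. Known thread IDs are removed from the
    brute view first because they are not processes."""
    views = {"proc": proc, "ps": ps, "brute": brute - threads}
    report: Dict[int, List[str]] = {}
    for pid in sorted(set().union(*views.values())):
        missing = [name for name, seen in views.items() if pid not in seen]
        if missing:
            report[pid] = missing
    return report


def confirm(first: Dict[int, List[str]], second: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Keep only findings that are identical across two independent scans;
    a process that started or exited between the views of one scan will not
    be missing from the same views again in the next."""
    return {pid: missing for pid, missing in first.items() if second.get(pid) == missing}


def scan(pid_max: int) -> Dict[int, List[str]]:
    proc = pids_from_proc()
    return compare_views(proc, pids_from_ps(), pids_from_brute(pid_max),
                         frozenset(tids_from_proc(proc)))


def main() -> None:
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    report = confirm(scan(pid_max), scan(pid_max))
    if not report:
        print("no hidden processes found")
    for pid, missing in report.items():
        print(f"pid {pid}: not seen by {', '.join(missing)}")


if __name__ == "__main__":
    main()
```

Run it as root so the brute view is not limited by EPERM on other users' processes. A PID reported as missing from proc and ps but alive to kill() is the classic signature of a rootkit that filters /proc readdir; a PID missing only from ps indicates the ps binary or the libc it loads has been tampered with.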

Proprietary software

Package | Year[34] | Linux | Windows | File | Network | Logs | Config | Notes
Lacework | 2018 | | | | | | |
Verisys | 2018 | | | | | | |
Nessus | 2017 | | | | | | |
Atomicorp | 2019 | | | | | | | Commercially enhanced version of OSSEC
Spartan | 2021 | | | | | | | WebSocket API, IP-to-country mapping, DynDNS integration

References

  1. "Downloads". OSSEC. Retrieved 2017-10-19. OSSEC for Debian-based systems.
  2. "Downloads". OSSEC. Retrieved 2017-10-29. OSSEC for RHEL/Fedora-based systems.
  3. "ossec-hids". openSUSE OBS. Retrieved 2024-08-11. An open source host-based intrusion detection system.
  4. "Samhain". Ubuntu. Retrieved 2017-04-19. Samhain in the Ubuntu repositories.
  5. "Samhain". openSUSE OBS. Retrieved 2024-08-11. File integrity and host-based IDS.
  6. Last
  7. "Snort". Ubuntu. Retrieved 2017-04-19. Snort in the Ubuntu repositories.
  8. "Snort". Cisco Systems. Retrieved 2017-05-31. Snort in the CentOS repositories.
  9. "ChkRootkit". Ubuntu. Retrieved 2017-04-19. ChkRootkit in the Ubuntu repositories.
  10. lastlog, wtmp, utmp, wtmpx
  11. "RKHunter". Ubuntu. Retrieved 2017-04-19. RKHunter in the Ubuntu repositories.
  12. "RKHunter". Ubuntu. Retrieved 2017-04-19. RKHunter in the CentOS repositories.
  13. "unhide". Debian. Retrieved 2017-04-17. unhide is notable because it is part of Debian and Fedora.
  14. "UnHide". Ubuntu. Retrieved 2017-04-19. UnHide in the Ubuntu repositories.
  15. "UnHide". Ubuntu. Retrieved 2017-04-19. UnHide in the CentOS repositories.
  16. "Logwatch". Debian. Retrieved 2017-04-17. Logwatch is notable because it is part of Debian and Fedora.
  17. "LogWatch". Ubuntu. Retrieved 2017-04-19. LogWatch in the Ubuntu repositories.
  18. "LogWatch". Ubuntu. Retrieved 2017-04-19. LogWatch in the CentOS repositories.
  19. "Logcheck". Debian. Retrieved 2017-04-17. Logcheck is notable because it is part of Debian and Fedora.
  20. "Logcheck". Ubuntu. Retrieved 2017-04-19. Logcheck in the Ubuntu repositories.
  21. "Logcheck". Ubuntu. Retrieved 2017-04-19. Logcheck in the CentOS repositories.
  22. "Epylog". Debian. Retrieved 2017-04-17. Epylog is notable because it is part of Debian and Fedora.
  23. "Epylog". Ubuntu. Retrieved 2017-04-19. Epylog in the Ubuntu repositories.
  24. "Epylog". Ubuntu. Retrieved 2017-04-19. Epylog in the CentOS repositories.
  25. "SWATCH". Debian. Retrieved 2017-04-17. SWATCH is notable because it is part of Debian and Fedora.
  26. "SWATCH". Ubuntu. Retrieved 2017-04-19. SWATCH in the Ubuntu repositories.
  27. "SWATCH". Ubuntu. Retrieved 2017-04-19. SWATCH in the CentOS repositories.
  28. "Sagan". Ubuntu. Retrieved 2017-04-19. Sagan in the Ubuntu repositories.
  29. "AIDE". Ubuntu. Retrieved 2017-04-19. AIDE in the Ubuntu repositories.
  30. "AIDE". Ubuntu. Retrieved 2017-04-19. AIDE in the CentOS repositories.
  31. "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the Ubuntu repositories.
  32. "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the CentOS repositories.
  33. "Tripwire". Ubuntu. Retrieved 2017-04-19. Tripwire in the Ubuntu repositories.
  34. Last updated
