Hex dump of Gibe-F worm.

Intrusion Detection Tools

Intrusion Detection on Hosts and Networks

Assuming you got your system into a reasonable state, you would like to keep it there. Or, at least you would like to know if it is changed!

SIEM or Security Information Event Management is the current buzzword in the field.

File System Change Detection

Tripwire is the best-known solution. They also offer products to check router configurations and modules used by a web server to detect unwanted content change and serve out a "Temporarily unavailable" page in its place.

AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire, included in many Linux distributions.

Osiris and Samhain are alternatives to AIDE.
Osiris Samhain

Host Intrusion Detection Systems

SNARE - System iNtrusion Analysis & Reporting Environment provides host-based intrusion detection for Linux, Solaris, and Windows including graphical configuration, monitoring, and reporting tools.
SNARE Snare Agents for Linux, Solaris, OS X, Windows

Network Intrusion Detection

Note carefully that most "network intrustion detection" system really detect an attack and not an intrusion. Still possibly useful, just make sure you understand what a tool really does.

Also be somewhat skeptical of the real need for NID. If you are running BSD, do you really care that someone on the other side of the planet is trying to exploit a risk only found on Microsoft SQL Server? Is it appropriate to waste your time being "warned" about this complete non-risk? Aggressive NID can be a denial-of-service attack against yourself!

Snort is a great tool that detects and diagnoses scans, probes, and attempted attacks.

There are many tools to automatically analyze audit trails for suspicious events. Splunk and Hewlett-Packard's ArcSight are the big names in the field.

Also see Purdue's CERIAS group for current research in this challenging area.