Intrusion Detection on Hosts and Networks
Assuming you got your system into a reasonable state, you would like to keep it there. Or, at least you would like to know if it is changed!
SIEM or Security Information Event Management is the current buzzword in the field.
File System Change Detection
is the best-known solution.
They also offer products to check router configurations
and modules used by a web server to detect unwanted
content change and serve out a "Temporarily unavailable"
page in its place.
(Advanced Intrusion Detection Environment)
is a free replacement for Tripwire, included in
many Linux distributions.
are alternatives to AIDE.
If you need an enterprise-grade system to scan, assess, and manage a mixture of Windows, Linux, and Mac systems, check out the ManageEngine Vulnerability Manager Plus system. It does vulnerability assessment, web server hardening, and ties into your patch and configuration management systems. Large organizations need something like this to meet their compliance requirements.
Host Intrusion Detection Systems
OSSEC is a free open-source IDS.
There are agents for Linux, BSD, OS X, Windows, and Solaris.
It does log analysis, integrity checking, Windows registry
monitoring, and rootkit detection.
A central data collector and analyzer provides a web
It supports active response, making it a HIPS or
Host-based Intrusion Prevention System.
Wazuh is a fork of the OSSEC project.
Falco is a free open-source IDS
Sysdig | Falco
SNARE - System iNtrusion Analysis &
provides host-based intrusion detection for
Linux, Solaris, and Windows including graphical configuration,
monitoring, and reporting tools.
SNARE Snare Agents for Linux, Solaris, OS X, Windows
Network Intrusion Detection
Note carefully that most "network intrustion detection" system really detect an attack and not an intrusion. Still possibly useful, just make sure you understand what a tool really does.
Also be somewhat skeptical of the real need for NID. If you are running BSD, do you really care that someone on the other side of the planet is trying to exploit a risk only found on Microsoft SQL Server? Is it appropriate to waste your time being "warned" about this complete non-risk? Aggressive NID can be a denial-of-service attack against yourself!
is a free Linux distribution with several network IDS tools
plus Wazuh (see above) and other host IDS,
testing, and analysis tools.
Snort is a great tool that detects and diagnoses scans, probes, and attempted attacks.
There are many tools to automatically analyze audit trails for suspicious events. Splunk, Hewlett-Packard's ArcSight, and IBM's QRadar are the big names in the field.
Also see Purdue's CERIAS group for current research in this challenging area.