Intrusion Detection Systems

One helpful tool for discovering attacks is an Intrusion Detection System (IDS). Broadly, there are two types of IDS: Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS). The former monitors network traffic for signs of well-known attacks; the latter detects manipulations on a host.

A NIDS basically consists of a management console and one or more sensors. The sensors are placed at choke points on the network to monitor and evaluate the passing traffic. Since the traffic is usually checked against a reference database of known attack signatures, this database needs to be updated regularly. Two popular open-source IDS solutions are Prelude-IDS and Snort.

HIDS are divided into two categories: scanners and checksum-verifying tools. The former, like chkrootkit, check for signs of known rootkits. If a system is suspected of being hacked, running such a scanner is a good idea. Because scanners can only look for what is in their reference data, they cannot detect rootkits that are not yet known.

In addition to scanners, you can also use checksum-verifying tools such as AIDE, Samhain, or Osiris. Such tools calculate and store checksums and other metadata about all the files specified in their configuration. If a system is suspected of being hacked, these tools can reveal modifications to the system by comparing the stored values with freshly calculated ones.

Because of that operating mode, these tools need to be configured and used proactively: a baseline must exist before the compromise. Configuration and maintenance of such tools is not trivial, because in-depth insight into the system is needed to set them up properly (which files legitimately change, and how often). The database must also be updated regularly to stay useful, and it should be stored on read-only media. If an attacker is able to modify the database, these tools are useless.
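As an added example (not from the article and not the code of AIDE, Samhain or Osiris), a minimal checksum-verifying checker in Python: it records the SHA-256 digest, size and permission bits of a set of files, stores that baseline as JSON, and reports every deviation on the next run. The two fake "binaries" and the tampering are constructed in a temporary directory; in real use the baseline would be written to read-only media, as the text requires.

```python
import hashlib
import json
import os
import stat
import tempfile

def snapshot(paths):
    """Record SHA-256 digest, size and permission bits for each file."""
    db = {}
    for p in paths:
        st = os.lstat(p)
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        db[p] = {"sha256": digest, "size": st.st_size,
                 "mode": stat.S_IMODE(st.st_mode)}
    return db

def compare(baseline, current):
    """Return (path, reason) pairs for every deviation from the baseline."""
    findings = []
    for p, old in baseline.items():
        new = current.get(p)
        if new is None:
            findings.append((p, "missing"))
            continue
        findings.extend((p, key + " changed") for key in ("sha256", "size", "mode")
                        if old[key] != new[key])
    findings.extend((p, "added") for p in current if p not in baseline)
    return findings

def demo():
    """Constructed scenario: baseline two fake binaries, alter them, re-check."""
    tmp = tempfile.mkdtemp()
    ls, ps = (os.path.join(tmp, n) for n in ("ls", "ps"))
    for p in (ls, ps):
        with open(p, "wb") as f:
            f.write(b"original contents of " + os.path.basename(p).encode())
        os.chmod(p, 0o755)
    db_path = os.path.join(tmp, "baseline.json")  # in practice: read-only media
    with open(db_path, "w") as f:
        json.dump(snapshot([ls, ps]), f)
    # Constructed tampering: ps rewritten with same-length content (a size-only check would miss it); ls made world-writable.
    with open(ps, "wb") as f:
        f.write(b"tampered contents of ps")
    os.chmod(ls, 0o777)
    with open(db_path) as f:
        baseline = json.load(f)
    return compare(baseline, snapshot([ls, ps]))

if __name__ == "__main__":
    print(demo())  # expected: ls -> "mode changed", ps -> "sha256 changed"
```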


A rootkit is a set of software tools intended to conceal running processes, files, or system data. Attackers install rootkits to maintain access to a system without being discovered. Usually rootkits either replace or modify commands like ps, ls, or netstat to hide themselves, or they install a kernel module that alters the operating system's behaviour.
