Summary


After reading this chapter, you should be comfortable with the concepts behind both host- and network-based intrusion detection systems. The tools presented here are all part of the SLES environment. Deploying them can vastly improve your chances of detecting unwelcome visitors.

The tools presented here are an essential part of a proper HIDS and NIDS environment. On the host intrusion side, you saw tools that detect whether the content of the filesystem has changed by comparing it against a trusted baseline. You also saw tools that detect and log port scans directed at your systems.
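The host-side check described above, reduced to its core: record a cryptographic hash of every file under a directory once, on a system you trust, and later compare the live filesystem against that record. This is an added example written for this summary, not code from the book or from any of the SLES tools it covers. It assumes GNU find, sort, xargs and sha256sum are available, that file paths contain no spaces or newlines, and that the same directory argument is used for the baseline and the check.

```shell
#!/bin/sh
# Minimal file-integrity baseline and check (added example, not from the book).
# Assumptions: GNU coreutils/findutils; paths without spaces or newlines.

# fim_baseline DIR BASELINE
# Hash every regular file under DIR, sorted by path, into BASELINE.
# Store BASELINE off-host or on read-only media: an intruder who can
# rewrite it can hide every change.
fim_baseline() {
    dir=$1; baseline=$2
    find "$dir" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$baseline"
}

# fim_check DIR BASELINE
# Print one line per deviation: "MODIFIED path", "ADDED path" or "REMOVED path".
# Returns 0 when the tree matches the baseline, 1 when it does not, 2 on error.
fim_check() {
    dir=$1; baseline=$2
    current=$(mktemp) || return 2
    find "$dir" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$current"
    # sha256sum lines are "<hash>  <path>", so $1 is the hash and $2 the path.
    # Compare on FILENAME rather than NR==FNR so an empty baseline still works.
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            if (!($2 in base))        print "ADDED " $2
            else if (base[$2] != $1)  print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$baseline" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage against a constructed sample tree (not a real system):
#   fim_baseline /etc /root/etc.sha256      # once, on a trusted system
#   fim_check    /etc /root/etc.sha256      # from cron; non-zero exit means drift
```

The check reports three kinds of drift because an intruder rarely only edits files: a replaced binary shows up as MODIFIED, a planted `ld.so.preload` or SUID helper as ADDED, and a removed log or lock file as REMOVED. Exclude directories that legitimately churn (spool, log and temp trees) from the baseline rather than from the check, or the report becomes the kind of noise the tuning discussion later in this chapter warns about.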

On the network side, you looked at tools such as Snort and ACID and how you can use them to raise alerts when suspicious traffic is detected. You can watch for abnormal network loads using tools such as MRTG and Cacti. Such traffic can alert you to machines that might be compromised or at the very least are behaving in an unexpected fashion.

All these tools participate together in protecting your environment and contribute to a robust, layered defense against attacks.

The most difficult part of intrusion detection is fine-tuning the various solutions. An improperly tuned environment generates a large number of false positives, and genuine alerts are then lost in the noise or ignored by operators who have learned to distrust the system. Conversely, a solution that has been overtuned, with too many signatures disabled or too many sources suppressed, becomes blind to whole families of attack.

Patience, vigilance, and a good knowledge of what is supposed to be present on your network infrastructure are the key factors to a successful implementation.



    SUSE LINUX Enterprise Server 9 Administrator's Handbook
    ISBN: 067232735X
    Year: 2003
    Pages: 134
