An integrity monitor watches key system structures for change. For example, a basic integrity monitor uses system files or registry keys as "bait" to track changes by an intruder. Although limited, integrity monitors can add a layer of protection to other forms of intrusion detection.
The most popular integrity monitor is Tripwire (http://www.tripwire.com). Tripwire is available both for Windows and Unix, and can monitor a number of attributes, including the following:
Tripwire can be customized to your network's individual characteristics. In fact, you can use Tripwire to monitor any change to your system. Thus, it can be a powerful tool in your IDS arsenal.
Like traditional hex-signature virus scanners, the majority of IDSs attempt to detect attacks based on a database of known attack signatures. When a hacker attempts a known exploit, the IDS attempts to match the exploit against its database. For example, Snort (http://www.snort.org) is a freeware signature-based IDS that runs on both Unix and Windows.
Because it is open source, Snort has the potential to grow its signature database faster than any proprietary tool. Snort consists of a packet decoder, a detection engine, and a logging and alerting subsystem. Snort is a stateful IDS, which means that it can reassemble and track fragmented TCP attacks.
A classic example of a signature that IDSs detect involves CGI scripts. A hacker's exploit scanning tools usually include a CGI scanner that probes the target Web server for known CGI bugs. For example, the well-known phf exploit enabled an attacker to return any file instead of the proper HTML. To detect a phf attack, a network IDS scanner would search packets for part of the following string:
Anomaly detection involves establishing a baseline of normal system or network activity, and then sounding an alert when a deviation occurs. Because network traffic is constantly changing, such a design lends itself more to host-based IDSs, rather than network IDSs. As you will see later in the chapter, anomaly detection provides high sensitivity, but low specificity. We will discuss where such a tool would be most useful.