Intrusion detection system

What is a network intrusion detection system?
Intrusion detection systems help prevent intruders (a.k.a. hackers/crackers) from breaking into computer systems to steal or vandalize data. These systems can be categorized in the following ways:

Network intrusion detection systems (NIDS) monitor packets on the network wire and attempt to discover whether a hacker/cracker is trying to break into a system (or cause a denial-of-service attack). A typical example is a system that watches for large numbers of TCP connection requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCP port scan. A NIDS may run either on the target machine watching its own traffic (usually integrated with the stack and services themselves), or on an independent machine promiscuously watching all network traffic (hub, router, probe). A 'network' IDS monitors many machines, whereas the others monitor only the ones on which they are installed.
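
The port-scan check described above, sketched as an added example that is not part of the original page. The packet record layout, the 10-second window and the 15-port threshold are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the page): alert when one source sends bare SYNs
# to at least PORT_THRESHOLD distinct ports on one target within WINDOW seconds.
WINDOW = 10.0
PORT_THRESHOLD = 15

def detect_port_scans(packets, window=WINDOW, threshold=PORT_THRESHOLD):
    """Return one (time, src, dst, distinct_ports) alert per scanning src/dst pair.

    packets: (timestamp, src_ip, dst_ip, dst_port, tcp_flags) tuples ordered by
    timestamp, as a sensor watching the wire would deliver them.
    """
    recent = defaultdict(deque)          # (src, dst) -> deque of (timestamp, port)
    alerted, alerts = set(), []
    for ts, src, dst, dport, flags in packets:
        if "S" not in flags or "A" in flags:
            continue                     # count connection requests only, not SYN/ACK
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while ts - q[0][0] > window:     # drop SYNs older than the sliding window
            q.popleft()
        ports = {port for _, port in q}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)             # one alert per pair, not one per packet
            alerts.append((ts, src, dst, len(ports)))
    return alerts

def sample_traffic():
    """Constructed sample traffic using documentation address ranges."""
    target, pkts = "192.0.2.10", []
    for i in range(20):
        t = 100.0 + i * 0.1
        # Many different ports on one target in two seconds.
        pkts.append((t, "198.51.100.7", target, 20 + i, "S"))
        # The target's SYN/ACK replies must not be counted as requests.
        pkts.append((t + 0.05, target, "198.51.100.7", 40000 + i, "SA"))
        # Low-rate source: 20 ports, but only one every 5 seconds.
        pkts.append((100.0 + i * 5.0, "203.0.113.9", target, 1000 + i, "S"))
    for i in range(30):
        # Busy but ordinary client: every SYN goes to port 80.
        pkts.append((100.0 + i * 0.1, "203.0.113.5", target, 80, "S"))
    return sorted(pkts)

if __name__ == "__main__":
    for alert in detect_port_scans(sample_traffic()):
        print("possible TCP port scan: t=%.1f %s -> %s (%d ports)" % alert)
```

Counting distinct ports rather than raw SYNs keeps the busy web client from alerting. The low-rate source is only reported when the window is widened, which is the tuning trade-off between coverage and state kept per source.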

System integrity verifiers (SIV) monitor system files to discover when an intruder changes them (thereby leaving behind a back-door). The most famous of such systems is Tripwire. An SIV may watch other components, such as the Windows registry and cron configuration, in order to find well-known signatures. It may also detect when a user acquires root/administrator-level privileges. Many existing products in this area should be considered tools rather than complete systems: Tripwire, for example, detects changes in critical system components, but doesn't generate real-time alerts upon an intrusion.

Log file monitors (LFM) monitor log files generated by network services. In a similar manner to NIDS, these systems look for patterns in the log files that suggest an intruder is attacking. A typical example would be a parser for HTTP server log files looking for intruders who try well-known security holes, such as the 'phf' attack.

 

For further information please contact our sales department.