Host-based intrusion detection system comparison

Comparison of host-based intrusion detection system components and systems.

[[Free and open-source software]]

As per the Unix philosophy a good HIDS is composed of multiple packages each focusing on a specific aspect.

class="wikitable sortable"
Package ! Updated ! Ubuntu Official Repositories ! CentOS Official Repositories ! openSUSE Official Repositories ! File ! Network ! Logs ! Config ! Notes
OSSEC \| 2025 \| {{no}}{{cite web \|url=https://ossec.github.io/downloads.html#apt-automated-installation-on-ubuntu-and-debian \|title=Downloads OSSEC\|publisher=OSSEC\|accessdate=2017-10-19 }} OSSEC for Debian Based systems \| {{no}}{{cite web \|url=https://ossec.github.io/downloads.html#rhel-centos-fedora-and-others \|title=Downloads OSSEC\|publisher=OSSEC\|accessdate=2017-10-29 }} OSSEC for RHEL/Fedora Based systems \| {{yes}}{{cite web \|url=https://software.opensuse.org/package/ossec-hids \|title=ossec-hids\|publisher=openSUSE OBS\|accessdate=2024-08-11 }} An Open Source Host-based Intrusion Detection System \| {{yes}} \| {{yes}} \| {{yes}} \| {{yes}} \|
Wazuh \|2022 \| {{no}} \| {{no}} \| ? \| {{yes}} \| {{yes}} \| {{yes}} \| {{yes}} \|
Samhain \| 2023 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=samhain \|title=Samhain \|publisher=Ubuntu \|accessdate=2017-04-19 }} Samhain in the Ubuntu Repositories \| {{no}} \| {{yes}}{{cite web \|url=https://software.opensuse.org/package/samhain?search_term=Samhain \|title=Samhain \|publisher=openSUSE OBS\|accessdate=2024-08-11 }} File integrity and host-based IDS \| {{yes}} \| {{no}} \| {{partial}}Last \| \|
Snort \| 2021 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=snort \|title=Snort \|publisher=Ubuntu \|accessdate=2017-04-19 }} Snort in the Ubuntu Repositories \| {{no}}{{cite web \|url=https://pkgs.org/download/snort \|title=Snort \|publisher=Cisco Systems \|accessdate=2017-05-31 }} Snort in the CentOS Repositories \| {{no}} \| {{no}} \| {{yes}} \| {{no}} \| \|
chkrootkit \| 2023 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=chkrootkit \|title=ChkRootkit \|publisher=Ubuntu \|accessdate=2017-04-19 }} ChkRootkit in the Ubuntu Repositories \| {{no}} \| {{yes}} \| {{yes}} \| {{no}} \| {{partial}}lastlog, wtmp, utmp, wtmpx \| \|
rkhunter \| 2018 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=rkhunter \|title=RKHunter \|publisher=Ubuntu \|accessdate=2017-04-19 }} RKHunter in the Ubuntu Repositories \| {{yes}}{{cite web \|url=https://pkgs.org/download/rkhunter \|title=RKHunter \|publisher=Ubuntu \|accessdate=2017-04-19 }} RKHunter in the CentOS Repositories \| {{yes}} \| {{yes}} \| {{no}} \| {{no}} \| {{yes}} \|
[http://www.unhide-forensics.info unhide]{{cite web \|url=https://packages.debian.org/search?keywords=unhide \|title=unhide \|publisher=debian \|accessdate=2017-04-17 }}unhide is notable because it's part of Debian and Fedora \| 2012 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=unhide \|title=UnHide \|publisher=Ubuntu \|accessdate=2017-04-19 }} UnHide in the Ubuntu Repositories \| {{yes}}{{cite web \|url=https://pkgs.org/download/unhide \|title=UnHide \|publisher=Ubuntu \|accessdate=2017-04-19 }} UnHide in the CentOS Repositories \| {{yes}} \| {{no}} \| {{no}} \| {{no}} \| \| proc ps compare
Sguil \| 2017 \| {{no}} \| {{no}} \| {{no}} \| {{no}} \| {{yes}} \| {{no}} \| \|
[https://sourceforge.net/p/logwatch/wiki/Home/ Logwatch]{{cite web \|url=https://packages.debian.org/search?keywords=logwatch \|title=Logwatch \|publisher=debian \|accessdate=2017-04-17 }} Logwatch is notable because it's part of Debian and Fedora \| 2017 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=logwatch \|title=LogWatch \|publisher=Ubuntu \|accessdate=2017-04-19 }} LogWatch in the Ubuntu Repositories \| {{yes}}{{cite web \|url=https://pkgs.org/download/logwatch \|title=LogWatch \|publisher=Ubuntu \|accessdate=2017-04-19 }} LogWatch in the CentOS Repositories \| {{yes}} \| {{no}} \| {{no}} \| {{yes}} \| \|
[http://www.logcheck.org/ Logcheck]{{cite web \|url=https://packages.debian.org/search?keywords=logcheck \|title=Logcheck \|publisher=debian \|accessdate=2017-04-17 }} Logcheck is notable because it's part of Debian and Fedora \| 2017 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=logcheck \|title=Logcheck \|publisher=Ubuntu \|accessdate=2017-04-19 }} Logcheck in the Ubuntu Repositories \| {{yes}}{{cite web \|url=https://pkgs.org/download/logcheck \|title=Logcheck \|publisher=Ubuntu \|accessdate=2017-04-19 }} Logcheck in the CentOS Repositories \| {{yes}} \| {{no}} \| {{no}} \| {{yes}} \| \|
Epylog{{cite web \|url=https://packages.debian.org/search?keywords=epylog \|title=Epylog \|publisher=debian \|accessdate=2017-04-17 }} Epylog is notable because it's part of Debian and Fedora \| 2014 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=epylog \|title=Epylog \|publisher=Ubuntu \|accessdate=2017-04-19 }} Epylog in the Ubuntu Repositories \| {{yes}}{{cite web \|url=https://pkgs.org/download/epylog \|title=Epylog \|publisher=Ubuntu \|accessdate=2017-04-19 }} Epylog in the CentOS Repositories \| {{yes}} \| {{no}} \| {{no}} \| {{yes}} \| \|
[https://sourceforge.net/projects/swatch/?source=directory SWATCH]{{cite web \|url=https://packages.debian.org/search?keywords=swatch \|title=SWATCH \|publisher=debian \|accessdate=2017-04-17 }} SWATCH is notable because it's part of Debian and Fedora \| 2015 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=swatch \|title=SWATCH \|publisher=Ubuntu \|accessdate=2017-04-19 }} SWATCH in the Ubuntu Repositories \| {{yes}}{{cite web \|url=https://pkgs.org/download/swatch \|title=SWATCH \|publisher=Ubuntu \|accessdate=2017-04-19 }} SWATCH in the CentOS Repositories \| {{yes}} \| {{no}} \| {{no}} \| {{yes}} \| \|
sagan \| 2021 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=sagan \|title=Sagan \|publisher=Ubuntu \|accessdate=2017-04-19 }} Sagan in the Ubuntu Repositories \| {{no}} \| {{no}} \| {{no}} \| {{no}} \| {{yes}} \| \|
aide \| 2023 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=aide \|title=AIDE \|publisher=Ubuntu \|accessdate=2017-04-19 }} AIDE in the Ubuntu Repositories \| {{yes}}{{cite web \|url=https://pkgs.org/download/aide \|title=AIDE \|publisher=Ubuntu \|accessdate=2017-04-19 }} AIDE in the CentOS Repositories \| {{yes}} \| {{yes}} \| {{no}} \| {{no}} \| \|
tripwire \| 2018 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=tripwire \|title=Tripwire \|publisher=Ubuntu \|accessdate=2017-04-19 }} Tripwire in the Ubuntu Repositories \| {{yes}}{{cite web \|url=https://pkgs.org/download/tripwire \|title=Tripwire \|publisher=Ubuntu \|accessdate=2017-04-19 }} Tripwire in the CentOS Repositories \| {{yes}} \| {{yes}} \| {{no}} \| {{no}} \| \|
Tiger \| 2018 \| {{yes}}{{cite web \|url=http://packages.ubuntu.com/search?keywords=tiger \|title=Tripwire \|publisher=Ubuntu \|accessdate=2017-04-19 }} Tripwire in the Ubuntu Repositories \| {{no}} \| {{no}} \| {{yes}} \| {{no}} \| {{no}} \| {{yes}} \| 3/42 modules are Debian specific.

class="wikitable sortable"

Package

! Updated

! Ubuntu Official Repositories

! CentOS Official Repositories

! openSUSE Official Repositories

! File

! Network

! Logs

! Config

! Notes

OSSEC

| 2025

| {{no}}{{cite web |url=https://ossec.github.io/downloads.html#apt-automated-installation-on-ubuntu-and-debian |title=Downloads OSSEC|publisher=OSSEC|accessdate=2017-10-19 }} OSSEC for Debian Based systems

| {{no}}{{cite web |url=https://ossec.github.io/downloads.html#rhel-centos-fedora-and-others |title=Downloads OSSEC|publisher=OSSEC|accessdate=2017-10-29 }} OSSEC for RHEL/Fedora Based systems

| {{yes}}{{cite web |url=https://software.opensuse.org/package/ossec-hids |title=ossec-hids|publisher=openSUSE OBS|accessdate=2024-08-11 }} An Open Source Host-based Intrusion Detection System

| {{yes}}

Wazuh

|2022

| {{no}}

| ?

| {{yes}}

Samhain

| 2023

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=samhain |title=Samhain |publisher=Ubuntu |accessdate=2017-04-19 }} Samhain in the Ubuntu Repositories

| {{no}}

| {{yes}}{{cite web |url=https://software.opensuse.org/package/samhain?search_term=Samhain |title=Samhain |publisher=openSUSE OBS|accessdate=2024-08-11 }} File integrity and host-based IDS

| {{yes}}

| {{no}}

| {{partial}}Last

Snort

| 2021

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=snort |title=Snort |publisher=Ubuntu |accessdate=2017-04-19 }} Snort in the Ubuntu Repositories

| {{no}}{{cite web |url=https://pkgs.org/download/snort |title=Snort |publisher=Cisco Systems |accessdate=2017-05-31 }} Snort in the CentOS Repositories

| {{no}}

| {{yes}}

| {{no}}

chkrootkit

| 2023

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=chkrootkit |title=ChkRootkit |publisher=Ubuntu |accessdate=2017-04-19 }} ChkRootkit in the Ubuntu Repositories

| {{no}}

| {{yes}}

| {{no}}

| {{partial}}lastlog, wtmp, utmp, wtmpx

rkhunter

| 2018

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=rkhunter |title=RKHunter |publisher=Ubuntu |accessdate=2017-04-19 }} RKHunter in the Ubuntu Repositories

| {{yes}}{{cite web |url=https://pkgs.org/download/rkhunter |title=RKHunter |publisher=Ubuntu |accessdate=2017-04-19 }} RKHunter in the CentOS Repositories

| {{yes}}

| {{no}}

| {{yes}}

[http://www.unhide-forensics.info unhide]{{cite web |url=https://packages.debian.org/search?keywords=unhide |title=unhide |publisher=debian |accessdate=2017-04-17 }}unhide is notable because it's part of Debian and Fedora

| 2012

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=unhide |title=UnHide |publisher=Ubuntu |accessdate=2017-04-19 }} UnHide in the Ubuntu Repositories

| {{yes}}{{cite web |url=https://pkgs.org/download/unhide |title=UnHide |publisher=Ubuntu |accessdate=2017-04-19 }} UnHide in the CentOS Repositories

| {{yes}}

| {{no}}

| proc ps compare

Sguil

| 2017

| {{no}}

| {{yes}}

| {{no}}

[https://sourceforge.net/p/logwatch/wiki/Home/ Logwatch]{{cite web |url=https://packages.debian.org/search?keywords=logwatch |title=Logwatch |publisher=debian |accessdate=2017-04-17 }} Logwatch is notable because it's part of Debian and Fedora

| 2017

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=logwatch |title=LogWatch |publisher=Ubuntu |accessdate=2017-04-19 }} LogWatch in the Ubuntu Repositories

| {{yes}}{{cite web |url=https://pkgs.org/download/logwatch |title=LogWatch |publisher=Ubuntu |accessdate=2017-04-19 }} LogWatch in the CentOS Repositories

| {{yes}}

| {{no}}

| {{yes}}

[http://www.logcheck.org/ Logcheck]{{cite web |url=https://packages.debian.org/search?keywords=logcheck |title=Logcheck |publisher=debian |accessdate=2017-04-17 }} Logcheck is notable because it's part of Debian and Fedora

| 2017

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=logcheck |title=Logcheck |publisher=Ubuntu |accessdate=2017-04-19 }} Logcheck in the Ubuntu Repositories

| {{yes}}{{cite web |url=https://pkgs.org/download/logcheck |title=Logcheck |publisher=Ubuntu |accessdate=2017-04-19 }} Logcheck in the CentOS Repositories

| {{yes}}

| {{no}}

| {{yes}}

Epylog{{cite web |url=https://packages.debian.org/search?keywords=epylog |title=Epylog |publisher=debian |accessdate=2017-04-17 }} Epylog is notable because it's part of Debian and Fedora

| 2014

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=epylog |title=Epylog |publisher=Ubuntu |accessdate=2017-04-19 }} Epylog in the Ubuntu Repositories

| {{yes}}{{cite web |url=https://pkgs.org/download/epylog |title=Epylog |publisher=Ubuntu |accessdate=2017-04-19 }} Epylog in the CentOS Repositories

| {{yes}}

| {{no}}

| {{yes}}

[https://sourceforge.net/projects/swatch/?source=directory SWATCH]{{cite web |url=https://packages.debian.org/search?keywords=swatch |title=SWATCH |publisher=debian |accessdate=2017-04-17 }} SWATCH is notable because it's part of Debian and Fedora

| 2015

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=swatch |title=SWATCH |publisher=Ubuntu |accessdate=2017-04-19 }} SWATCH in the Ubuntu Repositories

| {{yes}}{{cite web |url=https://pkgs.org/download/swatch |title=SWATCH |publisher=Ubuntu |accessdate=2017-04-19 }} SWATCH in the CentOS Repositories

| {{yes}}

| {{no}}

| {{yes}}

sagan

| 2021

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=sagan |title=Sagan |publisher=Ubuntu |accessdate=2017-04-19 }} Sagan in the Ubuntu Repositories

| {{no}}

| {{yes}}

aide

| 2023

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=aide |title=AIDE |publisher=Ubuntu |accessdate=2017-04-19 }} AIDE in the Ubuntu Repositories

| {{yes}}{{cite web |url=https://pkgs.org/download/aide |title=AIDE |publisher=Ubuntu |accessdate=2017-04-19 }} AIDE in the CentOS Repositories

| {{yes}}

| {{no}}

tripwire

| 2018

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=tripwire |title=Tripwire |publisher=Ubuntu |accessdate=2017-04-19 }} Tripwire in the Ubuntu Repositories

| {{yes}}{{cite web |url=https://pkgs.org/download/tripwire |title=Tripwire |publisher=Ubuntu |accessdate=2017-04-19 }} Tripwire in the CentOS Repositories

| {{yes}}

| {{no}}

Tiger

| 2018

| {{yes}}{{cite web |url=http://packages.ubuntu.com/search?keywords=tiger |title=Tripwire |publisher=Ubuntu |accessdate=2017-04-19 }} Tripwire in the Ubuntu Repositories

| {{no}}

| {{yes}}

| {{no}}

| {{yes}}

| 3/42 modules are Debian specific.

[[Proprietary software]]

class="wikitable sortable"
Package ! YearLast updated ! Linux ! Windows ! File ! Network ! Logs ! Config ! Notes
[https://www.lacework.com/ Lacework] \| 2018 \| {{yes}} \| {{no}} \| {{yes}} \| {{yes}} \| {{yes}} \| {{yes}} \|
Verisys \| 2018 \| {{yes}} \| {{yes}} \| {{yes}} \| {{yes}} \| \| {{yes}} \|
Nessus \| 2017 \| {{yes}} \| {{yes}} \| \| \| \| {{yes}} \|
[https://www.atomicorp.com/atomic-enterprise-ossec/ Atomicorp] \|2019 \| {{yes}} \| {{yes}} \| {{yes}} \| {{yes}} \| {{yes}} \| {{yes}} \|Commercially enhanced version of OSSEC
[https://spartan.mobilefx.com/ Spartan] \|2021 \| {{no}} \| {{yes}} \| {{yes}} \| {{yes}} \| {{yes}} \| {{yes}} \|Websocket API, IP to Country mapping, DynDNS Integration

class="wikitable sortable"

Package

! YearLast updated

! Linux

! Windows

! File

! Network

! Logs

! Config

! Notes

[https://www.lacework.com/ Lacework]

| 2018

| {{yes}}

| {{no}}

| {{yes}}

Verisys

| 2018

| {{yes}}

Nessus

| 2017

| {{yes}}

[https://www.atomicorp.com/atomic-enterprise-ossec/ Atomicorp]

|2019

| {{yes}}

|Commercially enhanced version of OSSEC

[https://spartan.mobilefx.com/ Spartan]

|2021

| {{no}}

| {{yes}}

|Websocket API, IP to Country mapping, DynDNS Integration

References

External links

[https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-tools.en.html Debian security manual]
[https://wiki.archlinux.org/index.php/Security Arch security wiki]
[https://wiki.centos.org/HowTos/OS_Protection CentOS security wiki]
[https://wiki.ubuntu.com/BasicSecurity Ubuntu security wiki]

Category:Intrusion detection systems