
SANS ISC: Day 7 - Identification: Host-based Intrusion Detection Systems - SANS Internet Storm Center


Day 7 - Identification: Host-based Intrusion Detection Systems

Host-based IDS can be a powerful tool for identifying potential incidents. Host-based IDS has some major advantages over network-based IDS: target-specific knowledge of the monitored system, the ability to identify file modifications, and the ability to identify rootkits that use encrypted network communication channels (which a network sensor cannot inspect). However, these additional features usually come with additional maintenance and a larger volume of alerts.
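As an added example (not part of the original diary and not any particular product's code), here is the core of the file-modification check that the paragraph credits host-based IDS with: record a baseline of each file's content hash and permission bits, then diff a later snapshot against it. The directory layout and file contents are constructed in a temporary directory so the script runs offline; the paths and "binaries" are illustrative, not taken from any real system.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash, permission bits and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots and report added, removed and modified files.

    For modified files the list of changed attributes is kept, because a
    content change with an unchanged size (a same-length replacement) is
    only visible through the hash, and a permission change with unchanged
    content is only visible through the mode bits.
    """
    findings = {"added": [], "removed": [], "modified": []}
    for rel, attrs in current.items():
        if rel not in baseline:
            findings["added"].append(rel)
        elif attrs != baseline[rel]:
            changed = [k for k in baseline[rel] if baseline[rel][k] != attrs[k]]
            findings["modified"].append((rel, changed))
    for rel in baseline:
        if rel not in current:
            findings["removed"].append(rel)
    return findings


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate tampering, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Constructed sample files standing in for system binaries and config.
        (root / "bin" / "ls").write_bytes(b"original ls binary (constructed)")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "hosts").chmod(0o644)  # pin the mode so the later change is unambiguous

        baseline = build_baseline(root)

        # Simulated changes an HIDS should flag:
        #  1. a same-length replacement of a binary (size unchanged, hash changes)
        #  2. a new file appearing in a system directory
        #  3. a configuration file removed
        #  4. a permission-only change (content unchanged, mode changes)
        (root / "bin" / "ls").write_bytes(b"replaced ls binary (constructed)")
        (root / "bin" / "sh").write_bytes(b"new file (constructed)")
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "hosts").chmod(0o600)

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Running it prints one line per finding category; the "modified" entries name which attribute changed, which is the detail an analyst uses to decide whether an alert is routine maintenance or worth a forensic look.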

How do you use host-based IDS to identify suspicious activity?  Are there any organizations that rely solely on host-based IDS while ignoring network-based IDS?  Since host-based IDS should be able to provide more concrete evidence that a host has been compromised - do you sometimes move straight to a forensic evaluation of the host upon receiving alerts from a host-based IDS?  Is anyone still using honeypots (or known-vulnerable hosts) as an input to their host-based IDS systems for identifying targeted attacks?

Please send us your thoughts and comments via our contact page.  We will update the diary as new submissions come in.

Kyle

