Host-Based-Intrusion-Detection

Page history last edited by Patrick 6 years, 1 month ago

Overview

You've worked with network intrusion detection systems, which identify anomalous packets or streams as they cross your network. A second type of intrusion detection system is the host-based IDS (HIDS). A HIDS typically works by calculating a hash of each important file and storing these hashes in an encrypted database. On a set schedule, the HIDS recalculates the hashes and compares them to those in the encrypted database. If the hashes don't match, something has changed. In this section I discuss HIDS and demonstrate a well-known (now commercial) HIDS, Tripwire.
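The baseline-and-compare cycle described above, as an added example (not Tripwire's code and not from the original page). It assumes an HMAC tag over the hash database as a stand-in for the encrypted database, and all function names, file names and the key are constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    # Map each file's path (relative to root) to its SHA-256 digest.
    out = {}
    for folder, _, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            out[os.path.relpath(full, root)] = hash_file(full)
    return out

def seal(baseline, key):
    # Assumption: an HMAC tag protects the database instead of encryption.
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def check(db, key, root):
    # Refuse to trust a baseline that was altered after it was sealed.
    expected = hmac.new(key, db["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, db["tag"]):
        raise ValueError("baseline database failed its integrity check")
    old, new = json.loads(db["body"]), snapshot(root)
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "removed": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }

def demo():
    key = b"constructed-demo-key"  # constructed; a real key is kept off the host
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("passwd", b"root:x:0:0\n"), ("sshd_config", b"PermitRootLogin no\n"), ("motd", b"hi\n")):
            Path(root, name).write_bytes(data)
        db = seal(snapshot(root), key)
        # Constructed changes made between two scheduled checks.
        Path(root, "sshd_config").write_bytes(b"PermitRootLogin yes\n")
        Path(root, "motd").unlink()
        Path(root, "new_tool").write_bytes(b"\x7fELF")
        return check(db, key, root), db

if __name__ == "__main__":
    print(demo()[0])
```

The check reports added and removed files as well as modified ones, and it fails closed if the stored baseline itself no longer matches its tag.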

Videos

 

Readings

 

Additional Resources:

 
