Extracted from the book "OSSEC HIDS - Host-Based Intrusion Detection Guide" by Andrew Hey/Daniel Cid/ page 8-9 comparing HIDS vs. NIDS: " An HIDS detects events on a server or workstation and can generate alerts similar to an NIDS. An HIDS, however, is able to inspect the full communications stream. NIDS evasion techniques, such as fragmentation attacks or session splicing, do not apply because the HIDS is able to inspect the fully recombined session as it is presented to the operating system. Encrypted communications can be monitored because your HIDS inspection can look at the traffi c before it is encrypted. This means that HIDS signatures will still be able to match against common attacks and not be blinded by encryption.
An HIDS is also capable of performing additional system level checks that only IDS software installed on a host machine can do, such as fi le integrity checking, registry monitoring, log analysis, rootkit detection, and active response. " My own opinion of 'root' vs. 'user' --- Sure, root activities have the potential to create maximum damage. However, when hackers focus on information stealing, I think user activities could be very valuable and should not be ignored easily. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
