free Unix intrusion detection systems?

[topaz]

What intrusion detection toolkits does the modern Unix admin typically turn to?  Here are some of the ones I'm aware of:

• Snort
• Tiger (appears to be under active development now?)
• LIDS (seems to require kernel patching)
• PortSentry/SentryTools
• chkrootkit

I gather that these choices are not mutually incompatible, either (e.g. Tiger appears to provide a framework that may include Snort, chkrootkit and possibly others).

Those of you who have explored this issue in more depth than I have: what tools do you use and why?  Have you actually experienced an attack while guarded by any of these tools, and how did they perform?

Comments

[ronebofh.livejournal.com]

Tripwire (http://www.tripwire.com/products/enterprise/ost/)

Haven't used it since last millennium, though.

[qwrrty.livejournal.com]

Right, I was under the impression that tripwire was moneyware. Apparently I was mistaken?

[jss]

Yes, you're at least partly mistaken; I've installed free Tripwire in the past. There's probably a vendor out there willing to send it to you and charge you large Professional Services fees for a full or partial body to maintain/monitor it, but the base code is free IIRC.

[ronebofh.livejournal.com]

The link goes to the open source version. They also have the payware version.

[fengshui.livejournal.com]

Also, many recent Linux distros have MD5/SHA sums for each file they include in their packages.

[jss]

What previous responders have said. I've used chkrootkit, snort, and tripwire, as well as YASSP on Suns, plus md5 checksums of object or source code archives of stuff I've downloaded (not just for Linux, but for open source in general).