HIDS on BSD

While not as glamorous as NIDS, HIDS can be extremely valuable in detecting an attack that has actually been successfully carried out. One of the big failings with most NIDS systems is their inability to recognize if an attack launched against a host was successful in compromising the host. From the perspective of watching network traffic and assembling signatures for successful exploitation, NIDS have a long way to go.

However, once an attacker has broken in, he will likely leave footprints all over the system. Files will be created or modified. Processes will be terminated. Kernel parameters may be changed. A HIDS should be able to detect at least some of these footprints and alert youto the fact that something has gone very wrong.