These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Introduction To TripWire


Intrusion Detection Systems are designed to catch what might have gotten past the firewall. They can either be designed to catch an active break-in attempt in progress, or to detect a successful break-in after the fact. In the latter case, it is too late to prevent any damage, but at least we have early awareness of a problem.

For host-based IDS, "after the fact" break-in detection is done with utilities that monitor the filesystem for changes. System files that have changed in some way but should not change -- unless we changed them ourselves -- are a dead giveaway that something is amiss. Anyone who gets in and gets root will presumably make changes to the system somewhere, and this is usually the very first thing done: either to get back in later through a backdoor, or to launch an attack against someone else. In either case, they have to change or add files on the system.

This is where tools like tripwire (http://www.tripwire.org) play a role. Such tools monitor various attributes of the filesystem (file contents, permissions, ownership, size) and compare them against a stored database, and they can be configured to send an alert if any changes are detected. Such tools should only be installed on a known "clean" system, since a baseline taken from an already compromised machine will simply record the attacker's changes as normal.
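To make the "stored database" idea concrete, here is a small file-integrity checker written for these notes. It is an added example and not tripwire's own code: it fingerprints every regular file under a directory (SHA-256 of contents, permission bits, size, owner), saves that as the baseline, and later reports which files were added, removed, or changed and which attributes differ. The demo() function builds a constructed throwaway tree in a temporary directory, takes a baseline, then tampers with it the way the notes describe (a replaced binary, an extra account line, a dropped-in tool, a deleted file) and runs the comparison. The file names and contents are made up for the demo.

```python
"""Minimal Tripwire-style file-integrity checker (added example for these notes)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the attributes an integrity checker watches for one file."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "size": st.st_size,
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root: Path) -> dict:
    """Walk root and fingerprint every regular file.

    The returned dict is the 'stored database'; in real use it must be written
    to read-only or offline media, otherwise an intruder with root can simply
    update it to match the altered files.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added and removed paths plus, for changed paths, the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for name in set(baseline) & set(current):
        diffs = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
        if diffs:
            changed[name] = sorted(diffs)
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        os.chmod(root / "bin" / "ls", 0o755)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)  # taken while the tree is known clean

        # Constructed tampering: same-size binary swap (only the hash moves),
        # an added account line, a new file, and a deleted file.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "bin" / "nc").write_bytes(b"new tool")
        (root / "etc" / "hosts").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Note that the replaced bin/ls keeps its size and permissions, so only the content hash flags it; that is why a checker must hash contents rather than trust size and timestamp alone, and why the baseline itself has to live where root on the monitored host cannot rewrite it.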



Last edited June 28, 2003 4:10 am (diff)
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.