Looking at Intrusion Detection in Red Hat Enterprise Linux 4
Having unauthorized users entering your systems is definitely something that you don't want to happen. Of course you want to stop them before they get in. But before you can do something about keeping out unwanted visitors, you first need to know whether someone has entered your systems. This is what intrusion detection is all about: finding out whether someone is in your system who doesn't belong there.
Most of us check to be sure that our doors are locked before we go to bed at night or leave the house. We do this to keep someone from getting into our house while we are sleeping or while we are away. In much the same way, you can actively check the locks on your system "doors" to be sure that no unauthorized users can get in. You can check the security of your systems by actively checking your systems for known attack methods by using special software designed for this purpose.
One such program that is commonly used to check systems for open ports and other types of connectivity information is nmap. With nmap, which is a network exploration tool and security scanner that is included with the default installation of Enterprise Linux, you can scan your systems to determine which ones are up and what services they are offering. You can then use the information that you obtain from the scan to determine how secure your systems are and what you can do to make them more secure if required.
As its name implies, with passive detection, no direct action is taken to test the system for open ports or other vulnerabilities. This method of intrusion detection uses system log files to track all connections to the system. The log files are continuously reviewed by the system administrator for details that would indicate that the system has been compromised.
You can use file integrity software, such as Tripwire, to take a snapshot of the system when it is fully configured and operating as it would be when connected to the network. The snapshot contains information about system configuration files and operating parameters and is stored on the system. Periodically, the snapshot is compared with the same parameters on the running system, looking for any changes. If changes are discovered, Tripwire informs you of the changes, and thus you know that your system might have been compromised.
Although passive detection can tell you that your system has been compromised, it tells you only after the break-in has occurred. Any damage that the intruder might have caused will be yours to deal with. Active detection, on the other hand, gives you the opportunity to test your systems for open vulnerabilities and to close the open holes.