Host Based Intrusion Detection System: Samhain

The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. samhain is a file and host integrity and intrusion alert system suitable for single hosts as well as for large, UNIX-based networks. It offers advanced features to support and facilitate centralized monitoring. In particular, samhain can optionally be used as a client/server system with monitoring clients on individual hosts, and a central log server that collects the messages of all clients.

The configuration and database files for each client can be stored centrally and downloaded by clients from the log server. Using conditionals (based on hostname, machine type, OS, and OS release, all matched with regular expressions), a single configuration file for all hosts on the network can be constructed.

Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host.

The client (or standalone) part is called samhain, while the server is referred to as yule. Both can run as daemon processes.

Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).


You will need the required build tools installed, as we are going to compile Samhain from source:

apt-get install build-essential

Here is a short check list to follow:

  1. You will need MySQL and Apache running on your server.
  2. You will need the MySQL development package (generally mysql-devel) installed for the server side of things.
  3. MySQL must have a root password set.
  4. The server and client(s) host names must be fully qualified.
  5. The server and client(s) /etc/hosts file must be correct (really correct, not Red Hat default correct), and DNS must be working for both forward and reverse lookups.
  6. Port 50888 TCP should be open, or whatever port you set when building.
  7. ImageMagick is required on the client.
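A pre-flight script for items 4 to 6 of that list, added here as an example (it is not part of Samhain or yule). The hostnames, the 192.0.2.x addresses and the yule server name are assumed sample values; the port defaults to 50888 as in item 6.

```shell
#!/bin/sh
# Pre-flight checks for a samhain client before building/installing.
# Assumed sample values: yule.example.com as log server, port 50888.

# is_fqdn NAME: succeeds only if NAME has a domain part and is not a
# loopback-style placeholder name.
is_fqdn() {
  case "$1" in
    localhost|localhost.localdomain|*.localdomain) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# hosts_ok FILE IP FQDN: the host's real address must map to FQDN as the
# first (canonical) name, and FQDN must not appear on a loopback line,
# which is the "Red Hat default" pattern (127.0.0.1 host.example.com host).
hosts_ok() {
  file=$1 ip=$2 fqdn=$3
  awk -v ip="$ip" -v fqdn="$fqdn" '
    /^[[:space:]]*(#|$)/ { next }
    $1 ~ /^127\./ || $1 == "::1" {
      for (i = 2; i <= NF; i++) if ($i == fqdn) bad = 1
      next
    }
    $1 == ip && $2 == fqdn { good = 1 }
    END { exit (good && !bad) ? 0 : 1 }
  ' "$file"
}

# dns_consistent FQDN: forward lookup must give an address whose reverse
# lookup returns FQDN again (getent honours /etc/hosts and nsswitch order).
dns_consistent() {
  addr=$(getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }')
  [ -n "$addr" ] || return 1
  rev=$(getent hosts "$addr" | awk '{ print $2 }')
  [ "$rev" = "$1" ]
}

# port_open HOST PORT: TCP connect test to the yule port (default 50888).
port_open() { nc -z -w 3 "$1" "${2:-50888}"; }

# preflight SERVER [PORT] [IP]: run all checks for this host; non-zero on any failure.
preflight() {
  rc=0; me=$(hostname -f 2>/dev/null || hostname)
  is_fqdn "$me"            || { echo "FAIL: hostname '$me' not fully qualified"; rc=1; }
  hosts_ok /etc/hosts "${3:-$(hostname -I 2>/dev/null | awk '{print $1}')}" "$me" \
                           || { echo "FAIL: /etc/hosts entry for $me wrong"; rc=1; }
  dns_consistent "$me"     || { echo "FAIL: forward/reverse DNS mismatch for $me"; rc=1; }
  port_open "$1" "$2"      || { echo "FAIL: cannot reach $1:${2:-50888}"; rc=1; }
  return $rc
}
```

Run it on a client as `preflight yule.example.com 50888 192.0.2.10` (the IP argument lets you state the address you expect in /etc/hosts rather than guessing the first interface).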

