Based in Denver, CO, Agile Ideation collects the thoughts and experiences of Ed Schaefer. His posts explore agile and devops related topics as he works to maximize team effectiveness and minimize waste through continuous learning, coaching and empowering teams.

Intrusion Detection Systems Comparison Table

            A commonly used category of risk management tool is known as an intrusion detection system (IDS). These can either consist of a physical device or a piece of software. An IDS monitors network traffic, and other network or system activities, to detect malicious activity or policy violations. These systems can be used for real-time monitoring, or can be used to generate reports that can be reviewed by individuals involved in risk management. Some systems will provide alerts and notifications from real-time monitoring so steps can be taken to block or eliminate an intruder as soon as possible.           

Intrusion Detection Tool


Advanced Intrusion Detection Environment (AIDE)


1. Maturity of Tool

Created in 1998

Created in 1999

Used for over a decade, utilizing over 15 years of research

2. Market Acceptance or Relevance

Most widely deployed IDS/IPS. Millions of downloads, nearly 400,000 registered users. In 2009 entered InfoWorld’s Open Source Hall of Fame.

Used on many UNIX-like systems as baseline control and for rootkit detection.

Use of policy scripts means this software could be effective for any organization/industry as long as the scripts are tailored for a specific use.

3. Licensing Models

Open source; annual subscription, cost per sensor.

Open source only

BSD License – open source

4. Platform Compatibility

Windows, Unix (including OS X and multiple versions of Linux)

Any modern Unix platform

Any modern Unix platform

5. Ease of Installation

Simple to install via executable file.

Code must be compiled to be installed. Database must be created to maintain comparison information

Code must be compiled to be installed.

6. Other Characteristics

Uses a simple command line interface. Performs real-time traffic and packet analysis on IP networks.

File and directory integrity checker. Database is created to provide a baseline to run a direct comparison with current files or directories.

Passively watches network traffic. Policy scripts must be written to create event handlers to automate activities when certain events occur.


            Intrusion detection systems are readily available for any organization to utilize. There are a number of open-source solutions that will provide an organization with all the necessary tools to perform intrusion detection. Many of these tools are easily customizable to fit the needs of the specific organization. A downside to using open-source tools for many organizations is the lack of support. Of the IDS tools discussed, only Snort provides support in the form of an annual subscription. The other IDS tools require an organization to implement, maintain and support on their own, which could be inconvenient for some organizations. If that is the case, it make more sense for an organization to pursue a commercial IDS solution.

Risk Management Planning

Vulnerability Management