Hi everyone ,
I am thinking of using a IDS on my Workstation and I was wondering is it worth it ?
Still choosing between Snort, Zeek , AIDE and Tripwire. The purpose of this setup is to be able to see any changes to the system, network monitoring and intruder detection with active prevention.
Most of those will work.
The issue you will probably encounter is that since fedora is updated frequently, you may need to establish a routine of updating the IDS database every time there is a system update performed. Otherwise there are likely to be a lot of false alarms as files are updated and no longer match what was last stored in the database.
I used to use tripwire and ran into this issue so had to adjust my habits to fit my scheduled update routine.
It may be worth the effort if your system is directly facing the internet or if you are in the habit of visiting questionable sites and downloading a lot.
Understood, it depends on my threat level and my habit mostly. Well , in my case both of the arguments you listed would be false, meaning I wouldn’t be needing an IDS but the reason I was considering the option is I want to have more control over everything. Plus, I do like trying out security features. On the other hand, you did point out a issue for me which is the update routine. Now I can monitor my network with other tools so the only question is there a simpler way of detecting changes to the system and intruder detection with active prevention while not using any IDS ?