SNARE: Host-Based Linux Intrusion Detection
Source: 8Wire.com
Perhaps one reason that Linux hasn't become more prominent in the corporate world has been its lack of sophisticated host-based intrusion detection systems (IDSs). Many network-based Linux IDSs are in use; these attempt to detect intrusions before they occur. Now there is at least one host-based Linux IDS, called SNARE (System iNtrusion Analysis and Reporting Environment).
Host-based IDSs use auditing and event logging on individual computers to detect intrusions after they have occurred. Despite the apparent contradiction, it is more effective to control a security breach with a host-based system than to prevent a security breach with a network-based system. Most Unix and other mainframe shops use host-based security systems on their various network and file servers.