Host based intrusion detection

Forrest is a host-based intrusion detection system that uses enhanced BSD process accounting files to spot unusual process trees (e.g. httpd calling something it never called before). It works in combination with the vserver project.
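
The core idea, as an added illustration rather than Forrest's own code: learn which parent/child command pairs a host normally produces from its accounting records, then flag pairs never seen during the learning phase. The record layout is an assumption (pid, parent pid and command name, which is what a BSD-style accounting entry carries; the parent's name has to be recovered by joining on pid), and the sample data is constructed.

```python
from collections import namedtuple

# Assumed shape of a decoded accounting entry: pid, parent pid, command name.
# A record does not contain the parent's command name, so that is recovered
# by looking the parent pid up among the other records of the same batch.
Rec = namedtuple("Rec", "pid ppid comm")

# init (pid 1) never exits, so it never produces an accounting record;
# seed the pid->name map with it (assumed name).
KNOWN_PIDS = {1: "init"}


def parent_child_edges(records):
    """Turn a batch of accounting records into (parent_comm, child_comm) edges.

    Children usually exit before their parent, so their record is written
    first; build the pid->comm map over the whole batch before resolving
    parents. Pids are reused over time, so batches should stay short."""
    comm_by_pid = dict(KNOWN_PIDS)
    comm_by_pid.update({r.pid: r.comm for r in records})
    return {(comm_by_pid.get(r.ppid, "<unknown>"), r.comm) for r in records}


def learn_baseline(training_batches):
    """Union of every edge observed while the host was in a known-good state."""
    baseline = set()
    for batch in training_batches:
        baseline |= parent_child_edges(batch)
    return baseline


def detect_novel(baseline, batch):
    """Edges in this batch that the baseline never saw, sorted for stable output."""
    return sorted(parent_child_edges(batch) - baseline)


# Constructed sample data: a quiet web server during learning, then a later
# batch in which httpd spawns a shell, something it never did in training.
TRAINING = [
    [Rec(200, 1, "httpd"), Rec(201, 200, "httpd"), Rec(202, 201, "php-cgi"),
     Rec(300, 1, "cron"), Rec(301, 300, "sh"), Rec(302, 301, "logrotate")],
]
SUSPECT = [Rec(400, 1, "httpd"), Rec(401, 400, "httpd"),
           Rec(402, 401, "sh"), Rec(403, 402, "wget")]

if __name__ == "__main__":
    for parent, child in detect_novel(learn_baseline(TRAINING), SUSPECT):
        print(f"new edge: {parent} -> {child}")
```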

Here is a complete introduction to the project: principle.pdf.

Kernel patch

Here is the kernel patch, which sits on top of the vserver kernel patch (for kernel 3.13.11): forrest-kernel-patch.diff.

Packages for CentOS 6.5 64-bit may be found here (compiled by me). You need linuxconf-lib and forrest.

Source is available via Subversion here.