Open sparrell opened 4 years ago
There is some functionality overlap, but the products in this space are different. I think it is a little early to decide on this. As an example, you could say detect hash abc123, which both a network sensor and a software agent could do. One may inspect network traffic and parse out data streams whereas the other may compute the hash based on a file open.
I haven't used multiple HIDS enough to have an educated opinion. So, based on OSSEC, which I have used and have experience with, I can claim that a common AP for HIDS and NIDS (such as Suricata and Snort) would be adequate.