I am looking for an IDS that tracks an intruder's activities in the event of a breach. Thanks.
You mean something that recognises a breach and then, instead of blocking the attempt, carefully starts to monitor and log the attacker's activities?
There can be no automated solution for that. You'd need all the breaches and the attackers to act in a predictable (machine-trackable) way and that's just impossible. Besides, an IDS can only monitor stuff that goes through it. So if I can break into a system on your LAN and get an SSH tunnel going, then I can do everything on your LAN through that SSH tunnel without the IDS being able to see anything but encrypted packets.
Maybe you are interested in so-called honeypots or honeynets instead?
I've looked at that option as well. Maybe I should have worded my request that I was interested in some type of utility to work in conjunction with an IDS.
I've also found a program known as Tripwire, that while it doesn't protect your network, it tracks changes made to files on an ongoing basis in the event of a breach.
Tripwire and IDS Issues
Tripwire -->YES :giddy: does exactly what an IDS is intended for!
For Windows systems, install Cygwin as a Unix compatible interface.
Under that, install Tripwire.
Now for the lecture (sorry).
All IDS systems are reactive just like all AV systems; they're useful after your system is infected. The nice facility of the IDS is it provides postmortem analysis as to WHAT WAS CHANGED (since the last base line was taken) and therein lies the problem -- keeping it up to date with every install.
You save space and time by configuring an IDS to scan ONLY those areas which impact the integrity of the System; meaning you avoid scanning USER directories. IMO, users are recovered via backup solutions.
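A minimal baseline-and-compare file integrity check in the spirit of the Tripwire workflow described in this post, added here as an example (it is not Tripwire's own code and not from this thread). The directory tree, file contents and the "home" exclusion are constructed sample input; the point is that only system areas are hashed and the post-breach report lists exactly what was added, removed or changed since the baseline.

```python
import hashlib
import os
import tempfile

def file_digest(path):
    # SHA-256 read in chunks so large binaries are not loaded whole
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")

def take_baseline(root, exclude=()):
    """Hash every regular file under root, pruning subtrees named in exclude."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # drop excluded subtrees (e.g. user home directories) before they are walked
        dirnames[:] = [d for d in dirnames if _rel(root, os.path.join(dirpath, d)) not in exclude]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            baseline[_rel(root, full)] = (file_digest(full), st.st_mode, st.st_size)
    return baseline

def compare(old, new):
    # returns (added, removed, changed) relative paths between two baselines
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed

def demo():
    """Constructed sample tree (not real system files): baseline, tamper, compare."""
    root = tempfile.mkdtemp()
    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(data)
    write("etc/passwd", "root:x:0:0::/root:/bin/sh\n")
    write("etc/old.conf", "legacy=1\n")
    write("home/alice/notes.txt", "todo\n")
    base = take_baseline(root, exclude=("home",))
    # simulate post-breach changes; the edit under home/ stays out of the report
    write("etc/passwd", "root:x:0:0::/root:/bin/sh\nmallory:x:1001:1001::/tmp:/bin/sh\n")
    write("bin/evil", "#!/bin/sh\n")
    os.remove(os.path.join(root, "etc/old.conf"))
    write("home/alice/notes.txt", "todo done\n")
    return compare(base, take_baseline(root, exclude=("home",)))
```

Persisting the baseline dictionary somewhere the monitored host cannot rewrite it (read-only media or another machine) is what makes the later comparison trustworthy, which is the "keep it up to date with every install" cost the post mentions.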