Detection and monitoring is your early-warning layer. The goal is to spot suspicious activity — unusual traffic patterns, repeated failed logins, unexpected file changes — and generate alerts before a threat becomes a full incident.
Detection does not prevent an attack. It tells you an attack is happening (or already happened) so you can respond. Pair detection tools with a solid incident response plan.

What is an Intrusion Detection System (IDS)?

An Intrusion Detection System (IDS) is a security technology that monitors network traffic or system activities for suspicious behavior or policy violations. When a potential intrusion is detected, the system generates alerts for security personnel to investigate. There are two main types:
Type                  | What it monitors                                          | How it detects
Network IDS (NIDS)    | Network traffic between hosts                             | Signature matching, anomaly detection
Host-based IDS (HIDS) | Activity on a single host (logs, file changes, processes) | Policy rules, file integrity checks
An IDS alerts — it does not automatically block. An Intrusion Prevention System (IPS) extends IDS by also blocking detected threats inline. Related concepts: Network security, anomaly detection, security monitoring, Intrusion Prevention System (IPS), malware signatures.

Log Analysis

System and application logs are your most reliable source of truth after (or during) an incident. The following command-line tools help you search and parse them efficiently.

grep — Search logs for patterns

grep finds lines matching a regular expression. It is your first tool for hunting through large log files.
# Find all failed SSH login attempts in auth.log
grep "Failed password" /var/log/auth.log

# Find attempts for a specific user
grep "Failed password for root" /var/log/auth.log

# Count occurrences (-c)
grep -c "Failed password" /var/log/auth.log

# Show 2 lines of context around each match
grep --context 2 "Failed password" /var/log/auth.log

# Search recursively through all logs in a directory
grep --recursive "ERROR" /var/log/

# Search across multiple files
grep "WARN" /var/log/syslog /var/log/kern.log
Platforms: Linux, macOS. Windows equivalent: Select-String in PowerShell.

tail — Watch logs in real time

# Follow a log file as new lines are written (live monitoring)
tail -f /var/log/syslog

# Show the last 50 lines, then follow
tail -n 50 -f /var/log/auth.log

awk — Extract and aggregate log fields

awk is ideal when you need to extract specific columns from structured log output (e.g., extracting just the source IP addresses from a log).
# Print the 9th whitespace-separated field; field positions depend on the log format,
# so check a sample line first (in "Failed password for root from 1.2.3.4 port ..."
# the IP is the token after "from", not $9)
awk '{print $9}' /var/log/auth.log

# Extract the source IP from failed-login lines by locating the "from" token, then count per IP
awk '/Failed password/ {for (i=1; i<=NF; i++) if ($i=="from") print $(i+1)}' /var/log/auth.log | sort | uniq -c | sort -rn | head -20
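The grep and awk one-liners above, combined into a small detector for the "repeated auth failures" indicator mentioned in the workflow below. This is an added example, not code from the original page; the auth.log lines are constructed sample data, and the function names failed_by_ip and alert_over_threshold are assumptions.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not from a real system) used as input.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:01:12 web1 sshd[2141]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:14 web1 sshd[2141]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:17 web1 sshd[2143]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 10:01:20 web1 sshd[2145]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar  3 10:01:25 web1 sshd[2147]: Failed password for deploy from 198.51.100.7 port 40120 ssh2
Mar  3 10:01:31 web1 sshd[2149]: Failed password for invalid user oracle from 203.0.113.45 port 51044 ssh2
Mar  3 10:01:40 web1 sshd[2151]: Failed password for root from 203.0.113.45 port 51050 ssh2
EOF
)

# failed_by_ip: read auth.log lines on stdin, print "<count> <ip>" per source,
# most frequent first. The IP is taken from the token after "from" rather than a
# fixed field number, so "for root from" and "for invalid user X from" both work.
failed_by_ip() {
    awk '/Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { print $(i+1); break }
    }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# alert_over_threshold THRESHOLD: one ALERT line per IP whose failure count
# exceeds THRESHOLD (a high-confidence indicator worth a real-time alert).
alert_over_threshold() {
    threshold="$1"
    failed_by_ip | awk -v t="$threshold" '$1 > t {
        printf "ALERT: %d failed SSH logins from %s\n", $1, $2
    }'
}

# Example run on the constructed sample; in production, pipe a batch of lines
# (or tail -f /var/log/auth.log) into alert_over_threshold instead.
printf '%s\n' "$SAMPLE_AUTH_LOG" | alert_over_threshold 3
```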

Network Sniffing

Network sniffers capture packets traversing an interface, letting you see exactly what traffic is flowing — useful for detecting exfiltration, unusual connections, or malware C2 communication.

tcpdump — Command-line packet capture

# Capture all traffic on eth0
tcpdump -i eth0

# Capture only traffic on port 443 (HTTPS)
tcpdump -i eth0 port 443

# Write capture to a file for later analysis
tcpdump -i eth0 -w capture.pcap

# Read a saved capture
tcpdump -r capture.pcap

# Capture traffic to/from a specific host
tcpdump -i eth0 host 192.168.1.100

# Show packet contents in ASCII
tcpdump -A -i eth0 port 80

Wireshark — GUI packet analyzer

Wireshark provides a graphical interface for capturing and dissecting packets. You can open .pcap files produced by tcpdump for detailed analysis. Key Wireshark features for detection:
  • Follow TCP Stream — reassemble a full conversation between two hosts
  • Display filters — e.g., http.request.method == "POST" to find form submissions
  • Statistics → Conversations — identify hosts generating unusually high traffic volume

File Integrity Monitoring

File Integrity Monitoring (FIM) detects unauthorized changes to critical system files — a key indicator of compromise.
# Generate a checksum for a file (baseline)
sha256sum /etc/passwd > /secure/baseline/passwd.sha256

# Compare current state to baseline
sha256sum --check /secure/baseline/passwd.sha256
# OK means unchanged; FAILED means the file was modified
Tools like AIDE (Advanced Intrusion Detection Environment) automate this at scale across your entire filesystem.
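Extending the single-file checksum above to a whole directory tree, as an added example that is not from the page or from AIDE. It also reports files added since the baseline, which sha256sum --check on its own never does. It assumes GNU coreutils (sha256sum, comm), builds its own scratch files so it runs offline, and does not handle paths containing spaces; the names fim_baseline and fim_check are assumptions.

```shell
#!/bin/sh
# Scratch tree with constructed files so the example runs offline.
FIM_ROOT=$(mktemp -d)
MANIFEST=$(mktemp)          # kept outside FIM_ROOT so it is not hashed itself
mkdir -p "$FIM_ROOT/etc"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$FIM_ROOT/etc/passwd"
printf 'PermitRootLogin no\n'          > "$FIM_ROOT/etc/sshd_config"

# fim_baseline ROOT MANIFEST: sha256 of every regular file under ROOT, with
# paths relative to ROOT so the manifest can live on separate, protected storage.
fim_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum ) > "$2"
}

# fim_check ROOT MANIFEST: print one MODIFIED / MISSING / NEW line per finding.
fim_check() {
    root="$1"; manifest="$2"
    # sha256sum --check covers changed and vanished files (one status line each)
    ( cd "$root" && sha256sum --check --quiet "$manifest" 2>/dev/null ) \
        | awk '/: FAILED open or read$/ { sub(/: FAILED open or read$/, ""); print "MISSING " $0; next }
               /: FAILED$/             { sub(/: FAILED$/, "");              print "MODIFIED " $0 }'
    # Files present now but absent from the manifest: diff the sorted path lists
    awk '{ print $2 }' "$manifest" | LC_ALL=C sort > "$manifest.paths"
    ( cd "$root" && find . -type f | LC_ALL=C sort ) \
        | comm -13 "$manifest.paths" - | sed 's/^/NEW /'
    rm -f "$manifest.paths"
}

fim_baseline "$FIM_ROOT" "$MANIFEST"

# Simulate the three kinds of drift a FIM should catch (constructed changes).
printf 'evil:x:0:0::/:/bin/sh\n' >> "$FIM_ROOT/etc/passwd"    # modified
rm "$FIM_ROOT/etc/sshd_config"                                 # missing
printf 'x\n' > "$FIM_ROOT/etc/ld.so.preload"                   # new

fim_check "$FIM_ROOT" "$MANIFEST"
```

Run the baseline once on a known-good system, store the manifest off-host, and schedule fim_check; any output line is an alert.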

Putting it together: a simple monitoring workflow

1. Establish a baseline
   Record normal behavior — typical login times, expected outbound connections, baseline file checksums — so anomalies stand out.

2. Deploy log collection
   Ensure system, application, and network device logs are all flowing to a central location (a SIEM or log aggregator). Use rsyslog or similar to forward logs.

3. Set up real-time alerts
   Configure your IDS or SIEM to alert on high-confidence indicators: repeated auth failures, unexpected outbound connections, SUID file creation.

4. Review alerts promptly
   An alert that nobody reads is the same as no alert. Assign ownership and response SLAs to your alert categories.

5. Preserve evidence
   When investigating, work on copies. Use dd to image disks and save raw .pcap files before you start analysis. See Incident Response for details.