15 years ago, I tried to install an IDS: Snort. After 2 days, I gave up: it was painful to install, docs were not as prevalent as they are now, and most importantly, it did not come with predefined rules. Before I had anything working, I had to spend 2 days writing regular expressions and hoping to be lucky enough to catch something. Times have changed, and I guess Snort has too, but before trying Snort again, I found OSSEC.
OSSEC is called an HIDS, a “Host Intrusion Detection System”, because it is mainly a log analyzer, but not only that. OSSEC is useful for 3 main things: seeing what is going on; stopping brute-force attacks (FTP, web, SSH…); covering the PCI compliance requirements related to monitoring.
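To make concrete what "log analyzer" means for the brute-force case, here is an added Python example; it is not OSSEC code and does not use OSSEC's rule or decoder formats. It mimics the two steps an HIDS performs on an `sshd` log: a decoder that extracts timestamp, outcome and source address from each line, and a rule that alerts once a source accumulates enough failures inside a sliding time window. The sample log lines, the threshold, the window length, the assumed year and the function names are all constructed for this illustration.

```python
"""Sliding-window detection of SSH brute force over syslog-style sshd lines.
Added illustration of HIDS-style log correlation; not OSSEC's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in classic syslog format (no year, as in syslog).
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 12:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar 10 12:00:04 host sshd[1203]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Mar 10 12:00:05 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar 10 12:00:07 host sshd[1205]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar 10 12:00:09 host sshd[1206]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 10 12:00:10 host sshd[1207]: Failed password for root from 203.0.113.7 port 51239 ssh2
Mar 10 12:30:00 host sshd[1301]: Failed password for bob from 198.51.100.4 port 40100 ssh2
Mar 10 12:30:02 host sshd[1302]: Accepted password for bob from 198.51.100.4 port 40101 ssh2
"""

# "Decoder" step: pull timestamp, outcome, user and source address out of a line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, outcome, user, src), or None for non-auth lines.
    Syslog omits the year, so one is assumed (constructed default)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window_seconds=120):
    """"Rule" step: alert once a source has >= threshold failures within
    window_seconds. Returns a list of (alert_time, src, failures_in_window).
    A source is alerted once per window crossing so a long-running attack
    does not flood the output with one alert per line."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, _user, src = parsed
        if outcome != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append((ts, src, len(q)))
            alerted.add(src)
        elif len(q) < threshold:
            alerted.discard(src)   # window drained; allow a future alert
    return alerts


if __name__ == "__main__":
    for ts, src, n in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S} ALERT: {n} failed SSH logins from {src} within window")
```

Running the script on the embedded sample reports one alert for 203.0.113.7 at 12:00:09, when its fifth failure lands inside the two-minute window; the lone failure from 198.51.100.4 followed by a success never reaches the threshold. In a real deployment the alert would feed a blocking action (what OSSEC calls active response), so the threshold and window are the knobs that trade detection speed against locking out a user who mistyped a password a few times.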
NB – This how-to book is a quick and dirty guide for OSSEC, it is not a reference book. If you need more, Daniel Cid, the author of OSSEC, wrote a book in 2008 titled OSSEC Host-Based Intrusion Detection Guide. You can buy it on Amazon or download it for free (PDF, 8.4 MB).