Blare

Introduction

Blare is an experimental policy-based, host-based intrusion detector for Linux. Its main purpose is to serve as a testbed for experimenting with a new intrusion detection approach.

Unlike IDSes such as Snort or Snare, Blare requires neither attack signatures, nor learned profiles, nor prior knowledge of program behaviour. Its main goals are:

  • to detect every violation of the implemented security policy, including violations carried out with unknown or novel attacks;
  • to report only actual policy violations, i.e. to produce no false positives;
  • to support common security policies such as Discretionary Access Control (DAC), Bell-LaPadula, etc.
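To make the "policy violations, not signatures" idea concrete, here is a miniature policy-based monitor: a Bell-LaPadula checker that evaluates a trace of file accesses and reports exactly the accesses that break the policy. This is example code written for this page, not Blare's own implementation; the sensitivity levels, subjects, paths and the trace itself are all constructed for the illustration.

```python
"""Policy-based detection in miniature: a Bell-LaPadula monitor that
evaluates a constructed trace of file accesses and reports only the
accesses that violate the policy. Example code written for this page,
not part of Blare; labels, subjects and paths are all made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Totally ordered sensitivity levels, lowest first (assumed for the example).
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class Access:
    subject: str  # process or user performing the access
    obj: str      # file being accessed
    mode: str     # "read" or "write"


def blp_violation(subject_level: int, object_level: int, mode: str) -> Optional[str]:
    """Return the violated BLP rule, or None if the access is allowed.

    Simple security property: a subject may not read an object above its level.
    *-property: a subject may not write to an object below its level.
    """
    if mode == "read":
        return "no-read-up" if subject_level < object_level else None
    if mode == "write":
        return "no-write-down" if subject_level > object_level else None
    raise ValueError(f"unknown access mode {mode!r}")


def monitor(events: List[Access],
            subject_levels: Dict[str, str],
            object_levels: Dict[str, str]) -> List[Tuple[Access, str]]:
    """Check every event against the policy. No signatures or profiles are
    consulted: an alert is raised exactly when the policy is violated."""
    alerts: List[Tuple[Access, str]] = []
    for ev in events:
        s = LEVELS[subject_levels[ev.subject]]
        o = LEVELS[object_levels[ev.obj]]
        reason = blp_violation(s, o, ev.mode)
        if reason is not None:
            alerts.append((ev, reason))
    return alerts


# Constructed labelling: a web server process running at the lowest level
# and an administrator cleared for secret data.
SUBJECT_LEVELS = {"www-data": "public", "alice": "secret"}
OBJECT_LEVELS = {
    "/var/www/index.html": "public",
    "/srv/reports/q3.txt": "internal",
    "/etc/shadow": "secret",
}

# Constructed trace. Event 3 models a compromised web server reading the
# password file; event 4 models an administrator leaking secret data into a
# world-readable web page. Neither needs a signature to be detected.
TRACE = [
    Access("alice", "/etc/shadow", "read"),              # secret reads secret: ok
    Access("www-data", "/var/www/index.html", "read"),   # public reads public: ok
    Access("www-data", "/etc/shadow", "read"),           # read up: violation
    Access("alice", "/var/www/index.html", "write"),     # write down: violation
    Access("alice", "/srv/reports/q3.txt", "read"),      # read down: allowed by BLP
    Access("www-data", "/srv/reports/q3.txt", "write"),  # write up: allowed by BLP
]


def run_example() -> List[Tuple[Access, str]]:
    """Run the monitor over the constructed trace and return its alerts."""
    return monitor(TRACE, SUBJECT_LEVELS, OBJECT_LEVELS)


if __name__ == "__main__":
    for ev, reason in run_example():
        print(f"ALERT {reason}: {ev.subject} {ev.mode} {ev.obj}")
```

Two points the toy makes visible. First, the compromised web server is caught by the read of /etc/shadow itself, whatever exploit got it there, which is the sense in which a policy-based detector handles unknown attacks. Second, "no false positives" is relative to the policy as written: the last two events are accepted because Bell-LaPadula permits reading down and writing up, and a mislabelled file would produce an alert that is spurious from the operator's point of view but correct with respect to the labels. Getting the labelling right is therefore where the real effort goes.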

You can find more information on the Documentation and Papers pages.