wIDSard is a host-based Intrusion Detection System for the i386 Linux platform.

It intercepts, at user level, the system calls specified in a configuration file written by the user. System call interception is based on the strace source code. A finite-state automaton is used to trace the monitored process. The configuration file language is based on regular expressions.

If a particular sequence of system calls is intercepted, an appropriate action can be executed (kill the process, log...).
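The matching idea described above, as an added example that is not wIDSard's code or its rule syntax: a small automaton is fed one intercepted system call name at a time and reports an action when a configured sequence completes. The `step`/`rule` layout, the `gap` flag, the sample rules and the traces are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum action { ACT_NONE, ACT_LOG, ACT_KILL };
/* One rule element: a syscall name; gap=1 allows any number of other
   calls before it (like ".*name" in a regular expression). Hypothetical. */
struct step { const char *name; int gap; };
struct rule { const struct step *steps; int n; enum action act; };

/* Feed one intercepted syscall. `active` is a bitmask of automaton states:
   bit i set means the first i steps are matched. Tracking a set of states
   (instead of one state with reset) keeps overlapping matches alive. */
static enum action feed(const struct rule *r, unsigned *active, const char *sc)
{
    unsigned next = 1u;                     /* a match may start at any call */
    for (int i = 0; i < r->n; i++) {
        if (!(*active & (1u << i))) continue;
        if (strcmp(r->steps[i].name, sc) == 0) next |= 1u << (i + 1);
        if (r->steps[i].gap) next |= 1u << i;   /* wait across other calls */
    }
    *active = next & ~(1u << r->n);         /* final state is reported, not kept */
    return (next & (1u << r->n)) ? r->act : ACT_NONE;
}

/* Run a whole trace; return the index of the call that fired the rule, or -1. */
static int scan(const struct rule *r, const char *const *trace, int len)
{
    unsigned active = 1u;
    for (int i = 0; i < len; i++)
        if (feed(r, &active, trace[i]) != ACT_NONE) return i;
    return -1;
}

/* Constructed sample rules and traces (not taken from wIDSard). */
static const struct step fd_steps[] = {
    { "socket", 0 }, { "dup2", 1 }, { "dup2", 0 }, { "execve", 1 } };
static const struct rule fd_rule = { fd_steps, 4, ACT_KILL };
static const struct step rrw_steps[] = { { "read", 0 }, { "read", 0 }, { "write", 0 } };
static const struct rule rrw_rule = { rrw_steps, 3, ACT_LOG };
static const char *const benign[] = { "open", "read", "socket", "connect", "write", "close" };
static const char *const suspect[] = { "socket", "socket", "connect", "dup2", "dup2", "dup2", "execve" };
static const char *const overlap[] = { "read", "read", "read", "write" };

int main(void)
{
    printf("benign=%d suspect=%d\n", scan(&fd_rule, benign, 6), scan(&fd_rule, suspect, 7));
    printf("overlap=%d\n", scan(&rrw_rule, overlap, 4));
    return 0;
}
```

The `overlap` trace is the case a single-state matcher that resets on mismatch would miss, because the sequence restarts inside a partial match.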


  • Linux Kernel >= 2.2.x
  • No kernel modification is required (only the kernel source is needed to compile)
  • A fairly good knowledge of Linux system calls, needed to write a configuration file





Released version 0.12




If you have any comments, or you want to ask something about wIDSard, feel free to contact stefano.frassi[AT]




wIDSard language

Example of rules file 1

Example of rules file 2
Example of rules file 3
wIDSard language (Italian) Logo