fupids (the fuzzy userprofile intrusion detection
system) is a user-profile based IDS for the
OpenBSD kernel. It modifies certain syscalls in
order to detect suspicious behavior. For example,
it watches for network devices being set to
promiscuous mode, and it watches for the creation
of listen() sockets by users. fupids also handles
a program profile for your local users, and it can
find attackers who overtake existing accounts.