[NTLUG:Discuss] If you were using an intrusion detection system...
Mark Hanna
Mark.Hanna at freemanco.com
Sat May 6 12:44:56 CDT 2006
Technically, Tripwire, AIDE and LIDS are file/data integrity tools, not
intrusion detection tools (although AIDE stands for Advanced Intrusion
Detection Environment, this is a bit of a misnomer).
Using them for IDS is only one of many ways they can be implemented.
Tripwire has a commercial and a FOSS source version, so depending on
your needs (corporate environment?), maybe you want the support of the
commercial version?
I've personally used Tripwire (back when it was FOSS only) and AIDE, and
they can both be quite a bit of a pain to configure correctly.
They all basically function the same way in that you define what files
you want monitored and in what manner (file size, mod times, permissions)
and then they compute a hash of each file building a database for later
comparison. The hassle is setting the right balance in what
files/directories and what aspects of each file/directory. The more you
select, the longer it will take to compute the hashes.
LIDS is both a kernel patch and userspace tool implementation, so unless
you are very familiar with hand patching, re-compiling, and installing
your kernels from source, I would stay away from this one.
Tripwire and AIDE are userspace tools only.
Regardless of which one you choose, a critical aspect that very often
gets overlooked is: do NOT store the database on the system itself. The
preferred method is saving it to read-only media or a USB key, or to
another server if neither of those is an option. Choosing a "good and
strong" hash method can also be a little daunting for novice users. I'm
a little behind on my reading of this, but I think right now stay away
from SHA1 and MD5.
-----Original Message-----
From: Discuss-bounces at ntlug.org [mailto:Discuss-bounces at ntlug.org] On
Behalf Of Leroy Tennison
Sent: Saturday, May 06, 2006 7:14 AM
To: NTLUG Discussion List
Subject: [NTLUG:Discuss] If you were using an intrusion detection system...
What would you use?
I know about Tripwire and have found Aide and LIDS, any input would be
much appreciated. Thanks.
More information about the Discuss mailing list: http://ntlug.pmichaud.com/mailman/listinfo/discuss
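The reply above describes how Tripwire and AIDE work: pick which files to watch and which attributes (size, mod time, permissions, a hash) to record, build a database, and compare against it later. The following Python script is an added illustration of that workflow and is not code from the thread, from Tripwire, or from AIDE. It assumes SHA-256 as the hash (the post only says to avoid MD5 and SHA-1), a hypothetical path-prefix "policy" dictionary to show the per-file balancing the post talks about (for example, watching only permissions on log files that grow legitimately), and a baseline path that stands in for the off-host or read-only storage the post recommends. The sample directory tree in demo() is constructed for the example.

```python
"""Minimal Tripwire/AIDE-style file integrity baseline and compare (added example)."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

# Attributes recorded for a file when no more specific policy rule applies.
DEFAULT_ATTRS = ("size", "mode", "mtime", "sha256")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 (assumed choice; avoids MD5/SHA-1)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_record(path: Path, attrs) -> dict:
    """Collect only the requested attributes of one regular file."""
    st = path.lstat()
    rec = {}
    if "size" in attrs:
        rec["size"] = st.st_size
    if "mode" in attrs:
        rec["mode"] = oct(stat.S_IMODE(st.st_mode))  # permission bits only
    if "mtime" in attrs:
        rec["mtime"] = int(st.st_mtime)
    if "sha256" in attrs:
        rec["sha256"] = sha256_of(path)
    return rec


def attrs_for(rel: str, policy: dict):
    """Hypothetical policy: longest matching path prefix wins, else DEFAULT_ATTRS."""
    best = None
    for prefix in policy:
        if rel.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return policy[best] if best is not None else DEFAULT_ATTRS


def build_baseline(root, policy=None) -> dict:
    """Walk root and record every regular file (symlinks and directories skipped)."""
    root = Path(root)
    policy = policy or {}
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        baseline[rel] = file_record(p, attrs_for(rel, policy))
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed paths, naming the attributes that differ."""
    changed = {}
    for rel in baseline.keys() & current.keys():
        diff = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel].get(k))
        if diff:
            changed[rel] = diff
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": changed,
    }


def save_baseline(baseline: dict, dest) -> None:
    """dest should live on read-only media or another host, never on the monitored box."""
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def demo() -> dict:
    """Constructed walkthrough: baseline a tiny tree, tamper with it, compare."""
    root = Path(tempfile.mkdtemp(prefix="fim-root-"))
    for rel, data in {"bin/tool": b"#!/bin/sh\necho hello\n",
                      "bin/gone": b"x", "logs/app.log": b"line1\n"}.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    policy = {"logs/": ("mode",)}  # logs grow legitimately: watch permissions only
    db = Path(tempfile.mkdtemp(prefix="fim-db-")) / "baseline.json"  # stand-in for off-host media
    save_baseline(build_baseline(root, policy), db)
    # Simulated changes since the baseline was taken.
    (root / "bin/tool").write_bytes(b"#!/bin/sh\necho HELLO\n")  # same size, new content
    (root / "bin/gone").unlink()
    (root / "logs/app.log").write_bytes(b"line1\nline2\n")  # growth, not flagged by policy
    (root / "etc").mkdir()
    (root / "etc/new").write_bytes(b"n")
    return compare(load_baseline(db), build_baseline(root, policy))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The same-size edit to bin/tool shows why a hash is worth its cost: size and permissions alone would miss it. The policy entry for logs/ is the trade-off the post calls a hassle, fewer attributes for noisy paths in exchange for fewer false alarms and faster runs.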