Intrusion Detection Systems mailing list archives

Re: Tripwire or alternative
From: fernando () pedestalsoftware com (Fernando Trias)
Date: Tue, 18 Jul 2000 12:37:20 -0400


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

I've had some experience building integrity checkers for all sorts of 
platforms, so I hope my 2 cents are relevant. I'm not familiar with Dragon 
Squire so I can't comment on it but it sounds quite interesting.

Centralizing information in the freeware version of tripwire is achieved by 
emailing the reports to a central email which somebody must check every 
day. No central console required. But it sounds like the problem is not 
solved by centralization.

I would guess that the problem is that there are not enough eyes to scan 
through everything: scanning logs is a fairly boring and miserable job. 
That job is not made easier or more pleasant by a central console. To solve 
this problem, aside from hiring more people, you may contract a company 
like Counterpane or its equivalent that monitors logs (no endorsement or 
connection; it's just the first name that comes up in my mind).

Another common problem that you may be experiencing is that tripwire may 
not be configured properly and generates a lot of junk. The only solution 
is to spend a lot of time refining the policy file on every system or 
getting smarter software.

As far as I know, Intact (www.pedestalsoftware.com; this is an endorsement 
since I work there) is the only integrity checker that helps you with this 
problem by analyzing the changes in the entire system (including users and 
groups, which other products do not do) for a period of time, in order to 
determine what, in fact, should change and what should not during normal 
operations. The key is that it does all this automatically. This is 
particularly useful in NT where files and settings are all over the place, 
but also relevant in Unix platforms--and especially if you are monitoring 
LDAP directories.

> > We're currently running the educational version of tripwire... no one is
> > really administering it and the reports are just being ignored. As I see
> > it, the shortfall of this free version is the inability to centralize the
> > databases/reports and the granularity/control of the reports. From what I
> > saw it's quite cryptic as well. My company's a non-profit and qualifies for
> > tripwire's commercial product with a discount. We're considering going to
> > it, but want to see if there are viable alternatives. Has anyone put
> > together something that can be used with the existing freeware version of
> > tripwire as far as centralizing information and creating reports? Are there
> > any other free or commercial products that may be better/easier? How does
> > Flight Recorder fit into the scheme of things? Obviously these are pretty
> > green questions, but we had to get attacked for someone to get off their
> > duffs and now they want to know everything yesterday. At least the
> > checkbooks are coming out :-)
> >
> > Any direction would be greatly appreciated.


> Hi Roy,
>
> Dragon Squire is very close to shipping. It provides file integrity checking
> and signature analysis of log files such as /var/log/messages or the
> access_log file. It has a very small footprint. Management of multiple Dragon
> Squires occurs through the same interface as with the Dragon Sensor. This means
> that all management and alert correlation occurs through a web interface. This
> is also the mechanism we are using to correlate firewall logs with Dragon
> data.
>
> I'm tempted to send another 4-5 pages of marketing stuff for NSW, but feel
> free to visit the web page at http://www.securitywizards.com ;)
>
> Ron Gula
> 410-381-2101
> Network Security Wizards

----------------------------
Fernando Trias                     Pedestal Software, LLC
fernando () pedestalsoftware com    Phone: +1 (508) 520-8960
http://www.pedestalsoftware.com    Fax: +1 (508) 520-8638
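The learn-then-check approach Fernando describes (observe the whole system, users and groups included, over a period to work out what routinely changes, then report only what falls outside that envelope) is illustrated below as an added Python example written for this page; it is not code from Tripwire, Intact, Pedestal Software, or Network Security Wizards. The host, its file contents, and its account tables are constructed in memory rather than read from a real filesystem, so the script runs offline; the paths, users, and log lines are hypothetical.

```python
# Added example: a learn-then-check integrity monitor (illustrative code for
# this page, not any vendor's). Snapshots are built from constructed in-memory
# data so the example runs offline and deterministically.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    files: dict    # path -> sha256 hex digest of content
    users: dict    # username -> (uid, gid, shell)
    groups: dict   # group name -> sorted tuple of member names


def take_snapshot(file_contents, users, groups):
    """Hash every file and normalise the user/group tables into a Snapshot."""
    return Snapshot(
        files={p: hashlib.sha256(c).hexdigest() for p, c in file_contents.items()},
        users=dict(users),
        groups={g: tuple(sorted(m)) for g, m in groups.items()},
    )


def diff(old, new):
    """All differences between two snapshots as (kind, name, change) triples."""
    out = set()
    for kind in ("files", "users", "groups"):
        a, b = getattr(old, kind), getattr(new, kind)
        out |= {(kind, n, "removed") for n in a.keys() - b.keys()}
        out |= {(kind, n, "added") for n in b.keys() - a.keys()}
        out |= {(kind, n, "modified") for n in a.keys() & b.keys() if a[n] != b[n]}
    return out


def learn(snapshots):
    """Union of every change seen between consecutive learning-period snapshots.
    These are treated as routine afterwards, so the period itself must be clean."""
    expected = set()
    for old, new in zip(snapshots, snapshots[1:]):
        expected |= diff(old, new)
    return expected


def check(previous, current, expected):
    """Changes since the previous snapshot that the learning period never showed.
    A path seen only as 'modified' during learning is still reported if it is
    removed, and user/group changes are reported like any other."""
    return sorted(diff(previous, current) - expected)


# Constructed sample host (hypothetical contents, not a real system).
BASE_FILES = {
    "/bin/ls": b"ls binary v1",
    "/etc/passwd": b"root:x:0:0\nroy:x:1000:1000\n",
    "/var/log/messages": b"Jul 15 12:00:01 host syslogd: restart\n",
}
USERS = {"root": (0, 0, "/bin/sh"), "roy": (1000, 1000, "/bin/bash")}
GROUPS = {"wheel": ["root"], "users": ["roy"]}


def day(log_tail, overrides=None, users=USERS, groups=GROUPS):
    """One day's snapshot: the log grows by log_tail, plus any file overrides."""
    files = dict(BASE_FILES)
    files["/var/log/messages"] += log_tail
    files.update(overrides or {})
    return take_snapshot(files, users, groups)


def run_demo():
    # Three quiet days: only the log file changes, so learning marks it routine.
    quiet = [
        day(b""),
        day(b"Jul 16 03:00:00 host run-parts: cron.daily\n"),
        day(b"Jul 16 03:00:00 host run-parts: cron.daily\n"
            b"Jul 17 03:00:00 host run-parts: cron.daily\n"),
    ]
    expected = learn(quiet)

    # Day 3: the log grows as usual, but ls is replaced, a uid-0 user appears
    # and roy is added to wheel. Only those three should be reported.
    attacked = day(
        b"Jul 16 03:00:00 host run-parts: cron.daily\n"
        b"Jul 17 03:00:00 host run-parts: cron.daily\n"
        b"Jul 18 03:00:00 host run-parts: cron.daily\n",
        overrides={"/bin/ls": b"ls binary with backdoor"},
        users={**USERS, "backdoor": (0, 0, "/bin/sh")},
        groups={**GROUPS, "wheel": ["root", "roy"]},
    )
    attack_report = check(quiet[-1], attacked, expected)

    # Variant: the log is deleted outright. Learning only ever saw it modified,
    # so the removal is still reported.
    wiped = take_snapshot({p: c for p, c in BASE_FILES.items()
                           if p != "/var/log/messages"}, USERS, GROUPS)
    wipe_report = check(quiet[-1], wiped, expected)
    return expected, attack_report, wipe_report


if __name__ == "__main__":
    expected, attack_report, wipe_report = run_demo()
    print("learned as routine:", sorted(expected))
    print("reported on day 3:", attack_report)
    print("reported when log wiped:", wipe_report)
```

Two caveats a practitioner would want: the learned envelope is only as trustworthy as the learning period (a change that happens during learning, including a new uid-0 account, becomes "routine"), so the period should be taken on a freshly built host or reviewed by hand before it is trusted; and keying the envelope on (kind, name, change) rather than on names alone is what keeps a routinely-modified file such as /var/log/messages in scope for deletion, the case a log-wiping attacker produces. On a real host the snapshot function would walk the filesystem and read /etc/passwd and /etc/group (or an LDAP directory) instead of the constructed tables used here.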

