Intrusion Detection Systems for your network: Part I
It is recommended that a Tripwire snapshot be taken when you are confident of system integrity, for instance right after an operating system installation or upgrade. A "signature" (in Tripwire's terminology a checksum or message digest, not a keyed digital signature) is computed for every file and directory under Tripwire's watch, and there are several signature algorithms to choose from: eight signature functions are bundled with Tripwire, and you can add your own if you wish. Several of the provided signatures, however, are fairly easy to spoof. The 16-bit checksum and the 16- and 32-bit CRC algorithms can all be reversed with publicly available software on an ordinary desktop computer, which means an intruder can modify a file and then pad it with a few chosen bytes so that its CRC still matches the value stored in the database. The Tripwire documentation recommends using these only when the time needed to compute the signatures matters, for example when you run Tripwire every hour. Otherwise the authors recommend the message-digest algorithms (MD4, MD5 and Snefru), which produce larger, 128-bit signatures that they claim are computationally infeasible to reverse. Since that documentation was written, practical collisions have been found for MD4 and MD5, so a current deployment should prefer a SHA-2 digest where the tool offers one; the CRC functions remain the ones to avoid for integrity checking.
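To make the "CRC can be reversed" point concrete, here is an added example (not code from the article or from Tripwire itself) that forges the 4 trailing bytes needed to give any file the CRC-32 of your choice, using the same reflected polynomial that zlib uses. The file contents and the "trojaned" version are constructed for the demonstration; `crc32_suffix`, `forge` and `demo` are names chosen here, not Tripwire functions. The same trick does not work against MD5, which is the page's point about choosing a digest over a CRC.

```python
import hashlib
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320), identical to zlib's.
POLY = 0xEDB88320
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)

# Every table entry has a distinct top byte; that property is what lets us
# walk the CRC shift register backwards one byte at a time.
BY_TOP_BYTE = {entry >> 24: n for n, entry in enumerate(TABLE)}
assert len(BY_TOP_BYTE) == 256


def crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes that, appended to data, make zlib.crc32 of the whole equal target."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF   # raw shift register after data (undo final XOR)
    wanted = target ^ 0xFFFFFFFF            # register value that produces target after final XOR

    # Step 1: from the wanted register, recover the four table indices that must
    # be consumed, last byte first. Each step peels one table entry off the top.
    indices = []
    reg = wanted
    for _ in range(4):
        n = BY_TOP_BYTE[reg >> 24]
        indices.append(n)
        reg = ((reg ^ TABLE[n]) << 8) & 0xFFFFFFFF
    indices.reverse()

    # Step 2: replay forwards from the real register, picking each byte so the
    # table index used at that step is the one recovered above.
    suffix = bytearray()
    reg = state
    for n in indices:
        suffix.append(n ^ (reg & 0xFF))
        reg = TABLE[n] ^ (reg >> 8)
    assert reg == wanted
    return bytes(suffix)


def forge(data: bytes, target: int) -> bytes:
    """Return data plus a 4-byte suffix whose CRC-32 is exactly target (verified)."""
    forged = data + crc32_suffix(data, target)
    assert zlib.crc32(forged) == target
    return forged


def demo():
    """Constructed example: a 'system binary' is altered, then padded so CRC-32 still matches."""
    original = b"#!/bin/sh\necho 'hello from ls'\n"
    tampered = b"#!/bin/sh\necho 'hello from ls'\necho 'extra line added by an intruder'\n"
    forged = forge(tampered, zlib.crc32(original))
    return {
        "crc32_matches": zlib.crc32(forged) == zlib.crc32(original),   # True: CRC fooled
        "md5_matches": hashlib.md5(forged).digest() == hashlib.md5(original).digest(),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The backwards walk works because the CRC update `reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)` puts the table entry's top byte directly into the register's top byte, so the last index is readable from the target, and so on down. Four bytes are needed because the register is 32 bits wide; a 16-bit CRC would need only two.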
Does Tripwire keep out intruders?
Sadly, no. But the whole essence of this system is to put invisible cameras in place on your system, cameras that an intruder who manages to bypass your existing security framework never sees. Tripwire runs quietly, sits and waits for something to go wrong, and as soon as a violation occurs it produces a detailed post-mortem of the crime scene. It helps you determine what happened to your data: whether it has been corrupted, which system files have been replaced (a possible sign of Trojans planted in your system binaries) and, in general, the extent of the damage. So once you have initialized the database, each time you run Tripwire you are verifying the file system against the consistency checks spelled out in a policy file, which we will discuss later.
Tripwire is not limited to tracking system file modifications: it can be configured to monitor any file or directory tree on your *NIX host, and you do not need any special privileges to run it. Any user can write their own Tripwire configuration file and produce a change report for the files they have read access to. In addition to file signatures, Tripwire can examine inode information: permissions and mode, inode number, number of links, user id, group id, file size, modification time stamp and access time stamp.
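The following is an added example of the baseline-then-verify cycle the two paragraphs above describe, written here for illustration and not taken from Tripwire's own code. It records a SHA-256 digest plus the eight inode attributes listed above for every entry under a directory tree, compares a later snapshot against the baseline, and reports added, deleted and changed entries. The `DEFAULT_POLICY` mapping stands in for a policy file (a glob that says which attributes are allowed to change, so a growing log is not reported); its format is an assumption of this example, not Tripwire's policy syntax. Because the checker must read each file to digest it, and reading updates the access time, it restores the access time afterwards; otherwise the checker's own run would register as a change. The sample tree is constructed in a temporary directory.

```python
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile

# Hypothetical policy: relative-path glob -> attributes allowed to change unreported.
# First matching pattern wins. Log files grow, so their size/time/digest are exempt.
DEFAULT_POLICY = {
    "log/*": {"size", "mtime", "atime", "sha256"},
    "*": set(),
}


def _ignored(relpath, policy):
    for pattern, exempt in policy.items():
        if fnmatch.fnmatch(relpath, pattern):
            return exempt
    return set()


def fingerprint(path):
    """Inode metadata plus a digest for regular files; restores atime after reading."""
    st = os.lstat(path)
    rec = {
        "mode": st.st_mode, "inode": st.st_ino, "nlink": st.st_nlink,
        "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
        "mtime": st.st_mtime_ns, "atime": st.st_atime_ns,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
        # Reading bumped the access time; put it back so our own check is invisible.
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return rec


def snapshot(root):
    """Baseline database: relative path -> fingerprint, for every entry under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def compare(baseline, current, policy=DEFAULT_POLICY):
    """Report entries added, deleted, or changed in attributes the policy does not exempt."""
    report = {"added": [], "deleted": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["deleted"].append(rel)
        else:
            exempt = _ignored(rel, policy)
            old, new = baseline[rel], current[rel]
            diff = [k for k in set(old) | set(new)
                    if k not in exempt and old.get(k) != new.get(k)]
            if diff:
                report["changed"][rel] = sorted(diff)
    return report


def demo():
    """Constructed sample tree: take a baseline, simulate an intrusion, verify."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "log"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF original ls\n")
        with open(os.path.join(root, "log", "messages"), "wb") as f:
            f.write(b"boot ok\n")
        baseline = snapshot(root)

        # Simulated intrusion: a binary is replaced, a hidden file appears, the log just grows.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF replaced ls with extra code\n")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped by intruder\n")
        with open(os.path.join(root, "log", "messages"), "ab") as f:
            f.write(b"login root\n")
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

A real deployment would keep the baseline database (and the checker binary) on read-only or offline media, since an intruder who can rewrite the database can simply re-baseline the tampered files; the report itself is only as trustworthy as the copy of the database it was compared against.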
Is it Open Source?