Tripwire: An open-source IDS
A File System Integrity Checker for Intrusion Detection


Page 2: Tripwire

What is Tripwire?

A reliable intrusion detection system.

A tool that checks what changes have been made to your system.

It pinpoints and reports changes, determines their nature, and provides information on how to manage each change.

It mainly monitors the key attributes of your files (such as binary signature, size and other related data).

Page 3: Tripwire

Changes are compared to an established good baseline.

Security is compromised if there is no control over the various operations taking place.

Security not only means protecting your system against various attacks, but also taking quick and decisive action when your system is attacked.

Page 4: Tripwire

How does Tripwire work?

Page 5: Tripwire

First, a baseline database is created that stores the original attributes, such as binary values in the registry.

If the host computer is intruded, the intruder changes these values to go undetected.

The Tripwire software constantly checks the system logs to see whether any unauthorized changes were made.

If so, it reports to the user.

The user can then undo those changes to revert the system to its original state.
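The baseline-then-compare cycle described on this slide, as an added Python example that is not part of the original presentation or of Tripwire's own code: it records a content digest, size and permission bits for every file under a directory, then reports what was added, removed or altered since the baseline. The directory tree, file names and the changes made to them are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Record the monitored attributes of every regular file under root.

    As in Tripwire's baseline database, each entry keeps a content digest,
    the size and the permission bits, keyed by path relative to root.
    """
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        baseline[str(path.relative_to(root))] = {
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o777),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or altered since the baseline was taken."""
    known, now = set(baseline), set(current)
    return {
        "added": sorted(now - known),
        "removed": sorted(known - now),
        "changed": sorted(p for p in known & now if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: build a baseline, alter the tree, run a check."""
    with tempfile.TemporaryDirectory() as root:
        tree = Path(root)
        (tree / "bin").mkdir()
        (tree / "bin" / "ls").write_bytes(b"version-A")
        (tree / "etc.conf").write_text("port=22\n")
        # The trusted "known good" state. Keep it read-only or off-host;
        # Tripwire signs its own database so it cannot be silently rewritten.
        baseline = snapshot(root)
        # Changes made after the baseline. The binary keeps its size and
        # permissions, so only the digest reveals that it was replaced.
        (tree / "bin" / "ls").write_bytes(b"version-B")
        (tree / "etc.conf").unlink()
        (tree / "new.txt").write_text("unexpected file\n")
        return compare(baseline, snapshot(root))
```

Running `demo()` returns the added, removed and changed paths, which is the information an integrity report carries; comparing on the digest rather than size alone is what catches a same-size replacement.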

Page 6: Tripwire

Where is Tripwire used?

Tripwire for Servers (TS) is software used on servers.

It can be installed on any server that needs to be monitored for changes.

Typical servers include mail servers, web servers, firewalls, transaction servers and development servers.

It is also used for network devices such as routers, switches and firewalls.

If any of these devices are tampered with, it can lead to huge losses for the organization that supports the network.

Page 7: Tripwire

Tripwire for Network Devices

Tripwire for network devices maintains a log of all significant actions including adding and deleting nodes, rules, tasks and user accounts.

Automatic notification of changes to your routers, switches and firewalls.

Automatic restoration of critical network devices.

Heterogeneous support for today’s most commonly used network devices.

Page 8: Tripwire

User Authentication Levels

“Monitors” are allowed only to monitor the application. They cannot make changes to Tripwire for Network Devices or to the devices that the software monitors.

“Users” can make changes to Tripwire for Network Devices, such as adding routers, switches, groups, tasks, etc., but they cannot make changes to the devices it monitors.

“Power users” can make changes to the software and to the devices it monitors.

“Administrator” can perform all actions, plus delete violations and log messages.

Page 9: Tripwire

There are two types of Tripwire Manager:

Active Tripwire Manager

Passive Tripwire Manager

The active Tripwire Manager gives a user the ability to update the database, schedule integrity checks, update and distribute policy and configuration files, and view integrity reports.

The passive mode only allows the user to view the status of the machines and the integrity reports.

Page 10: Tripwire

How to install and use Tripwire

Install Tripwire

Initialize the Tripwire database

Test Tripwire

Report files

Schedule checks using cron

Set up email notifications

Page 11: Tripwire

What is the benefit of Tripwire?

Increase security: immediately detects and pinpoints unauthorized change.

Instill accountability: Tripwire identifies and reports the sources of change.

Gain visibility: Tripwire software provides a centralized view of changes across the enterprise infrastructure and supports multiple devices from multiple vendors.

Ensure availability: Tripwire software reduces troubleshooting time, enabling rapid discovery and recovery, and enables the fastest possible restoration to a desired, good state.

Page 12: Tripwire

Drawbacks

Ineffective when applied to frequently changing files.

Higher learning curve to install, edit and maintain the software.

Cost effective

Page 13: Tripwire

Applications

Tripwire for Servers (used as software).

Tripwire as a host-based intrusion detection system (HIDS) and also as a network-based intrusion detection system (NIDS).

Tripwire for network devices such as routers, switches, etc.


Page 15: Tripwire

Thank You!