Aide or Tripwire?
Which one is preferred, Aide or Tripwire? Doing some googling I found posts on one versus the other, but the posts were really old and outdated.
I liked aide better than tripwire, but as unixfool said, try them and decide for yourself. Also another good choice is samhain.
The thing that bothers me about aide is that the db file isn't really protected and they suggest keeping it on a separate device along with its bin files for protection. From what I read, Tripwire requires a key for its db and it's also encrypted. Has Aide updated to this also?
Isn't Samhain a fork of Snort? I was planning on installing snort, so it wouldn't make sense to have them together, right?
However I would say encrypted or not, your database should be kept on read-only media and stored safely. nomb P.S. - I do want to +1 samhain though. Or Osiris if you want to be able to handle it from a server/client perspective.
As far as the debate... Tripwire has a full-out commercial version, http://www.tripwire.com/, which really puts AIDE to shame. But, as for me, I use AIDE because I can't afford that expensive crap. Plus, I never install aide ON the computer that I run it on. I always transfer a fresh copy over to run and spit out a database, and compare it to a known good one. I do this because really, if you are an 3LiT3 HaX0R, the first thing you will notice is that crontab -l has /bin/aide in it, which would lead you to modify that /bin/aide to ignore any changes it finds and spit out an "Everything is OK" message. So, TripWire is WAYYYYYYYYYYYYYYYY better, if you pay for it. But Aide is small and portable and gets part of the job done.
I see your point and that is what I was concerned about. What I did was I transferred the aide config file, binary (I run this copy), and database to a thumb drive and just plug it in and do a check/update when I feel like it (personal home pc). Does this sound like a good solution? I wouldn't mind trying samhain out if gentoo would make a working ebuild for it. Samhain seems to leave the commercial version of tripwire in the dust (unless I'm misreading the features).
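One way to put the thumb-drive procedure from the post above into a script, as an added example that is not from the thread: the copy of AIDE on the removable media (binary, config, database) is itself checked against a SHA-256 manifest before it is trusted to check the host. It assumes a Linux host with coreutils `sha256sum`, a hypothetical mount point /mnt/aidekey, and that the manifest was written when the media was prepared.

```shell
#!/bin/sh
# Added example, not code from the thread. Run AIDE from a trusted copy on
# removable media, but only after verifying that the copy itself still
# matches a known-good SHA-256 manifest. The media should be mounted
# read-only; the manifest's own digest belongs off-host (e.g. written down)
# so that a rewritten manifest is noticed too.

AIDE_MEDIA="${AIDE_MEDIA:-/mnt/aidekey}"      # hypothetical mount point
MANIFEST="$AIDE_MEDIA/manifest.sha256"

# verify_manifest DIR MANIFEST
# Returns 0 when every file listed in MANIFEST has the expected digest,
# non-zero otherwise. The manifest is in the "<hex>  <relative path>" format
# that sha256sum writes, so it is created once when the media is prepared:
#   (cd "$AIDE_MEDIA" && sha256sum aide aide.conf aide.db > manifest.sha256)
verify_manifest() {
    dir="$1"; manifest="$2"
    [ -r "$manifest" ] || return 1
    (cd "$dir" && sha256sum -c "$manifest" >/dev/null 2>&1)
}

# media_fingerprint MANIFEST
# Prints the digest of the manifest itself for the operator to compare with
# the value recorded off-host before trusting anything on the media.
media_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# run_trusted_check: refuse to run AIDE at all if the media contents changed.
# The config on the media is expected to point at the database on the media,
# so nothing on the possibly compromised host is consulted except the files
# being checked.
run_trusted_check() {
    if ! verify_manifest "$AIDE_MEDIA" "$MANIFEST"; then
        echo "aide media failed integrity check; not running" >&2
        return 2
    fi
    echo "manifest fingerprint: $(media_fingerprint "$MANIFEST")" >&2
    "$AIDE_MEDIA/aide" --config "$AIDE_MEDIA/aide.conf" --check
}

# Usage: sh aide-media.sh --check   (after mounting the media read-only)
if [ "${1-}" = "--check" ]; then
    run_trusted_check
fi
```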
Tripwire AFAIK is just a file integrity checker. Samhain is a Host-based Intrusion Detection System. An alternative to Samhain is OSSEC, which is another open source HIDS.
Samhain's Web Interface is spiffy though. Actually, OSSEC's dashboard is the closest thing to completely pointless as tatas on a tree.
Thanks for mentioning SGUIL. That looks like a decent program for analysis.
@szboardstretcher I forgot to mention that limit on the free version of Splunk, thanks.
@unixfool Maybe, but file integrity checking is just one way to monitor a host's security. Tripwire just seems too limited, and calling it a HIDS to me is kind of like calling AV software a HIDS. Personally, I just think of a HIDS as having more functionality than just file integrity or just AV scanning. It's really just semantics, though.
The gist of it is that it depends on the user's needs. If all they need is file integrity checking and they already have a suite of tools that meets their needs in securing a network, Tripwire might just fit the bill. But to state that it isn't a HIDS because it isn't rich in features compared to similar tools... that's a bit of a reach. No offense. That's like saying that, compared to Sguil, BASE isn't a SEM because Sguil has more options. That's not quite fair. This is why I say for OPs to test the software they have questions about and decide on their own. Their own testing should weigh more than internet suggestions, IMO.