Slashdot Mirror


Is Tripwire Still Relevent?

Deagol asks "I work for a good-sized University. I've heard that Tripwire and our software licensing department is negotiating for a site-license. I was asked to comment on whether our department would like to buy in. I personally lost interest in Tripwire when they went commercial (I guess seeing a well-respected research tool go proprietary soured the milk for me), and though I've toyed briefly with the 'open source' version, I mainly have experience with the Academic Source Release. Seeing how their demo is only a 'simulation' (how lame is that?), I can't get a feel for what the commercial version can really do for me. Does anyone know the value (if any) of commercial Tripwire over the free one; Are there open source packages that have made Tripwire obsolete?"

49 comments

  1. ViperDB by mwilson · · Score: 3, Informative

    Check out ViperDB, written in perl, it does its checks every 5 minutes, in a highly optimized way at that. I actually know the guy who wrote it, and when setting up software on his machine set off his pager something fierce.

  2. Where I work... by SpaFF · · Score: 3, Informative

    We use samhain. It's very nice because it can log to a remote host and store the filesystem database on a remote host as well. It also runs as a daemon and scans at a set interval. You can even make it change its name and hide its code in image files so as to trick hax0rs into thinking that it's not installed.

    The only thing I don't like about it is that I have it scheduled to check the machines every 10 mins, so if one of the junior admins changes something and forgets to reset the database I get an email every 10 mins until I reset it.

    The homepage for samhain is http://la-samhna.de/samhain/

    --
    -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
  3. Another example - by Discoflamingo13 · · Score: 3, Informative

    is Osiris, which has an Apache-style syntax and a weird pseudo-free license. I haven't worked with enough filesystem integrity management systems (aka intrusion detection systems) to differentiate its use from Tripwire. My two cents.

    1. Re:Another example - by Inthewire · · Score: 1

      Re your sig:

      I fucking love COE but I never seem to run into fans.

      --
      Writers imply. Readers infer.

  4. Aide by den_erpel · · Score: 4, Informative

    I guess this will not answer your question about the advantage of the commercial tripwire over the open source one, but I have been using aide for some time now and it does a good job for me. I think it does the same as tripwire does (the version of 2 years ago, since that was the last time I used it).

    [marc@scorpius marc]$ apt-cache show aide
    Package: aide
    Priority: optional
    Section: admin
    Installed-Size: 980
    Maintainer: Mike Markley
    Architecture: i386
    Version: 0.9-2
    Depends: libc6 (>= 2.3.1-1), debconf (>= 0.2.0)
    Recommends: cron, mailx
    Filename: pool/main/a/aide/aide_0.9-2_i386.deb
    Size: 346316
    MD5sum: a3610146e79608a34997450fdc56d74f
    Description: Advanced Intrusion Detection Environment
    AIDE creates a database from the regular expression rules that it finds
    from the config file. Once this database is initialized it can be used to
    verify the integrity of the files. It has several message digest algorithms
    (md5,sha1,rmd160,tiger,haval,etc.) that are used to check the integrity of
    the file. More algorithms can be added with relative ease. All of the usual
    file attributes can also be checked for inconsistencies.
    .
    You will almost certainly want to tweak the configuration file in /etc/aide/aide.conf. See manual.html for information on this file.

    --
    Genius doesn't work on an assembly line basis. You can't simply say, "Today I will be brilliant."
    1. Re: Aide by Omniscient+Ferret · · Score: 2, Informative

      Yup, it's worked for me. Checking my notes, I compared aide to tripwire 1.2 last September; I was annoyed by tripwire filling out unrequested fields. Going from memory: I think tripwire was _much_ slower than aide with similar options chosen (multiple checksums).

      This was before version 2 came out; I never got around to checking that out. Aide is up from 0.7 to 0.9, at least. 0.9 seemed a little faster than 0.7.

      As a disclaimer: I'm not sending the output of Aide to a database, or to another machine, or anything very fancy; I'm just getting a flat text file and running version tracking on that.

  5. Is Tripwire Still Relevent? by Anonymous Coward · · Score: 1, Funny

    Eye den't knew reelly, bet thenks fer esking !

    1. Re:Is Tripwire Still Relevent? by Anonymous Coward · · Score: 0

      +2 Funny? I don't get it.

    2. Re:Is Tripwire Still Relevent? by Anonymous Coward · · Score: 0
  6. Relevant by benh57 · · Score: 0, Offtopic

    The proper spelling is "relevant", Cliff.

    % dict relevent
    No definitions found for "relevent", perhaps you mean:
    web1913: Relevant

  7. FCheck by sydb · · Score: 5, Informative

    About 4 months ago, a Windows-knowledgeable colleague and my Unix-using self did a comparison of TripWire, ViperDB, Aide, Fcheck and another tool whose name escapes me. We were looking for speed, simplicity, effectiveness and portability (*nix/Win32).

    FCheck ruled the day. It's easy to configure, works on *nix and Win32 (it's written in Perl), very fast in operation (We found Tripwire to be unusably slow/CPU-intensive for regularly scheduled checks) and passed every functional test we threw at it. It logs to syslog so you can send output to a remote machine. And it's GPL'd.

    As for Tripwire's proprietary version, my colleague reckoned the only benefit was the GUI. Personally I don't see the point of a GUI on a security tool which is meant to run unsupervised. I suppose it does reporting etc. but really, what more do you need other than "This file changed at dd/mm/yy, hh:mm.ss. The change was ....". A little bit of scripting will do everything else for you.

    --
    Yours Sincerely, Michael.
    1. Re:FCheck by soyle · · Score: 2, Informative

      Some time ago I did a comparison of various file-based intrusion detection systems. The free/opensource ones that seemed to stand out were Integrit (http://integrit.sourceforge.net) and Samhain (http://samhain.sourceforge.net). I have no idea whether they run on Windows, though.

  8. questions by sjanich · · Score: 2, Interesting

    Do any of these have:

    1) Central console to manage the application on servers across the Enterprise?

    2) Runs on Cisco routers?

    1. Re:questions by sydb · · Score: 3, Informative

      I never understood the requirement to have central management consoles for everything you run.

      If you have so many servers that managing them individually is not an option, then what you need is a general solution to the management problem, not a specific solution for every piece of software you run.

      For command line tools, manymaint (a nice Expect script) is one simple and free solution.

      As for doing checks of routers, you could just use tftp to download configs to a server on a scheduled basis and run your checks there.

      Computing is fun when you use your imagination to solve a problem (even an easy one like this) creatively, instead of asking "Here's my niche problem, where is the expensive niche product from a faceless bland corporation that fixes it?".

      --
      Yours Sincerely, Michael.
  9. Commercial Tripwire by roachmotel3 · · Score: 4, Informative

    First off, if you only have to worry about a couple of machines, anything works pretty well.

    Tripwire is good because it uses multiple hashing routines to figure out if something has changed (ie you can't pad a file with "0" until the hash is the same).

    Additionally, the real strength in the commercial version of tripwire is the scalability. If you have hundreds of machines you need to monitor, the commercial version provides a central console which at a glance shows you what's going on across all your machines as far as changes. And the central console allows you to reconcile changes or revert to a known good state remotely.

    All in all, if you only have a few boxen, don't buy it. If you have many and you don't want to spend all your time reconfiguring and updating a rules database, go for the commercial version.

    1. Re:Commercial Tripwire by Anonymous Coward · · Score: 0

      I use the commercial version of tripwire on irix. A couple of things. The central console is for windows only. So if you're purely a unix shop like I am, it's useless. If your OS (irix) is very dynamic, tripwire is useless. For example, with Irix, if you use inst to apply a patch, Irix will do a requickstart and suddenly all of your binaries/libraries will be flagged as having changed. You could configure tripwire not to flag, but it kind of defeats the purpose of tripwire if you stop monitoring inode/timestamp on say libc.so. But then again, they were dropping support for irix the last time I talked to them.

    2. Re:Commercial Tripwire by Eimi+Metamorphoumai · · Score: 3, Informative

      The Tripwire Manager is most certainly not Windows only; I know because I run it daily on a Linux box monitoring two Linux boxen and over 30 Solaris machines. I don't know about Irix, but I don't see why it would possibly be changing all those files. And you can turn off checking of attributes like inode and timestamp but leave on important attributes like checksums (we have a few files that get overwritten every night as part of a centralized configuration system, but have it set up not to notify us unless the contents change).

      --

      Visit me on #weirdness on the Galaxynet.

    3. Re:Commercial Tripwire by itripn · · Score: 1


      > The central console is for windows only.

      That is not true -- the commercial Tripwire management console runs on Solaris, Windows, and Linux.

  10. One option... by MrIcee · · Score: 3, Insightful

    ...is to roll your own.

    I also was looking to use Tripwire mainly to occasionally scan the system to ensure that no important files had been modified (duh). I was extremely put off by the price and tone of the website.

    If your main interest is simply to retain a database with checksums of files on your drive, and occasionally compare them for new files/changes - roll your own. I did and it was both easy and effective.

    Simply stated, I use a configuration file to specify what directories and/or files should be scanned. Likewise, the configuration file has filters that will reject scanning files if any part of the filename matches the filter. The program reads the config and then goes out and reads the files on the drive. I use two different checksum schemes that produce checksum strings of about 80 characters each. These are stored in a database with the absolute file name, its inode, its last modify date, its size, and the checksums.

    When the program scans it merely checks the files against the database. If a file is new, it reports it as new to a log and adds it to the database. If a file has changed it reports it as changed to the log and then corrects the information in the database to reflect the change. If no change has occurred, nothing happens to the database.

    The program spits out little run-time facts about how many files it's scanning, number new, number changed and number unchanged. When the run is completed all you have to do is glance at the log and determine if any of the files that changed in the log are a concern and need to be checked out.

    There are a couple of advantages to doing it yourself... first, no fee to Tripwire. Second... Tripwire is a known product. If you get a hacker in your system and he finds tripwire you can bet he'll try to do something to circumvent it. On the other hand, having written your own tripwire (and don't call it tripwire) - the hacker will not know this, not be familiar with your mechanism, and thus, will be unable to circumvent it. And finally, if your scanner is pretty good, clean and useable, it becomes a nice competitive product against Tripwire.
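    The roll-your-own scanner described above, as an added example that is not MrIcee's program (the post says his is C with a private database): a config of scan roots plus substring reject filters, two digests per file stored with inode, mtime and size, new and changed files logged and the database corrected. Sealing the database with an HMAC whose key lives off the host is an addition beyond the post, aimed at the hand-edited-checksum attack raised in the replies; the demo directory, the key and all file contents are constructed.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

def digests(path):
    """Two independent digests per file (the post keeps two checksum schemes)."""
    h1, h2 = hashlib.sha256(), hashlib.blake2b()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h1.update(chunk)
            h2.update(chunk)
    return h1.hexdigest(), h2.hexdigest()

def fingerprint(path):
    """The attributes the post stores: inode, last-modify time, size, checksums."""
    st, (sha, b2) = os.stat(path), digests(path)
    return {"inode": st.st_ino, "mtime": int(st.st_mtime), "size": st.st_size,
            "sha256": sha, "blake2b": b2}

def walk(cfg):
    """cfg["roots"]: directories to scan; cfg["reject"]: path substrings to skip."""
    for root in cfg["roots"]:
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.abspath(os.path.join(dirpath, name))
                if os.path.isfile(p) and not any(r in p for r in cfg["reject"]):
                    yield p

def scan(cfg, db):
    """Compare disk with db, correcting db in place; return (log lines, counts)."""
    log, counts = [], {"new": 0, "changed": 0, "unchanged": 0}
    for p in sorted(walk(cfg)):
        fp, old = fingerprint(p), db.get(p)
        if old is None:
            counts["new"] += 1
            log.append(f"NEW {p}")
        elif old != fp:
            counts["changed"] += 1
            log.append(f"CHANGED {p} ({','.join(k for k in fp if fp[k] != old[k])})")
        else:
            counts["unchanged"] += 1
        db[p] = fp
    return log, counts

def save_db(db, path, key):
    """Write db under an HMAC tag (an addition, not in the post); with the key kept
    off the host, a checksum edited by hand, as raised in the replies, is caught."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, "sha256").hexdigest()
    Path(path).write_text(json.dumps({"tag": tag, "db": db}))

def load_db(path, key):
    blob = json.loads(Path(path).read_text())
    body = json.dumps(blob["db"], sort_keys=True).encode()
    if not hmac.compare_digest(blob["tag"], hmac.new(key, body, "sha256").hexdigest()):
        raise ValueError("integrity database failed its HMAC check: treat as tampered")
    return blob["db"]

def demo():
    """Constructed scenario; returns (baseline counts, rescan counts, tamper caught)."""
    key = b"constructed-demo-key"  # assumption: in real use kept on offline media
    with tempfile.TemporaryDirectory() as tmp:
        files = {"bin/ls": "ls v1", "etc/passwd": "root:x:0:0", "cache/junk": "skip"}
        for rel, text in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(text)
        dbfile = os.path.join(tmp, "integrity.db")
        cfg = {"roots": [tmp], "reject": ["/cache/", "integrity.db"]}
        db = {}
        _, first = scan(cfg, db)
        save_db(db, dbfile, key)
        Path(tmp, "bin/ls").write_text("ls v2 with a longer body")  # size and content
        Path(tmp, "etc/shadow").write_text("brand new file")
        _, second = scan(cfg, load_db(dbfile, key))
        blob = json.loads(Path(dbfile).read_text())  # checksum edited by hand, no key
        blob["db"][sorted(blob["db"])[0]]["sha256"] = "0" * 64
        Path(dbfile).write_text(json.dumps(blob))
        try:
            load_db(dbfile, key)
            caught = False
        except ValueError:
            caught = True
        return first, second, caught

if __name__ == "__main__":
    print(demo())
```

    The HMAC only helps if the key is not on the box being scanned; a database on read-only media, as a later reply in this thread suggests, removes the question altogether.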

    1. Re:One option... by J'raxis · · Score: 1
      > On the other hand, having written your own tripwire (and don't call it tripwire) - the hacker will not know this, not be familiar with your mechanism, and thus, will be unable to circumvent it.

      I wouldn't be this confident. Don't you think that a skilled hacker (not some s'kiddie with a pre-fab rootkit) would check the running process list, check the root cron, check your log directory, etc., etc., for anything that looks suspicious? Especially if your program is just a script, once he locates it (its path is going to be listed somewhere, either in ps or crontab, right?) he could just read the source and figure out exactly how to beat it.

      I would think the most obvious attack would be to add ignore-patterns to the configuration file; or, since you're likely to catch a modification to that (I assume you mod it yourself occasionally), just modify the script to ignore whatever he's done to your filesystem. Or he could update the checksums in your DB by hand. And so on.

    2. Re:One option... by MrIcee · · Score: 2

      Actually, no. For obvious reasons one would not do these things.

      First, my trip program is not a 'script'. It's a C program and the source is not stored on the system. Second, it only exists in a private account and to run it I go super user and run it. It will not run otherwise. Third, I do not put it in a cron and it does not appear in any log files. Certainly, when I DO run it, it appears in the process table but the name of the program is innocuous (e.g., you would never realize it was what it was). The database we use is also proprietary and not commercial.

      These things are fairly obvious, and they would apply to Tripwire as well. If you're using tripwire you certainly want to hide that fact as much as possible - so putting it in a CRON would be plain silly.

      The point is, while it is not totally foolproof, rolling your own and being discerning on how you run it simply makes it harder, that's all. At some point too much time will be wasted looking and then trying to figure out how to deal with it. 3rd party programs by their very commercial nature are better understood and easier to circumvent (e.g., the more popular the commercial program is, the larger the chance that vulnerabilities are well known. A hand rolled obscure program easily falls between the cracks and can become invisible and thus effective).

      Of course, an even more effective thought would be to actually HAVE something that looks like tripwire (e.g., proper directories and files) running in the cron. Then the haxor thinks they have it and never realize there's a little 'ksh' that's not a 'ksh' (and no, ours is not called 'ksh') watching 'em.

    3. Re:One option... by JohnFluxx · · Score: 3, Insightful

      Jeez, aren't there any hackers in here any more?

      1) Tripwire and co. are intruder DETECTORS, i.e. after the fact. Your system is already compromised.

      2) The data (checksums etc) must be on read only media, that cannot be altered no matter what privileges you have to the system.

      3) The kernel should be assumed to be compromised. This means to check your system, you must reboot the system to check your system.
      The alternative, which is not as secure but easier, is to have a hardened kernel which makes root have limited access, and does not allow kernel modules, and does not allow raw memory access.

  11. Re:Or better... by MacAndrew · · Score: 1, Offtopic

    Oh, I agree it is off-topic, but it's relevant to a larger issue -- the mistakes look silly, and even sillier is the truculent refusal to fix typos, and even sillier is (as I suspect but hope not) the editor modding down the critic. Typos are not the result of foolishness, but refusing to acknowledge them?

    It's like ketchup on your tie -- off-topic, distracting, and unprofessional. Note that this is not posted as an anonymous coward. I sincerely believe what I'm saying and am not just sniping.

  12. So many tools - so little time! by gilgongo · · Score: 2, Informative

    Security Focus Tools List

    "Intrusion Detection" has over 50 systems. I use Claymore (utterly simple, has saved my arse completely on one occasion).

    Tripwire has mindshare - not much else it seems.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  13. new poll suggestion! by Anonymous Coward · · Score: 0

    Why does slashdot suck so bad?
    • Editors that can't be bothered to check if the story is a repeat or even true.
    • Editors that can't be bothered to spell check their one-line drivel
    • Crack-smoking moderators
    • Retarded posters
    • The Cowboy Neal option in every poll
    1. Re:new poll suggestion! by Anonymous Coward · · Score: 0

      Last option should be: Because there is this damn cowboy neal option on every poll.

  14. Re:Or better... by MacAndrew · · Score: 2

    Sorry, I will not be intimidated. At least speak your mind.

  15. Tripwire's sales methods suck. by ivan256 · · Score: 2

    Tripwire basically does business by cold calling companies and trying to get in touch with somebody that has the correct balance of knowledge to spending authority. They then try to convince this stupid person with the checkbook that their company is going to be hacked off the face of the earth if you don't buy. Then, if you still say no, they keep calling back once a month trying to find somebody else who will say yes, but with a line that goes something like "We were in discussions already with person x at your company, and you just weren't ready to buy yet, and we'd like to see if you're ready to go forward." Blech. Telemarketing sucks.

    1. Re:Tripwire's sales methods suck. by Majestix · · Score: 1

      LOL....oh that's about every software company under the sun....antivirus vendors....basically anything you download a demo for and are foolish enough to give them correct contact information (when you don't have to).

      --
      --- I was far from home, and the spell of the Eastern sea was upon me. -Lovecraft-
  16. Check out "Hacking Linux" by docl · · Score: 1

    I would not count myself an expert here, but I found the discussion in Chapter 2 of "Hacking Linux Exposed: Linux Security Secrets and Solutions" helpful. They recommend either AIDE or Nabou.

  17. Just finished investigating host based intrusion by malice95 · · Score: 3, Informative

    I spent a few weeks checking out various opensource and commercial packages. If you have less than 10 or 20 machines then you can use almost anything including the academic source release of tripwire. If you have more than 20 machines none of the opensource products that I found support centralized management/reporting/logging which is key to a large number of systems. Tripwire has a great product commercially wise but they are very expensive. I highly suggest you check out INTACT from pedestal software instead of tripwire. They are a third the price and have all the same functionality of tripwire and then some... I demo'd them for quite a while and it works very well on solaris/linux/windows. I don't have any relationship to them.. I was just impressed with their product.

  18. Prelude by bobibleyboo · · Score: 0

    I have had a lot of success with prelude.

  19. Re:Or better... by GigsVT · · Score: 1

    Don't bother. The editors will happily mod you down however many times it takes for the IP ban to kick in, and will never reply to this in an offtopic thread.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  20. Re:Or better... by MacAndrew · · Score: 1

    So you do think it's them doing the modding. :) Pathetic if true. I can make up the karma elsewhere -- actually I think the editors are the only people I piss off. I wonder what would happen if we could mod them off the board, assuming they're even responsible here.

    I would at least silently fix the headline, even if making the usual excuses about their incredible productivity barring even trivial accuracy were too painful. Heck, I make spelling errirs and typpoes all the time, and would fix them later if I could.

    Yes, I do realize this is in vain. I'm just a noodge (sp?) -- and dislike petty big-fish-in-little-pond arrogance. (Says the petty spelling cop.)

  21. snort and intruder alert... by zonker · · Score: 0

    a company i used to work for used symantec's intruder alert on the inside of our network monitoring our servers and snort outside of the firewall in a dmz monitoring traffic going to the firewall.

  22. Poor man's tripwire by Danny+Rathjens · · Score: 2

    For rpm based distros you already have a database of checksums for most of the files on your system and rpm has a way to check them.
    So the poor man's tripwire is simply to run the verify command for all installed rpms like so:
    rpm -V `rpm -qa`
    It is also useful as a simple way to figure out what legitimate changes have been made to a vanilla install since it will tell you what config files have been modified since the install.
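    A small parser for the output of that `rpm -V` run, as an added example that is not from the post: it turns each verify line into the set of failed tests and a triage level, so a run over every installed package can be filtered for content changes in binaries instead of read by eye. The sample lines are constructed, not captured from a real host.

```python
import re

# One rpm -V line: nine test columns (S M 5 D L U G T P) or the word "missing",
# an optional file-type letter (c config, d doc, g ghost, l license, r readme),
# then the path. "." means the test passed, "?" that it could not be performed.
LINE_RE = re.compile(r"^(?P<flags>[S.?][M.?][5.?][D.?][L.?][U.?][G.?][T.?][P.?]|missing)"
                     r"\s+(?P<type>[cdglr])?\s*(?P<path>/\S.*)$")
COLUMNS = "SM5DLUGTP"
TESTS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
         "U": "user", "G": "group", "T": "mtime", "P": "caps"}

def parse_line(line):
    """Return {path, type, failed, unknown} for one line, or None if unparseable."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    flags = m["flags"]
    if flags == "missing":
        failed, unknown = {"missing"}, set()
    else:
        failed = {TESTS[c] for c in flags if c in TESTS}
        unknown = {TESTS[COLUMNS[i]] for i, c in enumerate(flags) if c == "?"}
    return {"path": m["path"], "type": m["type"] or "", "failed": failed, "unknown": unknown}

def triage(entry):
    """Severity from a defender's view: content changes in binaries matter most,
    edited config files are usually expected, and mtime-only changes are noise."""
    failed, ftype = entry["failed"], entry["type"]
    if "missing" in failed:
        return "high"
    if failed & {"digest", "size", "link"}:
        if ftype == "c":
            return "low"
        return "medium" if ftype in ("d", "l", "r") else "high"
    if failed & {"mode", "user", "group", "caps", "device"}:
        return "medium"
    if entry["unknown"]:
        return "unknown"  # a test could not run; do not assume it passed
    return "info"

def report(output):
    """Parse whole rpm -V output; return [(path, severity, sorted failed tests)]."""
    rows = []
    for line in output.splitlines():
        entry = parse_line(line)
        if entry is not None:
            rows.append((entry["path"], triage(entry), sorted(entry["failed"])))
    return rows

# Constructed sample output, not captured from a real host.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/openssh/README
S.5....T.    /usr/bin/ls
.M...UG..    /usr/bin/passwd
missing     /usr/sbin/sshd
..?......    /var/lib/foo/private
"""

if __name__ == "__main__":
    for path, severity, failed in report(SAMPLE):
        print(f"{severity:8} {path}  {','.join(failed) or '-'}")
```

    The rpm database the verify reads from is itself writable by root, so the caveat raised elsewhere in this thread applies: it is only as trustworthy as the medium it is read from.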

  23. Re:Or better... by GigsVT · · Score: 1

    > So you do think it's them doing the modding

    Oh yeah, definitely. I'd say 90% of the troll and offtopic mods are editors. You can usually tell after you have been here long enough, which is user moderation and which is editor modding.

    For example, suppose you post something pro-gun-ownership in a CmdrTaco story, or a story you know he is interested in. You get 4 up mods and 2 overrated mods... which are later cancelled by more upmods. That kind of thing is pretty obvious. Or suppose you get a very early post in a story that seems a little trollish, but is really insightful, which is instantly downmodded, and usually later modded back up...

    Anyway, it's not always clear cut, but I can say with pretty good certainty which are editor mods and which are user mods. Modding in older stories is also an editor thing. A lot of the time they might slap down threads before a story gets archived, threads they don't want to be saved forever. For example this thread, which will likely be slapped down in the next day or two.

    Anyway, all in all I think the editors do a pretty good job, considering the power they wield. They do have pet peeves though, and meta-discussion in offtopic threads such as this one is one of them. Taco hates meta threads in general. Draw what conclusions you like from that. :)

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  24. if they're commercial... by pizza_milkshake · · Score: 2

    if they're commercial and can't give you a good idea why the commercial version is better, i don't know who can.

  25. Re:Or better... by MacAndrew · · Score: 2

    Thanks. I think if I were a paying customer -- and I may become one soon -- I would be more irritable about it. Instead I'm just a little uncomprehending.

    I'm not sure editors should have unlimited points. Unlike a regular publication this is much more a collaboration between writers and editors, with the writers and readers doing a lot of editing themselves. That editors can override as they please says that they know better than anyone else, which is doubtful. Perhaps they miss the days when they did all the moderation, before that became unfeasible and they had to grudgingly "allow" users to do it. Why not "tag" editor mods? Might get some interesting reader feedback when they detect tampering. One post of mine accumulated like 10 points to end up about where it started, I believe between people who thought it was trollish and others who thought it provocative. I wonder what the record for dueling points might be.

    Whatever. However godlike I thought I was, I would still fix the fscking headline once it had been brought to my attention. And although our conversation is off-topic, this is where the improper (?) peevish modding took place -- they picked the time and place. Critiques should be attached to concrete examples. Besides, if editors act improperly on a trivial issue, what else goes on with, say, an editor's politics?

  26. Grammar != relevant by vasqzr · · Score: 1


    > I've heard that Tripwire and our software licensing department is negotiating for a site-license.

    'is negotiating?'

    Try 'are negotiating'

    1. Re:Grammar != relevant by MacAndrew · · Score: 1

      At least that is an error of the submitter, not someone paid to edit text (hereinafter "editor"). I don't think the editor is obligated to edit the submission, though it is nice for clarity. If we really want to nitpick, I used to do scads of copyediting and would propose, subject to writer approval:
      Is Tripwire Still Relev[a]nt?
      Security Posted by Cliff on Saturday November 23, @04:07AM
      from the insufficient-data dept.
      Deagol asks "I work for a [large] University. I've heard that Tripwire and our software licensing department [are] negotiating [] a site license. I was asked to comment on whether our department [should] buy in. I [] lost interest in Tripwire when they went commercial (I guess seeing a well-respected research tool go proprietary soured the milk for me), and though I've toyed briefly with the 'open source' version, I mainly have experience with the Academic Source Release. [Because] their demo is only a 'simulation' (how lame is that?), I can't get a feel for what the commercial version [would] do for me. Does anyone know the value (if any) of commercial Tripwire [versus] the free [version][, or whether] there open source packages that have made Tripwire obsolete?"

      This provides a marginal improvement, though I think it is better prose. However, a misspelling in the headline that you refuse to correct -- the root of this loose thread -- makes you look foolish. (Even the NYT makes mistakes in big type, such as printing "priviledge" I once saw, but once the ink is dry and the paper is sold, what can they do?)
    2. Re:Grammar != relevant by Captain_Carnage · · Score: 1

      Sorry, but you're wrong. The word "department" is a collective noun. Here, though department represents a group of people, there is only /one/ department, and the action expressed applies to the department as a whole, so the singular form of the verb is correct.

      See e.g. The Beacon Handbook, pg. 177.

    3. Re:Grammar != relevant by Captain_Carnage · · Score: 1

      See also rule #5 at this page, or this link.

      I love it when people correct the grammar of others, when they themselves are wrong. Morons.

  27. Integration with package managers? by Omniscient+Ferret · · Score: 1

    I have been wondering about this, but I figured I would have to put it together myself: Are there any checksum programs that integrate with package managers?

    Specifically, I am thinking about Debian packages with md5sums. Separating the files verifiably changed by package would be helpful in tracking unexpected file modifications (due to lower volume) and for noting unsigned packages (not everything in Debian is signed yet).

  28. Re:Or better... by Anonymous Coward · · Score: 0

    I wonder what the record for dueling points might be.

    Around 800 mods. It was called the post of doom. Most of the people that modded it up were banned from moderation for several months, because they were tagged "moderation abusers".

  29. Sentinel by Anonymous Coward · · Score: 0

    I use sentinel http://freshmeat.net/projects/sentinel/?topic_id=43 ..it's a hard-core unix-only tool but it's compact and very fast (can max out the HDD). GPL source, really really lame graphical interface but it works ok in command line mode.

  30. Re:Or better... by Anonymous Coward · · Score: 0

    Hi. I'm a moderator.

    That is, I get points every so often and tend to spend them fairly quickly, including a number on those troll/offtopic/etc. things you said were mostly the province of the editors. While I usually feel pretty safe ignoring the very obvious trolls--why waste my points--I make it a point to combat the more subtle ones. Lately, it's been comments with a couple lines that seem moderately interesting and a really fake hidden link. I make it a point to knock those down wherever I can before some... naive moderator marks it as insightful.

    Another great thing that you may think is an editor is marking as offtopic or preferably overrated the people who post irrelevant crud with their +1 bonus. If you decide to post at score: 2, make sure what you have to say is above level, or you ARE overrated and will be moderated as such.

    Keep in mind the vast majority of this board is relatively silent. We don't post much. But we do read, and we do moderate, and we probably don't agree with the vocal minority.

    Although you're right. Would it kill for a spell check? I've seen other forums with them :>

  31. Re:Just finished investigating host based intrusio by Anonymous Coward · · Score: 0

    Also (for Windows only) try Data Sentinel available from Ionx: http://www.ionx.co.uk They have a 30 day trial on their website - I tried it and it looks pretty damn good. Very easy to use, and quite cheap.