Slashdot Mirror


Is Tripwire Still Relevant?

Deagol asks "I work for a good-sized University. I've heard that Tripwire and our software licensing department are negotiating a site-license. I was asked to comment on whether our department would like to buy in. I personally lost interest in Tripwire when they went commercial (I guess seeing a well-respected research tool go proprietary soured the milk for me), and though I've toyed briefly with the 'open source' version, I mainly have experience with the Academic Source Release. Seeing how their demo is only a 'simulation' (how lame is that?), I can't get a feel for what the commercial version can really do for me. Does anyone know the value (if any) of commercial Tripwire over the free one? Are there open source packages that have made Tripwire obsolete?"

12 of 49 comments

  1. ViperDB by mwilson · · Score: 3, Informative

    Check out ViperDB, written in perl; it does its checks every 5 minutes, in a highly optimized way at that. I actually know the guy who wrote it, and setting up software on his machine set off his pager something fierce.

  2. Where I work... by SpaFF · · Score: 3, Informative

    We use samhain. It's very nice because it can log to a remote host and store the filesystem database on a remote host as well. It also runs as a daemon and scans at a set interval. You can even make it change its name and hide its code in image files so as to trick hax0rs into thinking that it's not installed.

    The only thing I don't like about it is that I have it scheduled to check the machines every 10 mins, so if one of the junior admins changes something and forgets to reset the database I get an email every 10 mins until I reset it.

    The homepage for samhain is http://la-samhna.de/samhain/

    --
    -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
  3. Another example - by Discoflamingo13 · · Score: 3, Informative

    is Osiris, which has an Apache-style syntax and a weird pseudo-free license. I haven't worked with enough filesystem integrity management systems (aka intrusion detection systems) to differentiate its use from Tripwire. My two cents.

  4. Aide by den_erpel · · Score: 4, Informative

    I guess this will not answer your question about the advantage of the commercial tripwire over the open source one, but I have been using aide for some time now and it does a good job for me. I think it does the same as tripwire does (the version from 2 years ago, since that was the last time I used it).

    [marc@scorpius marc]$ apt-cache show aide
    Package: aide
    Priority: optional
    Section: admin
    Installed-Size: 980
    Maintainer: Mike Markley
    Architecture: i386
    Version: 0.9-2
    Depends: libc6 (>= 2.3.1-1), debconf (>= 0.2.0)
    Recommends: cron, mailx
    Filename: pool/main/a/aide/aide_0.9-2_i386.deb
    Size: 346316
    MD5sum: a3610146e79608a34997450fdc56d74f
    Description: Advanced Intrusion Detection Environment
    AIDE creates a database from the regular expression rules that it finds
    from the config file. Once this database is initialized it can be used to
    verify the integrity of the files. It has several message digest algorithms
    (md5,sha1,rmd160,tiger,haval,etc.) that are used to check the integrity of
    the file. More algorithms can be added with relative ease. All of the usual
    file attributes can also be checked for inconsistencies.
    .
    You will almost certainly want to tweak the configuration file in /etc/aide/aide.conf. See manual.html for information on this file.

    --
    Genius doesn't work on an assembly line basis. You can't simply say, "Today I will be brilliant."
    1. Re: Aide by Omniscient Ferret · · Score: 2, Informative

      Yup, it's worked for me. Checking my notes, I compared aide to tripwire 1.2 last September; I was annoyed by tripwire filling out unrequested fields. Going from memory: I think tripwire was _much_ slower than aide with similar options chosen (multiple checksums).

      This was before version 2 came out; I never got around to checking that out. Aide is up from 0.7 to 0.9, at least. 0.9 seemed a little faster than 0.7.

      As a disclaimer: I'm not sending the output of Aide to a database, or to another machine, or anything very fancy; I'm just getting a flat text file and running version tracking on that.

  5. FCheck by sydb · · Score: 5, Informative

    About 4 months ago, a Windows-knowledgeable colleague and my Unix-using self did a comparison of TripWire, ViperDB, Aide, Fcheck and another tool whose name escapes me. We were looking for speed, simplicity, effectiveness and portability (*nix/Win32).

    FCheck ruled the day. It's easy to configure, works on *nix and Win32 (it's written in Perl), very fast in operation (We found Tripwire to be unusably slow/CPU-intensive for regularly scheduled checks) and passed every functional test we threw at it. It logs to syslog so you can send output to a remote machine. And it's GPL'd.

    As for Tripwire's proprietary version, my colleague reckoned the only benefit was the GUI. Personally I don't see the point of a GUI on a security tool which is meant to run unsupervised. I suppose it does reporting etc. but really, what more do you need other than "This file changed at dd/mm/yy, hh:mm.ss. The change was ....". A little bit of scripting will do everything else for you.

    --
    Yours Sincerely, Michael.
    1. Re:FCheck by soyle · · Score: 2, Informative

      Some time ago I did a comparison of various file-based intrusion detection systems. The free/opensource ones that seemed to stand out were Integrit http://integrit.sourceforge.net and Samhain http://samhain.sourceforge.net. I have no idea whether they run on Windows, though.

  6. Commercial Tripwire by roachmotel3 · · Score: 4, Informative

    First off, if you only have to worry about a couple of machines, anything works pretty well.

    Tripwire is good because it uses multiple hashing routines to figure out if something has changed (i.e. you can't pad a file with "0" until the hash is the same).

    Additionally, the real strength in the commercial version of tripwire is the scalability. If you have hundreds of machines you need to monitor, the commercial version provides a central console which at a glance shows you what's going on across all your machines as far as changes. And the central console allows you to reconcile changes or revert to a known good state remotely.

    All in all, if you only have a few boxen, don't buy it. If you have many and you don't want to spend all your time reconfiguring and updating a rules database, go for the commercial version.

    1. Re:Commercial Tripwire by Eimi Metamorphoumai · · Score: 3, Informative

      The Tripwire Manager is most certainly not Windows only; I know because I run it daily on a Linux box monitoring two Linux boxen and over 30 Solaris machines. I don't know about Irix, but I don't see why it would possibly be changing all those files. And you can turn off checking of attributes like inode and timestamp but leave on important attributes like checksums (we have a few files that get overwritten every night as part of a centralized configuration system, but have it set up not to notify us unless the contents change).

      --

      Visit me on #weirdness on the Galaxynet.

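As an added example (not code from this thread or from any of the tools named in it), here is the multi-digest check from comment 6 and the "turn off inode and timestamp but keep checksums" setup from the reply above, written as a small Python baseline-and-compare tool. The file names and contents used in demo() are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Digests computed together: a tamper has to preserve all of them at once (comment 6).
DIGESTS = ("md5", "sha1", "sha256")

def snapshot(path):
    """Record mode, ownership, size, inode, mtime and every digest of one regular file."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
           "size": st.st_size, "inode": st.st_ino, "mtime": int(st.st_mtime)}
    data = Path(path).read_bytes()  # whole-file read; stream in chunks for big files
    rec.update({d: hashlib.new(d, data).hexdigest() for d in DIGESTS})
    return rec

def build_baseline(root):
    """Snapshot every regular file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): snapshot(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current, ignore=()):
    """Per path, list the fields that changed; `ignore` drops noisy ones (inode, mtime)."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            report[path] = ["added" if old is None else "removed"]
            continue
        changed = [k for k, v in old.items() if k not in ignore and new.get(k) != v]
        if changed:
            report[path] = changed
    return report

def demo():
    """Constructed scenario in a temp dir: baseline, then tamper, touch and add."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        (etc / "motd").write_bytes(b"welcome\n")
        base = build_baseline(tmp)
        (etc / "passwd").write_bytes(b"root:x:0:0::/root:/bin/zz\n")  # same size, new digests
        os.utime(etc / "motd", (86400, 86400))  # contents identical, only mtime moved
        (etc / "shadow").write_bytes(b"root:!:1:0:99999:7:::\n")  # new file
        now = build_baseline(tmp)
        return compare(base, now), compare(base, now, ignore=("inode", "mtime"))
```

The strict report flags the touched motd on mtime alone, while the relaxed report (inode and mtime ignored) keeps quiet about it but still flags the same-size edit to passwd on all three digests.
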
  7. Re:questions by sydb · · Score: 3, Informative

    I never understood the requirement to have central management consoles for everything you run.

    If you have so many servers that managing them individually is not an option, then what you need is a general solution to the management problem, not a specific solution for every piece of software you run.

    For command line tools, manymaint (a nice Expect script) is one simple and free solution.

    As for doing checks of routers, you could just use tftp to download configs to a server on a scheduled basis and run your checks there.

    Computing is fun when you use your imagination to solve a problem (even an easy one like this) creatively, instead of asking "Here's my niche problem, where is the expensive niche product from a faceless bland corporation that fixes it?".

    --
    Yours Sincerely, Michael.
  8. So many tools - so little time! by gilgongo · · Score: 2, Informative

    Security Focus Tools List

    "Intrusion Detection" has over 50 systems. I use Claymore (utterly simple, has saved my arse completely on one occasion).

    Tripwire has mindshare - not much else it seems.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  9. Just finished investigating host based intrusion by malice95 · · Score: 3, Informative

    I spent a few weeks checking out various opensource and commercial packages. If you have less than 10 or 20 machines then you can use almost anything, including the academic source release of tripwire. If you have more than 20 machines, none of the opensource products that I found support centralized management/reporting/logging, which is key to a large number of systems. Tripwire has a great product commercially wise but they are very expensive. I highly suggest you check out INTACT from pedestal software instead of tripwire. They are a third the price and have all the same functionality of tripwire and then some... I demo'd them for quite a while and it works very well on solaris/linux/windows. I don't have any relationship to them.. I was just impressed with their product.