[vox-tech] Re: vox-tech Digest, Vol 1, Issue 1235
Gene R Gomez
gene at gomezbrothers.com
Wed Jun 30 12:55:27 PDT 2004
Hey folks...
> On Tuesday 29 June 2004 07:10 pm, Lewis Perdue wrote:
> > Back when our server was originally cracked, someone suggested that we look
> > at tripwire to monitor things once we had a clean install ... well, we've
> > got a clean install, but our investigation of Tripwire shows a GIANT
> > corporate Dilbert empire with layer upon layer of obfuscation and a set of
> > sticky hurdles to clear before even getting an evaluation unit ... they
> > boast of being able to monitor 2,500 servers, but Geez, folks how about
> > something for one or two servers?
>
> I thought tripwire was GPL?
>
> http://sourceforge.net/projects/tripwire/
>
> > Isn't there an open-source alternative for this bloatware poster child?
> > Even something that does a simple checksum kinda thing on key system and
> > .conf files would be welcome.
>
> If you go to freshmeat.net and enter "intrusion detection"
> into the search box you'll see a ton of choices. Perhaps
> someone else has specific recommendations....
Yeah...the bonus of commercial tripwire over GPL tripwire is wider OS
support (commercial supports Windows natively), and a monitoring console.
However, the Tripwire commercial console can be replaced using Prelude, an
Open Source Hybrid IDS that can poll data from multiple sources and
consolidate it into a single console, and that way you can use pure GPL
tripwire. Right now Prelude natively supports Snort, Samhain (which is a
FIC/File Integrity Checker that fulfills your needs above), Nessus, and some
other stuff. Additionally, many things that can log to syslog have support
via the Prelude LML (Log Management Lackey). Here's a directory listing of
the current rulesets:
apc-emu.rules ipfw.rules pam.rules ssh.rules
bigip.rules ipso.rules pcanywhere.rules sudo.rules
cisco-pix.rules Makefile portsentry.rules tripwire.rules
cisco-router.rules Makefile.am postfix.rules unsupported
cisco-vpn.rules Makefile.in proftpd.rules vigor.rules
clamav.rules modsecurity.rules qpopper.rules vpopmail.rules
contrib ms-sql.rules sendmail.rules wap11.rules
dell-om.rules nagios.rules shadow-utils.rules webmin.rules
grsecurity.rules navce.rules simple.rules wu-ftp.rules
honeyd.rules netfilter.rules single.rules
ipchains.rules ntsyslog.rules squid.rules
In short, Prelude is an excellent event consolidator/Hybrid IDS solution.
Anyone serious about Open Source security should probably have a look at it
at some point or another:
http://www.prelude-ids.org
Gene R Gomez
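The "simple checksum kinda thing on key system and .conf files" the thread asks for, as an added illustration (not code from Tripwire, Samhain or Prelude): a baseline of SHA-256 digests, sizes and permission bits is taken once from a clean install, and a later run reports changed, missing and new files. The directory tree and file contents are constructed in a temp dir for the demo; on a real host the baseline would be stored on read-only or off-box media so an intruder cannot rewrite it along with the files.

```python
import hashlib
import json
import os
import stat
import tempfile

def file_digest(path, chunk=65536):
    """SHA-256 of a file, streamed so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Record digest, size and permission bits of every regular file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            baseline[os.path.relpath(p, root)] = {
                "sha256": file_digest(p), "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode)}
    return baseline

def verify(root, baseline):
    """Diff the live tree against a stored baseline; any mismatch is reported."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline)}

def demo():
    """Constructed scenario: baseline a tiny /etc lookalike, then alter it."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    for name, body in (("sshd_config", "PermitRootLogin no\n"), ("hosts", "127.0.0.1 localhost\n")):
        with open(os.path.join(etc, name), "w") as f:
            f.write(body)
    baseline = json.loads(json.dumps(build_baseline(root)))  # round-trip as it would be stored on disk
    with open(os.path.join(etc, "sshd_config"), "w") as f:
        f.write("PermitRootLogin yes\n")  # content change -> digest differs
    os.remove(os.path.join(etc, "hosts"))  # deleted file
    open(os.path.join(etc, "new.conf"), "w").close()  # unexpected new file
    return verify(root, baseline)
```

Run `demo()` to see the three report categories; a permission-only change (chmod) is caught too, because `mode` is part of the recorded record.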