tripwire full report
#4
1. INTRODUCTION
Tripwire is a reliable intrusion detection system. It is a software tool that checks to see what has changed in your system. It mainly monitors the key attributes of your files; by key attributes we mean the binary signature, size and other related data. Security and operational stability must go hand in hand; if the user does not have control over the various operations taking place, then naturally the security of the system is also compromised. Tripwire has a powerful feature which pinpoints the changes that have taken place, notifies the administrator of these changes, determines the nature of the changes and provides you with the information you need for deciding how to manage the change.
Tripwire Integrity management solutions monitor changes to vital system and configuration files. Any changes that occur are compared to a snapshot of the established good baseline. The software detects the changes, notifies the staff and enables rapid recovery and remedy for changes. All Tripwire installations can be centrally managed. Tripwire software’s cross platform functionality enables you to manage thousands of devices across your infrastructure.
Security not only means protecting your system against various attacks but also means taking quick and decisive actions when your system is attacked.
First of all we must find out whether our system is attacked or not; earlier system logs are certainly handy. You can see evidence of password guessing and other suspicious activities. Logs are ideal for tracing the steps of the cracker as he tries to penetrate into the system. But who has the time and the patience to examine the logs on a daily basis?
1.1 MOTIVATION
Penetration usually involves a change of some kind, like a new port has been opened or a new service. The most common change you can see is that a file has changed. If you can identify the key subsets of these files and monitor them on a daily basis, then we will be able to detect whether any intrusion took place. Tripwire is an open source program created to monitor the changes in a key subset of files identified by the user and report on any changes in any of those files. When changes made are detected, the system administrator is informed. Tripwire's principle is very simple: the system administrator identifies key files and causes Tripwire to record checksums for those files. He also puts in place a cron job, whose job is to scan those files at regular intervals (daily or more frequently), comparing to the original checksum. Any changes, additions or deletions are reported to the administrator. The administrator will be able to determine whether the changes were permitted or unauthorized changes. If it was the former case, then the database will be updated so that in future the same violation wouldn’t be repeated. In the latter case, proper recovery action would be taken immediately.
2. BASIC PURPOSE OF TRIPWIRE
Almost the same principle is used in computers. If any change is met upon while comparing the old values to the new ones, or if any data is being manipulated on the spot, the logs are checked for intrusion and then detected, after which all the changes can be undone.
Tripwire is a free and open-source software tool. It functions as a host-based intrusion detection system. It does not concern itself directly with detecting intrusion attempts in real time at the periphery of a computing system (as in network intrusion detection systems), but rather looks for and reports on the resultant changes of state in the computing system under observation. Intruders usually leave traces of their activities (changes in the system state). Tripwire looks for these by monitoring key attributes of files that should not change, including binary signatures, size, expected changes in size, etc., and reporting its findings.
While useful for detecting intrusions after the event, it can also serve many other purposes, such as integrity assurance, change management, policy compliance, and more.
A Host-based Intrusion Detection System (HIDS), as a special category of an Intrusion-Detection System, focuses its monitoring and analysis on the internals of a computing system.
3. THE ACTUAL WORKING OF THE TRIPWIRE SYSTEM
A HIDS will monitor all or part of the dynamic behavior and of the state of a computer system. A HIDS might detect which program accesses what resources and assure that (say) a word-processor hasn't suddenly and inexplicably started modifying the system password-database. Similarly a HIDS might look at the state of a system, its stored information, whether in RAM, in the file-system, or elsewhere; and check that the contents of these appear as expected. One can think of a HIDS as an agent that monitors whether anything/anyone - internal or external - has circumvented the security policy that the operating system tries to enforce.
3.1 MONITORING DYNAMIC BEHAVIOUR
Many computer users have encountered tools that monitor dynamic system behavior in the form of anti-virus (AV) packages. While AV programs often also monitor system state, they do spend a lot of their time looking at who is doing what inside a computer - and whether a given program should or should not access one or another system resource. The lines become very blurred here, as many of the tools overlap in functionality.
3.2 MONITORING STATE
The principle of operation of a HIDS depends on the fact that successful intruders (crackers) will generally leave a trace of their activities. (In fact, such intruders often want to own the computer they have attacked, and will establish their "ownership" by installing software that will grant the intruders future access to carry out whatever activity (keyboard logging, identity theft, spamming, botnet activity, spyware-usage etc.) they envisage.)
In theory, a computer user has the ability to detect any such modifications, and the HIDS attempts to do just that and reports its findings. Ideally a HIDS works in conjunction with a NIDS, such that a HIDS finds anything that slips past the NIDS.
Ironically, most successful intruders, on entering a target machine, immediately apply best-practice security techniques to secure the system which they have infiltrated, leaving only their own backdoor open, so that other intruders cannot take over their computers. (Crackers are a competitive bunch...) Again, one can detect (and learn from) such changes.
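The cycle described in the post (record checksums for key files, rescan on a schedule, report changes, additions and deletions, then update the database for authorized changes) sketched in Python as an added example; it is not part of the original post and not Tripwire's own code. The function names, the monitored file names and the sample files are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def fingerprint(path):
    """Key attributes tracked per file: SHA-256 digest, size, permission bits."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}

def snapshot(root, names):
    """Database {name: fingerprint} for each monitored file that exists under root."""
    paths = {n: os.path.join(root, n) for n in names}
    return {n: fingerprint(p) for n, p in paths.items() if os.path.isfile(p)}

def check(baseline, root, names):
    """Scheduled scan: report additions, deletions and changed attributes."""
    current, changed = snapshot(root, names), {}
    for n in baseline.keys() & current.keys():
        diff = sorted(k for k in baseline[n] if baseline[n][k] != current[n][k])
        if diff:
            changed[n] = diff
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": changed}

def accept(baseline, root, approved):
    """Administrator ruled these changes authorized: refresh only their entries."""
    kept = {n: v for n, v in baseline.items() if n not in approved}
    kept.update(snapshot(root, approved))
    return kept

def demo():
    """Constructed sample files in a temp directory; returns (first, second) reports."""
    names = ["passwd", "sshd_config", "motd", "rc.local"]  # hypothetical policy
    with tempfile.TemporaryDirectory() as root:
        for n in names[:3]:                       # rc.local does not exist yet
            with open(os.path.join(root, n), "w") as f:
                f.write("original contents of " + n + "\n")
            os.chmod(os.path.join(root, n), 0o644)
        baseline = snapshot(root, names)
        with open(os.path.join(root, "passwd"), "a") as f:
            f.write("appended line\n")            # content change
        os.chmod(os.path.join(root, "sshd_config"), 0o666)  # permission-only change
        os.remove(os.path.join(root, "motd"))               # deletion
        open(os.path.join(root, "rc.local"), "w").close()   # addition
        first = check(baseline, root, names)
        # Second scan after the administrator authorizes only the motd removal.
        second = check(accept(baseline, root, ["motd"]), root, names)
    return first, second
if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The comparison is only as trustworthy as the baseline, so the database has to be kept where an intruder on the host cannot rewrite it.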