Operating System - HP-UX

Open Source Tripwire now available on HPUX Internet Express 7.0

Pierre Pasturel
Respected Contributor

Read Before Installing (RBI)
http://docs.hp.com/en/internet.html#Internet%20Express

11iv1
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

11iv2
http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1123

The RBI mentions you must install PHSS_28871 in order for tripwire to work.

We would like to gauge customer demand for an HP fully supported file integrity checker.
Steven E. Protter
Exalted Contributor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Pierre,

If I had anything to say about it, I'd put it on every machine. It is a great tool.

Customer demand will be high. Lots of people try to get it to work.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Rick Garland
Honored Contributor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Lots of questions in these forums about how to do something like tripwire.

A very worthwhile tool!

Everybody, this is a "gotta have it" utility.
A. Clay Stephenson
Acclaimed Contributor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Excellent! This will save me the trouble of having to do the builds from source.
If it ain't broke, I can fix that.
paolo barila
Valued Contributor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Hi,
does anybody have a sample policy file for hp-ux 11.11 to share?
share share share
Victor BERRIDGE
Honored Contributor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Really Good news!!
Many thanks


All the best
Victor
Geoff Wild
Honored Contributor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

That is great - that means I don't have to buy anymore licenses for the commercial version.

Question though - what is different between the commercial and open source one?

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Bill Hassell
Honored Contributor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

There is one tool that has been conspicuously absent from Internet Express:

lsof

Since fuser is hopelessly broken, it seems like a very useful candidate for this package. For example:

fuser /opt
lsof /opt


Bill Hassell, sysadmin
Alzhy
Honored Contributor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

What does Tripwire do?

Planning very soon to use HIDS... essentially to monitor changes to configuration files and directories. Is Tripwire better than HIDS or are they vastly different?

Hakuna Matata.
Pierre Pasturel
Respected Contributor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Hi Nelson -

File integrity checkers (like tripwire), HIDS, NIDS, HIPS, NIPS and other security solutions all complement each other. You can find some useful definitions at: http://www.networkintrusion.co.uk/ids.htm

I think Tripwire's CTO's posting that you can find at http://archives.neohapsis.com/archives/sf/ids/2000-q4/0071.html provides a good summary of what file integrity checkers like tripwire and host intrusion detection systems (HIDS) can do:

"To roll up in one sentence, I view IDS as early warning detection, and integrity as damage assessment and recovery. I use both, because both are essential."

As a simplification, within host intrusion detection, there are two main classes of HIDS (anomaly detection & misuse detection). The problem is that those words can mean different things to different people. Our HPUX HIDS could be seen as doing both anomaly detection (we can flag things that don't normally happen) and misuse detection (we detect things like unauthorized file modifications or unauthorized access attempts, such as repeated failed logins/su attempts to become a privileged user). But we don't do system or application profiling, so we can't call ourselves a true anomaly detector.

We take the approach of monitoring for attempts to exploit certain Unix vulnerabilities. See http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS#threats_monitored for the list.

Here is how I would break them down:

Tripwire
- Runs in batch mode (e.g., typically daily runs, more frequently for a small set of critical files)
- Establishes a known "good" state (requires persistent database)
- Discovers state changes (changes in file contents and in file attributes)
- Rollback feature: provides mechanism to either manually or automatically recover from undesired file changes and restore files back to known "good" state.
- Open source version (but no rollback feature, no central management, basic reporting)
- Commercial version (Server/Enterprise Tripwire) (has central management, rollback/change control, GUI, Enterprise version supports network devices). See http://www.tripwire.com/products/enterprise/ost/

HPUX Host IDS
- Real-time detection, not batch mode
- Detects the exploitation of certain vulnerabilities, not just file modification
- Unauthorized File Modification (critical files, log files, non-owned files)
- Creation of privileged files (setuid and privileged world-writable files)
- Poorly written privileged programs (buffer overflow, race condition)
- Weak password and/or unauthorized access (logins/logouts)
- Password Guessing (failed logins, failed su attempts)
- Does not perform real-time file integrity checks due to performance impact of frequently calculating file content signatures on either a large number of files and/or large-sized files. Does detect file creations, deletions and truncations in real-time.
- Complements Tripwire by providing early detection/warning
- Can detect signs of attack as the attack is unfolding (e.g., detects when critical file opened for modification before file is modified)
- OpenView Operations (OVO) integration by providing a HIDS SPI from the free download gallery.
- Supports response framework for customized responses to alerts (e.g., forward alerts by email, kill offending process, restore file to good state, integration with other management solutions)
- Comes with preconfigured surveillance schedules for out-of-the-box detection
- Supported by HP
- Free download

Pierre
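The batch model Pierre describes above (take a known-good snapshot, store it, later compare content and attributes and report what moved) is small enough to show in working code. The script below is an added example, not HP's, Tripwire's or anyone's code from this thread; it records the same kinds of properties Tripwire's default masks cover and then runs against a constructed miniature file tree, in which an attacker makes a same-size edit to passwd, sets the setuid bit on a binary, drops a file and deletes another. Directory names, file contents and the JSON stand-in for Tripwire's signed database are all constructed for the demo.

```python
"""Added example: a Tripwire-style file integrity baseline and check.

Illustrates the batch model (known-good database, later comparison of
content and attributes). Sample tree and contents are constructed here.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def snapshot(path: Path) -> dict:
    """Record type, mode, owner, size, mtime and (for regular files) a
    content hash. atime is left out on purpose: reading a file for the
    check itself would otherwise register as a change."""
    st = path.lstat()
    kind = "dir" if stat.S_ISDIR(st.st_mode) else "link" if stat.S_ISLNK(st.st_mode) else "file"
    entry = {
        "type": kind,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if kind == "file":
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif kind == "link":
        entry["target"] = os.readlink(path)
    return entry


def build_baseline(root: Path) -> dict:
    """The 'init' step: walk root and snapshot every directory, file and symlink."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            db[p.relative_to(root).as_posix()] = snapshot(p)
    return db


def check(root: Path, baseline: dict) -> dict:
    """The 'check' step: diff the current state against the stored baseline.
    Returns added/removed paths and, per modified path, {attr: (old, new)}."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            old, new = baseline[rel], current[rel]
            diff = {k: (old.get(k), new.get(k))
                    for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
            if diff:
                report["modified"][rel] = diff
    return report


def demo() -> dict:
    """Constructed miniature tree: baseline it, tamper with it, re-check."""
    root = Path(tempfile.mkdtemp(prefix="fic-"))
    try:
        (root / "etc").mkdir()
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "tmp").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/:/sbin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        su = root / "usr" / "bin" / "su"
        su.write_bytes(b"\x7fELF constructed stand-in for a binary")
        su.chmod(0o555)

        # Tripwire keeps the baseline in a signed database file; a JSON
        # round-trip stands in for that persistent store here.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Tampering between two scheduled runs:
        (root / "etc" / "passwd").write_text("toor:x:0:0:root:/:/sbin/sh\n")  # same size, new content
        su.chmod(0o4755)                                   # setuid bit set, content untouched
        (root / "tmp" / ".x").write_text("#!/sbin/sh\n")   # dropped file
        (root / "etc" / "hosts").unlink()                  # deleted file
        return check(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same-size passwd edit is the reason a content hash is in the baseline: size and owner alone would not flag it. The setuid change shows up as a mode difference with the hash untouched, which is the "file attribute" half of what Pierre lists. Parent directory mtimes may also appear in the modified set, as they would in a real run.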
paolo barila
Valued Contributor

Re: Open Source Tripwire now available on HPUX Internet Express 7.0

Hi pierre,
do you have a TRIPWIRE sample policy file for hp-ux 11.11 to share with us?
share share share
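Since the question above (and its earlier copy in this thread) goes unanswered, here is a starting-point Open Source Tripwire policy for HP-UX 11.11. It is an added example, not a file supplied by HP, Tripwire or anyone in this thread. The install prefix /opt/iexpress/tripwire and the hostname hpux01 are assumptions (take the real prefix from the RBI and the key names from your tw.cfg); the /stand, /etc and /var/adm paths are standard 11.11 locations, but confirm each one exists on your system before running twadmin --create-polfile, because Tripwire warns on every policy entry it cannot find at init time.

```text
# Sample twpol.txt for HP-UX 11.11 (added example; paths to be verified)

@@section GLOBAL
TWROOT=/opt/iexpress/tripwire;      # assumption: Internet Express prefix
TWBIN=$(TWROOT)/bin;
TWPOL=$(TWROOT)/policy;
TWDB=$(TWROOT)/db;
TWSKEY=$(TWROOT)/key;
TWLKEY=$(TWROOT)/key;
TWREPORT=$(TWROOT)/report;
HOSTNAME=hpux01;                    # assumption

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ; # critical files: every property except atime
SEC_BIN       = $(ReadOnly) ;       # binaries: content and attributes must not change
SEC_CONFIG    = $(Dynamic) ;        # config files: edited rarely, read often
SEC_LOG       = $(Growing) ;        # files that may grow but never shrink or change owner
SEC_INVARIANT = +tpug ;             # only type, permissions, owner, group
SIG_LO        = 33 ;
SIG_MED       = 66 ;
SIG_HI        = 100 ;

(
  rulename = "Tripwire binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen    -> $(SEC_BIN) ;
  $(TWBIN)/tripwire  -> $(SEC_BIN) ;
  $(TWBIN)/twadmin   -> $(SEC_BIN) ;
  $(TWBIN)/twprint   -> $(SEC_BIN) ;
}

(
  rulename = "Tripwire data files",
  severity = $(SIG_HI)
)
{
  $(TWDB)                          -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol                  -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg                  -> $(SEC_BIN) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key  -> $(SEC_BIN) ;
  $(TWSKEY)/site.key               -> $(SEC_BIN) ;
  $(TWREPORT)                      -> $(SEC_CONFIG) (recurse=0) ;
}

(
  rulename = "Kernel and boot",
  severity = $(SIG_HI)
)
{
  /stand/vmunix  -> $(SEC_CRIT) ;
  /stand/system  -> $(SEC_CRIT) ;
}

(
  rulename = "System binaries and libraries",
  severity = $(SIG_HI)
)
{
  /sbin      -> $(SEC_BIN) ;
  /usr/bin   -> $(SEC_BIN) ;
  /usr/sbin  -> $(SEC_BIN) ;
  /usr/lib   -> $(SEC_BIN) ;
}

(
  rulename = "Security-sensitive configuration",
  severity = $(SIG_HI)
)
{
  /etc/passwd       -> $(SEC_CONFIG) ;
  /etc/group        -> $(SEC_CONFIG) ;
  /etc/inetd.conf   -> $(SEC_CRIT) ;
  /etc/services     -> $(SEC_CRIT) ;
  /etc/hosts        -> $(SEC_CONFIG) ;
  /etc/hosts.equiv  -> $(SEC_CRIT) ;
  /.rhosts          -> $(SEC_CRIT) ;
  /etc/securetty    -> $(SEC_CRIT) ;
  /etc/pam.conf     -> $(SEC_CRIT) ;
  /etc/profile      -> $(SEC_CRIT) ;
  /etc/rc.config.d  -> $(SEC_CONFIG) ;
  !/etc/mnttab ;                    # rewritten on every mount; stop point
  !/etc/utmp ;                      # changes on every login; stop point
}

(
  rulename = "Log files",
  severity = $(SIG_LO)
)
{
  /var/adm/syslog/syslog.log  -> $(SEC_LOG) ;
  /var/adm/sulog              -> $(SEC_LOG) ;
  /var/adm/wtmp               -> $(SEC_LOG) ;
  /var/adm/btmp               -> $(SEC_LOG) ;
}
```

The -i on the Tripwire database and policy entries tells Tripwire to ignore inode number changes, since it rewrites those files itself on update; the stop points (!) keep files that legitimately change on every mount or login from filling each report with noise. Run the critical rules in a separate, more frequent schedule than the log rules, as Pierre suggests above.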