[nylug-talk] Intrusion Detection
Brandorr
brandorr at opensolaris.org
Mon Mar 31 15:19:25 EDT 2008
On Sun, Mar 30, 2008 at 5:47 PM, Lee Revell <rlrevell at joe-job.com> wrote:
> On Fri, Mar 28, 2008 at 12:30 PM, Chris Knadle <Chris.Knadle at coredump.us> wrote:
> > On Thursday 27 March 2008, H. G. wrote:
> > > As I recall, the most low-impact way to monitor the filesystem was
> > > with fam or something, since fam alerts you when files change,
> > > as opposed to you manually sweeping the filesystem looking
> > > for changes (causing lots of disk activity and performance
> > > problems in the process). OSSEC doesn't use the former
> > > strategy, unfortunately. :-(
> >
> > I've been playing around with Osiris some. One of the complaints that's
> > typical of AIDE, Tripwire, etc, is that the checksums for files are stored
> > locally (with an offline copy to verify). Osiris stores and checks checksums
> > using an encrypted connection with a remote server (unless of course the
> > daemon and client are on the same box). It's worth a look.
> >
>
> We use Samhain at my workplace. It's quite good, can store checksums
> on a remote server, and does not noticeably impact performance when
> sweeping the filesystem.
>
> http://www.la-samhna.de/samhain/
>
> The free web interface is not great, but there's a better one you can
> buy (source included IIRC) for about 100 euros.
>
> Lee
>
>
> _____________________________________________________________________________
> Hire expert Linux talent by posting jobs here :: http://jobs.nylug.org
> The nylug-talk mailing list is at nylug-talk at nylug.org
> The list archive is at http://nylug.org/pipermail/nylug-talk
> To subscribe or unsubscribe: http://nylug.org/mailman/listinfo/nylug-talk
Snort, Nessus and Tripwire are the three (open source) tools that you
will want to investigate.
-Brian
--
- Brian Gupta
http://opensolaris.org/os/project/nycosug/
http://www.genunix.org/wiki/index.php/OpenSolaris_New_User_FAQ
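The thread contrasts two things: how the checker finds changes (a periodic sweep with checksums, as AIDE/Tripwire/Samhain do, versus change notification via fam), and where the checksums live (a local database that an intruder with root can rewrite, versus Osiris/Samhain shipping them to a remote server). The block below is an added example written for this archive page; it is not code from AIDE, Tripwire, Osiris, Samhain or any other tool named above. It implements the sweep-and-checksum side (digest, size, permission bits, owner, symlink target per file; added/removed/modified report) and answers the local-storage complaint the cheap way: the baseline is sealed with an HMAC under a key assumed to be kept off the monitored host, so a rewritten baseline is detected even if the attacker has root. The key value, the directory contents and the tampering steps in `demo()` are constructed for illustration.

```python
"""Minimal sweep-based file integrity checker with an HMAC-sealed baseline.
Illustrative code for the nylug-talk thread; not from any named tool."""
import hashlib
import hmac
import json
import os
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record, per file, what a sweep-based checker keeps:
    permission bits, owner, size, and either the SHA-256 of a regular file
    or the target of a symlink (lstat, so links are never followed)."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size}
            if stat.S_ISLNK(st.st_mode):
                entry["link"] = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                entry["sha256"] = hash_file(full)
            baseline[os.path.relpath(full, root)] = entry
    return baseline


def compare(old, new):
    """Return sorted (added, removed, modified) relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def seal_baseline(baseline, key):
    """Serialize the baseline and append an HMAC-SHA256 tag. `key` is assumed to
    be provisioned out of band and kept off the host, so a local root attacker
    can rewrite the checksums but cannot recompute a valid tag."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_baseline(blob, key):
    """Check the tag before trusting stored checksums; None if it does not verify."""
    body, _sep, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-sweep."""
    key = b"example-key-kept-off-host"  # assumption: never stored on the monitored box
    files = [("etc/passwd", b"root:x:0:0\n"), ("etc/shadow", b"root:!:\n"), ("bin/ls", b"ELF")]
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, 0o644)
        os.symlink("ls", os.path.join(root, "bin", "dir"))
        sealed = seal_baseline(build_baseline(root), key)

        # Same-size content change: only the digest catches this, size/mtime would not.
        with open(os.path.join(root, "etc", "shadow"), "wb") as f:
            f.write(b"root:$:\n")
        os.chmod(os.path.join(root, "etc", "passwd"), 0o600)  # metadata-only change
        os.remove(os.path.join(root, "bin", "ls"))              # deleted binary
        hidden = os.path.join(root, "tmp", ".backdoor")         # dropped file
        os.makedirs(os.path.dirname(hidden))
        with open(hidden, "wb") as f:
            f.write(b"#!/bin/sh\n")

        added, removed, modified = compare(open_baseline(sealed, key), build_baseline(root))
        # An intruder editing the stored baseline in place fails verification.
        tampered = sealed.replace(b"etc/shadow", b"etc/shadoW", 1)
        return {"added": added, "removed": removed, "modified": modified,
                "tamper_detected": open_baseline(tampered, key) is None}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points follow the thread directly. The digest is what catches a same-size edit such as the `shadow` change above; a checker that only compares size and mtime misses it, and mtime is trivially reset anyway. The HMAC seal is the minimum needed when the baseline has to stay on the host; pushing the sealed blob to another machine, as Osiris and Samhain do over an encrypted channel, is the stronger version of the same idea. The sweep itself still reads every file, which is the disk-activity cost the first quoted poster was complaining about; notification-based approaches avoid that but need the baseline as well to know what the file used to be.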