[nylug-talk] Intrusion Detection

H. G. tekronis at gmail.com
Mon Mar 31 15:30:28 EDT 2008


On Mon, Mar 31, 2008 at 3:19 PM, Brandorr <brandorr at opensolaris.org> wrote:

> On Sun, Mar 30, 2008 at 5:47 PM, Lee Revell <rlrevell at joe-job.com> wrote:
> > On Fri, Mar 28, 2008 at 12:30 PM, Chris Knadle <Chris.Knadle at coredump.us> wrote:
> >  > On Thursday 27 March 2008, H. G. wrote:
> >  >  > As I recall, the lowest-impact way to monitor the filesystem was
> >  >  > with fam or something, since fam alerts you when files change,
> >  >  > as opposed to you manually sweeping the filesystem looking
> >  >  > for changes (causing lots of disk activity and performance
> >  >  > problems in the process).  OSSEC doesn't use the former
> >  >  > strategy, unfortunately. :-(
> >  >
> >  >    I've been playing around with Osiris some.  One of the complaints that's
> >  >  typical of AIDE, Tripwire, etc, is that the checksums for files are stored
> >  >  locally (with an offline copy to verify).  Osiris stores and checks checksums
> >  >  using an encrypted connection with a remote server (unless of course the
> >  >  daemon and client are on the same box).  It's worth a look.
> >  >
> >
> >  We use Samhain at my workplace.  It's quite good, can store checksums
> >  on a remote server, and does not noticeably impact performance when
> >  sweeping the filesystem.
> >
> >  http://www.la-samhna.de/samhain/
> >
> >  The free web interface is not great, but there's a better one you can
> >  buy (source included IIRC) for about 100 euros.
> >
> >  Lee
> >
>
> Snort, Nessus and Tripwire are the three (open source) tools that you
> will want to investigate.
>
> -Brian
>
> --
> - Brian Gupta
>
> http://opensolaris.org/os/project/nycosug/
>
> http://www.genunix.org/wiki/index.php/OpenSolaris_New_User_FAQ

Tripwire is still active/alive?  One of the reasons I decided not to go the
Tripwire route was due to the fact that activity seemed to have ceased in the
open source version.
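The two points the thread turns on are (a) the periodic checksum sweep that AIDE, Tripwire and Samhain perform, and (b) Chris Knadle's complaint that a baseline stored on the monitored host can be rewritten by whoever compromised it. The following is an added example written for this page, not code from any poster or from any of the tools named. It sweeps a tree into a SHA-256 baseline, seals the baseline with an HMAC under a key that is assumed to be held off the monitored host (the key value and the sample files are constructed for the demo), reports added/removed/modified paths on the next sweep, and shows that a baseline edited to hide a trojaned file fails the seal check. The inotify/fam event-driven approach H. G. mentions is not shown here.

```python
"""Minimal checksum-based file integrity monitor (added example).

Sweeps a directory into a SHA-256 baseline, seals it with HMAC-SHA256 so a
locally stored baseline cannot be silently re-baselined, and diffs a later
sweep against it.  Constructed demo data; the HMAC key is assumed to be
supplied out of band from a host the attacker does not control.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Sweep `root`; record digest, size and permission bits of each regular
    file, keyed by path relative to root so the baseline is portable."""
    root = Path(root)
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope here
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return entries


def canonical(entries):
    """Deterministic serialisation so the MAC does not depend on dict order."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def seal_baseline(entries, key):
    """Attach an HMAC-SHA256 tag.  Only useful if `key` is kept where the
    monitored host cannot read or rewrite it (e.g. on the verifying server)."""
    tag = hmac.new(key, canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": tag}


def baseline_is_authentic(sealed, key):
    expected = hmac.new(key, canonical(sealed["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def compare(baseline, current):
    """Report paths added, removed, or changed (content, size or mode)."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, simulate an intrusion,
    then simulate the attacker editing the local baseline to hide it."""
    key = b"demo-key-held-on-the-verification-server"  # assumption: off-host secret
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "shadow").write_text("root:!:1:0:99999:7:::\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-placeholder")

        sealed = seal_baseline(build_baseline(root), key)

        # Simulated intrusion: trojan bin/ls, drop a new binary, delete shadow.
        (root / "bin" / "ls").write_bytes(b"\x7fELF-placeholder-with-backdoor")
        (root / "bin" / "nc").write_bytes(b"\x7fELF-dropped-tool")
        (root / "etc" / "shadow").unlink()
        diff = compare(sealed["entries"], build_baseline(root))

        # Attacker rewrites the locally stored baseline to match the trojan.
        tampered = json.loads(json.dumps(sealed))  # deep copy of the sealed baseline
        tampered["entries"]["bin/ls"]["sha256"] = file_digest(root / "bin" / "ls")

        return {
            "diff": diff,
            "original_authentic": baseline_is_authentic(sealed, key),
            "tampered_authentic": baseline_is_authentic(tampered, key),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The seal only helps if the key never touches the monitored box; in practice that means the verifier pulls the tree's digests (or the whole baseline) to a separate host, which is exactly the remote-storage design the Osiris and Samhain posts describe.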

