Intrusion Detection Tools

Modified 5 October 2009

System Intrusion Detection

Assuming you got your system into a reasonable state, you would like to keep it there. Or, at least you would like to know if it is changed!

• Tripwire
  • Commercial version, with support, for various flavors of UNIX and Windows. They also have Tripwire for Routers and Tripwire for Apache Webservers — http://www.tripwire.com/
  • A Linux-only open-source version of the commercial one. Midway between the commercial and the ASR in terms of features: http://www.tripwire.com/blog
  • Academic Source Release (ASR), free and unsupported, for UNIX:
    • http://osmirrors.cerias.purdue.edu/pub/gentoo/distfiles/tripwire-2.3.1-2.tar.gz
    • http://sourceforge.net/projects/tripwire/
• AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire — http://www.cs.tut.fi/~rammer/aide.html
• Osiris is a free replacement for Tripwire — http://osiris.shmoo.com/
• Samhain is a free replacement for Tripwire — http://www.la-samhna.de/samhain/
• SNARE - System iNtrusion Analysis & Reporting Environment provides host-based intrusion detection for Linux, including graphical configuration, monitoring, and reporting tools: http://www.intersectalliance.com/projects/Snare/index.html
• Snare BackLog for Solaris replaces the normal Solaris C2 Audit log collection and reporting sybsystem: http://www.intersectalliance.com/projects/SnareBackLog/
• BackLog is a Windows NT service to collect and process Event Log information: http://www.intersectalliance.com/projects/BackLogNT/index.html
• Also see Purdue's CERIAS group, http://www.cerias.purdue.edu/, for current research in this challenging area.

Network Intrusion Detection

Note carefully that most "network intrustion detection" system really detect an attack and not an intrusion. Still possibly useful, just make sure you understand what a tool really does.

Also be somewhat skeptical of the real need for NID. If you are running BSD, do you really care that someone on the other side of the planet is trying to exploit a risk only found on Microsoft SQL Server? Is it appropriate to waste your time being "warned" about this complete non-risk? Aggressive NID can be a denial-of-service attack against yourself!

Snort is a great tool that detects and diagnoses scans, probes, and attempted attacks. http://www.snort.org/

• RazorBack is another graphical tool for analyzing Snort logs: http://www.intersectalliance.com/projects/RazorBack/index.html
• ACID-XML analyzes Snort logs and generates XML tables: http://www.maximumunix.com/

Tools to automatically analyze audit trails for suspicious events.

• CMDF, SAIC, San Diego CA.
• NetRanger, WheelGroup Corp, San Antonia TX.
• NetStalker, Haystack Labs Inc., Austin TX.
• ID-Trak, Internet Tools, Inc., http://www.internettools.com
• GrIDS, Computer Security Laboratory, University of California, Davis. The most ambitious, still under development.

A list of other log analysis tools: http://counterguide.com/listing.php?type=logs

Also see Purdue's CERIAS group, http://www.cerias.purdue.edu/, for current research in this challenging area.

Back to the main Security Page

Home Unix/Linux Networking Infosec Travel Technical Radio Site Map Contact