For host-based IDS on Windows-based systems, try Intact from Pedestal
Software. Intact can even log changes to a remote SQL database and roll
back any file system/registry changes/permissions, etc. You can make a
CD-ROM image of the Intact database and use that as well to detect changes.
TripWire has its roots as a Unix file-based utility but has some changes
made in the NT version to handle changes specific to that OS. I think
Intact has more features and less cost for a Windows environment, however.

----- Original Message -----
From: "Ron DuFresne" <[EMAIL PROTECTED]>
To: "mht" <[EMAIL PROTECTED]>
Cc: "Jose Nazario" <[EMAIL PROTECTED]>; "Ken Seefried" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Crumrine, Gary L" <[EMAIL PROTECTED]>
Sent: Wednesday, March 07, 2001 3:34 PM
Subject: RE: IDS

>
> I have a pretty good understanding of tripwire, and have used it for a
> number of years. I still differentiate it from tools I also use like
> snort and others. Perhaps this is my choice and fits my needs better.
>
> But, I have programs on my win toys that will monitor changes made when
> installing new SW, to ease uninstalling, they have much the same
> functionality as tripwire, and are by no means IDS tools for sure.
>
> Norton's tools and certainly others track registry entries to monitor
> changes and to provide backouts, again, some of the same functionality as
> tripwire and yet by no means in and of themselves an IDS.
>
> Now, would I consider logcheck/swatch and tripwire as tools involved in
> the total IDS solutions I roll out? yes.
>
> Of course, I tend to roll tcpwrappers into those solutions, though, I'd
> never classify it as a 'firewall'.
>
> Thanks,
>
> Ron DuFresne
>
> On Wed, 7 Mar 2001, mht wrote:
>
> > Tripwire is used to determine how UNIX and Microsoft Windows NT file
> > systems, and Windows NT registry keys have changed. It begins by creating a
> > baseline database of files, directories, and in the case of Microsoft
> > Windows NT, the NT Registry. This baseline includes up to 28 attributes for
> > each file. Attributes include: file size, write-times, create-times, number
> > of alternate file streams, and up to four cryptographic checksums of the
> > file contents.
> > Tripwire conducts subsequent file checks, it compares the state of the
> > system with the baseline database. Any inconsistencies are reported to and
> > to the host system's log file. Additionally, the reports can be emailed to
> > an administrator.
> >
> > A simple but yet complex door knob rattle that requires the following:
> >
> > Tripwire Technical Training offers convenient, comprehensive training
> > courses for anyone who works with Tripwire software. Tripwire Authorized
> > Training Centers (TATCs) are located throughout North America. The
> > coursework covers the following topics:
> > · Installation and Configuration
> > · Editing Policy Files to Fine-Tune the Assessment Process
> > · Database File- and Integrity-Checking Processes
> > · Report File Management
> > · Updating Database and Policy Files
> > · Deployment Planning
> >
> > If it was a simple IDS as you state, why does need to take all the listed
> > classes above in order to configure it and understand it.. Hmm, must be a
> > better way of defining what an IDS is..
> >
> > (Starting to gnaw on my coyote ugly arm..-:)
> >
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
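
The baseline-and-compare cycle described in the quoted message, as an added Python example (not Tripwire's or Intact's code and not part of the original thread). The four recorded attributes, the function names and the sample files are assumptions chosen for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root):
    """Baseline: {relative path: attributes} for each regular file under root."""
    db = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # directories, symlinks and special files are skipped
        db[path.relative_to(root).as_posix()] = {
            "size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "mode": stat.S_IMODE(st.st_mode),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}
    return db

def compare(baseline, current):
    """Return sorted (path, finding) pairs for every inconsistency."""
    report = []
    for path in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report.append((path, "added"))
        elif new is None:
            report.append((path, "removed"))
        elif old != new:
            diff = [k for k in old if old[k] != new[k]]
            report.append((path, "changed: " + ",".join(diff)))
    return report

def demo():
    """Constructed sample tree: take a baseline, alter the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "passwd").write_bytes(b"root:x:0:0\n")
        (root / "motd").write_bytes(b"hello\n")
        baseline = snapshot(root)
        st = (root / "hosts").stat()
        (root / "hosts").write_bytes(b"127.0.0.2 localhost\n")  # same length
        os.utime(root / "hosts", ns=(st.st_atime_ns, st.st_mtime_ns))  # same mtime
        (root / "motd").unlink()
        (root / "new.sh").write_bytes(b"#!/bin/sh\n")
        return compare(baseline, snapshot(root))
```

In `demo()` the altered `hosts` file keeps its size and modification time, so the content checksum is the only attribute that reports the change.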
