On Thu, 25 Apr 2002 21:49:24 -0400 Post, Mark K said:
>Craig,
>It's used with a firewall, not in place of. A firewall is intended to keep
>the bad guys out in the first place. An IDS is designed to figure out that
>they got in anyway, and tell you what it was they messed with while they
>were there. Tripwire for instance keeps track of file sizes, dates (and I
>think a checksum) of important system files. If one of those attributes
>changes from one daily scan to the next, it tells you there's a problem.
Yup.

Based on a question I was asked offline, I think I may have been too circumspect in my statements. I was vague because I don't remember the details. Mike briefly talked to me about it about 3 weeks ago while we were talking about something else. My fuzzy remembrance was that some of the defaults were more for a dedicated machine, a la the recent discussion about memory size. The checksums also are a little compute bound too.

For the record, since I haven't seen it mentioned, there are 2 versions of tripwire. The commercial version at www.tripwire.com and the open-source version for Linux at www.tripwire.org.

>Mark Post

/ahw