Re: Tripwire (clone) which would you prefer?

2004-02-24 Thread Javier Fernández-Sanguino Peña
On Mon, Feb 23, 2004 at 12:50:27PM +0100, Dariush Pietrzak wrote:
> > samhain (in unstable, should be easy to backport) which has some
> > interesting features.
> And those interesting features should make you cautious before you deploy
> samhain in a production environment. I find it rather intrusive.

In what sense? Logging to syslog/email/external database and signing the 
reports seems pretty unintrusive to me.

Regards

Javi


signature.asc
Description: Digital signature


Re: Tripwire (clone) which would you prefer?

2004-02-24 Thread Dariush Pietrzak
> In what sense? Logging to syslog/email/external database and signing the
Bringing the machine to its knees seems pretty intrusive to me.
Samhain runs as a daemon, and IIRC it scans running processes and does other
things in an effort to detect trojans and LKMs. This activity used to boost
the idle load avg from ~0.1-0.3 to ~1.0, and created serious problems with
handling peak loads.
AFAIK you can modify the way you want to run samhain, and it's been years
since I tried using samhain, so samhain has probably become more efficient, and
today's 6G-RAM 3GHz CPUs probably pack enough grunt to safely ignore the
additional load, but one should always be careful with 'extra features'.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



RE: Tripwire (clone) which would you prefer?

2004-02-23 Thread Toni Heinonen
I have used AIDE (Advanced Intrusion Detection Environment) both in production use and 
when I've been an instructor on unix security courses I've made the students learn to 
use it, because it's really simple and easy to use. Even though it's quite simple, I 
don't see it lacking anything important in qualities.

TONI HEINONEN  
  
TELEWARE OY
Tel. +358 40 836 1815
Itäkeskuksen Maamerkki
00930 Helsinki, Finland
[EMAIL PROTECTED] * www.teleware.fi


> -Original Message-
> From: Jan Lühr [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 23, 2004 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: Tripwire (clone) which would you prefer?
>
>
> Greetings,
>
> well, I'm looking for an open source intrusion detection. At first, tripwire
> captured my attention, but the last open source version seems to be three
> years old - is it still in development or badly vulnerable?
> Then I searched for tripwire in the woody packages and found integrit and
> bsign - so which would you prefer and why?
> Are there any other interesting projects that are worth looking at?
>
> Keep smiling
> yanosz


Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Lupe Christoph
On Monday, 2004-02-23 at 10:42:05 +0100, Jan Lühr wrote:

> well, I'm looking for an open source intrusion detection. At first, tripwire
> captured my attention, but the last open source version seems to be three
> years old - is it still in development or badly vulnerable?
> Then I searched for tripwire in the woody packages and found integrit and
> bsign - so which would you prefer and why?
> Are there any other interesting projects that are worth looking at?

Stable != bad, ask the Debian project :-P

I'm using a combination of Tripwire and AIDE. Before I decided on that,
I did a survey of integrity checkers. I didn't find bsign then, but
integrit. At that time 3.00.05 was most current. It did not offer a
variety of hashes, only SHA1. It offered no database integrity like
Tripwire does (and seemingly AIDE now, too). In general it was one of
the better tools, but not as flexible and versatile as AIDE and
Tripwire.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |





RE: Tripwire (clone) which would you prefer?

2004-02-23 Thread Domonkos Czinke
Hello,

Actually I'm using Integrit with Coda. I store the binary and the database on a
read-only Coda mount (you can't mount it rw unless you know the Coda password),
and it's really fast and reliable. So my vote is Integrit; btw, you should check
all of them and then make a decision for your needs.

Best regards,
Domonkos Czinke

-Original Message-
From: Jan Lühr [mailto:[EMAIL PROTECTED]
Sent: Monday, February 23, 2004 10:42 AM
To: [EMAIL PROTECTED]
Subject: Tripwire (clone) which would you prefer?


Greetings,

well, I'm looking for an open source intrusion detection. At first, tripwire
captured my attention, but the last open source version seems to be three
years old - is it still in development or badly vulnerable?
Then I searched for tripwire in the woody packages and found integrit and
bsign - so which would you prefer and why?
Are there any other interesting projects that are worth looking at?

Keep smiling
yanosz





Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Dariush Pietrzak
> I did a survey of integrity checkers. I didn't find bsign then, but
I'd vote against bsign - it modifies original binaries, thus rendering
Debian md5sums useless. (It would be great if one could get packages with
bsign-signed binaries, signed by DDs or the release team.)
I prefer integrit; it's very convenient - and convenience comes with a
price - in its default mode of operation it updates your md5sums, so you can
run it and get incremental notifications about what changes in your system.
That might not be what you want.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
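Two points raised in this thread, Lupe's "database integrity" (Tripwire protects its own database) and Dariush's warning that integrit's default mode rewrites its md5sums as it runs, come down to one design rule: the baseline must be tamper-evident and must never be refreshed as a side effect of a check. The following Python is an added example written for this page, not code from Tripwire, AIDE, integrit or samhain; it keeps an HMAC-signed baseline of SHA-256 digests and a report-only compare, and the key, the file tree and the tampering step are all constructed.

```python
import hashlib, hmac, json, os, stat, tempfile
KEY = b"constructed-example-key"  # hypothetical; keep a real key off the monitored host

def build_baseline(root):
    """SHA-256 of every regular file under root, keyed by path relative to root."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(p).st_mode):
                continue  # skip symlinks, sockets, devices
            with open(p, "rb") as f:
                entries[os.path.relpath(p, root)] = hashlib.sha256(f.read()).hexdigest()
    return entries

def sign_baseline(entries, key=KEY):
    """Serialise the baseline with an HMAC so that edits to the database itself are caught."""
    body = json.dumps(entries, sort_keys=True).encode()
    return json.dumps({"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()})

def load_baseline(blob, key=KEY):
    """Refuse to trust a baseline whose HMAC does not verify."""
    doc = json.loads(blob)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), doc["mac"]):
        raise ValueError("baseline database failed HMAC check")
    return doc["entries"]

def compare(baseline, current):
    """Report only; refreshing the baseline is a separate, deliberate step, never a side effect."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

def demo():
    root = tempfile.mkdtemp()
    def put(rel, data):  # constructed file tree for the scenario
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    put("bin/ls", b"ls v1"); put("etc/passwd", b"root:x:0:0")
    db = sign_baseline(build_baseline(root))
    put("bin/ls", b"ls v1 plus extra bytes")   # binary replaced after the baseline
    put("etc/rc.local", b"added later")        # new file
    report = compare(load_baseline(db), build_baseline(root))
    try:  # an edit to the stored DB (renaming the bin/ls entry) must not go unnoticed
        load_baseline(db.replace("bin/ls", "bin/xx")); db_tamper_detected = False
    except ValueError:
        db_tamper_detected = True
    return report, db_tamper_detected
```

Storing `db` on read-only media, as Domonkos does with his Coda mount, is complementary: the HMAC catches a modified database, the mount makes modifying it harder in the first place.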





Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Richard Atterer
Also see this page for a useful comparison between AIDE and tripwire:

http://www.fbunet.de/aide.shtml

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯





Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Javier Fernández-Sanguino Peña
On Mon, Feb 23, 2004 at 10:42:05AM +0100, Jan Lühr wrote:
> Greetings,
>
> well, I'm looking for an open source intrusion detection. At first, tripwire
> captured my attention, but the last open source version seems to be three
> years old - is it still in development or badly vulnerable?
> Then I searched for tripwire in the woody packages and found integrit and
> bsign - so which would you prefer and why?
> Are there any other interesting projects that are worth looking at?

Besides aide (which is nice, and has already been mentioned) there is also
samhain (in unstable, should be easy to backport) which has some
interesting features.

Regards

Javi


signature.asc
Description: Digital signature


Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Dariush Pietrzak
> samhain (in unstable, should be easy to backport) which has some
> interesting features.
And those interesting features should make you cautious before you deploy
samhain in a production environment. I find it rather intrusive.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9




