Re: Tripwire (clone) which would you prefer?
> In what sense? Logging to syslog/email/external database and signing the Bringing machine to knees seems pretty intrusive to me. Samhain runs as deamon, and IIRC it scans running processes and does other things in effort to detect trojans and lkms. This activity used to boost idle load avg from ~0.1-0.3 to ~1.0, and created serious problems with handling peak loads. AFAIK you can modify the way you want to run samhain, and it's been years since I tried using samhain, so samhain probably became more efficient, and todays 6G-ram 3Ghz cpus probably pack enough grunt to safely ignore additional load, but one should always be carefull with 'extra features'. -- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Tripwire (clone) which would you prefer?
On Mon, Feb 23, 2004 at 12:50:27PM +0100, Dariush Pietrzak wrote: > > samhain (in unstable, should be easy to backport) which has some > > interesting features. > And those interesting features should make you cautious before you deploy > samhain in production environment. I find it rather intrusive. In what sense? Logging to syslog/email/external database and signing the reports seems pretty unintrusive to me. Regards Javi signature.asc Description: Digital signature
Re: Tripwire (clone) which would you prefer?
> In what sense? Logging to syslog/email/external database and signing the Bringing machine to knees seems pretty intrusive to me. Samhain runs as deamon, and IIRC it scans running processes and does other things in effort to detect trojans and lkms. This activity used to boost idle load avg from ~0.1-0.3 to ~1.0, and created serious problems with handling peak loads. AFAIK you can modify the way you want to run samhain, and it's been years since I tried using samhain, so samhain probably became more efficient, and todays 6G-ram 3Ghz cpus probably pack enough grunt to safely ignore additional load, but one should always be carefull with 'extra features'. -- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Tripwire (clone) which would you prefer?
On Mon, Feb 23, 2004 at 12:50:27PM +0100, Dariush Pietrzak wrote: > > samhain (in unstable, should be easy to backport) which has some > > interesting features. > And those interesting features should make you cautious before you deploy > samhain in production environment. I find it rather intrusive. In what sense? Logging to syslog/email/external database and signing the reports seems pretty unintrusive to me. Regards Javi signature.asc Description: Digital signature
Re: Tripwire (clone) which would you prefer?
> samhain (in unstable, should be easy to backport) which has some > interesting features. And those interesting features should make you cautious before you deploy samhain in production environment. I find it rather intrusive. -- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Tripwire (clone) which would you prefer?
On Mon, Feb 23, 2004 at 10:42:05AM +0100, Jan Lühr wrote: > Greetings, > > well, I looking for an open source intrusion detection. At first, tripwire > caputures my attention, but the last open source version seems to be three > years old - is it still in development or badly vulnerable? > Then I searched for tripwire in the woody packages and found integrit and > bsign - so which would you prefer and why? > Are there any interesting other projekt that worth looking for? Besides aide (which is nice, and has already been mentioned) there is also samhain (in unstable, should be easy to backport) which has some interesting features. Regards Javi signature.asc Description: Digital signature
Re: Tripwire (clone) which would you prefer?
Also see this page for a useful comparison between AIDE and tripwire: http://www.fbunet.de/aide.shtml Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
Re: Tripwire (clone) which would you prefer?
> I did a survey of intergity checkers. I didn't find bsign then, but I'd vote against bsign - it modifies original binaries, thus rendering debian md5 sums useless. ( It would be great if one could get packages with bsign-signed binaries, signed by DDs or release team ). I prefer integrit it's very convienient - and convenience comes with a price - in default mode of operation it updates your md5sums, so you can run it and get incremental notifies about what changes in your system. That might not be want you want. -- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
RE: Tripwire (clone) which would you prefer?
Hello, Actually Im using Integrit with Coda. I store the binary and the database on a read only coda mount (you can't mount it rw unless you know the coda password), and its really fast and reliable. So my vote is Integrit, btw you should check all of them and then make a decision for you needs. Best regards, Domonkos Czinke -Original Message- From: Jan Lühr [mailto:[EMAIL PROTECTED] Sent: Monday, February 23, 2004 10:42 AM To: debian-security@lists.debian.org Subject: Tripwire (clone) which would you prefer? Greetings, well, I looking for an open source intrusion detection. At first, tripwire caputures my attention, but the last open source version seems to be three years old - is it still in development or badly vulnerable? Then I searched for tripwire in the woody packages and found integrit and bsign - so which would you prefer and why? Are there any interesting other projekt that worth looking for? Keep smiling yanosz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Tripwire (clone) which would you prefer?
On Monday, 2004-02-23 at 10:42:05 +0100, Jan Lühr wrote: > well, I looking for an open source intrusion detection. At first, tripwire > caputures my attention, but the last open source version seems to be three > years old - is it still in development or badly vulnerable? > Then I searched for tripwire in the woody packages and found integrit and > bsign - so which would you prefer and why? > Are there any interesting other projekt that worth looking for? Stable != bad, ask the Debian project :-P I'm using a combination of Tripwire and AIDE. Before I decided on that, I did a survey of intergity checkers. I didn't find bsign then, but integrit. At that time 3.00.05 was most current. It did not offer a variety of hashes, only SHA1. It offered no database integrity like Tripwire does (and seemingly AIDE now, too). In general it was one of the better tools, but not as flexible and versatile as AIDE and Tripwire. HTH, Lupe Christoph -- | [EMAIL PROTECTED] | http://www.lupe-christoph.de/ | | "Violence is the resort of the violent" Lu Tze | | "Thief of Time", Terry Pratchett |
Re: Tripwire (clone) which would you prefer?
> samhain (in unstable, should be easy to backport) which has some > interesting features. And those interesting features should make you cautious before you deploy samhain in production environment. I find it rather intrusive. -- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: Tripwire (clone) which would you prefer?
I have used AIDE (Advanced Intrusion Detection Environment) both in production use and when I've been an instructor on unix security courses I've made the students learn to use it, because it's really simple and easy to use. Even though it's quite simple, I don't see it lacking anything important in qualities. TONI HEINONEN TELEWARE OY Tel. +358 40 836 1815 Itäkeskuksen Maamerkki 00930 Helsinki, Finland [EMAIL PROTECTED] * www.teleware.fi > -Original Message- > From: Jan Lühr [mailto:[EMAIL PROTECTED] > Sent: Monday, February 23, 2004 11:42 AM > To: debian-security@lists.debian.org > Subject: Tripwire (clone) which would you prefer? > > > Greetings, > > well, I looking for an open source intrusion detection. At > first, tripwire > caputures my attention, but the last open source version > seems to be three > years old - is it still in development or badly vulnerable? > Then I searched for tripwire in the woody packages and found > integrit and > bsign - so which would you prefer and why? > Are there any interesting other projekt that worth looking for? > > Keep smiling > yanosz > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > >
Tripwire (clone) which would you prefer?
Greetings, well, I looking for an open source intrusion detection. At first, tripwire caputures my attention, but the last open source version seems to be three years old - is it still in development or badly vulnerable? Then I searched for tripwire in the woody packages and found integrit and bsign - so which would you prefer and why? Are there any interesting other projekt that worth looking for? Keep smiling yanosz
Re: Tripwire (clone) which would you prefer?
On Mon, Feb 23, 2004 at 10:42:05AM +0100, Jan Lühr wrote: > Greetings, > > well, I looking for an open source intrusion detection. At first, tripwire > caputures my attention, but the last open source version seems to be three > years old - is it still in development or badly vulnerable? > Then I searched for tripwire in the woody packages and found integrit and > bsign - so which would you prefer and why? > Are there any interesting other projekt that worth looking for? Besides aide (which is nice, and has already been mentioned) there is also samhain (in unstable, should be easy to backport) which has some interesting features. Regards Javi signature.asc Description: Digital signature
Re: Tripwire (clone) which would you prefer?
Also see this page for a useful comparison between AIDE and tripwire: http://www.fbunet.de/aide.shtml Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Tripwire (clone) which would you prefer?
> I did a survey of intergity checkers. I didn't find bsign then, but I'd vote against bsign - it modifies original binaries, thus rendering debian md5 sums useless. ( It would be great if one could get packages with bsign-signed binaries, signed by DDs or release team ). I prefer integrit it's very convienient - and convenience comes with a price - in default mode of operation it updates your md5sums, so you can run it and get incremental notifies about what changes in your system. That might not be want you want. -- Dariush Pietrzak, Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: Tripwire (clone) which would you prefer?
Hello, Actually Im using Integrit with Coda. I store the binary and the database on a read only coda mount (you can't mount it rw unless you know the coda password), and its really fast and reliable. So my vote is Integrit, btw you should check all of them and then make a decision for you needs. Best regards, Domonkos Czinke -Original Message- From: Jan Lühr [mailto:[EMAIL PROTECTED] Sent: Monday, February 23, 2004 10:42 AM To: [EMAIL PROTECTED] Subject: Tripwire (clone) which would you prefer? Greetings, well, I looking for an open source intrusion detection. At first, tripwire caputures my attention, but the last open source version seems to be three years old - is it still in development or badly vulnerable? Then I searched for tripwire in the woody packages and found integrit and bsign - so which would you prefer and why? Are there any interesting other projekt that worth looking for? Keep smiling yanosz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Tripwire (clone) which would you prefer?
On Monday, 2004-02-23 at 10:42:05 +0100, Jan Lühr wrote: > well, I looking for an open source intrusion detection. At first, tripwire > caputures my attention, but the last open source version seems to be three > years old - is it still in development or badly vulnerable? > Then I searched for tripwire in the woody packages and found integrit and > bsign - so which would you prefer and why? > Are there any interesting other projekt that worth looking for? Stable != bad, ask the Debian project :-P I'm using a combination of Tripwire and AIDE. Before I decided on that, I did a survey of intergity checkers. I didn't find bsign then, but integrit. At that time 3.00.05 was most current. It did not offer a variety of hashes, only SHA1. It offered no database integrity like Tripwire does (and seemingly AIDE now, too). In general it was one of the better tools, but not as flexible and versatile as AIDE and Tripwire. HTH, Lupe Christoph -- | [EMAIL PROTECTED] | http://www.lupe-christoph.de/ | | "Violence is the resort of the violent" Lu Tze | | "Thief of Time", Terry Pratchett | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: Tripwire (clone) which would you prefer?
I have used AIDE (Advanced Intrusion Detection Environment) both in production use and when I've been an instructor on unix security courses I've made the students learn to use it, because it's really simple and easy to use. Even though it's quite simple, I don't see it lacking anything important in qualities. TONI HEINONEN TELEWARE OY Tel. +358 40 836 1815 ItÃkeskuksen Maamerkki 00930 Helsinki, Finland [EMAIL PROTECTED] * www.teleware.fi > -Original Message- > From: Jan LÃhr [mailto:[EMAIL PROTECTED] > Sent: Monday, February 23, 2004 11:42 AM > To: [EMAIL PROTECTED] > Subject: Tripwire (clone) which would you prefer? > > > Greetings, > > well, I looking for an open source intrusion detection. At > first, tripwire > caputures my attention, but the last open source version > seems to be three > years old - is it still in development or badly vulnerable? > Then I searched for tripwire in the woody packages and found > integrit and > bsign - so which would you prefer and why? > Are there any interesting other projekt that worth looking for? > > Keep smiling > yanosz > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > > èPÔ ‘ ™¨¥¶‡^n&§±ç.®+rê®zËeŠËluæâjz+ƒ…«.n7œ¶‡îžË±Êâmäë¢æåx*'µ§-–+-™«-z¹b²Ûy¸šžŠà
Tripwire (clone) which would you prefer?
Greetings, well, I looking for an open source intrusion detection. At first, tripwire caputures my attention, but the last open source version seems to be three years old - is it still in development or badly vulnerable? Then I searched for tripwire in the woody packages and found integrit and bsign - so which would you prefer and why? Are there any interesting other projekt that worth looking for? Keep smiling yanosz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]