Re: snort or tripwire, which is best?
From: Rod Smith (rodsmith_at_nessus.rodsbooks.com)
Date: Wed, 7 Sep 2005 15:39:09 -0000
In article <email@example.com>,
Proteus <firstname.lastname@example.org> writes:
> On Tue, 06 Sep 2005 23:32:49 +0000, Pierre Asselin wrote:
>> They don't do the same thing. snort listens to live packets on
>> your network interface while tripwire scans your filesystems.
> So snort will not log or notify me (as would tripwire) if a system file is
> altered by an intrusion?
Correct. Snort *might*, though, alert you to an intruder BEFORE the
intruder has a chance to alter that system file. Whether or not Snort does
this depends on how Snort is configured and how the intruder attempts to
For a home or small office system (which is what it sounds like yours is,
although you didn't say explicitly), your single best security step is to
put your computer(s) behind a NAT router. This device will block incoming
connection attempts unless you explicitly enable them. AFAIK, such access
attempts are the main source of compromise for Linux systems (as opposed
to the e-mail worms that run rampant in Windows-land). Snort and Tripwire
are certainly useful, but they're also a bit of a pain to set up and use,
and they're both monitoring tools -- they can't block accesses the way a
NAT router or even local firewall rules can do.
--
Rod Smith, email@example.com
http://www.rodsbooks.com
Author of books on Linux, FreeBSD, and networking