Re: snort or tripwire, which is best?

From: Rod Smith (rodsmith_at_nessus.rodsbooks.com)
Date: 09/07/05


Date: Wed, 7 Sep 2005 15:39:09 -0000

In article <pan.2005.09.07.14.30.31.31799@uselessemail.net>,
        Proteus <proteus@uselessemail.net> writes:
>
> On Tue, 06 Sep 2005 23:32:49 +0000, Pierre Asselin wrote:
> ..
>> They don't do the same thing. snort listens to live packets on
>> your network interface while tripwire scans your filesystems.
>
> So snort will not log or notify me (as would tripwire) if a system file is
> altered by an intrusion?

Correct. Snort *might*, though, alert you to an intruder BEFORE the
intruder has a chance to alter that system file. Whether or not Snort does
this depends on how Snort is configured and how the intruder attempts to
break in.

For a home or small office system (which is what it sounds like yours is,
although you didn't say explicitly), your single best security step is to
put your computer(s) behind a NAT router. This device will block incoming
connection attempts unless you explicitly enable them. AFAIK, such access
attempts are the main source of compromise for Linux systems (as opposed
to the e-mail worms that run rampant in Windows-land). Snort and Tripwire
are certainly useful, but they're also a bit of a pain to set up and use,
and they're both monitoring tools -- they can't block accesses the way a
NAT router or even local firewall rules can do.

-- 
Rod Smith, rodsmith@rodsbooks.com
http://www.rodsbooks.com
Author of books on Linux, FreeBSD, and networking
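
Added example (not part of the original thread or of the Tripwire project): a minimal
file-integrity checker that does what the reply attributes to Tripwire, namely hashing
files on disk and reporting later changes, which is exactly the kind of alteration a
packet sniffer like Snort never sees. The directory layout and its "post-intrusion"
changes are constructed for the demo; the file names are stand-ins, not real system paths.

```python
"""Minimal Tripwire-style file-integrity checker (added example, not Tripwire's code)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Walk `root` and record a digest for every regular file, keyed by relative path."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            # Hash only regular files; a symlink could point outside the monitored tree.
            if full.is_symlink() or not full.is_file():
                continue
            baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the stored baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a fake config tree, alter it, and re-scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")

        baseline = build_baseline(root)  # this is what you would store offline

        # Simulated changes after the snapshot: one file edited, one added, one removed.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n# edited later\n")
        (root / "unexpected.conf").write_text("dropped in after the baseline\n")
        (root / "hosts").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In a real deployment the baseline has to be written somewhere an intruder cannot silently
rewrite (read-only media or another host), since a checker that trusts a database on the
same disk it is guarding can be fooled by updating both; that is also why this remains a
monitoring tool: it reports the change afterwards rather than preventing it.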