
Thread: FIDS - File System Integrity Checkers...

  1. #1
    Senior Member
    Join Date
    Nov 2002
    Posts
    382

    FIDS - File System Integrity Checkers...

    Folks, I'm looking for info about FIDS (File System-based IDS) in order to track file system changes (executables, libraries, shell scripts, ...) in order to "guarantee*" my file system integrity.
    As a good AO member I have performed a quick search on google and I found the following list of tools:
    - AIDE (Advanced Intrusion Detection Environment)
    - chkrootkit
    - Dragon Squire
    - FCheck
    - integrit
    - samhain
    - ....

    I intentionally didn't include Tripwire because it's commercial. Did I mention that I'm looking for an open source tool for Linux?

    I'm sure some AOs have experienced such tools; could you give personal feedback?
    You'll make my day!

    Thanks

    *Some will say that we can't guarantee anything, since some attackers could compromise the host and change log files, but ....
    SHARING KNOWLEDGE

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    115
    I used most of the tools you mentioned above, but Tripwire is what I use right now, and no, they have an open source version of Tripwire. Check www.tripwire.org (I had to edit this, since when I typed in tripwire.org without the www it sent me somewhere else, damn DNS!). You should be able to find previous RPMs/tarballs for this.

    -w0rm3y

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Try http://sourceforge.net/projects/tripwire/ <-- official sourceforge and kept up to date.

    Other than the ones you've mentioned, I don't know of any others. I've used Tripwire before and my students use it in their Advanced class to muck around with. (Although I'm hearing rumblings from some of problems with Slack 9 and SourceForge Trip)..
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  4. #4
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Thanks folks. Good to know
    Tripwire is available in open source!

    I never used it, but with a quick look at it, it seems a bit painful to use:
    - Tell me if I'm wrong, but it seems that the config requires specifying, file by file, what needs to be checked. Can't we do something like "any executable, library, ..."?
    And what type of check does it perform, a checksum or file size?

    Maybe the best is to give a try....
    SHARING KNOWLEDGE

  5. #5
    Junior Member
    Join Date
    May 2003
    Posts
    9
    Tripwire is the most popular now, but AIDE is supposed to be better. You should know that if you are hacked, any hacker will just modify or delete the database once they get root. To prevent that you can put it on a write-protected floppy if it will fit... or a CD. I'd use a FIDS and chkrootkit. After it is installed you run it to create the database of hashes, and then after that you can run it periodically so it will create the hashes again and compare them to the hashes in the database. If any hashes are changed, then it will alert you. How to install and use it is in the manual, install, or readme files. After reading those it shouldn't be so complicated.
    Being a scriptkiddy is hazardous to your health.
    It causes your body to be thrown into jail.

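    The two-phase procedure described in the post above (build a baseline of hashes, re-walk the tree later and compare), and the configuration question from post #4 (select files by rule rather than one by one, and compare more than just a checksum), as an added example in Python. This is illustrative code written for this thread, not code from AIDE or Tripwire; the rule syntax (a regex over the path plus the attributes to record) is a hypothetical stand-in for those tools' own configuration languages. The sample file tree built by `demo()` is constructed for the example.

```python
"""Minimal file-integrity checker in the AIDE/Tripwire style (added example)."""
import hashlib
import hmac
import json
import os
import re
import shutil
import stat
import tempfile

# Hypothetical rule table: (regex over the path relative to the monitored
# root, attributes to record). First matching rule wins; unmatched paths are
# not monitored at all.
DEFAULT_RULES = [
    (r"^(bin|sbin|lib)/", ("sha256", "size", "mode", "uid", "gid", "mtime")),
    (r"^etc/", ("sha256", "size", "mode", "uid", "gid")),
    (r"^var/log/", ("mode", "uid", "gid")),  # logs are expected to grow
]


def sha256_file(path, bufsize=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.hexdigest()


def rule_for(relpath, rules):
    for pattern, attrs in rules:
        if re.search(pattern, relpath):
            return attrs
    return None


def file_record(path, attrs):
    """Record only the attributes the matching rule asks for."""
    st = os.lstat(path)
    full = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}
    if "sha256" in attrs and stat.S_ISREG(st.st_mode):
        full["sha256"] = sha256_file(path)
    return {k: full[k] for k in attrs if k in full}


def snapshot(root, rules=DEFAULT_RULES):
    """Phase 1 (init) and the first half of phase 2 (check): walk the tree."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            attrs = rule_for(rel, rules)
            if attrs:
                db[rel] = file_record(path, attrs)
    return db


def compare(baseline, current):
    """Second half of phase 2: report added, removed and changed files."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diff = [a for a in baseline[rel]
                    if baseline[rel][a] != current[rel].get(a)]
            if diff:
                report["changed"][rel] = diff
    return report


def seal_baseline(db, key):
    """Serialize the baseline and tag it with an HMAC. Because root can edit
    the database, the key must live off-host (read-only media or another
    machine) for the tag to mean anything."""
    blob = json.dumps(db, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_baseline(blob, tag, key):
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def open_baseline(blob, tag, key):
    if not verify_baseline(blob, tag, key):
        raise ValueError("baseline database failed integrity check")
    return json.loads(blob)


def demo():
    """Constructed sample tree: baseline it, tamper with it, return the report."""
    root = tempfile.mkdtemp()

    def put(rel, data, mode=0o644):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)

    try:
        put("bin/ls", b"ELF...ls", 0o755)
        put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        put("var/log/auth.log", b"line1\n")
        put("home/user/notes.txt", b"not covered by any rule")
        key = b"example-key-kept-off-host"  # assumption: stored off the host
        blob, tag = seal_baseline(snapshot(root), key)

        put("bin/ls", b"ELF...trojan", 0o755)        # replaced binary
        put("var/log/auth.log", b"line1\nline2\n")    # growth, not a finding
        put("bin/backdoor", b"ELF...", 0o755)         # new file
        os.remove(os.path.join(root, "etc/passwd"))   # removed file
        return compare(open_baseline(blob, tag, key), snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    Two things worth noticing when you run it: the log file that grew is not reported, because its rule deliberately omits the hash and size, and the replaced binary shows up both by hash and by size, which is why real tools record several attributes per file rather than a checksum alone.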
  6. #6
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    I ran into a tut for Tripwire somewhere. Sorry I can't think of it now, but I will post it for all to see when I find it. It's not my tut, but why reinvent the wheel if it's in a good format. I will find it and post it with the source so that you will have something else additional as a resource.
    Opinions are like holes - everybody's got 'em.

  7. #7
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Ok, I remembered where I saw the article/introduction to Tripwire for Linux. The link is below:

    http://www.security-forums.com/forum...light=tripwire
    Opinions are like holes - everybody's got 'em.

  8. #8
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Cheers T2K2,
    I thought Tripwire was also a NIDS.

    Thanks all for sharing
    SHARING KNOWLEDGE

  9. #9
    Senior Member
    Join Date
    Aug 2002
    Posts
    508

    Re: FIDS - File System Integrity Checkers...

    Originally posted here by Networker
    Folks, I'm looking for info about FIDS (File System-based IDS) in order to track file system changes (executables, libraries, shell scripts, ...) in order to "guarantee*" my file system integrity.
    As a good AO member I have performed a quick search on google and I found the following list of tools:
    - AIDE (Advanced Intrusion Detection Environment)
    - chkrootkit
    -

    I am using AIDE (installed from ports on FreeBSD) http://www.cs.tut.fi/~rammer/aide/manual.html and chkrootkit http://www.chkrootkit.org/ on my BSD laptop; especially chkrootkit is really cool.. (tip: always check out their manual.. it's very helpful.. the manual is my best friend).


    Cheers

    Annya

  10. #10
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Hey folks, another question about AIDE and Tripwire.
    Is there a feature that provides alarms to a remote manager, such as SNMP traps?
    SHARING KNOWLEDGE
