Host-based IDS

[rapier57]

I'm doing some research on Tripwire, AIDE and some other approaches to host-based IDS (file status monitoring and such).

Free, open source stuff only, thanks.

I found some things on SourceForge, including Labrador (which seems to be just getting a leg up, so to speak).

I'm looking for any suggestions or direction others have taken or products used. Since we are budget challenged, we are looking for open source, freeware or whatever, and need cross-platform (that's why Labrador looked good). We have Linux, Unix (HP-UX), Solaris, and Windows servers.

Any suggestions or ideas are appreciated.

[rapier57]

I just have to bump this, sorry. I wanted to add Osiris to the mix:

http://www.hostintegrity.com/osiris/

Seems to be a pretty mature product.

Still looking for those who have implemented or use any of these tools to provide some feedback or comparisons. I know Tripwire is the standard, but we're looking for something that will work across the array of servers we have.

Thanks for the help.

[ric-o]

I've played around with Osiris in the past (about 1 yr ago) and we have recently started looking at it again. It is a pretty nice and simple product.

In my limited experience so far...

Pros
* Easy to install
* Does as it advertises
* Provides stock config templates which include monitoring Windows system and program files directories
* Can be configured to send email alerts when changes detected

Cons
* No GUI (some may consider this a positive). The only reason why I consider it a con is because if you dont have much time and need to get a snapshot of the status of the systems in a visual way forget it. Some folks were developing a GUI for it months ago...dont know status of those apps
* Reporting is limited
* No monitoring of Registry. This feature was on the _to be added_ list but dont know status.
* Scanning of system for changes impacts the performance (CPU) of the computer so be mindfull of that when determining how frequent to perform the scan.

[rapier57]

Hey, thanks ric-o!

I'm playing around with it now and I think the current version has some better features. It still uses the CLI.

A product comparison on Samhain Labs gives a pretty good rundown of various similar items. Two of them don't seem to be available any more. And, the comparison was about 1.5 years ago.

http://www.la-samhna.de/library/scanners.html

Thanks for bringing up the registry monitoring. This won't be a big deal for the Linux/Unix systems, but it will for the Windows servers. I'll see if the current version does any of that.

[ric-o]

Originally posted here by rapier57
Thanks for bringing up the registry monitoring. This won't be a big deal for the Linux/Unix systems, but it will for the Windows servers. I'll see if the current version does any of that.

Just checked their feature _wish list_ and Win Registry monitoring is listed so it's not in the code yet. Damn. NTFS ACL monitoring is on the wish list too...that would be cool.

Osiris v4.2.0 wish list in no particular order:

- hash passwords in auth.db
- add export DB to text option.
- add bitfield mask for modules to scan agent binary in status structure.
- open port monitoring module (done for xp and linux).
- ps like monitoring module.
- NTFS file stream support.
- NTFS ACL monitoring (SACL/DACL)
- windows registry monitoring code.
- macros for common windows files, e.g. ${PROGRAM_FILES} ${SYSTEM_ROOT}.
- allow for specification of trusted db update comments.
- zlib database files
- OSF1 port.
- fix daylight savings on scheduling.
- fix NoEntry rule so it can handle quotes.
- stream log messages to client.
- daily,weekly,monthly management console notices.
- stealth mode
- bind to specific network interface.