The following is a comparison of two major open-source host-based intrusion detection systems (HIDS): Open Source Tripwire and OSSEC. Both are capable HIDS options with distinct advantages and drawbacks that warrant further evaluation.
OSSEC
OSSEC is a free, open source HIDS. It runs on all major OS platforms: Linux, Windows (agent only), most Unix flavors, and Mac OS. Originally developed by Daniel Cid and made public in 2004, the project was acquired in 2008 by Third Brigade, which in turn was acquired by Trend Micro in 2009. As it stands today, Trend Micro continues to extend commercial support for OSSEC while simultaneously maintaining the open-source version.
Because of its breadth of capabilities and features, OSSEC is suitable as an enterprise HIDS tool, though it can also be deployed in standalone mode if desired, in addition to the standard server-agent setup. The server and agents communicate securely on UDP port 1514 via messages encrypted using the Blowfish algorithm and compressed using zlib. Check out the OSSEC features page for a full list of OSSEC features.
OSSEC consists of the following sub-components:
Main Application: the central manager for monitoring and receiving information from agents, syslog, databases and even agentless devices. It also stores the file integrity database and the log and event files. It must be installed on Linux, Solaris, BSD, or MacOS; no Windows support is available.
OSSEC Agent: small programs installed on the nodes to be monitored. In a server-agent setup it collects and sends real-time information to the OSSEC server about the state of the node on which it is installed. There is also a special Windows agent that runs only in server-agent mode.
Web Interface: the GUI for managing tasks and monitoring functions. Unfortunately, OSSEC's well-developed GUI does not work on Windows platforms.
OSSEC also has a sophisticated log analysis engine that can analyze logs from multiple devices in many different formats, such as FTP servers (ftpd, pure-ftpd), databases (PostgreSQL, MySQL), web servers (Apache, IIS, Zeus), mail servers (imapd, Postfix, Sendmail, Exchange, vpopmail), firewalls (iptables, Windows firewall, Cisco PIX, ASA) and even some competing NIDS solutions (Cisco IOS, Snort IDS) and Windows event logs.
Despite its perks, OSSEC has some notable drawbacks. Transitioning to newer versions of the platform can be difficult, as any previously defined rules are overwritten by default values upon upgrading. This means that existing rules must be exported and re-imported after the upgrade, with no telling what may happen while the system is temporarily using default rules. Miscoordination with pre-shared keys can also be problematic: OSSEC's client and server communicate via a Blowfish-encrypted channel, and occasionally key sharing is initiated prior to the creation of that channel, which can make for a frustrating experience.
Tripwire Open Source
Unlike OSSEC, Tripwire is available as both an open source offering and a full-fledged enterprise version. Since OSSEC is open-source, the comparison here will be to Tripwire's open-source version. Check out Tripwire Open Source vs. Tripwire Enterprise to learn more about the differences between the two.
A pioneer in host-based intrusion detection, Tripwire has its origins in a 1992 project by Purdue University graduate student Gene Kim and his professor Dr. Eugene Spafford. Indeed, many of Tripwire's early methods and features became de facto standards for IDS solutions at large.
Tripwire Open Source only runs on Linux and *nix systems; there is no Windows support, although (no surprise) it is available in the commercial enterprise version. The open source version of course has fewer features than enterprise, though it is happily not as bare-bones as typical freemium offerings. What the open source version lacks most are enterprise features such as the aforementioned multi-platform support, centralized management and reporting, a master-agent configuration mode, advanced automation features and professional corporate support, albeit this last option is available through parent company Tripwire Inc.
Tripwire Open Source agents monitor Linux systems to detect and report any unauthorized changes to files and directories. It first creates a baseline of all files in an encrypted file (encryption protects it from malware tampering), then monitors the files for changes, including permissions, internal file changes, and timestamp details. Cryptographic hashes are employed to detect changes in a file without storing its entire contents in the database. While useful for detecting intrusions after they have occurred, Tripwire Open Source can also serve many other purposes, such as integrity assurance, change management and policy compliance.
One of Tripwire Open Source's major shortcomings is that it does not generate real-time alerts upon intrusion detection; the details are only saved in a log file for later perusal. It also cannot detect any intrusions already in the system prior to installation. It is thus advisable to install Tripwire Open Source immediately after OS installation.
Summary
Both OSSEC and Tripwire are excellent open source HIDS tools. Both have unique strengths and weaknesses, though OSSEC boasts a richer feature set than Tripwire Open Source. That said, Tripwire Enterprise is available, at a cost, if additional enterprise bells and whistles are needed. The table below is a summarized comparison of the two.
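As an added illustration (not Tripwire's own code), a minimal Python file-integrity check modelled on the baseline-then-compare approach described above: it records a content hash plus permission bits, size and mtime for each file, then reports added, removed and changed files, including a permission-only change that a hash by itself would miss. The function names (`snapshot`, `compare`, `demo`), the sample directory tree and the simulated changes are constructed for this example, which assumes a POSIX host.

```python
import hashlib, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Baseline every regular file under root: content hash plus the
    metadata a Tripwire-style check watches (permissions, size, mtime)."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[str(path.relative_to(root))] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline

def compare(baseline, current):
    """Diff two snapshots: added/removed paths and, per changed path, the
    attributes that differ (a hash alone would miss a chmod-only change)."""
    report = {"added": [], "removed": [], "changed": {}}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            diff = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
            if diff:
                report["changed"][name] = diff
    return report

def demo():
    """Constructed scenario: baseline a temporary tree, alter it, re-check.
    Whatever exists at the first snapshot() is trusted, hence the advice to
    take the baseline right after OS installation."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "etc").mkdir()
        (r / "bin").mkdir()
        (r / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (r / "etc" / "motd").write_text("welcome\n")
        (r / "bin" / "tool").write_bytes(b"\x7fELF placeholder")
        (r / "bin" / "tool").chmod(0o755)
        baseline = snapshot(root)
        # After the baseline: content edit, chmod only, deletion, new file.
        (r / "etc" / "motd").write_text("welcome\nextra line appended\n")
        (r / "bin" / "tool").chmod(0o700)
        (r / "etc" / "hosts").unlink()
        (r / "etc" / "newfile").write_text("created later\n")
        return compare(baseline, snapshot(root))
```

A real deployment would also have to protect the stored baseline itself (Tripwire keeps it signed/encrypted for that reason) and re-baseline deliberately after legitimate changes, otherwise every patch shows up as a finding.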
OSSEC
Pros: Can be used in both serverless and server-agent mode; offers almost all features in the open source version; open source version supported on all major OS platforms
Cons: Upgrade process overwrites existing rules with out-of-the-box rules; pre-sharing keys can be problematic; Windows supported in server-agent mode only
Tripwire Open Source
Pros: Excellent for small, decentralized Linux setups; good integration with Linux and *nix
Cons: Only runs on Linux/*nix; requires at least intermediate Linux administration proficiency, as no corporate support is available; some useful advanced features not available in the open-source version; no real-time alerts