Download presentation
Presentation is loading. Please wait.
Published byMagdalene McDowell Modified over 8 years ago
1
IDS And Tripwire Rayhan Mir COSC 356
2
What is IDS IDS - Intrusion detection system Primary function – To monitor network or host resources to detect intrusions and attacks Expands available options to manage risk from threats and vulnerabilities
3
Types of IDS Network-based (NIDS) Monitors network traffic Most commonly used Host-based (HIDS) Monitors activity on host machine Primarily used for critical servers Ensures the integrity of critical system files and directories
4
What is Tripwire Host-based IDS Software that identifies changes made to specified files and directories Detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity
5
Why use Tripwire Intrusion detection Damage assessment Track system changes Speed recovery from a break-in by reducing the number of files you must restore to repair the system.
6
Monitors Unix File System Permissions Inode number Number of links (i.e. inode reference count) User ID of owner Group ID of owner File type File size File is expected to grow Device number of the disk on which the inode is stored Device number of the device to which the inode points. Number of blocks allocated Access timestamp Modification timestamp Inode creation / modification timestamp CRC-32 hash of the data MD5 hash of the data SHA hash of the data HAVAL hash of the data
7
Monitors Windows NT/2000 File System Archive flag Read only flag Hidden flag Offline flag Temporary flag System flag Directory flag Last access time Last write time Create time File size MS-DOS 8.3 name NTFS Compressed flag Registry Maximum length of data for any value in the key Security descriptor control Size of security descriptor Last write time Registry type: key or value Type of value data Length of value data CRC-32 hash of the value data MD5 hash of the value data SHA hash of the value data HAVAL hash of the value data Type of value data
8
How does Tripwire work Protects Itself with El Gamal 1024-bit asymmetric cryptography Message-digest algorithms used to insure data integrity MD5 Haval SHA/SHS CRC 32 Authentication and Encryption Between Manager and Server All data transmission uses SSL (Secure Socket Layer) 168 Triple DES Encryption
9
How does Tripwire work Generates a baseline by taking a snapshot of specified files and directories Then compares files and directories against the baseline database And reports any modifications, additions, or deletions.
10
How does Tripwire work Tripwire files are signed or encrypted using site and local keys These protect the configuration, policy, database, and report files from being viewed or altered except by users who know the site and/or local passphrases. This means that, even if an intruder can obtain root access to your system, they will not be able to alter the Tripwire files to hide their tracks unless they also know the passphrases.
11
How does Tripwire work
12
Using tripwire Update the Tripwire policy file — If you need to change the list of files Tripwire monitors or how it treats integrity violations, you should update your sample policy file Build a database of critical system files to monitor based on the contents of the new, signed Tripwire policy file Run a Tripwire integrity check — Compare the newly-created Tripwire database with the actual system files, looking for missing or altered files. Examine the Tripwire report file — View the Tripwire report file using twprint to note integrity violations.
13
Policy File Contains comments, rules, directives, and variables to check your system Each rule in the policy file specifies the files and directories you wish to monitor Encrypted to prevent unauthorized modifications
14
Why change the policy file? to actually change the files Tripwire records in its database modify the severity in which violations are reported Changes are made to a text policy file (twpol.txt) which is then is encrypted and becomes active (tw.pol)
15
Using tripwire for windows Update the Tripwire policy file — Change twpol.txt then load new policy twadmin --create-polfile "C:\Program Files\Tripwire\TFS\Policy\twpol.txt "
16
Initialize and Check database The database file is a baseline snapshot of the system in a known secure state. Tripwire compares this baseline against the current system to determine what changes have occurred. This comparison is called an integrity check.
17
Using tripwire for windows Build a database of critical system files to monitor - tripwire-- init --verbose Messages are printed when specific objects are not found
18
Using tripwire for windows Run a Tripwire integrity check — tripwire –check Examine the Tripwire report
19
Using tripwire for windows Examine the report Identify any threats and take action
20
Summary Tripwire used for Intrusion detection Damage assessment Identifies changes, regardless of source or intent Expands options to manage risk from threats and vulnerabilities
21
How Does Tripwire Work? SSL Tripwire Manager Email Syslog SNMP 1. Take digital snapshot of existing files 2. Take a second digital snapshot later in time to compare 3. Any integrity violations are reported in various formats
22
Other programs Intact www.pedestalsoftware.com/www.pedestalsoftware.com/ Veracity www.rocksoft.com/veracity/www.rocksoft.com/veracity/ Data Sentinel www.ionx.co.uk/www.ionx.co.uk/ Microsoft SFC - system file checker
23
Sources www.windowsecurity.com/ www.tripwire.com(.org) Text Book
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.