2. What is Tripwire?
Reliable intrusion detection system.
Tool that checks to see what changes
have been made in your system.
Pinpoints, notifies, determines the
nature, and provides information on
the changes on how to manage the
Mainly monitors the key attributes(like
binary signature, size and other
related data) of your files.
3. Changes are compared to the
established good baseline.
Security is compromised, if there is no
control over the various operations
Security not only means protecting
your system against various attacks
but also means taking quick and
decisive actions when your system is
5. First, a baseline database is created
storing the original attributes like
binary values in registry.
If the host computer is intruded, the
intruder changes these values to go
The TripWire software constantly
checks the systemlogs to check if any
unauthorized changes were made.
If so, then it reports to the user.
User can then undo those changes to
revert the system back to the original
6. Where is Tripwire Used
? Tripwire for Servers(TS) is software used by
Can be installed on any server that needs to be
monitored for any changes.
Typical servers include mail servers, web
servers, firewalls, transaction server,
It is used for network devices like routers,
switches, firewall, etc.
If any of these devices are tampered with, it
can lead to huge losses for the Organization
that supports the network.
7. Tripwire for Network Devices
Tripwire for network devices maintains a
log of all significant actions including
adding and deleting nodes, rules, tasks
and user accounts.
Automatic notification of changes to your
routers, switches and firewalls.
Automatic restoration of critical network
Heterogeneous support for today’s most
commonly used network devices.
8. User Authentication Levels
“Monitors” are allowed only to monitor
the application. They cannot make
changes to Tripwire for Network Devices
or to the devices that the software
“Users” can make changes to Tripwire
for Network Devices, such as add
routers, switches, groups, tasks etc. but
they cannot make changes to the
devices it monitors
“Power users” can make changes to the
software and to the devices it monitors.
“Administrator” can perform all actions,
plus delete violations and log messages
9. There are two types of Tripwire Manager
Active Tripwire Manager
Passive Tripwire Manager
This active Tripwire Manager gives a
user the ability to update the database,
schedule integrity checks, update and
distribute policy and configuration files
and view integrity reports.
The passive mode only allows to view
the status of the machines and integrity
10. How to install and use
Initialize the Tripwire database
Schedule Check using cron
Set up Email notifications
11. What is the benefit of
Increase security: - Immediately detects and
pinpoints unauthorized change.
Instill Accountability :- Tripwire identifies and
reports the sources of change.
Gain Visibility:- Tripwire software provides a
centralized view of changes across the
enterprise infrastructure and supports
multiple devices from multiple vendors
Ensure Availability:- Tripwire software
reduces troubleshooting time, enabling rapid
discovery and recovery. Enables the fastest
possible restoration back to a desired, good
Ineffective when applied to frequently
Higher learning curve to install, edit,
and maintain the software.
Tripwire for Servers(used as
Tripwire for Host Based Intrusion
Detection System(HIDS) and also for
Network Based Intrusion Detection
Tripwire for Network Devices like
Routers, Switches etc.
Gene H. Kim and Eugene H. Spafford, 1994.
Experiences with Tripwire: Using Integrity checkers for
Intrusion Detection, Purdue Technical Report CSD-TR-
93-071, Coast Laboratory, Department of Computer
Sciences, Purdue University.
Gene H. Kim and Eugene H. Spafford, 1994.Design and
Implementation of Tripwire: A file system integrity
checker, Purdue Technical Report CSD-TR-93-071,
Coast Laboratory, Department of Computer Sciences,