Trip wire intrusion detection systems

1. SRI RAMAKRISHNA ENGINEERING COLLEGE
(An Autonomous Institution, Affiliated to Anna University Coimbatore)
Vattamalaipalayam,Coimbatore - 22
DEPARTMENT OF INFORMATION TECHNOLOGY
PAPER PRESENTATION ON:
TRIPWIRE INTRUSION DETECTION
AND PREVENTION SYSTEM
Submitted By:
S.Mithila
A.Akalya

2.  SECURITY MEASURES INCLUDES:
• Prevention Techniques
• Detection Techniques
Tripwire Intrusion Detection System(IDS) is used for
detection of intrusion
 DEFINITION
 Tripwire IDS monitors and analyzes the internals of
computing system.
 According to polices following steps are taken:
▪ Detect unauthorized access
▪ Report changes through audit logs and e-mails

3.  OPEN SOURCE TRIPWIRE
▪ Monitors small number of servers
▪ Provides centralized control
 TRIPWIRE FOR SERVERS
▪ Detailed reporting
▪ Optimize centralization using Server Manager
 TRIPWIRE ENTERPRISE
▪ Audit configuration across Linux,UNIX,and Windows
servers.

4.  Creation of configuration file
 Generating dB at regular intervals
 Comparing newly created dB wid the old one
according to the policy
 Log files and e-mails reported according to
changes in data

5.  INITIALIZATION MODE
 INTEGRITY CHECKING/UPDATE MODE
 DATABASE UPDATE MODE
 INTERACTIVE DATABASE UPDATE MODE

6. 1. CONFIGURATION FILE
 tw.config-contains list of files and directories with
selection mask
2. DATABASE FILE
 Describes each file as
 Name of the file
 Inode attribute values
 Signature information

7.  Tripwire includes two types of files:
▪ Data file
▪ Configuration file
#Tripwire Binaries
(rulename = "Tripwire Binaries", severity = $(SIG_HI))
{
$(TWBIN)/siggen -> $(ReadOnly);
$(TWBIN)/tripwire -> $(ReadOnly);
$(TWBIN)/twadmin -> $(ReadOnly);
$(TWBIN)/twprint -> $(ReadOnly);
}

8.  Tripwire Data Files includes
 Configuration Files, Policy Files
 Keys, Reports, Databases
(rulename = "Tripwire Data Files", severity = $(SIG_HI))
{
$(TWDB) -> $(Dynamic) -i;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i;
$(TWBIN)/tw.cfg -> $(SEC_BIN) -i;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
$(TWREPORT) -> $(Dynamic) (recurse=0);
}

9. ===================================================
Report Summary:
===================================================
Host name: HOSTADMIN
Host IP address: 127.0.0.1
Host ID: 10c0d020
Policy file used: /opt/TSS/policy/tw.pol
Configuration file used: /opt/TSS/bin/tw.cfg
Database file used: /opt/TSS/db/somehost.twd
Detection of changes:2 files
2011-feb-14 4:05:09 (c: /java/class.java) change detected
2011-feb-14 4:05:09 (e:/entertainment) change detected
Denial of access:1 file
2011-feb-14 4:05:09 (d: /account details) service stopped

10.  PROS
 Portable
 Reliability of data
 Detection from 3rd party
 CONS
 Single user mode during dB installation
 Pre-existing files cannot be protected
 Prevention of unauthorized access is not possible
 Hacking of tripwire software itself in open network

11.  STAGE I-PREVENTION IN IDS
 New attack SIGATURES are downloaded to
prevent newly discovered attacks(worms,
viruses).
 Patches for vulnerabilities are downloaded and
applied for critical software and run regression
testing

12. STAGE II-PROTECTION TO TRIPWIRE
 Compressing and Encrypting the Tripwire
software into a password protected .exe file
 Renaming the tw.config file
STAGE III-PRE-EXISTING FILE PROTECTION
 Backup of files in portable devices
 Replacing back the files after installation of
Tripwire software

13. 3.5
3
2.5
2
1.5
1 DATA SECURITY
0.5 NETWORK SECURITY
0 PORTABILITY
RELIABILITY

14. questions
Thank you