c

Introduction

Tripwire is a reliable intrusion detection system. It is a software tool that checks

to see what has changed in your system. It mainly monitors the key attribute of
your files , by key attribute we mean the binary signature, size and other related
data. Tripwire has a powerful feature which pinpoints the changes that has taken
place, notifies the administrator of these changes, determines the nature of the
changes and provide you with information you need for deciding how to
manage the change.

Tripwire Integrity management solutions monitor changes to vital system and

configuration files. Any changes that occur are compared to a snapshot of the
established good baseline. The software detects the changes, notifies the staff
and enables rapid recovery and remedy for changes.
If you can identify the key subsets of these files and monitor them on a daily
basis, then we will be able to detect whether any intrusion took place. Tripwir e
is an open source program created to monitor the changes in a key subset of
files identified by the user and report on any changes in any of those files. When
changes made are detected, the system administrator is informed.
Tripwire¶s principle is very simple, the system administrator identifies key files
and causes tripwire to record checksum for those files. Any changes, addition or
deletion, are reported to the administrator. The administrator will be able to
determine whether the changes were permitt ed or unauthorized changes. If it
was the earlier case the n the database will be updated so that in future the same
violation would not be repeated. In the latter case then proper recovery action
would be taken immediately.
îcope

. Increase security
Tripwire software immediately detects and pinpoints unauthorized change -
whether malicious or accidental, initiated externally or internally. Tripwire
provides the only way to know, with certainty, that systems remains
uncompromised.

2. Instill Accountability
Tripwire identifies and reports the sources of change, enabling IT to manage by
fact. It also captures an audit trail of changes to servers and network devices.

3. Gain Visibility
Tripwire software provides a centralized view of changes across the e nterprise
infrastructure and support multiple devices from multiple vendors.

4. Ensure Availability
Tripwire software reduces troubleshooting time.

TripWire

.Reliable intrusion detection system.

2.Tool that checks to see what changes have been made in your system.
Pinpoints, notifies, determines the nature, and provides information on the
changes on how to manage the change.

3.Mainly monitors the key attributes(like binary signature, size and other
related data) of your files.

4.Changes are compared to the established good baseline.

 5.Security is compromised, if there is no control over the various operations
taking place.

6.Security not only means protecting your system against various atta cks but
also means taking quick and decisive actions when your system is attacked.

7.Elements of tripwire
A tripwire database
A policy file

Working of TripWire

.First, a baseline database is created storing the original attributes like binary
values in registry.

2. If the host computer is intruded, the intruder changes these values to go

undetected.

3.The TripWire software constantly checks the system logs to check if any
unauthorized changes were made.

4.If so, then it reports to the user.

5.User can then undo those changes to revert the system back to the original
state.
Where is TripWire used?

. Tripwire for Servers(TS) is software used by servers.

2.Can be installed on any server that needs to be monitored for any changes.

3.Typical servers include mail servers, web servers, firewalls, transaction

server, development server.

4.It is also used for Host Based Intrusion Detection System(HIDS) and also for
Network Intrusion Detection System(NIDS).

5.It is used for network devices like routers, switches, firewall, etc.
If any of these devices are tampered with, it can lead to huge losses for the
Organization that supports the network.

TripWire For Network Devices

‡ Tripwire for network devices maintains a log of all significant actions

including adding and deleting nodes, rules, tasks and user accounts.

‡ Automatic notification of changes to your routers, switches and firewalls.

‡ Automatic restoration of critical network devices.

‡ Heterogeneous support for today¶s most commonly used network devices.

Ñser authentication levels

.c  Monitors´ are allowed only to monitor the application. They cannot
make changes to Tripwire for Network Devices or to the devices that the
software monitors.

J c . Users´ can make changes to Tripwire for Network Devices, such as add
routers, switches. Groups, tasks, etc., but they cannot make changes to the
devices it monitors.

3 c  Powerusers´ can make changes to the software and to the devices it

monitors.

4 c  Administrator´ can perform all actions, plus delete violations and log
messages as well as add, delete, or modify user accounts

Tripwire for servers

For the tripwire for server¶s software to work two important things should be
present ±the policy file and the database.

The Tripwire for server¶s software conducts subsequent file checks

automatically comparing the state of system with the baseline database.

Any inconsistencies are reported to the Tripwire manger and to the host system
log file.

Reports can also be emailed to an administr ator.

Improper Change Detection

Detects improper change, including additions to, deletions from and

modifications of file systems. It also determines what changed and where and
when the change was made. In addition, it helps support change management
processes, audits and data forensics by identifying the source of improper
change through correlating event logs to Tripwire integrity reports.
Identifies Source of Improper Change by correlating event logs to Tripwire
integrity reports, helping support change management processes, audits and data
forensics.

½asy Management of Change Monitoring Policies

Simplifies and eases management of change monitoring policies with an

intuitive interface that allows rapid set -up and "noise" reduction from non-
critical alerts. It also lets users easily add, delete, or modify policies.

Improper Change Alerts

Alerts to improper change when and where needed with alerts sent in multiple
ways±email, syslog, SNMP traps, XML and HTML output to the Tripwire
Manager console±to ensure IT receives them.

Appropriate Detail Level of Information

Provides just the right level of information with high -level views that provide
management with a picture of overall health and drill down to details that help
technical staff remediate issues.

Automated Rollback

Supports automated rollback by triggering custom command line scripts that

automatically restore files to the last known good state. Support for command
line scripts can also extend reporting and notification capabilities.

Broad Platform îupport

Offers broad platform support, monitoring machines ±even virtual machines±

running Windows, Linux, Solaris, HP-UX, and AIX. And when used with
Tripwire Manager, Tripwire for Servers provides a single point of control to
manage change to servers and desktops across the enterprise.
Types Of Tripwire Manager

There are two types of Tripwire Manager

.Active Tripwire Manager

2.Passive Tripwire Manager

.This active Tripwire Manager gives a user the ability to update the database,
schedule integrity checks, update and distribute policy and configuration files
and view integrity reports.

2.The passive mode only allows to view the status of the machines and
integrity reports.

How do you install and use TripWire

. Install Tripwire and customize the policy file.

2.Initialize the Tripwire database.
3.Run a Tripwire integrity check.
4.Examine the Tripwire report file.
5.Take appropriate security measures.
6.Update the Tripwire database file.
7.Update the Tripwire policy file.
Benefits of TripWire

.Increase security
Immediately detects and pinpoints unauthorized change.

2.Instill Accountability
Tripwire identifies and reports the sources of chan ge.

3. Gain Visibility
Tripwire software provides a centralized view of changes across the enterprise
infrastructure and supports multiple devices from multiple vendors.

4.Ensure Availability
Tripwire software reduces troubleshooting time, enabling ra pid discovery and
recovery. Enables the fastest possible restoration back to a desired, good state.

What are the chances of TripWire

.The main attractive feature of this system is that the software generates a
report about which file has been violated, when the file has been violated and
also what information in the files have been changed.

2. If properly used it also helps to detect who made the changes.

3. Proper implementation of the system must be done with a full time manager
and crisis management department.
îystem Requirements For TripWire

À


Versions

Ãc Windows Server 2003 (SP, SP2) & R2 (32-bit and 64-bit)

Ãc Windows Server 2008 (SP) & Server Core (32-bit and 64-bit)
Ãc Windows Server 2008 R2 (64-bit)

Hardware

Ãc 3.0 GHz x86 processor

Ãc 4GB RAM
Ãc 2 SATA or SCSI hard drives
Ãc 3.2GB free disk space
Ãc 4GB data storage space
Ãc 256 color display



 

Versions

Ãc Red Hat Enterprise Linux 5.2, 5.3, 5.4, 5.5, 6.0 (x86 and x64)
Ãc SUSE Linux Enterprise Server 0.2, . (x86 & x64)

Hardware

Ãc 3.0 GHz x86 processor or compatible

Ãc 2GB RAM, 4GB for 64-bit
Ãc 2 SATA or SCSI hard drives
Ãc 3.2GB free disk space
Ãc 4GB data storage space
Ãc 256 color display


c

 

Versions

Ãc Solaris 0 Global & Non-Global Zone (SPARC)

Hardware

Ãc â00 MHz UltraSPARC III processor

Ãc 2GB RAM
Ãc 2 SATA or SCSI hard drives
Ãc 3.2GB free disk space
Ãc 4GB data storage space
Ãc X-Windows capable display
Ãc 256 color display

TripWire Backend îupported Databases

c

Ãc 
c
 c c  c
Ãc
c
cc
c c
Ãc [
cccc

TripWire îupported Web Browsers

Versions

Ãc Internet ½ plorer 7 latest

Ãc Internet ½ plorer 8 latest
Ãc Firefo 3 latest

Limitations of TripWire

. History Mechanism
The single most important time efficiency issue with Tripwire is the lack of a
report history mechanism, which would drastically reduce the number of
reports.

2. Report Formats
Although the commercial Tripwire product has five repor t formats, none of
them offers a maximally-abbreviated single-line format that provides violation
type, filename, and changed attribute keys in a single line.

3. Lack of Regular Expressions

The Tripwire policy file allows complete exclusion or lower security policies on
directory trees.

4. E-Mail Report Minimization

Tripwire now allows e-mail reporting to go to different addresses for different
portions of a machine's file systems.

5. Ease of Maintenance
Tripwire database and policy file maintenance are made easier if the Tripwire
admin does not have to remember argument switches and long filenames.

Conclusion

Although having some limitations ;Tripwire is a reliable intrusion detection

system. It is a software that can be installed in any type of system where
damaged files are to be detected. The main attractive feature of this system is
that the software generates a report about which file have been vi olated, when
the file have been violated and also what in the files have been changed. To
some extend it also helps to detect who made the changes. New versions of
Tripwire is under research and development. The latest version under research
is the Tripwire for Open Source.