Tripwire
Tripwire is an integrity management tool that was originally created by
Professor Eugene Spafford and Gene Kim in 1992 at Purdue University,
though the project is no longer supported there. In 1997, Gene Kim
cofounded Tripwire Inc. (www.tripwire.com) to develop the product
commercially, and the company continues to be a leading player in commercial
change-auditing software for the enterprise, monitoring changes and feeding
reports through enterprise management systems. However, the Open Source
Tripwire project at Sourceforge (http://sourceforge.net/projects/tripwire/) is
based on code contributed by Tripwire Inc. in 2000 and is released under the
GNU General Public License (GPL), so there is a clear line of succession from
the original academic source release (ASR). See www.cerias.purdue.edu/
about/history/coast/projects/ for more on the origins of Tripwire at
Computer Operations Audit and Security Technology (COAST).
The original product has been described as an integrity-monitoring tool,
using message digest algorithms to detect changes in files. This is under the
assumption that such changes are likely to be due to unauthorized access by an
intruder or to malicious software. Although it was originally intended for UNIX
systems and is widely used on Linux systems, Mac OS X, and so forth, it has
been ported commercially to other platforms, notably Windows. Open Source
Tripwire, however, is available only for POSIX-compliant platforms and has a
more restricted range of signing options, for example. The commercial
product range is nearer to an integrated integrity management system.
Tripwire is also sometimes claimed to be an intrusion detection system. In
a general sense, it is, though the tripwire detection concept is strictly reactive.
It can tell you that there’s been a change that might be due to malicious
action, but only once the change has been made.
The idea is to create a secure database (ideally kept on read-only media)
of file "signatures." In the midst of discussion about attack signatures, this use
of the term signature might be confusing. It doesn't refer here to attack signa-
tures, the usual use of the term in intrusion detection. Instead, it refers to a set
of encoded file and directory attribute information, loosely called a digital
signature (it is not a signature in the public-key sense). The information is
captured as a "snapshot" when the system is in a presumed clean state; the
"signature" for each file is a checksum of its contents, either a CRC or,
preferably, a cryptographic hash such as MD5 or SHA-1, stored alongside
inode attributes such as size, permissions, owner, and modification time. A
CRC detects accidental corruption, but an attacker who knows the algorithm
can pad a modified file so that it yields the same value, so it is the
cryptographic digests that matter for intrusion detection. Later runs take a
fresh snapshot and report every file that was added, removed, or changed
relative to the baseline.
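As an added example, not Tripwire's own code, the following Python script implements the snapshot-and-compare idea just described: it records inode attributes plus a SHA-256 content digest for every path under a root, saves that baseline as JSON (returning a digest of the baseline itself, which the operator records out of band in place of read-only media), and later reports added, removed and changed paths. The directory tree, file contents and tampering scenario in demo() are constructed for the demonstration; one edit keeps the file's size and restores its mtime so that only the content digest reveals it.

```python
"""Minimal Tripwire-style integrity checker (added example, not Tripwire code)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

CHUNK = 65536


def file_digest(path: Path) -> str:
    """SHA-256 of a regular file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_entry(path: Path) -> dict:
    """The 'signature' for one path: inode attributes plus a content digest."""
    st = path.lstat()
    entry = {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        entry["sha256"] = file_digest(path)
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def build_database(root: Path) -> dict:
    """Walk root and record a signature for every file, directory and symlink."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            db[p.relative_to(root).as_posix()] = snapshot_entry(p)
    return db


def save_database(db: dict, dest: Path) -> str:
    """Write the baseline as JSON; return its SHA-256 for out-of-band recording."""
    data = json.dumps(db, sort_keys=True, indent=1).encode()
    dest.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_database(src: Path, expected_sha256: str) -> dict:
    """Refuse to trust a baseline whose recorded digest no longer matches."""
    data = src.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("baseline database has been modified")
    return json.loads(data)


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed paths; each change lists (old, new)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diffs = {k: (old.get(k), new.get(k))
                 for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "cron.d").mkdir(parents=True)
        passwd = root / "passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "cron.d" / "job").write_text("0 * * * * root /usr/bin/true\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        baseline = build_database(root)
        db_path = Path(tmp) / "tripwire.db"
        db_sha = save_database(baseline, db_path)

        # Same-size edit with mtime restored: only the digest gives it away.
        st = passwd.stat()
        passwd.write_text("root:x:0:0:root:/root:/bin/dash\n")
        os.utime(passwd, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "ld.so.preload").write_text("/tmp/.x/evil.so\n")  # added file
        (root / "hosts").unlink()                                 # removed file

        current = build_database(root)
        return compare(load_database(db_path, db_sha), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it prints one added path, one removed path, and the passwd entry with only its sha256 attribute differing, which is the case a timestamp- or size-only check would miss. A real deployment would also need to protect the checker binary and the baseline's digest from the same attacker, which is why the text recommends read-only media.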