Host Intrusion Detection


        The host intrusion detection directory contains software which provides
        integrity checks on information of various types. The failure of an
        integrity check is a useful indicator of possible system intrusion or
        tampering.

          o AIDE
            AIDE (Advanced Intrusion Detection Environment) is a free
            replacement for Tripwire which uses a configuration file, a
            database and a number of message digest algorithms to carry out
            integrity checks on file contents, file attributes etc.
            

          o ifstatus
            ifstatus is a tool that will generate alerts about network
            interfaces that have been placed in promiscuous mode.
            

          o Integrit
            Integrit is another alternative to tripwire and aide that works by
            generating a database of cryptographic hashes of a "known-good"
            system for comparison at some later stage to determine whether an
            intruder has modified the files on the system in any way.
            

          o Osiris
            Osiris is a file integrity verification system that can be used to
            monitor changes to a file system over time. Osiris consists of a
            pair of applications, osiris and scale. The first application,
            osiris, is used to collect specific data from the local filesystem
            and store that data into a database. The second application, scale,
            is then used to analyze, and/or compare the differences between two
            databases.
            

          o Sentinel
            Sentinel is a fast file/drive scanning utility similar to the
            Tripwire and Viper.pl utilities available. It uses a database
            similar to Tripwire, but uses a RIPEMD-160bit MAC checksumming
            algorithm (no patents) which is more secure than the patented MD5
            128 bit checksum.
            

          o sxid
            sxid tracks any changes in your s[ug]id files and folders. If there
            are any new ones, ones that aren't set any more, or they have
            changed bits or other modes then it reports the changes. It also
            tracks s[ug]id files by md5 checksums. This helps detect if a root
            kit has been installed which would not show under normal name and
            permissions checking. Directories are tracked by inodes.
            

          o TARA
            Tiger Analytical Research Assistant (TARA) is an upgrade to the
            TAMU 'tiger' program. tiger was a set of scripts that scan a Un*x
            system looking for security problems, in the same fashion as Dan
            Farmer's COPS.
            

          o Tripwire
            Tripwire is a tool that checks to see what has changed on your
            system. The program monitors key attributes of files that should
            not change, including binary signature, size, expected change of
            size, etc. The hard part is doing it the right way, balancing
            security, maintanence, and functionality.
            

        

        (Note: This list of software and information available at Wiretapped is
        not exhaustive. Users are encouraged to browse and search the archive
        and read any available "-README.txt" files that are available.)