Security Basics mailing list archives

Re: Info HIDS


From: Don Voss <voss () albany edu>
Date: Fri, 09 Jul 2004 07:56:34 -0400

Carlos,

Just a lurker here .. but I think I can answer this one.

You have a misunderstanding of HIDS in this context. Host Intrusion detection system with tripwire.

Tripwire must be installed on the target host.
It should be installed and configured on a clean host, before it is exposed to jeopardy.

Quote:

"Tripwire is a file system integrity-checking program for UNIX operating systems. To use it, you first must build a configuration file that designates the directories and files that you want to verify and the attributes you want to have verified for each. You then run Tripwire (with the initialize option) to create a database of cryptographic checksums that correspond to the files and directories specified in the configuration file.

To protect the Tripwire program, configuration file, and initialized database against corruption, be sure to transfer them to a medium that can be designated as physically write-protected, such as a disk or CD-ROM. This read-only version then becomes the authoritative reference program, configuration, and data, which you can reliably use to test the integrity of directories and files on your system.

In addition to one or more cryptographic checksums representing the contents of each directory and file, the Tripwire database also contains information that allows you to verify:

* access permissions and file mode settings, including effective execution settings
* inode number in the file system
* number of links
* user ID of the owner
* group ID of the group of users to which access may be granted
* size of the item
* date and time the item was last accessed, the last modification made to the item, and the creation date and time associated with the item's inode

For any system, you want to verify the integrity of all critical operating system directories and files, plus any other directories and files that you consider sensitive or that have no reason to change under normal conditions. Pay particular attention to executable programs, daemons, scripts, and the libraries and configuration files associated with them. ..."

End Quote.

The above is shamelessly stolen from a CERT description/install guide for tripwire. I am sure it applies to you.

http://www.cert.org/security-improvement/implementations/i002.02.html

regards,

/don



Carlos H wrote:
Hello list,

recently I have been deploying a DMZ. I'm trying to install and configure an HIDS (tripwire) to get intrusion information about a Web Server (WebServer1).

Looking at Tripwire's manual I found that it is necessary (I'm not really sure!!!) that Tripwire runs on the same machine that is to be monitored. I mean, Tripwire must be installed on WebServer1. That is not good for me! The question is: Is there another way to configure Tripwire (or another HIDS) to detect intrusions on a remote host? Is it possible to install Tripwire on a different host from WebServer1?

Carlos H.
--

__________________________________________________________________
Donald W. Voss                                     voss () albany edu
Sr.Systems Analyst
GIS Geography Department AS218
The University at Albany
Albany, NY, USA 12222

OK, the joke is over, you can bring back the constitution now.
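A minimal illustration of the initialize-then-verify workflow the CERT text above describes, added here as example code (it is not Tripwire's own code or configuration syntax): it records a SHA-256 checksum plus the listed inode attributes for every file under a tree, then reports additions, removals and per-attribute changes. The function names and the attribute list are assumptions of this example; directories themselves are not tracked.

```python
import hashlib
from pathlib import Path

# Attributes recorded per file, mirroring the CERT list above (assumption:
# these names are ours, not Tripwire's own configuration syntax).
WATCHED_ATTRS = ("mode", "inode", "nlink", "uid", "gid", "size", "mtime", "ctime")


def file_record(path: Path) -> dict:
    """Return the checksum and the stat attributes of one file (symlinks are not followed)."""
    st = path.lstat()
    digest = hashlib.sha256()
    if path.is_file() and not path.is_symlink():
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": st.st_mode, "inode": st.st_ino, "nlink": st.st_nlink,
        "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
        "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
    }


def initialize(root: str) -> dict:
    """Build the baseline database (the 'initialize' step) for every file under root."""
    root_path = Path(root)
    return {str(p.relative_to(root_path)): file_record(p)
            for p in sorted(root_path.rglob("*")) if p.is_file() or p.is_symlink()}


def check(root: str, baseline: dict) -> dict:
    """Compare the live tree against the baseline; report added, removed and changed files."""
    current = initialize(root)
    changed = {}
    for name in baseline.keys() & current.keys():
        old, new = baseline[name], current[name]
        diffs = [k for k in ("sha256",) + WATCHED_ATTRS if old[k] != new[k]]
        if diffs:
            changed[name] = diffs  # which attributes differ, e.g. ['sha256', 'size', 'mtime']
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": changed,
    }
```

As the CERT text says, the baseline returned by initialize() is only trustworthy if it was built on a clean host and then stored on read-only media; a baseline taken after compromise simply enshrines the attacker's changes.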
