This is a discussion on snort or tripwire, which is best? within the Linux Security forums, part of the System Security and Security Related category; For a relative novice using Mandriva linux, which would be better, snort or tripwire, for me to install and configure ...
On 06.09.2005, Proteus <proteus@uselessemail.net> wrote:
> For a relative novice using Mandriva linux, which would be better, snort
> or tripwire, for me to install and configure on my system? (Desktop PC
> used for browsing, news, email, home office, etc., NOT for Apache server,
> etc).

Neither. You don't need them.

--
Feel free to correct my English
Stanislaw Klekot

Proteus <proteus@uselessemail.net> wrote:
> For a relative novice using Mandriva linux, which would be better, snort
> or tripwire, for me to install and configure on my system? (Desktop PC
> used for browsing, news, email, home office, etc., NOT for Apache server,
> etc).

They don't do the same thing. snort listens to live packets on
your network interface while tripwire scans your filesystems.

--
pa at panix dot com

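To make the "tripwire scans your filesystems" half of that answer concrete, here is an added example (written for this page, not tripwire's or AIDE's own code or database format) of what a host-based integrity checker does: it records a baseline of content hashes and ownership/permission bits for every file under a directory, then compares a later scan against the baseline and reports what was added, removed or modified. The directory tree and the tampering in `demo()` are constructed in a temporary directory so the script runs offline.

```python
"""Added example (not from the thread): a minimal tripwire-style integrity
checker.  Baseline = hash + metadata per file; a later scan is diffed against it.
Everything under demo() is a constructed sample tree, not real system files."""
import hashlib
import json
import os
import stat
import tempfile


def _fingerprint(path):
    """SHA-256 of the content plus the metadata an intruder commonly disturbs.
    Timestamps are deliberately left out: an intruder can reset them, a content
    hash they cannot forge."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def build_baseline(root):
    """Walk `root` and fingerprint every regular file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def save_baseline(baseline, db_path):
    # The baseline must live where an intruder cannot rewrite it (read-only
    # media, a remote host); a writable local copy is the classic weak point
    # of host-based integrity checking.
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report which relative paths were added, removed or changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, rescan, diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "motd"), "w") as f:
            f.write("welcome\n")

        db = os.path.join(dbdir, "baseline.json")  # kept outside the scanned tree
        save_baseline(build_baseline(root), db)

        # Simulated tampering: one file changed, one added, one removed.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "tmp", ".hidden"), "w") as f:
            f.write("dropped file\n")
        os.remove(os.path.join(root, "motd"))

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report from `demo()` lists `etc/passwd` as modified, `tmp/.hidden` as added and `motd` as removed. Note that the check is only as trustworthy as the baseline: it has to be taken on a known-clean system and stored where the host itself cannot alter it, which is the part the thread's later replies describe as "a bit of a pain to set up".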
Stachu 'Dozzie' K. wrote:
> On 06.09.2005, Proteus <proteus@uselessemail.net> wrote:
>> For a relative novice using Mandriva linux, which would be better, snort
>> or tripwire, for me to install and configure on my system? (Desktop PC
>> used for browsing, news, email, home office, etc., NOT for Apache server,
>> etc).
>
> Neither. You don't need them.
>

Is that supposed to be in jest?

This is exactly the sort of system that needs a host based IDS (i.e.
tripwire/AIDE/L5...). If Stachu is asking the question then he probably
does not have a local server for files nor any backup system. If he gets
rootkitted, his only viable option is to reformat/restore.

C.

On 07.09.2005, Colin McKinnon <colin.deletethis@andthis.mms3.com> wrote:
> Stachu 'Dozzie' K. wrote:
>
>> On 06.09.2005, Proteus <proteus@uselessemail.net> wrote:
>>> For a relative novice using Mandriva linux, which would be better, snort
>>> or tripwire, for me to install and configure on my system? (Desktop PC
                                                               ^^^^^^^^^^
>>> used for browsing, news, email, home office, etc., NOT for Apache server,
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> etc).
>>
>> Neither. You don't need them.
>>
>
> Is that supposed to be in jest?
>
> This is exactly the sort of system that needs a host based IDS (i.e.
> tripwire/AIDE/L5...). If Stachu is asking the question then he probably
> does not have a local server for files nor any backup system. If he gets
> rootkitted, his only viable option is to reformat/restore.

Which word from the underscored part don't you understand? This won't be
any server, just desktop (probably home, since OP tries to compare two
programs doing different things).

And how would you like to make sure you don't have rootkits when you get
one? Removing manually? Or maybe restore from backup?

--
Feel free to correct my English
Stanislaw Klekot

On Tue, 06 Sep 2005 23:32:49 +0000, Pierre Asselin wrote:
...
> They don't do the same thing. snort listens to live packets on
> your network interface while tripwire scans your filesystems.

So snort will not log or notify me (as would tripwire) if a system file is
altered by an intrusion?

In article <pan.2005.09.07.14.30.31.31799@uselessemail.net>,
Proteus <proteus@uselessemail.net> writes:
>
> On Tue, 06 Sep 2005 23:32:49 +0000, Pierre Asselin wrote:
> ...
>> They don't do the same thing. snort listens to live packets on
>> your network interface while tripwire scans your filesystems.
>
> So snort will not log or notify me (as would tripwire) if a system file is
> altered by an intrusion?

Correct. Snort *might*, though, alert you to an intruder BEFORE the
intruder has a chance to alter that system file. Whether or not Snort does
this depends on how Snort is configured and how the intruder attempts to
break in.

For a home or small office system (which is what it sounds like yours is,
although you didn't say explicitly), your single best security step is to
put your computer(s) behind a NAT router. This device will block incoming
connection attempts unless you explicitly enable them. AFAIK, such access
attempts are the main source of compromise for Linux systems (as opposed
to the e-mail worms that run rampant in Windows-land). Snort and Tripwire
are certainly useful, but they're also a bit of a pain to set up and use,
and they're both monitoring tools -- they can't block accesses the way a
NAT router or even local firewall rules can do.

--
Rod Smith, rodsmith@rodsbooks.com
http://www.rodsbooks.com
Author of books on Linux, FreeBSD, and networking

On Wed, 07 Sep 2005 15:39:09 +0000, Rod Smith wrote:
...
> Correct. Snort *might*, though, alert you to an intruder BEFORE the
> intruder has a chance to alter that system file. Whether or not Snort does
> this depends on how Snort is configured and how the intruder attempts to
> break in.
>

I think I will skip then installing tripwire or snort (just returned Snort
book to Barnes and Noble)-- I figure I know just enough to install them and
likely harm my system somehow. I have enough to learn just learning
firewall, NAT router, nmap, nessus, etc.

> For a home or small office system (which is what it sounds like yours is,
> although you didn't say explicitly), your single best security step is to
> put your computer(s) behind a NAT router. This device will block incoming
> connection attempts unless you explicitly enable them. AFAIK, such access
> attempts are the main source of compromise for Linux systems (as opposed
> to the e-mail worms that run rampant in Windows-land). Snort and Tripwire
> are certainly useful, but they're also a bit of a pain to set up and use,
> and they're both monitoring tools -- they can't block accesses the way a
> NAT router or even local firewall rules can do.

I have a LinkSys Wireless-B router, plus Guarddog software firewall. I
also ran bastille to harden my system somewhat. I am not exactly sure what
a NAT router is-- is that something I should buy to replace my Linksys
router, and if so any recommended brand/models?

Proteus <proteus@uselessemail.net> wrote:
> I am not exactly sure what
> a NAT router is-- is that something I should buy to replace my Linksys
> router, and if so any recommended brand/models?

NAT == Network Address Translation. Ten to one that your Linksys router
is a NAT router. If it lets several computers share a single cable or
modem without paying for multiple IP addresses, it's a NAT router.

--
pa at panix dot com