
Posted on 27-Jun-2015


DESCRIPTION

Tripwire intrusion detection systems

TRANSCRIPT

TRIPWIRE INTRUSION DETECTION AND PREVENTION SYSTEM

SRI RAMAKRISHNA ENGINEERING COLLEGE (An Autonomous Institution, Affiliated to Anna University Coimbatore)

Vattamalaipalayam, Coimbatore - 22

DEPARTMENT OF INFORMATION TECHNOLOGY

PAPER PRESENTATION ON:

Submitted By: S. Mithila, A. Akalya

INTRODUCTION TO TRIPWIRE

SECURITY MEASURES INCLUDE:
• Prevention techniques
• Detection techniques

The Tripwire Intrusion Detection System (IDS) is used to detect intrusions.

DEFINITION

Tripwire IDS monitors and analyzes the internals of a computing system. According to the policies, the following steps are taken:
▪ Detect unauthorized access
▪ Report changes through audit logs and e-mails

TYPES OF TRIPWIRE

OPEN SOURCE TRIPWIRE
▪ Monitors a small number of servers
▪ Provides centralized control

TRIPWIRE FOR SERVERS
▪ Detailed reporting
▪ Optimizes centralization using Server Manager

TRIPWIRE ENTERPRISE
▪ Audits configuration across Linux, UNIX and Windows servers.

DESIGN AND IMPLEMENTATION

1. Creation of the configuration file

2. Generating the database (dB) at regular intervals

3. Comparing the newly created dB with the old one according to the policy

4. Log files and e-mails are reported according to the changes in data
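The four steps above (policy, database generation, comparison, reporting) as an added Python example; this is not Tripwire's own code. The READ_ONLY/DYNAMIC masks and the path-prefix policy are simplified assumptions modelled on Tripwire's property masks, and the sample file tree is constructed in a temporary directory.

```python
import hashlib, os, stat, tempfile
# Hypothetical property masks, loosely modelled on Tripwire's $(ReadOnly) and
# $(Dynamic): the attributes a rule tolerates changing without a violation.
READ_ONLY = ()
DYNAMIC = ("size", "mtime", "sha256")

def snapshot(root):
    """Database generation: one record per file under root, keyed by relative path."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root).replace(os.sep, "/")] = {
                "inode": st.st_ino, "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}
    return db

def compare(baseline, current, policy):
    """Integrity check -> (added, removed, changed); policy: path prefix -> mask, longest prefix wins."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        rule = max((p for p in policy if path.startswith(p)), key=len, default=None)
        ignored = policy[rule] if rule is not None else READ_ONLY
        diffs = [k for k, v in baseline[path].items()
                 if k not in ignored and current[path][k] != v]
        if diffs:
            changed[path] = diffs
    return added, removed, changed

def demo():
    # Constructed sample tree: take a baseline, tamper with it, rescan, compare.
    root = tempfile.mkdtemp()
    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(data)
    write("bin/tripwire", "binary v1")
    write("etc/tw.cfg", "ROOT=/opt/TSS")
    write("log/app.log", "line 1\n")
    baseline = snapshot(root)                        # initialization mode
    write("bin/tripwire", "binary v1 (tampered)")    # violation: read-only binary
    write("log/app.log", "line 1\nline 2\n")         # tolerated: dynamic log growth
    os.remove(os.path.join(root, "etc/tw.cfg"))      # violation: file removed
    write("etc/evil.cfg", "x")                       # violation: file added
    return compare(baseline, snapshot(root), {"log/": DYNAMIC})
```

The returned triple is what a report stage would turn into the log lines and e-mails described in the last step.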

OPERATIONAL MODES OF TRIPWIRE

INITIALIZATION MODE

INTEGRITY CHECKING/UPDATE MODE

DATABASE UPDATE MODE

INTERACTIVE DATABASE UPDATE MODE

TRIPWIRE INPUT

1. CONFIGURATION FILE (tw.config): contains the list of files and directories, each with a selection mask

2. DATABASE FILE: describes each file by its name, inode attribute values and signature information

TRIPWIRE ALGORITHM-I

Tripwire includes two types of files:
▪ Data file
▪ Configuration file

# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen   -> $(ReadOnly);
  $(TWBIN)/tripwire -> $(ReadOnly);
  $(TWBIN)/twadmin  -> $(ReadOnly);
  $(TWBIN)/twprint  -> $(ReadOnly);
}

TRIPWIRE ALGORITHM-II

Tripwire data files include configuration files, policy files, keys, reports and databases.

# Tripwire Data Files
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
  $(TWDB)                        -> $(Dynamic) -i;
  $(TWPOL)/tw.pol                -> $(SEC_BIN) -i;
  $(TWBIN)/tw.cfg                -> $(SEC_BIN) -i;
  $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN);
  $(TWSKEY)/site.key             -> $(SEC_BIN);
  $(TWREPORT)                    -> $(Dynamic) (recurse=0);
}

REPORT GENERATION

===================================================
Report Summary:
===================================================
Host name:               HOSTADMIN
Host IP address:         127.0.0.1
Host ID:                 10c0d020
Policy file used:        /opt/TSS/policy/tw.pol
Configuration file used: /opt/TSS/bin/tw.cfg
Database file used:      /opt/TSS/db/somehost.twd

Detection of changes: 2 files
2011-feb-14 4:05:09 (c: /java/class.java) change detected
2011-feb-14 4:05:09 (e:/entertainment) change detected

Denial of access: 1 file
2011-feb-14 4:05:09 (d: /account details) service stopped

PROS AND CONS

PROS
▪ Portable
▪ Reliability of data
▪ Detection from 3rd party

CONS
▪ Single-user mode during dB installation
▪ Pre-existing files cannot be protected
▪ Prevention of unauthorized access is not possible
▪ Hacking of the Tripwire software itself in an open network

OUR IMPLEMENTATION

STAGE I-PREVENTION IN IDS

New attack SIGNATURES are downloaded to prevent newly discovered attacks (worms, viruses).

Patches for vulnerabilities are downloaded and applied to critical software, and regression testing is run.


STAGE II-PROTECTION OF TRIPWIRE

Compressing and encrypting the Tripwire software into a password-protected .exe file

Renaming the tw.config file

STAGE III-PRE-EXISTING FILE PROTECTION

Backup of files on portable devices

Replacing the files after installation of the Tripwire software

PERFORMANCE VS SECURITY

[Chart: Before Tripwire, After Tripwire and Our Implementation rated on Data Security, Network Security, Portability and Reliability (scale 0 to 3.5)]

Questions

Thank you
