Host Intrusion Detection

The host intrusion detection directory contains software which provides integrity checks on information of various types. The failure of an integrity check is a useful indicator of possible system intrusion or tampering.

o AIDE
  AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire which uses a configuration file, a database and a number of message digest algorithms to carry out integrity checks on file contents, file attributes, etc.

o ifstatus
  ifstatus is a tool that will generate alerts about network interfaces that have been placed in promiscuous mode.

o Integrit
  Integrit is another alternative to Tripwire and AIDE that works by generating a database of cryptographic hashes of a "known-good" system for comparison at some later stage to determine whether an intruder has modified the files on the system in any way.

o Osiris
  Osiris is a file integrity verification system that can be used to monitor changes to a file system over time. Osiris consists of a pair of applications, osiris and scale. The first application, osiris, is used to collect specific data from the local filesystem and store that data in a database. The second application, scale, is then used to analyze and/or compare the differences between two databases.

o Sentinel
  Sentinel is a fast file/drive scanning utility similar to the Tripwire and Viper.pl utilities available. It uses a database similar to Tripwire, but uses a RIPEMD-160bit MAC checksumming algorithm (no patents) which is more secure than the patented MD5 128 bit checksum.

o sxid
  sxid tracks any changes in your s[ug]id files and folders. If there are any new ones, ones that aren't set any more, or ones that have changed bits or other modes, then it reports the changes. It also tracks s[ug]id files by md5 checksums. This helps detect if a root kit has been installed which would not show under normal name and permissions checking. Directories are tracked by inodes.

o TARA
  Tiger Analytical Research Assistant (TARA) is an upgrade to the TAMU 'tiger' program. tiger was a set of scripts that scan a Un*x system looking for security problems, in the same fashion as Dan Farmer's COPS.

o Tripwire
  Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc. The hard part is doing it the right way, balancing security, maintenance, and functionality.

(Note: This list of software and information available at Wiretapped is not exhaustive. Users are encouraged to browse and search the archive and read any "-README.txt" files that are available.)