Fitsum ristu lakew tripwire for intrusion detection

Post on 18-Dec-2014






How Tripwire software is effective to automate the process of

verifying file system integrity on a machine.


INFA – 630

Prof. Jeff Clark

November 21, 2010






Main Body:

Functional Applicability


Installing Tripwire

Activating Tripwire




How Tripwire software is effective to automate the process of verifying file

system integrity on a machine.


Security in computer systems is vital in protecting the integrity of stored

information. The file system provides a mechanism that can be used for storage

purposes. This mechanism can also be used to access data and programs in a

computer system. Information residing on a file system is valuable and should be

monitored for unauthorized and unexpected changes to protect the system

against intrusion. In a network platform, monitoring these changes becomes quite

a daunting task. Tripwire is a tool that aids UNIX system administrators to check

for any changes that are made on a selective set of files, directories, and

databases (Northcutt & Novack, 2002). It notifies the system administrator

whenever files have been altered or corrupted. This enables the system
administrator to take action in a timely manner. This paper will describe the

intrusion detection mechanism provided by Tripwire. It will also outline the design

and implementation of Tripwire. It will explore the advantages of using Tripwire to

automate the process of verifying file system integrity on a machine. It will also

explore the software’s limitations. This paper will prove Tripwire’s effectiveness in

detecting altered or corrupted files.



Tripwire refers to software that confirms the integrity of a system. It is a

utility that compares the properties of specific files and directories against data

that has been stored in an archive. Tripwire creates software that allows users to

edit and configure a system’s overall security. Bejtlich (2005) argues that Tripwire

is a tool that can be used to detect corrupted files. Tripwire can also serve as an

archive for files and folders that have been disorganized. Tripwire is a tool that

informs the user about changes in the system (Northcutt & Novack, 2002).

Reports from the software are usually sent in an XML or HTML format

(Northcutt & Novack, 2002). This enables a user to access the data from a web


Tripwire took 12 months to develop. Open Source Tripwire was the original version of the software, built from code designed by Tripwire Incorporated (Bejtlich, 2005). It was initially free. Police officers and private security firms use it. It is still used to alert people about file changes that occur in a wide variety of systems. Private organizations can also use Tripwire, for example to keep track of privately owned servers. It can update the user through a daily e-mail.


Functional Applicability

Tripwire can be used as a host-based intrusion detection system; it is not tied to the network. It notifies the user about changes that occur in file system objects (Bejtlich, 2005).

Tripwire lets the user know whether the server has been compromised. It employs an e-mail alert system, which is activated once the software detects a problem. Tripwire detects specific anomalies in the system and allows the user to determine the specific files that may have been compromised (Northcutt & Novack, 2002). Administrators will know which actions to take once Tripwire alerts them about changes in the system. Servers that have been corrupted can therefore be removed from the network.

“The single most important time efficiency issue with Tripwire is the lack of a

report history mechanism, which would drastically reduce the number of reports.

For instance, a dozen systems being checked three times per day can result in

over 1000 reports per month, any one of which could contain the critical

information the tool is supposed to detect. Even the most careful tuning cannot

prevent this; for instance, the installation or modification of a large software

package may suddenly result in a large report that will continue until the

administrator has time to do a database update.” (Arnold, 2001)


Tripwire allows users to monitor the progress of their servers. It can be

used to detect the installation of unauthorized software (Bejtlich, 2005). Trost

(2009) asserts that Tripwire can also verify a system’s compliance with regard to

the user’s security policy. The software can operate as an archive. Tripwire’s

archive can be compared with other systems for the sake of compatibility.

Northcutt & Novack (2002) state that Tripwire can be used to recover lost files

and folders. It can also be used to assess the damage that may have been

caused within a given server. Tripwire provides the user with options that are

based on the changes that have been detected within a given system. The

information retrieved from Tripwire’s damage report can be used to prepare the

user for similar problems in the future.

Once Tripwire has been activated, it scans all the files within a given

database. Tripwire employs cryptographic hashes in order to detect anomalies in

a file. These hashes are used to filter components of the file that may not be


A user can access particular files and folders by adjusting the tripwire

configuration. Tripwire can be tweaked to target particular files in the system’s

database. This process operates like a filter. A user can customize the scanning

process in order to save time and resources.
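The two preceding paragraphs describe the core of Tripwire's method: hash every monitored file into a baseline database, then re-hash and compare, with a policy that filters which paths are scanned. The following script is an added illustration of that workflow and is not Tripwire's own code; it assumes a POSIX shell with find, sort and awk, and sha256sum (GNU coreutils) or shasum (BSD/macOS). Exclude globs stand in for a Tripwire policy file, and the check reports additions, removals and content modifications separately, returning a non-zero status when anything changed so that a scheduled run can alert on failure.

```shell
#!/bin/sh
# Added example, not Tripwire's code: a minimal file-integrity baseline built
# on cryptographic hashes, following Tripwire's database-then-compare workflow.
set -u

# Pick an available SHA-256 tool (assumption: one of the two is installed).
hash_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
  else echo "shasum -a 256"; fi
}

# fim_snapshot ROOT [EXCLUDE_GLOB...]
# Print "hash  path" for every regular file under ROOT, skipping any path that
# matches an exclude glob. This is the filtering step the text describes, with
# shell globs standing in for a Tripwire policy file.
fim_snapshot() {
  root=$1; shift
  find "$root" -type f | sort | while IFS= read -r f; do
    skip=0
    for pat in "$@"; do
      case "$f" in $pat) skip=1; break;; esac
    done
    [ "$skip" -eq 1 ] && continue
    $(hash_cmd) "$f"
  done
}

# fim_check BASELINE ROOT [EXCLUDE_GLOB...]
# Take a fresh snapshot and compare it with the stored baseline. Prints one
# line per change (ADDED / REMOVED / MODIFIED) and returns 1 if anything
# changed, 0 if the file system matches the baseline.
fim_check() {
  baseline=$1; root=$2; shift 2
  current=$(mktemp)
  fim_snapshot "$root" "$@" > "$current"
  rc=0
  # awk joins the two snapshots on path. The baseline is identified by
  # FILENAME rather than NR==FNR so an empty baseline is handled correctly
  # (every current file is then reported as ADDED).
  awk '
    function path(line,  p) { p = line; sub(/^[^ ]+ [ *]?/, "", p); return p }
    FILENAME == ARGV[1] { old[path($0)] = $1; next }
    { p = path($0); seen[p] = 1
      if (!(p in old))       { print "ADDED    " p; rc = 1 }
      else if (old[p] != $1) { print "MODIFIED " p; rc = 1 } }
    END { for (p in old) if (!(p in seen)) { print "REMOVED  " p; rc = 1 }
          exit rc }
  ' "$baseline" "$current" || rc=1
  rm -f "$current"
  return $rc
}
```

Usage: `fim_snapshot /usr "/usr/local/*" > baseline.db` once, then `fim_check baseline.db /usr "/usr/local/*"` from cron. The baseline should be written to read-only media, as the paper recommends for the binary itself, since an attacker who can rewrite the baseline can hide any modification.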

Tripwire can be used on specific servers. It can be applied to an entire

network. It can also run as a centralized system (Trost, 2009). It can also be


used to test the integrity of Windows VFAT file systems such as FAT32 and FAT16

(Bejtlich, 2005).

Tripwire is not restricted to a particular format. It is portable and dynamic. It

runs on several UNIX variations. Its programs can therefore be shared among

different systems. Tripwire’s database files are easy to read. This is because

they are encoded using a standard ASCII format (Trost, 2009). The ASCII format

enables files to be read on different platforms.

Tripwire is a form of self-sufficient software. A user can run Tripwire

program without the use of outside programs (Bejtlich, 2005). This enables

administrators to secure the privacy of their customers.

Host-based intrusions can be detected by monitoring changes within the

file system (Trost, 2009). Tripwire is therefore the best software a user can

employ to detect anomalies within a given system. Administrators can also use

the software to take note of unauthorized modifications within a given network

(Bejtlich, 2005).

Hackers are hardly ever detected. Tripwire can be used to alert

administrators whenever the system’s security is compromised. Myers (2000)

states the following:

Intrusion Detection involves detecting unauthorized access and

destructive activity on your computer system. Intrusion Detection is a clear

requirement for all e-commerce merchants. According to the annual study


released March 22, 2000 by the Computer Security Institute and the FBI,

90% of the survey respondents detected a computer security breach

within the last twelve months. The study showed that the most serious

financial losses were caused by activities that concern e-commerce

merchants directly: theft of proprietary information (e.g., stealing customer

credit card numbers), and financial fraud (e.g., setting up a bogus


For e-commerce merchants, the focus of Intrusion Detection is on the

web servers, and their associated database management systems. E-

commerce requires that the web servers communicate quickly and

accurately with large databases of product and customer information. To

optimize performance, these critical databases are, in most cases, placed

on the same network segment as the web server, or even on the web

server machine itself. For malicious hackers, this is a tempting prize. For

hard-core cyber criminals, these databases are pay dirt. They will break in

to the web server, gain administrator-level access, locate the database,

and then go to work on breaking into the database and downloading

customer information.

This does happen. As a matter of fact, it happens more often than most of

us will ever know, because the merchants who suffer break-ins often do

not report them, or they report them to law enforcement agencies who do

not publicize information while cases are under investigation. According to


an Associated Press report released March 24, 2000, "Two 18-year-old

boys were arrested in Wales, United Kingdom, on charges of breaking into

electronic commerce Internet sites in five countries and stealing

information on 26,000 credit card accounts, the FBI said today." Such

reports cause me to wonder how many such exploits are not being caught.

And one can only marvel at the use of the term "boys". Why is an 18

year-old who commits armed robbery a "man", and one who violates the

financial integrity of 26,000 innocents a "boy". The young men who

probably spent many months planning and executing this crime are not

seen as real criminals, just misguided youth. This seems to be a naive


Setting up the most secure website possible is the social, and potentially

legal responsibility of every e-commerce merchant who either solicits,

processes, or stores confidential customer information. Further, and

perhaps more convincing, a secure website is also a business

imperative. There is no quicker way to lose customer confidence than to

lose their credit card information (Myers, 2000).


Tripwire reports are long. They are therefore tedious to analyze. Reading

reports from Tripwire can be a cumbersome process. It is a time-consuming

endeavor. Trost (2009) argues that Tripwire is outdated software. Its coding


system is archaic. A server can function effectively without Tripwire. An antivirus

is generally more effective. The user has the option to restore or delete corrupted

files using an antivirus.

Tripwire forces the user to deal with changes that may occur on a frequent

basis. For example, if a file is altered after an auditing session, the Tripwire

software will alert the user. This forces the administrator to deal with trivial
changes to the system. Minor changes can therefore go unnoticed. Arnold (2001)

states the following:

Tripwire is much like the fabled elephant and the blind men: how you feel

about it depends on the perspective from which you approach it. A person

who has successfully used Tripwire to detect cracked binaries and/or

system misconfigurations will have nothing but praise for it. On the other

hand, someone who has been "stuck in the trenches" reading through

endless reports in an attempt to find problems, will think that it's a labor-

intensive waste of time. Minimizing the labor required dictates that reports

be as brief, and as infrequent, as they possibly can be made. Using

Tripwire on a day-to-day basis can be an uncreative and essentially boring

activity. On the other hand, if one can reduce the torrent of data that

Tripwire provides, and makes it simpler to use than it is "out of the box",

then using it can become bearable (if not necessarily palatable.)

Fortunately, it is possible to reduce the time and effort required to


administer Tripwire, as the next section of this discussion will illustrate

(Arnold, 2001).

The Tripwire database has to be updated on a regular basis (Trost, 2009).

Changes made to a system’s files prompt the user to update the software.

Tripwire restricts users to a strict policy. There are terms and conditions that

must be followed in order to use Tripwire effectively.

Tripwire does not remove malicious files, and it does not get rid of viruses. The user is forced to resolve such problems on the system without the use of Tripwire.

According to Bejtlich (2005), Tripwire is fallible. Computer hackers can still

access private files under the right circumstances. Tripwire does not serve the

user as an antivirus. Trost (2009) argues that Tripwire is not a firewall. It only
complements other security solutions. It cannot be used to restore a computer’s

operating system (Bejtlich, 2005).

Tripwire auditing must be done on a regular basis. It is a time-consuming

process. The user is forced to do the work manually. File system auditing consumes system resources that are then unavailable to the user while a check runs. The system therefore functions at a slower pace.

Tripwire installation is restricted to ‘fresh’ systems. Installing Tripwire on a

network is a long and cumbersome process.


Only one user can install Tripwire. This makes the installation process

difficult. Tripwire also forces the administrator to format the system before

installation. Corrupted files can be ignored after Tripwire is installed.

Administrators are therefore forced to install the software twice.

Installing Tripwire

Installing Tripwire is a simple process. There are many ways to install

Tripwire. An administrator can use his distribution’s package manager to

download and install the software (Bejtlich, 2005). An administrator can also

access the software through the Open Source Tripwire Project online.

The installation process is mainly automatic. The user affirmatively clicks

on taskbars in order to authorize the procedure. Linux distributions sometimes

provide a utility that can be used to configure a given system (Bejtlich, 2005).

They provide the user with setup scripts that can be used to install the software.

Activating Tripwire

Tripwire is activated using its ‘check’ option. The process can be automated by scheduling an integrity check as a cron job entry. This ensures that the system is checked regularly. This process requires the user to edit the system’s crontab. Alternatively, the user can add an appropriate script to the cron directory (Bejtlich, 2005). The file should then be edited by adding a line that executes a Tripwire check.


Tripwire can also be activated if the software is run from another machine

on the same network. This keeps hackers at bay. Trost (2009) suggests that the crontab should contain the following line, with the target host name substituted:

0 2 * * * ssh -n -l root target-host /usr/sbin/tripwire --check

Most scholars advise users to make a copy of their Tripwire binary (Kohlenberg, Beale & Baker, 2007). The program can be run from that copy. For this procedure, the twcfg.txt file should be edited before the user signs in.

Kohlenberg, Beale & Baker (2007) advise users to make the following changes to

their /etc/twcfg.txt file:




Bejtlich (2005) suggests that this process is only applicable to CD-ROMs that mount at /mnt/cdrom.

Users should then sign the modified file and generate the Tripwire file. The

CD-R can be removed when the process is complete. Tripwire checks can then

be done by mounting the CD-R that contains the Tripwire binary (Northcutt &

Novack, 2002).


The executable binary should be stored in a non-writable storage device. This

is done to protect the code. The Tripwire database can be updated against the most recent report by issuing the following commands (as root; the variable must be expanded with a leading $ when it is passed to tripwire):

# LASTREPORT=`ls -1t /var/lib/tripwire/report/host-*.twr | head -1`
# tripwire --update --twrfile "$LASTREPORT"
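The report-selection step above parses the output of ls, which breaks when no report exists (the unexpanded glob is passed to tripwire) or when a filename contains unusual characters. The following shell functions are an added example, not from the paper or from Tripwire, that select the newest host-*.twr report without parsing ls and refuse to run the update when there is nothing to update. They assume the report directory and binary path used in the text (/var/lib/tripwire/report and /usr/sbin/tripwire).

```shell
#!/bin/sh
# Added example: safe selection of the newest Tripwire report for a database
# update. Assumes the paths named in the text; adjust DIR for other layouts.

# latest_report [DIR]
# Print the path of the newest host-*.twr file in DIR (default: the report
# directory from the text). Returns 1 and prints nothing on stdout when the
# directory holds no reports, so callers cannot accidentally pass a literal
# glob to tripwire --update.
latest_report() {
  dir=${1:-/var/lib/tripwire/report}
  newest=
  for f in "$dir"/host-*.twr; do
    [ -f "$f" ] || continue      # unmatched glob stays literal; skip it
    if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
      newest=$f
    fi
  done
  if [ -z "$newest" ]; then
    echo "latest_report: no host-*.twr reports in $dir" >&2
    return 1
  fi
  printf '%s\n' "$newest"
}

# update_from_latest [DIR]
# Run the interactive database update against the newest report, quoting the
# path so that spaces cannot split it into several arguments.
update_from_latest() {
  rep=$(latest_report "${1:-/var/lib/tripwire/report}") || return 1
  /usr/sbin/tripwire --update --twrfile "$rep"
}

# Scheduled check from another host, as in the crontab line quoted in the
# text (run on the monitoring host; target-host is a placeholder):
#   0 2 * * * ssh -n -l root target-host /usr/sbin/tripwire --check
```

Running the check from a second machine, as the text suggests, only helps if the binary, policy and database on the target are themselves on read-only media; otherwise an intruder with root on the target can alter all three before the remote check reads them.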

Tripwire creates an archive of the most commonly accessed files and

folders in a server (Northcutt & Novack, 2002). The user is therefore able to

compare these files to the ones on his or her hard drive. This process can be

used to identify files that may have been stolen or corrupted.

Tripwire is composed of an Open Source and a commercial version of the

software. It is made up of four major components (Trost, 2009). These include

the policy files, the database, the configuration files and the report files.

The configuration file houses regulations that govern the e-mail notification

system. It also houses the Tripwire files as well as the server’s miscellaneous

data. Tripwire allows the user to customize the software settings. The Tripwire

software can also be used to make notifications based on the user’s settings.

Scanning the system creates report files (Kohlenberg, Beale & Baker, 2007).

These reports inform the user about specific changes to the system.



Trost (2009) argues that despite its limitations, Tripwire is still an effective

tool that can be used to increase a system’s security. Tripwire is relatively

effective. Administrators should therefore employ the use of an antivirus. Tripwire

cannot get rid of corrupted files without the user’s consent. Kohlenberg, Beale &

Baker (2007) advise administrators to invest in several integrity-auditing tools for

their system. This will ensure that the system runs at optimum efficiency.



Arnold, E. R. (2001). The Trouble with Tripwire. Retrieved from:

Bejtlich, R. (2005). Extrusion Detection. Security Monitoring for Internal Intrusions, 47(1), 37-107.

Kohlenberg, T., Beale, J., & Baker, A. R. (2007). Snort IDS and IPS Toolkit with CDROM. Intrusion Detection, 10(1), 234-309.

Myers, M. (2000). Intrusion Detection Preliminaries. Sanitizing Your E-Commerce Web Servers. Retrieved from:

Northcutt, S., & Novack, J. (2002). Network Intrusion Detection. Protecting Your System, 27(3), 442-512.

Trost, R. (2009). Practical Intrusion. Analysis Prevention for the Twenty-First Century, 21(1), 230-457.