# anti hacker tools like tripwire

## Ozymandias

Hi there,

I run a gentoo server, but would like to have something like tripwire and a log reporter. What should I use?

greetz Ozy

----------

## delta407

Why not use tripwire?

----------

## Nitro

Try running snort + ACID.  Snort is an IDS (intrustion detection system) and ACID shows the snort logs in a readable form.  :Smile: 

Snort: http://www.snort.org/

ACID: http://acidlab.sourceforge.net/

It isn't just an install and be done.  You have to read the results, and edit the rules.  If I say '/bin/bash' (whoops I just said it huh?) snort will log that it is a WEB-MISC bash expoit.  Oh well, if someone hammers the heck outta your server you will see that too.  :Smile: 

----------

## Ozymandias

I looked into snort a while ago, it looks a bit extensive for my use, but maybe I'll give it a try.

greetz ozy

----------

## elcesar

 *Ozymandias wrote:*   

> Hi there,
> 
> I run a gentoo server, but would like to have something like tripwire and a log reporter. What should I use?
> 
> greetz Ozy

 

As a log reporter y suggest you to use "metalog" replacing your old syslog. It's regular expresion search through the log files will do what you want.

----------

## Xor

[quote="delta407"]Why not use tripwire?[/quote]

seems tripwire is finally gpl  :Smile: ... anyway... aide is also quite good  :Smile: 

----------

## Chris W

For a not-quite-GPL option you could also look at PureSecure from Demarc.

It requires registration to download and is free (beer) for home use.  Makes use of MySql, Apache, perl and snort, and produces pretty WWW pages from them.

----------

## argent

Well, on the subject of IDS's....

There are two kinds, Network IDS (or NIDS) like snort, etc. And there are Host IDS (or HIDS) like Tripwire.

NIDS are good for logging hack attempts against your network, like syn-attacks, or Code Red attacks. But they won't tell you if your host has been compromised.

HIDS are good to tell if any files have been modified on your system, which *could* tell you if your system may have been hacked. But they won't tell you if anyone's trying to get in.

So, you need to figure out what you want to watch for, and choose accordingly.

argent

----------

