Friday, October 5, 2007

139#TRIPWIRE

ABSTRACT

Tripwire is an intrusion detection system. It is a software tool that checks what has changed on your system. The program monitors the key attributes of files that should not change, including the size, binary signature, expected change of size, and other important related data. Tripwire is an open source program created to monitor changes in a key subset of files identified by the user and to report on any changes in any of those files. When changes are detected, the system administrator can determine whether those changes occurred due to normal, permitted activity or whether they were caused by a break-in. If the former, the administrator can update the system baseline to the new files. If the latter, repair and recovery activity begins. Tripwire's principle is simple. The system administrator identifies key files and has Tripwire record checksums for those files. The administrator also sets up a cron job to scan those files at intervals (daily or more frequently), comparing them to the original checksums. Any changes, additions, or deletions are reported so that the proper action can be taken.
