AIDE (Advanced Intrusion Detection Environment)
Platforms: Solaris 2.5.1, 2.6, 7; Linux 2.2.x, 2.0.x; FreeBSD 2.2.8, 3.4; Unixware 7.0.1; BSDi 4.1; OpenBSD 2.6; AIX 4.2; TRU64 4.0x
URL: http://www.cs.tut.fi/~rammer/aide.html

AIDE builds a database of file attributes for the paths selected by the regular expression rules in its config file. Once that database has been initialized it serves as the baseline against which the integrity of the files is verified. Several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) are available for checking file contents, and more can be added with relative ease; note that collisions can now be constructed for both md5 and sha1, so a stronger digest should be chosen where the choice exists. All of the usual file attributes (permissions, owner, group, size, timestamps and so on) can also be checked for inconsistencies. It can read databases written by older or newer versions.

License: Freeware
Information Updated: 26 Sep 2000

chkrootkit
Platforms: Linux 2.0.x, 2.2.x; FreeBSD 2.2.x, 3.x and 4.0; Solaris 2.5.1
Author: Nelson Murilo
URL: http://www.chkrootkit.org

chkrootkit is a tool to locally check for signs of a rootkit. Because it runs on the host being examined and relies on local commands, it is best run from known-good binaries (its -p option points it at an alternative directory of trusted commands, such as a mounted read-only medium).
[talisker] I used to list all the files it checked as well as all the rootkits it detected. Nelson has grown this product into a huge project with too many features to list; please check out the website!

License: Freeware
Information Updated: 01 Dec 03

FCheck
Platforms: AIX; BSD and variants; HP/UX; Linux; SCO; Solaris; SunOS; Windows 95/98/NT; Windows 3.x
URL: http://www.geocities.com/fcheck2000/fcheck.html

FCheck is an open source Perl script that provides intrusion detection and policy enforcement for Windows 95/98/NT/3.x and Unix servers by comparing snapshots of the system taken at different times. When any monitored file or directory is altered, including additions and deletions, FCheck can report the differences through your event management system, a printer, and/or email.

License: Freeware
Information Updated: 27 Jul 2001

integrit
Platforms: *nix
URL: http://integrit.sourceforge.net/

integrit is an alternative to file integrity verification programs like tripwire and aide. It helps you determine whether an intruder has modified a computer system.

Without a system like integrit, a sysadmin cannot know whether the tools used to investigate a potential break-in are themselves trojan horses. For example, if the machine has a "/tmp/. " directory containing a shell that is setuid root, and you want to investigate how badly the attacker has compromised the machine, how do you know that the attacker has not replaced your "find" and "ls" commands with tampered versions that fail to report the attacker's files?

A system like integrit works by creating a database that is a snapshot of the most essential parts of your computer system. You put the database somewhere safe (read-only media or another host, so that whoever can modify the files cannot also rewrite the baseline), and later use it to make sure that no one has made illicit modifications to the system. In the case of a break-in, you know exactly which files have been modified, added, or removed.

License: Freeware
Information Updated: 9 Sep 2001

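The snapshot-and-compare scheme that the AIDE and integrit entries above describe, written out as an added Python example (it is not code from AIDE, integrit or any other tool on this page): regex rules pick which attributes to record for each path, the baseline is serialized and sealed with an HMAC so that an attacker who can write the file cannot silently rewrite it, and a comparison reports added, removed and changed paths together with the attributes that changed. The rule table, the attribute letters, the demo key and the constructed /etc and /var/log files are all assumptions made for the example; a real deployment keeps the key and the baseline off the monitored host.

```python
import hashlib, hmac, json, os, re, shutil, stat, tempfile

# Hypothetical rule table, (regex on the path, attribute letters), loosely
# mirroring AIDE's selection lines. p=mode u=uid g=gid s=size m=mtime
# h=content hash. Logs grow legitimately, so only mode and ownership are
# tracked under /var/log.
RULES = [
    (re.compile(r"^/etc/"), "pugsmh"),
    (re.compile(r"^/var/log/"), "pug"),
]

def rel_path(path, root):
    """Path relative to the monitored root, always with forward slashes."""
    return "/" + os.path.relpath(path, root).replace(os.sep, "/")

def file_record(path, flags):
    """Record only the attributes the matching rule asks for."""
    st = os.lstat(path)
    simple = {"p": ("mode", stat.S_IMODE(st.st_mode)), "u": ("uid", st.st_uid),
              "g": ("gid", st.st_gid), "s": ("size", st.st_size),
              "m": ("mtime", int(st.st_mtime))}
    rec = {name: val for flag, (name, val) in simple.items() if flag in flags}
    if "h" in flags and stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()  # not the md5/sha1 of the page's era
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def snapshot(root, rules=RULES):
    """Walk root and record every file selected by the first matching rule."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = rel_path(full, root)
            for rx, flags in rules:
                if rx.search(rel):
                    db[rel] = file_record(full, flags)
                    break
    return db

def seal(db, key):
    """Serialize the baseline and append an HMAC so tampering is detectable."""
    body = json.dumps(db, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def unseal(blob, key):
    """Verify the HMAC before trusting anything in the baseline."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)

def compare(baseline, current):
    """Added and removed paths, plus which recorded attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in set(baseline) & set(current):
        diff = sorted(k for k, v in baseline[p].items() if current[p].get(k) != v)
        if diff:
            changed[p] = diff
    return {"added": added, "removed": removed, "changed": changed}

def baseline_tamper_detected(db, key):
    """Flip one byte of a sealed baseline and confirm unseal() rejects it."""
    blob = bytearray(seal(db, key))
    blob[0] ^= 0x01
    try:
        unseal(bytes(blob), key)
    except ValueError:
        return True
    return False

def demo():
    """Constructed /etc and /var/log tree: baseline, simulated intrusion, report."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "var", "log"))
        passwd = os.path.join(root, "etc", "passwd")
        authlog = os.path.join(root, "var", "log", "auth.log")
        with open(passwd, "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(authlog, "w") as f:
            f.write("sshd: accepted publickey for admin\n")
        key = b"demo-key-keep-it-off-the-host"  # assumption: stored elsewhere
        sealed = seal(snapshot(root), key)
        # Simulated attacker: backdoor account, normal log growth, preload library.
        with open(passwd, "a") as f:
            f.write("toor:x:0:0::/:/bin/sh\n")
        with open(authlog, "a") as f:
            f.write("sshd: accepted password for toor\n")
        with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
            f.write("/tmp/. /libhide.so\n")
        return compare(unseal(sealed, key), snapshot(root))
    finally:
        shutil.rmtree(root)
```

Calling demo() returns a report in which the backdoor account shows up as changed size and sha256 on /etc/passwd, the preload library as an added file, and the growing auth.log stays silent because its rule tracks only ownership and mode. The HMAC protects the baseline from being rewritten, but it does not protect the checker itself: a tool run from a compromised host can still be lied to by a trojaned runtime or kernel, which is why both the baseline and the checker are kept on trusted media.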
Data Sentinel
Platforms: Windows
Vendor: Ionx
URL: http://www.ionx.co.uk/html/products/data_sentinel/index.php

A baseline snapshot of the system is taken and, on a schedule that suits your needs, further snapshots are taken and compared against this baseline. Any files and registry entries you choose can be included, and the integrity check can be run manually as well as automatically.

License: Commercial
Information Updated: 21 Jan 2004

GFI LANguard System Integrity Monitor
Vendor: GFI Software Ltd
URL: http://www.gfi.com/adentry.asp?adv=158&loc=3

GFI LANguard System Integrity Monitor (formerly GFI LANguard File Integrity Checker) is a utility that provides intrusion detection by checking whether files have been changed, added or deleted on a Windows 2000/NT system, and alerts the administrator by email when they have. Since intruders commonly modify system files to maintain access or hide their presence, this freeware utility is a useful additional layer of protection for servers exposed to attack.

License: Freeware
Information Updated: 21 Jan 2004

Osiris
URL: http://osiris.shmoo.com/

Osiris is a file integrity management system that periodically monitors one or more hosts for change. It maintains detailed logs of changes to the file system, user and group lists, resident kernel modules, and more, and can be configured to email these logs to the administrator. Hosts are periodically scanned and, if desired, the records can be retained for forensic purposes. Osiris keeps an administrator apprised of possible attacks and trojaned files; the purpose is to isolate the changes that indicate a break-in or a compromised system. Osiris uses OpenSSL for encryption and authentication in all components.

License: Freeware
Information Updated: 20 Jan 2004

samhain
Vendor: samhain labs
URL: http://la-samhna.de/samhain/

samhain is an open source file integrity and host-based intrusion detection system for Linux and Unix. It can run as a daemon process and thus remembers the file changes it has already reported: if a file is modified you get a single report, and subsequent checks of that file stay quiet about the same modification until the file changes again. A checker run from cron, by contrast, starts from the baseline every time and repeats the same report on every run until the baseline is updated.

License: Freeware
Information Updated: 16 Apr 2003

Sanctuary (formerly SecureEXE)
Platforms: NT4 onwards
Vendor: SecureWave SA
URL: http://www.securewave.com/turcana/securewave/sanctuary_ACD.jsp

Sanctuary preserves the security of your environment while minimizing the risks of downloading or installing new applications. When a user attempts to launch an executable that has not been centrally authorized, a dialogue box appears offering the option to deny or accept the launch. If the program comes from a trusted and known source, the choice would be to authorize it; if the dialogue appears after merely opening an email or an attachment, the choice would be to deny it. Worms and viruses can no longer turn innocent users into unwitting accomplices, and you no longer have to worry about every download or installation.

License: Commercial
Information Updated: 17 Dec 2004

Tripwire
Platforms: Loads
Vendor: Tripwire, Inc
URL: http://www.tripwire.com/products/index.cfm

Establishing State
Tripwire software establishes a "digital inventory" of known good files and their attributes and uses it as a baseline for monitoring changes.

Discovering State Change
User-scheduled integrity checks monitor files and their attributes, comparing them against the baseline. Changes are immediately pinpointed and the appropriate IT staff can be notified by email or pager. Change event information can be integrated with other enterprise management systems and reporting packages.

Recovering from Undesired Change
Detailed reports and audit logs give IT a fast recovery path when change occurs. If the change is desirable (a scheduled software patch, for example), Tripwire makes it easy to verify the changes and roll them into the baseline for future monitoring. If the change is not desired, Tripwire software enables rapid restoration of files to a known good state. Controls can also be put in place not only to identify changes but to automatically restore systems when undesired change occurs.

License: Commercial
Information Updated: 20 Jan 2004

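The daemon-versus-cron reporting behaviour described in the samhain entry and the "roll approved changes into the baseline" step in the Tripwire entry, as an added Python example (not code from samhain, Tripwire or any other product on this page). Snapshots are constructed dicts of the form {path: {attribute: value}} with placeholder digest strings, so it runs without touching a filesystem; ChangeMonitor, diff and scenario are names invented for the example.

```python
def diff(baseline, current):
    """Paths whose record differs from the baseline, mapped to the current
    record (None when the path has been removed). Stateless: this is what a
    cron-driven checker reports on every run until the baseline is updated."""
    return {p: current.get(p) for p in set(baseline) | set(current)
            if baseline.get(p) != current.get(p)}


class ChangeMonitor:
    """Daemon-style monitor that remembers what it has already reported."""

    def __init__(self, baseline):
        self.baseline = dict(baseline)
        self.reported = {}  # path -> record as last reported

    def check(self, current):
        """Return only findings not already reported in exactly this state.
        A path that changes again (different record) is reported again; a
        path that reverts to its baseline state is forgotten."""
        outstanding = diff(self.baseline, current)
        new = {p: r for p, r in outstanding.items()
               if p not in self.reported or self.reported[p] != r}
        self.reported = outstanding
        return new

    def accept(self, paths, current):
        """Roll approved changes (a scheduled patch, say) into the baseline."""
        for p in paths:
            if p in current:
                self.baseline[p] = current[p]
            else:
                self.baseline.pop(p, None)
            self.reported.pop(p, None)


def scenario():
    """Three check cycles around a planned patch and a rootkit-style swap.
    All paths and digests are constructed for the example."""
    base = {
        "/bin/ls": {"sha256": "0a1b", "mode": 0o755},
        "/etc/passwd": {"sha256": "2c3d", "mode": 0o644},
        "/etc/ssh/sshd_config": {"sha256": "4e5f", "mode": 0o600},
    }
    mon = ChangeMonitor(base)
    # Cycle 1: sshd_config edited by a planned patch; ls replaced by a rootkit.
    cur1 = dict(base)
    cur1["/etc/ssh/sshd_config"] = {"sha256": "6a7b", "mode": 0o600}
    cur1["/bin/ls"] = {"sha256": "dead", "mode": 0o755}
    r1 = mon.check(cur1)
    # Cycle 2: nothing new. A stateless diff() repeats both findings;
    # the daemon, having already reported them, stays quiet.
    r2 = mon.check(cur1)
    cron_repeat = diff(base, cur1)
    # The admin reviews the report and accepts only the sshd_config change.
    mon.accept(["/etc/ssh/sshd_config"], cur1)
    # Cycle 3: ls is modified again and a preload library appears.
    cur3 = dict(cur1)
    cur3["/bin/ls"] = {"sha256": "beef", "mode": 0o755}
    cur3["/etc/ld.so.preload"] = {"sha256": "c0de", "mode": 0o644}
    r3 = mon.check(cur3)
    return {"cycle1": r1, "cycle2": r2, "cycle3": r3,
            "cron_repeat": cron_repeat, "baseline": mon.baseline}
```

In the scenario, cycle 1 reports both the patched sshd_config and the replaced ls, cycle 2 reports nothing while the stateless diff() would repeat both, and after the admin accepts only the sshd_config change cycle 3 reports the re-modified ls and the new preload library but not sshd_config, which is now part of the baseline. The unaccepted ls finding is never forgotten: it is simply not re-announced until its record changes again.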
Veracity
Vendor: Rocksoft
URL: http://www.rocksoft.com/veracity/

Veracity provides comprehensive data integrity by ensuring that critical data and system software have not been corrupted or altered in any way by viruses, intruders or disk corruption. It allows the establishment of a secure network configuration baseline and the detection of deviations from it, enabling enterprise-wide configuration lockdown. Veracity is used to assess the effectiveness of current or desired security solutions and to protect firewall and IDS configurations by detecting whether protected files have been added, deleted or modified. Veracity now integrates Rocksoft's Blocklets storage technology, giving administrators rollback functionality that can turn back the clock in the event of accidental or malicious damage and return their systems to previous states.

License: Commercial
Information Updated: 05 June 2006
