Looking for a host-based IDS comparable to tripwire. Preferably one that allows centralized management. Right now I use tripwire and though it works management and reporting through a central server would be ideal. I'm looking for recommendations that have actually been used and not just google results. Thanks!
Product and service recommendations are off topic per the updated [FAQ](http://serverfault.com/faq). – sysadmin1138 Aug 22 '12 at 00:33
4 Answers
We use OSSEC as HIDS and Splunk to analyze the results. OSSEC provides:
- File integrity
- Log monitoring
- Rootkit detection
- Configuration analysis
There is a free Splunk App, called Splunk for OSSEC which works great to manage OSSEC alerts (there are dashboards, queries, etc.). We use free Splunk.
You can also use the OSSEC WebUI, but it is much more limited.
To give you an idea of how it is, have a look at this screenshot.
I like tools that do one job and do it well. I'm hesitant to use something with so many features I don't care about. Can I use just the file integrity component? How do you like the WebUI for file integrity? Any issues experienced since your initial answer? Thanks! – CarpeNoctem Oct 10 '11 at 23:06
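As an added illustration of the file-integrity piece the comment above asks about (example code written for this page, not OSSEC's or Tripwire's own implementation), this is the core of what such a component does: record a baseline of digest, permission bits and size per file, rescan, and emit the added/removed/modified report that a central collector would ingest. The directory tree and file contents are constructed inside the script.

```python
# Added example (not Tripwire's or OSSEC's code): a minimal Tripwire-style
# file-integrity check. Baseline SHA-256, mode and size of every regular file
# under a root, then diff a fresh scan against that baseline.
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Digest plus the metadata a HIDS normally tracks (permission bits, size)."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}

def build_baseline(root: str) -> dict:
    """Fingerprint every regular file under root, keyed by POSIX path relative to root."""
    root_path, baseline = Path(root), {}
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():  # skip symlinks, sockets, devices
                baseline[p.relative_to(root_path).as_posix()] = fingerprint(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths between two scans."""
    old, new = set(baseline), set(current)
    modified = sorted(p for p in old & new if baseline[p] != current[p])
    return {"added": sorted(new - old), "removed": sorted(old - new), "modified": modified}

def demo() -> dict:
    """Constructed scenario: baseline a temp tree, change it, rescan and diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "app.conf").write_text("debug = false\n")
        baseline = build_baseline(root)
        (etc / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 build\n")  # modified
        (etc / "app.conf").unlink()                                          # removed
        (etc / "new.conf").write_text("x = 1\n")                             # added
        report = compare(baseline, build_baseline(root))
    print(json.dumps(report, indent=2))  # what a central collector would receive
    return report
```

Because the fingerprint includes the permission bits, a chmod alone shows up as "modified" even when the content is unchanged, which is the behaviour you want from a Tripwire replacement.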
OSSEC provides an IDS similar to Tripwire, amongst other host monitoring. It's centrally managed, with all the logs arriving into a single collector. If you've got a server to spare then you could also use OSSIM which provides IDS as well as network monitoring and penetration testing tools.
If you are using Windows systems, a good alternative to Tripwire is Verisys. Like Tripwire it does file integrity monitoring and has a central administration console for reporting, etc., but it's a whole lot easier to use than Tripwire. And cheaper :)
It's Windows only though, so not much use if you are using Linux...
Give a try to Prelude (http://www.prelude-technologies.com/en/development/community/index.html). I wanted to test it too, it seems much better than normal HIDS.