Advanced Intrusion Detection Environment
AIDE
http://www.cs.tut.fi/~rammer/aide.html

AIDE
• Uses regular expression rules to check file integrity
• Replaces Tripwire
• Constructs a database of directories specified in configuration file
• Database consists of file attributes
• Creates a cryptographic checksum of each file
Simple Sample AIDE Configuration File

# p = check permissions only
/oracle p
Creating a New Database

root@neptune:/usr/local/etc: # aide -i
AIDE, version 0.10
### AIDE database initialized.
root@neptune:/usr/local/etc: # ls
aide.conf aide.db.new
root@neptune:/usr/local/etc: # mv aide.db.new aide.db
root@neptune:/usr/local/etc: # aide --check
AIDE, version 0.10
### All files match AIDE database. Looks okay!
Altering the File System and Checking Again

root@neptune:/oracle: # ls -l
…
-r--r--r-- 1 root other 143111 Jun 2 10:26 saudimap.gif
…
root@neptune:/oracle: # chmod 777 saudimap.gif
root@neptune:/oracle: # aide --check
AIDE found differences between database and filesystem!!
Start timestamp: 2005-06-22 14:00:50
Summary:
Total number of files=18,added files=0,removed files=0,changed files=1
Changed files:
changed:/oracle/saudimap.gif
Detailed information about changes:
File: /oracle/saudimap.gif
Permissions: -r--r--r--, -rwxrwxrwx
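
The database-and-compare cycle shown above, as an added Python sketch (not AIDE's code and not part of the original slides): it records a permission string and a checksum per file, then reports what differs on a later check. The temporary directory, the file notes.txt and the use of SHA-256 are assumptions for illustration; the sketch goes beyond the slide's permissions-only rule by also catching a content edit that leaves permissions unchanged.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Baseline: {relative path: (permission string, SHA-256)} for regular files."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # sketch only: symlinks and special files are skipped
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = (stat.filemode(st.st_mode), digest)
    return db

def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> differing attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        fields = zip(("Permissions", "SHA256"), baseline[path], current[path])
        diffs = [(name, old, new) for name, old, new in fields if old != new]
        if diffs:
            changed[path] = diffs
    return added, removed, changed

def demo():
    """Constructed scenario: chmod one file and edit another after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        gif, notes = (os.path.join(root, n) for n in ("saudimap.gif", "notes.txt"))
        for path, mode in ((gif, 0o444), (notes, 0o644)):
            with open(path, "wb") as fh:
                fh.write(b"constructed sample data\n")
            os.chmod(path, mode)
        baseline = snapshot(root)
        os.chmod(gif, 0o777)            # the change made on the slide
        with open(notes, "wb") as fh:   # content edit, permissions untouched
            fh.write(b"tampered\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for path, diffs in demo()[2].items():
        print("changed:", path, diffs)
```

A rule that records only permissions, like the sample configuration's p, would report saudimap.gif here but not notes.txt.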