Intrusion Detection System

Our client was seeking a TripWire alternative. When it comes to security projects, “Security by Obscurity” is the wrong approach. However, there’s always some benefit found in stacking the deck in your favor.

The client wanted to avoid a well-known security tool where everyone knew how it worked, where it saved the data dictionary, and what its weaknesses were.

Since the platform was a Sun box, the solution was to write a tool in Perl5 which traversed the directory tree and created a hash of each file. The system needed a way to exclude files or entire directory branches — something the user could configure. For simplicity’s sake, we agreed to put the list of exclusions in a human-editable text file that the IDS read at startup.

The target machine served as the company’s web presence as well as the e-mail server.

To protect the data dictionary, we wrote the md5 hashes to a CD-R disc. This meant the tool had to be run with the “write” option whenever system files changed.
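The tree walk with an exclusion file described above, and the baseline-then-check cycle that the “write” option implies, as an added example in Python (not the client’s Perl tool; file names, the exclusion-file syntax and the `demo` tree are assumptions, and sha256 stands in for the md5 the original used):

```python
import hashlib
import os
import tempfile
from pathlib import Path

def load_exclusions(text):  # one path per line in the human-editable file; '#' comments and blanks ignored
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def is_excluded(rel, exclusions):  # rel is an excluded path or lies under an excluded directory branch
    return any(rel == e or rel.startswith(e.rstrip("/") + "/") for e in exclusions)

def hash_file(path, algo="sha256"):
    """Hash the file contents. The original used md5; sha256 here. Reads whole file, chunk it for big ones."""
    return hashlib.new(algo, Path(path).read_bytes()).hexdigest()

def build_dictionary(root, exclusions, algo="sha256"):
    """Walk the tree and map each relative file path to its hash, pruning excluded branches."""
    root, result = str(root), {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = lambda n: os.path.relpath(os.path.join(dirpath, n), root).replace(os.sep, "/")
        dirnames[:] = [d for d in dirnames if not is_excluded(rel(d), exclusions)]  # never descend
        for name in filenames:
            if not is_excluded(rel(name), exclusions):
                result[rel(name)] = hash_file(os.path.join(dirpath, name), algo)
    return result

def compare(baseline, current):
    """Report added, removed and modified files relative to the stored data dictionary."""
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])}

def demo():
    """Constructed sample tree: take a baseline, tamper with the tree, return the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "var" / "log" / "messages").write_text("boot\n")
        exclusions = load_exclusions("# churning log files are not integrity-checked\nvar/log\n")
        baseline = build_dictionary(root, exclusions)  # this is what the original wrote to the CD-R
        (root / "etc" / "passwd").write_text("root:x:0:0\nextra:x:1000:1000\n")  # modified
        (root / "etc" / "hosts").unlink()                                         # removed
        (root / "etc" / "shadow").write_text("root:!:1\n")                        # added
        (root / "var" / "log" / "messages").write_text("boot\nmore\n")  # excluded, so not reported
        return compare(baseline, build_dictionary(root, exclusions))
```

Keeping the baseline on read-only media matters because `compare` is only as trustworthy as the dictionary it is handed; a tamperable baseline lets a change be hidden by rewriting the stored hash.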

The system used e-mail, syslog, and dedicated-port alert mechanisms. The last one required a listening PC server on the local network, written in Visual Basic (VB).

This system tested well and the client was very happy with the added security.

Languages: Visual Basic (VB), Perl using dedicated ports
Platforms: Windows, SunOS