Tripwire Open Source vs OSSEC: Is This Tripwire Alternative Right for You? | UpGuard (2024)

The following is a comparison of two leading open-source host-based intrusion detection systems (HIDS): Open Source Tripwire and OSSEC. Both are competent HIDS offerings with distinct benefits and drawbacks that warrant further analysis.

OSSEC

OSSEC is a free, open source HIDS. It runs on all major OS platforms: Linux, Windows (agent only), most Unix flavors, and Mac OS. Originally developed by Daniel Cid and made public in 2004, the project was acquired in 2008 by Third Brigade, which in turn was acquired by Trend Micro in 2009. As it stands today, Trend Micro continues to extend commercial support for OSSEC while simultaneously maintaining the open-source version.

Because of its breadth of abilities and features, OSSEC is suitable as an enterprise HIDS tool, though it can also be deployed in standalone mode if desired, in addition to the standard server-agent setup. The server and agents communicate securely on UDP port 1514 via messages encrypted using the Blowfish algorithm and compressed using zlib. Check out the OSSEC features page for a full list of OSSEC features.

OSSEC consists of the following sub-parts:

  • Main Application: the central manager for monitoring and receiving information from agents, syslog, databases and even agentless devices. It also stores the file integrity database and the log and event files. It must be installed on Linux, Solaris, BSD, or MacOS – no Windows support is available.
  • OSSEC Agent: a small program installed on each node to be monitored. In a server-agent setup it collects real-time information about the state of the node on which it’s installed and sends it to the OSSEC server. There is also a special Windows agent that runs only in the server-agent mode.
  • Web Interface: the GUI for managing tasks and monitoring functions. Unfortunately, OSSEC's well-developed GUI does not work on Windows platforms.

OSSEC also has an advanced log analysis engine that can analyze logs in several different formats from multiple sources, such as FTP servers (ftpd, pure-ftpd), databases (PostgreSQL, MySQL), web servers (Apache, IIS, Zeus), mail servers (imapd, Postfix, Sendmail, Exchange, vpopmail), firewalls (iptables, Windows firewall, Cisco PIX, ASA) and even some competing NIDS solutions (Cisco IOS, Snort IDS) and Windows event logs.

Despite its perks, OSSEC has some notable drawbacks. Transitioning to newer versions of the platform can be difficult, as any previously defined rules are overwritten by default values upon upgrading. This means that existing rules must be exported and re-imported after the upgrade, with no telling what may occur while the system is temporarily using default rules. Miscoordination with pre-shared keys can also be problematic: OSSEC’s client and server communicate via a Blowfish-encrypted channel, and occasionally key sharing is initiated prior to the creation of said channel, which can make for a frustrating experience.

Tripwire Open Source

Unlike OSSEC, Tripwire is available as both an open source offering and a full-fledged enterprise version. Since OSSEC is open-source, the comparison here will be to Tripwire’s open-source version. Check out Tripwire Open Source vs. Tripwire Enterprise to learn more about the differences between those two.

A pioneer in host-based intrusion detection, Tripwire has its origins in a 1992 project by Purdue University graduate student Gene Kim and his professor Dr. Eugene Spafford. Indeed, many of Tripwire’s early techniques and features became de facto standards for IDS solutions at large.

Tripwire Open Source only runs on Linux and *nix systems. There is no Windows support, although (no surprise) it’s available in the commercial enterprise version. The open source version of course has fewer features than enterprise, though it’s thankfully not as bare-bones as typical freemium offerings. What the open source version lacks most are enterprise features such as the aforementioned multi-platform support, centralized control and reporting, a master-agent configuration mode, advanced automation features and professional corporate support, albeit this last option is offered by parent company Tripwire Inc.

Tripwire Open Source agents monitor Linux systems to detect and report any unauthorized changes to files and directories. Tripwire first creates a baseline of all files in an encrypted file (encryption protects it from malware tampering), then monitors the files for changes, including permissions, internal file changes, and timestamp details. Cryptographic hashes are employed to detect changes in a file without storing its entire contents in the database. While useful for detecting intrusions after they’ve occurred, Tripwire Open Source can also serve many other purposes, such as integrity assurance, change management and policy compliance.

One of Tripwire Open Source’s major shortcomings is that it does not generate real-time alerts upon intrusion detection – the details are only saved in a log file for later perusal. It also cannot detect any intrusions already present in the system prior to installation. It’s thus advisable to install Tripwire Open Source immediately after OS installation.
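The baseline-and-compare approach from the two paragraphs above, as an added Python example (not Tripwire's code or database format). Assumptions: an HMAC under a constructed key stands in for Tripwire's protected database, the helper names are hypothetical, and all file names and contents are constructed sample data on a POSIX filesystem.

```python
import hashlib, hmac, json, os, stat, tempfile
from pathlib import Path

KEY = b"constructed-demo-key"  # assumption: stands in for the key protecting the database

def snapshot(root):
    """Map each regular file under root to [sha256, permission bits, mtime_ns]."""
    db = {}
    for p in sorted(Path(root).rglob("*")):
        st = p.lstat()
        if stat.S_ISREG(st.st_mode):
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            db[p.relative_to(root).as_posix()] = [digest, stat.S_IMODE(st.st_mode), st.st_mtime_ns]
    return db

def seal(db):
    """Serialize the baseline and tag it so later tampering with it is detectable."""
    body = json.dumps(db, sort_keys=True).encode()
    return body, hmac.new(KEY, body, hashlib.sha256).hexdigest()

def check(root, body, tag):
    """Compare the current tree with a sealed baseline; return {path: finding}."""
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).hexdigest()):
        raise ValueError("baseline database failed its integrity check")
    old, new, report = json.loads(body), snapshot(root), {}
    for path in sorted(set(old) | set(new)):
        if path not in old or path not in new:
            report[path] = "added" if path not in old else "removed"
        elif old[path] != new[path]:
            diff = [f for f, a, b in zip(("content", "mode", "mtime"), old[path], new[path]) if a != b]
            report[path] = "changed: " + ",".join(diff)
    return report

def put(root, name, data, mtime_s):  # constructed sample file with fixed mode and mtime
    path = Path(root, name)
    path.write_bytes(data)
    path.chmod(0o644)
    os.utime(path, ns=(mtime_s * 10**9, mtime_s * 10**9))

def demo():
    with tempfile.TemporaryDirectory() as root:
        put(root, "hosts", b"127.0.0.1 localhost\n", 1000)
        put(root, "motd", b"welcome\n", 1000)
        put(root, "rc.local", b"# altered before baseline\n", 1000)  # pre-existing change
        body, tag = seal(snapshot(root))                  # baseline taken here
        put(root, "hosts", b"127.0.0.1 localhost\n10.0.0.9 updates\n", 2000)
        os.chmod(os.path.join(root, "motd"), 0o666)       # permission change only
        put(root, "new.sh", b"#!/bin/sh\n", 2000)         # file added after baseline
        return check(root, body, tag)
```

In `demo()`, `rc.local` was altered before the baseline was taken, so it never appears in the report; that is the limitation behind the advice to install immediately after the OS.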

Summary

Both OSSEC and Tripwire are excellent open source HIDS tools. Both have unique strengths and weaknesses, though OSSEC boasts a richer feature set than Tripwire Open Source. That said, Tripwire Enterprise is available, at a cost, if extra enterprise bells and whistles are needed. The table below is a summarized comparison of the two.

OSSEC

Pros:
  • Can be used in both serverless and server-agent mode
  • Offers almost all features in the open source version
  • Open source version supported on all major OS platforms

Cons:
  • Upgrade process overwrites existing rules with out-of-the-box rules
  • Pre-sharing keys can be problematic
  • Windows supported in server-agent mode only

Tripwire Open Source

Pros:
  • Excellent for small, decentralized Linux setups
  • Good integration with Linux and *Nix

Cons:
  • Only runs on Linux/*Nix
  • Requires at least intermediate Linux administration proficiency, as no corporate support is available
  • Some useful advanced features not available in open-source version
  • No real-time alerts

