On Monday, 2005-01-03 at 00:45:02 +0100, jorge salamero wrote:
> on Sun, 2 Jan 2005 07:30:33 -0600
> [EMAIL PROTECTED] (J.A. de Vries) wrote:
>
> > Read this page to compare the most popular IDSes. It is written by the
> > author of samhain, but it still is useful as a reference:
> > http://www.la-samhna.de/library/scanners.html
>
> it seems that samhain is the most complete.
> any other comparisons or users' comments about missing features in this
> article ?

I did a comparison once, and here are the things I checked that that
comparison does not cover:

- Attributes: Tripwire and AIDE have the most comprehensive set, with
  (from the twpolicy manpage):

    a  Access timestamp
    b  Number of blocks allocated
    c  Inode timestamp (create/modify)
    d  ID of device on which inode resides
    g  File owner's group ID
    i  Inode number
    l  File is increasing in size (a "growing file")
    m  Modification timestamp
    n  Number of links (inode reference count)
    p  Permissions and file mode bits
    r  ID of device pointed to by inode (valid only for device objects)
    s  File size
    t  File type
    u  File owner's user ID

  This information is missing from my samhain entry. The samhain manual
  lists these:

    * the inode of the file,
    * the type of the file,
    * owner and group,
    * access permissions,
    * on Linux only: flags of the ext2 file system (see man chattr),
    * the timestamps of the file,
    * the file size,
    * the number of hard links,
    * minor and major device number (devices only)
    * and the name of the linked file (if the file is a symbolic link).

- List of available checksums.
- Can filenames be specified with regular expressions?
- Are multiple overlapping filespecs possible?
- Is macro substitution supported, for what?
- Which notification mechanisms are supported?
- Is the level of detail in these notifications configurable?
- For which platforms is the tool supported/packaged?

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Ask not what your computer can do for you |
| ask what you can do for your computer.    |
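An added example, not from the thread and not code from Tripwire, AIDE or samhain: a small Python baseline-and-compare routine over the Tripwire attribute letters quoted above (my own mapping of each letter to an os.lstat field) plus a SHA-256 digest, including the "growing file" policy, run against a constructed log file.

```python
# Constructed example of a Tripwire/AIDE-style attribute check; not code from any of those tools.
import hashlib, os, stat, tempfile

# Tripwire policy letter -> reader for os.stat_result ("l", growing file, is a flag, see compare()).
ATTRS = {
    "a": lambda st: st.st_atime_ns,               # access timestamp
    "b": lambda st: getattr(st, "st_blocks", 0),  # number of blocks allocated
    "c": lambda st: st.st_ctime_ns,               # inode change timestamp
    "d": lambda st: st.st_dev,                    # ID of device holding the inode
    "g": lambda st: st.st_gid,                    # owner's group ID
    "i": lambda st: st.st_ino,                    # inode number
    "m": lambda st: st.st_mtime_ns,               # modification timestamp
    "n": lambda st: st.st_nlink,                  # number of links
    "p": lambda st: stat.S_IMODE(st.st_mode),     # permissions and mode bits
    "r": lambda st: getattr(st, "st_rdev", 0),    # device a device node points to
    "s": lambda st: st.st_size,                   # file size
    "t": lambda st: stat.S_IFMT(st.st_mode),      # file type
    "u": lambda st: st.st_uid,                    # owner's user ID
}

def snapshot(path):
    """Record every attribute above, plus a SHA-256 digest for regular files."""
    st = os.lstat(path)
    rec = {k: f(st) for k, f in ATTRS.items()}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            rec["sha256"] = hashlib.sha256(fh.read()).hexdigest()
    return rec

def compare(base, cur, policy="bcdgimnprstu", growing=False):
    """Sorted policy letters (and 'sha256') whose value differs from the baseline."""
    changed = [k for k in policy if base[k] != cur[k]]  # 'a' is off by default: hashing updates atime
    if "sha256" in base and base["sha256"] != cur.get("sha256"):
        changed.append("sha256")
    if growing:  # Tripwire's 'l': growth, new blocks and a new digest are expected, shrinking is not
        changed = [k for k in changed if k not in ("b", "s", "sha256")]
        if cur["s"] < base["s"]:
            changed.append("s")
    return sorted(changed)

def demo():
    """Constructed run: baseline a log file, then append a line to it and change its mode."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "messages")
        with open(p, "wb") as fh:
            fh.write(b"Jan  2 07:30:33 host sshd[1]: Accepted publickey\n")
        os.chmod(p, 0o640)
        base = snapshot(p)
        with open(p, "ab") as fh:
            fh.write(b"Jan  2 07:31:01 host sshd[2]: session opened\n")
        os.chmod(p, 0o644)
        return [compare(base, snapshot(p), growing=g) for g in (False, True)]
```

The strict comparison reports the size, digest and mode change; with growing=True only the mode change remains, which is the distinction the "l" attribute exists for.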

