> I've never tried Tripwire (Mandrake's msec gives you
> "tripwire lite"), but snort is an absolute bear to commission.

I've used Tripwire quite a bit. It's not _too_ bad to configure once you figure out how to manage the encrypted configuration and database files. You start out with a lot of false positives and tweak it until you are happy with what it complains about.

It's not a port sniffer though. It's an "after the fact" thing as the name implies. It scans your system files for changes: inodes, sizes, growing or shrinking, access times, etc. The idea being to inform you soon after your system has been compromised or when users are doing things they shouldn't be.

-Tom

On Sun, 2003-04-20 at 13:49, rpgoldman at real-time.com wrote:
> Mark Courtney writes:
> > Is there any way to detect if ports are being probed/sniffed? I've seen
> > programs like Snort, etc. Does anyone have any opinions about intrusion
> > detection systems? Are they effective? Are there other ways to manually
> > detect intrusion?
>
> Depends. The tradeoff in configuring Tripwire + Snort versus
> rebuilding if you're rooted may well not be in favor of Tripwire +
> Snort. I've never tried Tripwire (Mandrake's msec gives you
> "tripwire lite"), but snort is an absolute bear to commission. You'll
> spend an age filtering out the rules that give you pointless false
> positives.
>
> R
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list
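
The baseline-and-compare check described in the reply above, as an added example that is not part of the thread and is not Tripwire's code. The file names, the attribute set and the `rules` mapping are assumptions made for illustration; modification time stands in for access time because hashing a file reads it.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

ATTRS = ("inode", "size", "mode", "mtime_ns", "sha256")

def snapshot(root):
    """Baseline database: per-file attributes plus a content hash."""
    db = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories, symlinks, devices
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        db[str(path.relative_to(root))] = dict(zip(ATTRS, (
            st.st_ino, st.st_size, stat.S_IMODE(st.st_mode), st.st_mtime_ns, digest)))
    return db

def compare(baseline, current, rules=None):
    """Return (path, finding) pairs; rules maps a path to attributes to ignore."""
    rules, findings = rules or {}, []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            findings.append((path, "added" if old is None else "removed"))
            continue
        for attr in ATTRS:
            if attr in rules.get(path, ()) or old[attr] == new[attr]:
                continue
            delta = "grew" if new[attr] > old[attr] else "shrank"
            findings.append((path, delta if attr == "size" else attr + " changed"))
    return findings

def demo():
    """Constructed sample tree: a log that grows, a replaced binary, a chmod."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in (("messages", b"boot\n"), ("passwd", b"root:x:0:0\n"), ("sshd", b"AAAA")):
            (root / name).write_bytes(data)
            (root / name).chmod(0o644)
            os.utime(root / name, ns=(10**18, 10**18))  # fixed old mtime (constructed)
        baseline = snapshot(root)
        (root / "messages").write_bytes(b"boot\nlogin\n")  # routine log growth
        (root / "sshd.new").write_bytes(b"BBBB")           # same size, new content
        (root / "sshd.new").chmod(0o644)
        os.replace(root / "sshd.new", root / "sshd")       # swapped in: new inode
        (root / "passwd").chmod(0o666)                     # permissions loosened
        current = snapshot(root)
    tuned = {"messages": {"size", "mtime_ns", "sha256"}}   # rule: this file may grow
    return compare(baseline, current), compare(baseline, current, tuned)
```

`demo()` returns the untuned findings first and the tuned findings second; the rule for the log file removes the routine-growth noise while the replaced binary and the permission change are still reported.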