Problem solve Get help with specific problems with your technologies, process and projects.

Snort, Nessus and Tripwire: Benefits beyond cost

Snort, Nessus and Tripwire are must-have open source security tools for value-added resellers and consultants.

I'm sure you've thought about it, or you should have. Why should a customer pay you money for something that they can get for free on the Web? It's the VA in VAR (value-added reseller), value added. You are providing additional features and/or services that the client cannot get on their own. These extras might be improvements in the code, enhanced support or installation set-up. To succeed in this market, you need to make a strong case for the extras that you bring to the table.

IT security folks are generally pretty savvy and not inclined to pay for something they can get for free. You might be wary about recommending open source security tools and devices to clients, even though you have already provided added value to network management solutions such as Nagios or OpenNMS. My advice to you is to wake up and smell the coffee! The time is ripe for getting your customers on board, and there is money to be made if you show that you can provide the customer with the right solution, regardless of what it originally cost.

Even better, wake up and look at the applications. In this tip, I discuss the pros and cons of the open source security tools that work on the Red Hat Enterprise Linux 4.0 (RHEL4) platform. These include Snort (intrusion detection), Nessus (security scanning software) and Tripwire (host-based operating system intrusion detection).


My favorite tool is Tripwire, which is used for Linux (or Unix) hosts to monitor changes that might be made on the system. Everyone knows the old hacking trick of copying over phony versions of commands, like passwd or ls, in an effort to hijack the system. Trojan horses, look out, because Tripwire will not allow this!

Not all changes are done for devious purposes, and Tripwire will even help pinpoint accidental changes. The way Tripwire works is that it compares files and directories against a database of file locations, dates they were modified and other types of data. This database contains your customer's baseline, which is a snapshot of the directory structure at a given point in time. You need to run this baseline snapshot, before the system is at risk, for it to really work. Essentially, it will always compare the system to a baseline and report back any modifications, additions or deletions.

There is a commercial version of the product and also the open source product. I have used the latter for years. The open source version is intended for monitoring a small number of servers where centralized control and reporting is not necessary. The two commercial versions, Tripwire for Servers and Tripwire Enterprise, have centralized management tools with detailed reporting.

Tripwire Enterprise can respond to audit changes across Linux, Unix and Windows, and even your desktops. The company has more than 4,500 commercial customers, and its solutions are recognized by many of the leading security, auditing and compliance certification organizations.

While Tripwire is not officially supported by Red Hat, it does run on RHEL4, and the Tripwire Web site lists RHEL4 as a supported commercial platform. Red Hat acknowledges Tripwire as the most popular host-based IDS for Linux, but took out support in 2001 because of inactivity in the upstream development. I don't see this as a problem with Tripwire, because it works.


Snort is an awesome open source network intrusion prevention and detection system. It combines the benefits of signature-, protocol- and anomaly-based inspection methods.

Snort is probably the most widely-deployed intrusion detection and prevention technology in existence. It has developed through the years into a mature, feature-rich technology that has essentially become a standard in intrusion detection and prevention.

Unfortunately, the Sourcefire-provided RPMs do not install on RHEL4 systems without using third-party tools. You can build your own RPMs. The procedure works fine, though it is not for the gun-shy. Alternatively, you can also download RPM packages.


No open source security article can be written without talking about Nessus. It is in use in more than 75,000 unique organizations worldwide. Its scanners can be distributed throughout an enterprise, inside DMZs and across physically separate networks. It includes more then 9,000 types of vulnerability checks that can also be made available for ad-hoc scanning, daily scans and quick-response audits.

What's great about Nessus is that, unlike traditional network security scanners that focus on the services listening on the network, Nessus also focuses on the local hosts. It can even determine whether there are missing patches, whether they are running Windows, Unix or RHEL4. And yes, it will run on RHEL4.

These are just a few of the great open source security products available. (Don't forget the granddaddy of them all, Bastille Linux.) Don't ever rule out open source, even for security. Especially for security!

About the author
Ken Milberg is the founder of Unix-Linux Solutions. He is also a board member of Unigroup of NY, the oldest Unix users group in NYC. Ken regularly answers user questions on Unix and Linux interoperability issues as a site expert on

This tip originally appeared on

Dig Deeper on Managed network services technology