Section 11.5. Resources

  1. Amoroso, Ed. Intrusion Detection. Sparta, NJ: Intrusion.Net Books, 1999.

    Excellent introduction to the subject.

  2. Card, Rémy, Theodore Ts'o, and Stephen Tweedie. "Design and Implementation of the Second Extended Filesystem."

    Excellent paper on the Linux EXT2 filesystem; the section entitled "Basic File System Concepts" is of particular interest to Tripwire users.

  3. Northcutt, Stephen and Judy Novak. Network Intrusion Detection: An Analyst's Handbook. Indianapolis: New Riders Publishing, 2001.

    A very practical book with many examples showing system log excerpts and configurations of popular IDS tools.

  4. Home of the chkrootkit shell script and an excellent source of information about how to detect and defend against rootkits.

  5. Project pages for Tripwire Open Source. The place to obtain the very latest Tripwire Open Source code and documentation.

  6. Tripwire Open Source Manual and the Tripwire Open Source Reference Card in PDF format. Required reading! (If this link doesn't work, try

  7. Home page for Tripwire Open Source. Binaries for Linux are available here.

  8. Tripwire Academic Source Release download site.

  9. Article on using Tripwire Academic Source Release, by Jay Beale (principal developer of Bastille Linux).

  10. Official web site for the Advanced Intrusion Detection Environment (AIDE).

  11. Official web site for FCheck, an extremely portable integrity checker written entirely in Perl.

  12. Ranum, Marcus J. "Intrusion Detection & Network Forensics."

    Presentation E1/E2 at the Computer Security Institute's 26th Annual Computer Security Conference and Exhibition, Washington, D.C., 17-19 Nov 1999.

  13. Official Snort web site: source, binaries, documentation, discussion forums, and amusing graphics.

  14. The Analysis Console for Intrusion Databases (ACID) is a PHP application that analyzes IDS data in real time. ACID is a popular companion to Snort because it helps make sense of large Snort data sets; this is its official home page.

  15. Home of Oinkmaster, a script that automatically updates Snort rules.

  16. Security news, tools, and the arachNIDS attack signature database (which can be used to update your Snort rules automatically as new attacks are discovered).

  17. The Linux Intrusion Detection System (LIDS) web site. LIDS is a kernel patch and administrative tool that provides granular logging and access controls for processes and for the filesystem.