Security – Recommend alternative to tripwire

Several years ago I reviewed several intrusion prevention systems .

I wanted to deploy something between a couple of locations and the corporate network.
The system was to provide an easy to manage and monitor (something that could be handed off to a second tier help desk person). Automated alarming and reporting were also needed.

The system that I ended up choosing was the IPS from Tipping Point. We still like it after being in place for several years. Our implementation includes the subscription to their Digital Vaccine, which pushes out vulnerability and exploit rules weekly.

The system has been very useful to watch what is going on (alert but take no action) as well as automatically block or quarantine systems.

This ended up being a very useful tool for locating and isolating malware infected computers as well as blocking bandwidth hogging or security policy related traffic without having to work with router access control lists.

http://www.tippingpoint.com/products_ips.html

I think your assumptions are okay.

There is nothing interesting in proc to watch for, and they change every time. /dev is also a good question. I used to have that line, but now with udev I am not so sure.

You still have this line, do you?

/var -> $(SEC_INVARIANT) (recurse = 0) ;

My real problem with tripwire is, that it requires regular attention to keep it up-to-date. When I had the time it worked great, but not anymore.

Maybe it is worth to take a look at Samhain. It only reports once then learns the changes. It has other great features (maybe I will extend this later).