Tripwire vs AIDE

Posted by UpGuard

Fee versus free: how do the two compare when it comes to intrusion detection? Specifically, how does the open source Advanced Intrusion Detection Environment (AIDE), commonly referred to as the free Tripwire replacement, stack up against Tripwire Enterprise, the longstanding leader in this category?

Portland-based Tripwire also offers an open source version of its flagship intrusion detection/protection (IDPS) and security configuration management (SCM) platform named, appropriately enough, Tripwire Open Source. For this comparison we pit the flagship IDPS/SCM platform, with its enterprise bells and whistles (and enterprise price tag to boot), against the minimalist, highly popular AIDE.

Tripwire

Tripwire Enterprise shares much of its basic IDPS functionality with Tripwire Open Source: alerts routed to different users/groups based on the detected change type, severity assessment of compromised files/directories, and syslog reporting, among others. However, the platform is geared toward large organizations with sizeable IT infrastructures; this shows in advanced features such as support for Windows and a variety of *nix flavors, centralized management and reporting across multiple Tripwire installations, and out-of-the-box policies for compliance regimes such as PCI and NIST. Vulnerability management (Tripwire IP360) and log intelligence (Tripwire Log Center) add-ons round out the platform's capabilities, at a cost.

[Image: The Tripwire Enterprise UI. Source: softwareasia.com.]

AIDE

AIDE was created in 1999 as a free Tripwire replacement for baseline control, change detection, and rootkit detection. Using regular expression (regex) rules in its configuration file, it selects the files and attributes to monitor and builds a database against which later scans are validated. The tool is strictly command-line (CLI) driven; scans are typically scheduled via cron to detect changes in the monitored directories and files.

[Image: The AIDE interface. Source: theurbanpenguin / YouTube.com.]

Side-by-Side Scoring: Tripwire vs. AIDE

1. Capability Set

Under the hood, both offerings compute cryptographic hashes of critical system files, store the values in a database, and compare later scans against that data store for reporting and alerting. Overall, Tripwire possesses more robust monitoring and compliance features as well as advanced, paid capabilities (e.g., cloud-based scanning, compliance assessment, and more). Simple yet powerful, AIDE is certainly the more barebones of the two offerings.

Score: Tripwire 4, AIDE 3
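The cycle both tools share, and that the AIDE section above describes (regex-selected files, a hash database, a later re-scan compared against it), as an added Python example. This is not AIDE's or Tripwire's code: the rule format, the fixed attribute set and the constructed sample tree are assumptions for illustration; real aide.conf lines attach AIDE's own attribute groups (such as p+i+u+g+sha256) to each selection regex.

```python
"""Minimal AIDE-style integrity baseline and check (added example, not AIDE code)."""
import hashlib
import json
import os
import re
import stat
import tempfile
from pathlib import Path

# Hypothetical selection rules in the spirit of aide.conf: (regex on the path
# relative to the scanned root, action). First match wins; unmatched paths are
# not monitored. Real AIDE rules carry attribute groups instead of this fixed set.
RULES = [
    (r"^etc/.*\.log$", "exclude"),  # noisy files that would trigger on every scan
    (r"^etc/", "monitor"),
    (r"^bin/", "monitor"),
]


def selected(relpath):
    """Apply RULES in order; True if the first matching rule monitors the path."""
    for pattern, action in RULES:
        if re.match(pattern, relpath):
            return action == "monitor"
    return False


def fingerprint(path):
    """Content hash plus the metadata an integrity check should compare."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.lstat()
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),  # whole seconds; attackers can reset it, never rely on it alone
    }


def build_database(root):
    """Walk root, keep the files RULES select, and return {relative path: fingerprint}."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink() or not selected(rel):
                continue
            db[rel] = fingerprint(p)
    return db


def compare(baseline, current):
    """Diff two databases: added/removed paths and, per changed path, which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a fake root, tamper with it, re-scan, and diff."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "bin").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    os.chmod(root / "etc" / "passwd", 0o644)
    (root / "etc" / "app.log").write_text("startup\n")  # excluded by the first rule
    (root / "bin" / "ls").write_bytes(b"\x7fELF original")
    (root / "bin" / "sh").write_bytes(b"\x7fELF shell")

    # Persist the baseline outside the monitored tree; in production it belongs on
    # read-only or offline media so an intruder cannot rewrite it along with the files.
    db_file = Path(tempfile.mkdtemp()) / "aide.db"
    db_file.write_text(json.dumps(build_database(root)))

    # Tampering between scans.
    (root / "bin" / "ls").write_bytes(b"\x7fELF original + backdoor")  # hash and size change
    os.chmod(root / "etc" / "passwd", 0o666)                          # made world-writable
    (root / "etc" / "sudoers").write_text("ALL ALL=(ALL) NOPASSWD: ALL\n")
    (root / "bin" / "sh").unlink()
    (root / "etc" / "app.log").write_text("startup\nmore noise\n")    # ignored: excluded

    baseline = json.loads(db_file.read_text())
    return compare(baseline, build_database(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to print the diff for the constructed scenario. Two details are worth carrying over to a real deployment: the excluded log file never appears in any list, and the chmod shows up as a mode-only change with an unchanged hash, which is exactly the class of tampering a checksum-only tool misses.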

2. Ease of Use

Tripwire offers an enterprise GUI console for visual management while AIDE is strictly CLI-based. That said, Tripwire is notoriously difficult to configure, tune, and maintain, especially when it comes to managing policies and customizations. Aside from its lack of a visual interface, AIDE's plain-text configuration file and database make it fairly straightforward to manage for those with a decent grasp of the command line and regex.

Score: Tripwire 3, AIDE 4

3. Community Support

Tripwire doesn't provide or host any product forums or community portals, only white papers and case studies on its corporate website. Enterprise users are therefore relegated to Reddit or StackExchange for answers. In contrast, AIDE users have several community support resources at their disposal: Aid-devel (current/future AIDE development), the AIDE mailing list, and more. Check out its full range of community support resources on its SourceForge page.

Score: Tripwire 1, AIDE 4

4. Release Rate

Tripwire's release rate is difficult to ascertain from its website: Enterprise is currently on version 8.5, while its open source version hasn't been updated since 2013. AIDE is more transparent about releases, but it is at version 0.16 with a six-year gap between the current and previous stable release (0.15.1, September 10, 2010).

Score: Tripwire 3, AIDE 3

5. Pricing and Support

Tripwire Enterprise's pricing is even more opaque than its release rate; nonetheless, the solution is by any measure prohibitively expensive for non-enterprise shops and SMBs. Additionally, opting for components and add-ons such as cloud-based monitoring and compliance management makes deploying the platform a costly endeavor. Paid support options and professional services are available from the vendor. AIDE is a free, open-source offering with support options available from the project's SourceForge page.

Score: Tripwire 2, AIDE 3

6. API and Extensibility

As stated on the Tripwire website, “scripts and third-party software can use Tripwire Enterprise's SOAP API or command line interface to invoke functionality, including integrity checks, change reconciliation, version promotion, and report generation.” AIDE offers no API out-of-the-box, though, as an open source solution, it can be extended by modifying the source code directly.

Score: Tripwire 4, AIDE 3

7. 3rd Party Integrations

Tripwire integrates with various third-party systems, from change and incident management systems to SIEM solutions (e.g., ServiceNow, Splunk, and Lastline, to name a few). Unfortunately, AIDE offers no third-party integrations out-of-the-box.

Score: Tripwire 4, AIDE 0

8. Companies that Use It

As a longstanding leader in enterprise IDPS/SCM solutions, Tripwire boasts a long and illustrious customer list that includes many of the world's most recognizable brands and Fortune 500s. As a tool for Linux and other Unix-like systems only, AIDE is a popular free option for small or single-host deployments; that said, it's unknown how many or which prominent organizations use it for intrusion detection.

Score: Tripwire (not legible in source), AIDE 2

9. Learning Curve

Both solutions have a steep learning curve in store for non-advanced users; in the case of Tripwire, proper setup/configuration, tuning, and policy refinement is not for the technologically faint of heart. Similarly, AIDE requires moderate proficiency with Linux, the CLI, and other shell-based tools.

 

Score: Tripwire (not legible in source), AIDE 3

10. CSTAR

Tripwire's website scores an average 694 CSTAR score; similarly, AIDE's SourceForge page nets a mediocre 608. Lack of HTTP Strict Transport Security (HSTS), no DNSSEC, and server header information leakage are ailments that plague both websites' perimeter security.
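Two of the three findings named above can be verified from a single captured HTTP response. The following is an added Python example, not UpGuard's CSTAR scanner: it parses a response head, grades the Strict-Transport-Security header (missing, max-age under one year, subdomains not covered) and flags Server or X-Powered-By values that disclose a version. The two sample responses are constructed; DNSSEC is a DNS-side check and is not covered here.

```python
"""Audit HSTS and server-header version leakage from a captured HTTP response (added example)."""
import re

ONE_YEAR = 31536000                    # the usual minimum recommended HSTS max-age
VERSION_RE = re.compile(r"\d+\.\d+")   # matches "Apache/2.4.18", "PHP/5.6.40", ...


def parse_headers(raw):
    """Turn a raw response head into a lower-cased {name: value} dict (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(headers):
    """Findings for Strict-Transport-Security: missing, short max-age, or subdomains uncovered."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or malformed"]
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


def check_server_headers(headers):
    """Flag Server / X-Powered-By values that disclose a product version."""
    return [
        f"{name} header leaks version: {headers[name]}"
        for name in ("server", "x-powered-by")
        if name in headers and VERSION_RE.search(headers[name])
    ]


def audit(raw):
    """All findings for one captured response head, HSTS first."""
    headers = parse_headers(raw)
    return check_hsts(headers) + check_server_headers(headers)


# Constructed responses: a weak configuration beside a hardened one.
WEAK = """HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
X-Powered-By: PHP/5.6.40
Content-Type: text/html

"""
HARDENED = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Type: text/html

"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(raw) or ["no findings"])
```

Pair the audit with `curl -sI https://example.org` on a real host to feed it live headers; the hardened sample shows the shape to aim for, a product name without a version and an HSTS policy of at least a year that covers subdomains.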

[Image: Tripwire website CSTAR report (screenshot).]

[Image: AIDE SourceForge page CSTAR report (screenshot).]

Scoreboard and Summary

                         Tripwire         AIDE
Capability Set           4                3
Ease of Use              3                4
Community Support        1                4
Release Rate             3                3
Pricing and Support      2                3
API and Extensibility    4                3
3rd Party Integrations   4                0
Companies that Use It    (not legible)    2
Learning Curve           (not legible)    3
CSTAR                    694              608
Total                    3.2 out of 5     3 out of 5

While it's true that traditional cybersecurity solutions like endpoint protection tools and IDPS platforms cannot provide comprehensive protection in and of themselves, they nonetheless form a critical layer of an enterprise's layered continuous security framework. UpGuard's resilience platform gives organizations the ability to validate that all IT assets in their environments (Tripwire/AIDE deployments, security devices, switches, IoT devices, web apps, and more) are configured optimally and free from vulnerabilities. Try UpGuard today; it's free for the first 10 nodes.
