[SUMMARY] Info/suggestions on Tripwire (commercial vs. open-source)

Wanted info on the differences between the commercial
(www.tripwire.com) and open-source (www.tripwire.org)
versions of tripwire.

Turns out there is a third version, called Tripwire-ASR
(Academic Source Release), which will compile on most UNIX
systems. The open-source version is for Linux only. The
commercial version runs on many flavors of UNIX and Windows,
and they even have support for routers and network devices.

People generally favored the free version because:

  1) Have used it for years, no serious problems. It works.
  2) Free
  3) Open-source support and availability/scrutinizability of code
The advantages of the commercial version:

  1) Commercial support
  2) Management software available to make it much easier to
     monitor many systems simultaneously. One comment that this
     was not very impressive.
  3) Support for Windows.
  4) Added features. See the following for a feature comparison 
     between the commercial and ASR version:

Disadvantages to the commercial version:

  1) Commercial support!
  2) PRICE (100 servers and management software runs about $60,000)
One person suggested AIDE. The website claims it does more than
Tripwire, but lists two people as its "support". This version may
be more snazzy now, but I think I'll stick with Tripwire.


General comments:

  1) Default configurations were lacking, you should do some serious
     customization or you will get lots of "false-positives", and
     more seriously important files/dirs will not be checked.
  2) Use YASSP or JASSP for securing systems initially.
  3) The Tripwire salesdroids seem to like telling people that
     the open-source version is for Linux only; apparently they
     don't remember the academic version that you can download from
     their own website!
  4) Price isn't an issue?  Are you all hiring? :) 
Thanks to:

Steve Mickeler
Jennifer Stults
Christopher L. Barnard
Mike Salehi
Thomas M. Payerle
Vern Kyle
Roy Rapoport

> Looking to install Tripwire on our systems, and noticed both
> an open-source (www.tripwire.org) and commercial (www.tripwire.com)
> version.
> Can anyone provide information on the differences between these
> products...gotchas...suggestions...horror stories?
> Price isn't really an issue, but if we can get what we need from
> a free product that always makes my boss happy!
> Thanks, and of course I'll summarize.
> Dave

