Re: has chkrootkit caught a problem for anyone?
On Sat, Dec 17, 2005 at 05:43:32PM -0500, Chris Wagner wrote:
> At 02:39 PM 12/16/2005 +1100, Craig Sanders wrote:
> >One of the best tools for intrusion detection is tripwire. It's a minor
> >PITA in that you have to remember to update tripwire's database (and
> >type in your tripwire encryption password) every time you run an upgrade
> >or install new software or libraries or edit any monitored config files,
> >but it WILL tell you when a file or program has been modified. Well
> >worth the effort to learn and use it.
>
> Since you mentioned tripwire, I'll jump in here. Tripwire, indeed any
> on-system IDS, cannot be totally relied on to reveal an attacker. Once a
> box is compromised, every file on there, including the tripwire executable
> and database, is no longer trustworthy. A clever hacker just has to scan
> for IDSes and root those as well. It will, though, catch on to any script
> kiddies, which is mostly what we face anyway. The truly determined hacker
> almost can't be stopped. To get a truly trustworthy IDS it has to be
> off-system, meaning CD-ROM executables and DBs, or remote inspection of the
> physical disk (the latter for 100% confidence). Ain't countermeasures fun? :)
That's why we use Osiris. The DB is on the management machine, which is
(at least in our case) dedicated to the task, and heavily IPTabled. I've
not figured out a way to compromise osirisd and not have it fubar the
local key, which gets reported.
Tim
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home) >< Coastal Internet, Inc. <<
>> Network and Systems Operations >< PO Box 726 <<
>> http://www.buoy.com >< Moriches, NY 11955 <<
>> tps@unslept.com/tps@buoy.com >< (631)399-2910 (888) 924-3728 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
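As an added illustration (not code from this thread, nor from Tripwire or Osiris), here is a minimal Python file-integrity check that demonstrates the point made above: a baseline kept on the monitored host can be re-baselined along with the tampered files, while a copy held on a separate management host still reports the change. The directory contents and the "intruder" step are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root: a minimal tripwire/osiris-style baseline."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree under root with a baseline; return {path: status} for differences only."""
    current = build_manifest(root)
    findings = {}
    for rel in baseline.keys() | current.keys():
        if rel not in current:
            findings[rel] = "missing"
        elif rel not in baseline:
            findings[rel] = "added"
        elif baseline[rel] != current[rel]:
            findings[rel] = "modified"
    return findings


def demo() -> tuple:
    """Simulate the two scenarios from the thread; return (on-host findings, off-host findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary")      # constructed sample file
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")       # constructed sample file
        # Same baseline, stored in two places: on the monitored box and on the management box.
        on_host_baseline = build_manifest(root)
        off_host_baseline = dict(on_host_baseline)
        # A file on the monitored box is modified after the baseline was taken...
        (root / "bin" / "ls").write_bytes(b"replaced binary")
        # ...and the local database, being just another writable file on that box, is
        # regenerated too, so the local copy no longer remembers the original hash.
        on_host_baseline = build_manifest(root)
        local_findings = verify(root, on_host_baseline)     # sees nothing
        remote_findings = verify(root, off_host_baseline)   # still flags bin/ls
    return local_findings, remote_findings
```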