
Re: has chkrootkit caught a problem for anyone?



On Sat, Dec 17, 2005 at 05:43:32PM -0500, Chris Wagner wrote:
> At 02:39 PM 12/16/2005 +1100, Craig Sanders wrote:
> >one of the best tools for intrusion detection is tripwire. it's a minor
> >PITA in that you have to remember to update tripwire's database (and
> >type in your tripwire encryption password) every time you run an upgrade
> >or install new software or libraries or edit any monitored config files
> >but it WILL tell you when a file or program has been modified. well
> >worth the effort to learn and use it.
> 
> Since you mentioned tripwire, I'll jump in here.  Tripwire, indeed any
> on-system IDS, cannot be totally relied on to reveal an attacker.  Once a
> box is compromised, every file on there, including the tripwire executable
> and database, is no longer trustworthy.  A clever hacker just has to scan
> for IDSs and root those as well.  It will, though, catch on to any script
> kiddies, which is mostly what we face anyway.  The truly determined hacker
> almost can't be stopped.  To get a truly trustworthy IDS it has to be
> off-system, meaning CD-ROM executables and DBs or remote inspection of the
> physical disk (the latter for 100% confidence).  Ain't countermeasures fun? :)

That's why we use Osiris. The DB is on the management machine, which is
(at least in our case) dedicated to the task, and heavily IPTabled. I've
not figured out a way to compromise osirisd and not have it fubar the 
local key, which gets reported.

Tim

-- 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home)             ><  Coastal Internet, Inc.          <<
>> Network and Systems Operations   ><  PO Box 726                      <<
>> http://www.buoy.com              ><  Moriches, NY 11955              <<
>> tps@unslept.com/tps@buoy.com     ><  (631)399-2910  (888) 924-3728   <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
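The thread above contrasts a Tripwire database kept on the monitored host with the Osiris model, where the database lives on a separate management machine. As an added example (not code from the original thread, from Tripwire, or from Osiris), the following Python sketch shows the core of such a checker: a file baseline that is sealed with an HMAC under a key held only on the management host, so an intruder who can rewrite files on the monitored box cannot also silently rewrite the baseline. The directory tree, file names and key are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Content hash plus the metadata an integrity checker normally tracks."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root: Path) -> dict:
    """Record every regular file under root, keyed by its relative POSIX path."""
    records = {}
    for p in sorted(root.rglob("*")):
        if not p.is_symlink() and p.is_file():
            records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Canonical JSON followed by an HMAC-SHA256 tag computed with the off-host key."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def open_baseline(blob: bytes, key: bytes) -> dict:
    """Refuse to use a baseline whose tag does not verify under the key."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline HMAC mismatch: baseline altered or wrong key")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> list:
    """Return (path, kind) findings; kind names the fields that differ."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed"))
        elif path not in baseline:
            findings.append((path, "added"))
        elif baseline[path] != current[path]:
            diff = sorted(k for k in baseline[path] if baseline[path][k] != current[path][k])
            findings.append((path, "changed:" + ",".join(diff)))
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then modify it the way an intruder might."""
    key = b"management-host-secret"  # hypothetical; the real key never lives on the monitored host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sbin").mkdir()
        (root / "etc").mkdir()
        (root / "sbin" / "login").write_bytes(b"#!/bin/sh\nexec /bin/true\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        os.chmod(root / "etc" / "passwd", 0o644)
        sealed = seal_baseline(build_baseline(root), key)  # would be shipped to the management host

        # Intruder trojans a binary, drops a new file, and loosens a config file's mode.
        (root / "sbin" / "login").write_bytes(b"#!/bin/sh\nexec /tmp/.x/login\n")
        (root / "sbin" / "backdoor").write_bytes(b"\x7fELF")
        os.chmod(root / "etc" / "passwd", 0o666)
        findings = compare(open_baseline(sealed, key), build_baseline(root))

        # Intruder edits the stored baseline to hide the changes: the tag no longer verifies.
        forged = bytearray(sealed)
        forged[0] ^= 0x01
        try:
            open_baseline(bytes(forged), key)
            forgery_detected = False
        except ValueError:
            forgery_detected = True
    return {"findings": findings, "forgery_detected": forgery_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC only makes the baseline tamper-evident; it does not protect the scanner itself, which is Chris's point about on-system IDS. In the Osiris arrangement the comparison and the key sit on the management host and the monitored host only ships hash records, which is what this sketch models by keeping the key out of the scanned tree.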
