[Snort-users] Intrusion S/W detection tools?

shawn . moyer shawn at ...1184...
Wed Mar 21 12:06:22 EST 2001

SWilcoxon at ...1386... wrote:
> What I was thinking is something that can be used after the fact for detection
> for the poor souls that may not be running tripwire or similar products.

Sorta like the poor souls who forgot to update their Bind, Sendmail,
Apache, etc.? They got 0wned. Sorry.

> I agree that some detection can be done using RPM to see if a normal file
> was installed. But other tools create their own executables. Those users
> wouldn't know where to look to see if they were compromised.

Those users shouldn't be putting Unix servers on the Internet, and their
vendors shouldn't be shipping OS's that are insecure by default. Anyway,
Chris Green posted a link for rkdet, which may do the trick. 

But for the most part (I know I sound unsympathetic -- I am), if you
drive without a seatbelt, and you go through the windshield, I feel bad
for you, but the best measures for a case like that are always
preventive and not after-the-fact. I can tell you how fast you were
going, how hard you hit the glass, and even fix the windshield, but if
you had your seatbelt on in the first place, you'd be a lot better off. 



