[Snort-users] Intrusion S/W detection tools?

Andrew R. Baker andrewb at ...1150...
Wed Mar 21 12:40:49 EST 2001


There are lots of simple commands you can use depending on how good the
hacker was.  Using find to locate directories that should not exist and
files that have been changed recently.  Comparing output of ps against
/proc (only in linux), etc.  These are very rudimentary and will not find
some rootkits, but they still work well in the general case.  As far as
pre-built tools, I have not used any.  I just keep writing more scripts ;)

-A

SWilcoxon at ...1386... wrote:
> 
> Allow me to clarify a little more.
> 
> What I was thinking is something that can be used after the fact for detection
> for the poor souls that may not be running tripwire or similar products.
> 
> I'm just thinking of all the Linux users that didn't think they needed to do
> something like that and aren't sure if they were compromised or not.
> 
> I agree that some detection can be done using RPM to see if a normal file
> was installed. But other tools create their own executables. Those users
> wouldn't know where to look to see if they were compromised.
> 
> S.W.
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
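The two checks Andrew sketches (find for recently changed files, ps compared against /proc), written out as an added shell example that is not part of the original thread; the directory list in the usage comment is an assumption, not something either poster specified.

```shell
#!/bin/sh
# Added example, not from the original thread: the two rudimentary checks
# Andrew describes, as POSIX sh functions. Run them as root on the host
# you are examining; the directory list at the bottom is an assumption.

# Regular files under the given directories modified within the last N days.
# Fresh binaries, edited configs or a newly created directory's contents
# show up here; a rootkit that resets timestamps will not.
recently_changed() {
    days="$1"; shift
    find "$@" -xdev -type f -mtime "-$days" 2>/dev/null | sort
}

# Set difference: PIDs present in the first whitespace-separated list
# but absent from the second.
pids_not_in() {
    for pid in $1; do
        found=0
        for seen in $2; do
            if [ "$pid" = "$seen" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$pid"; fi
    done
}

# Processes that exist as /proc/<pid> but are missing from ps output.
# A replaced ps binary can omit a process; the kernel still lists it in
# /proc. Linux only.
hidden_pids() {
    # Snapshot /proc first with a shell glob (no child process is spawned,
    # so nothing we start can show up as a false "hidden" PID), then ps.
    proc_list=""
    for d in /proc/[0-9]*; do proc_list="$proc_list ${d#/proc/}"; done
    ps_list=$(ps -e -o pid=)
    # Caveat: a process that exited between the two snapshots looks hidden,
    # so only report PIDs that are still present in /proc afterwards.
    for pid in $(pids_not_in "$proc_list" "$ps_list"); do
        if [ -d "/proc/$pid" ]; then echo "$pid"; fi
    done
}

# Example invocation (directories are an assumption, adjust to the host):
# recently_changed 2 /bin /sbin /usr/bin /usr/sbin /lib /etc
# hidden_pids
```

Like Andrew says, a rootkit that patches the kernel rather than ps will defeat the /proc comparison, and timestamp resets defeat the find check, so treat an empty result as "nothing obvious", not as a clean bill of health.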
