[Snort-users] Intrusion S/W detection tools?
Andrew R. Baker
andrewb at ...1150...
Wed Mar 21 12:40:49 EST 2001
There are lots of simple commands you can use depending on how good the
was. Using find to locate directories that should not exist and files
have been changed recently. Comparing output of ps against /proc (only
in linux), etc.
These are very rudimentary and will not find some rootkits, but they
still work well
in the general case. As far as pre-built tools, I have not used any. I
writing more scripts ;)
SWilcoxon at ...1386... wrote:
> Allow me to clarify a little more.
> What I was think is something that can be used after the fact for detection
> for the poor soles that may not be running tripwire or similar products.
> I'm just thinking of all the Linux users that didn't think they needed to do
> something like that and aren't sure if they were compromised or not.
> I agree that some detection can be done using RPM to see if a normal file
> was installed. But other tools create their own executables. Those users
> wouldn't know where to look to see if they were compromised.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users