[Snort-users] Intrusion S/W detection tools?

Franck Veysset franck.veysset at ...1629...
Wed Mar 21 12:55:46 EST 2001


I don't want to play the devil's advocate, but that's why my car has
good seatbelts and airbags... :-)

If you don't (that's bad) use tripwire or similar crypto tools,
check this one...
http://www.hsc.fr/ressources/outils/rkscan/index.html.en

rkscan might be for you.
rkscan is a kernel-module rootkit scanner for Linux; it detects
Adore (v0.14, v0.2b and v0.24) and knark (v0.59).

-Franck

"shawn . moyer" wrote:
> 
> SWilcoxon at ...1386... wrote:
> 
> > What I was thinking of is something that can be used after the fact for detection
> > for the poor souls that may not be running tripwire or similar products.
> 
> Sorta like the poor souls who forgot to update their Bind, Sendmail,
> Apache, etc.? They got 0wned. Sorry.
> 
> > I agree that some detection can be done using RPM to see if a normal file
> > was installed. But other tools create their own executables. Those users
> > wouldn't know where to look to see if they were compromised.
> 
> Those users shouldn't be putting Unix servers on the Internet, and their
> vendors shouldn't be shipping OS's that are insecure by default. Anyway,
> Chris Green posted a link for rkdet, which may do the trick.
> 
> But for the most part (I know I sound unsympathetic -- I am), if you
> drive without a seatbelt, and you go through the windshield, I feel bad
> for you, but the best measures for a case like that are always
> preventive and not after-the-fact. I can tell you how fast you were
> going, how hard you hit the glass, and even fix the windshield, but if
> you had your seatbelt on in the first place, you'd be a lot better off.
> 
> --shawn
> 
> --
> 
> s h a w n   m o y e r
> shawn at ...1184...
> 
> The universe did not invent justice; man did.
> Unfortunately, man must reside in the universe.
> 
>                                         -- Zelazny
-- 
Franck Veysset  E-mail: franck.veysset at ...1629...
http://www.INTRANODE.com  -  Tel: +33 (0)2 23 45 55 04
            -- Security Lab Engineer --

      O   ascii ribbon campaign against html
      |\    email and Microsoft attachments.