[Snort-users] Intrusion S/W detection tools?
franck.veysset at ...1629...
Wed Mar 21 12:55:46 EST 2001
I don't want to play the devil's advocate, but that's why my car has
good seatbelts and airbags... :-)
If you don't (that's bad) use tripwire, or similar crypto tools,
check this one...
rkscan might be for you.
rkscan is a kernel-based module rootkit scanner for Linux; it detects
Adore (v0.14, v0.2b and v0.24) and knark (v0.59).
"shawn . moyer" wrote:
> SWilcoxon at ...1386... wrote:
> > What I was thinking of is something that can be used after the fact for detection
> > for the poor souls that may not be running tripwire or similar products.
> Sorta like the poor souls who forgot to update their Bind, Sendmail,
> Apache, etc.? They got 0wned. Sorry.
> > I agree that some detection can be done using RPM to see if a normal file
> > was installed. But other tools create their own executables. Those users
> > wouldn't know where to look to see if they were compromised.
> Those users shouldn't be putting Unix servers on the Internet, and their
> vendors shouldn't be shipping OS's that are insecure by default. Anyway,
> Chris Green posted a link for rkdet, which may do the trick.
> But for the most part (I know I sound unsympathetic -- I am), if you
> drive without a seatbelt, and you go through the windshield, I feel bad
> for you, but the best measures for a case like that are always
> preventive and not after-the-fact. I can tell you how fast you were
> going, how hard you hit the glass, and even fix the windshield, but if
> you had your seatbelt on in the first place, you'd be a lot better off.
> s h a w n m o y e r
> shawn at ...1184...
> The universe did not invent justice; man did.
> Unfortunately, man must reside in the universe.
> -- Zelazny
Franck Veysset E-mail: franck.veysset at ...1629...
http://www.INTRANODE.com - Tel: +33 (0)2 23 45 55 04
-- Security Lab Engineer --
O ascii ribbon campaign against html
|\ email and Microsoft attachments.