[Snort-users] Intrusion S/W detection tools?

Gregor Binder gbinder at ...462...
Thu Mar 22 03:21:38 EST 2001


SWilcoxon at ...1386... on Wed, Mar 21, 2001 at 10:18:08AM -0600:

> What I was thinking is something that can be used after the fact for detection
> for the poor souls that may not be running tripwire or similar products.

I don't think forensics should rely on known signatures and a few basic
heuristic checks. Also, I don't think there is a single easy way to
check (if you want to be sure that is) if a system has been compromised
and what changes the attacker made if you haven't been creating integrity
databases on a regular basis.

The results of the forensic challenge at honeynet should give you some
advice (and time estimates) what you can do. Find them at:

  http://project.honeynet.org/challenge/results/

Be warned that if you thought properly setting up a system was a lot of
work, using the methods described in the participants work will take a
lot longer than that. :)

BTW, pulling a system coredump from a compromised box before you turn it
off can be of good help. I don't think you can do it with out-of-the-box
linux (can you?), but if so, you can use the dump to examine the state
of the system at that point in time on a trusted system with utilities
that the OS provides (ps, netstat, ...). While this will still not show
you modified files, it will help you locate active backdoors and where
they are installed, open ports that shouldn't be open, all that.

greetings,

-- 
Gregor Binder       <gregor.binder at ...462...>      http://sysfive.com/
sysfive.com GmbH               UNIX. Networking. Security. Applications.
PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
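The point above about needing an integrity database created beforehand is easy to see in code. The following is an added illustration, not code from the post or from Tripwire: a minimal baseline-and-compare tool that records SHA-256, size and mode for every regular file under a directory, stores that outside the tree, and later reports what was modified, added or removed. All file names and contents in the demo are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile

# Hypothetical minimal integrity database, written for illustration only.
# It stands in for the "integrity databases" the post says must exist
# before a compromise if you want to know what the attacker changed.


def _digest(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record digest, size and permission bits for each regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            rel = os.path.relpath(path, root)
            baseline[rel] = {
                "sha256": _digest(path),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def save_baseline(baseline, db_path):
    """Persist the baseline as JSON; keep db_path on trusted, read-only media."""
    with open(db_path, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(baseline, root):
    """Re-scan root and report every path whose recorded attributes differ."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new != old:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline a tree, then simulate a trojaned binary and a dropped file."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    with open(os.path.join(bindir, "ps"), "wb") as f:
        f.write(b"original ps\n")
    with open(os.path.join(bindir, "netstat"), "wb") as f:
        f.write(b"original netstat\n")
    # The database lives outside the tree it describes, so it is never
    # mistaken for a new file and cannot be silently rewritten by a walk.
    db_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root), db_path)
    # Simulated compromise: replacement has the SAME size as the original,
    # so only the digest catches it; plus one new file dropped at the root.
    with open(os.path.join(bindir, "ps"), "wb") as f:
        f.write(b"trojaned ps\n")
    with open(os.path.join(root, "backdoor"), "wb") as f:
        f.write(b"bd\n")
    return compare(load_baseline(db_path), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only as trustworthy as the environment it runs in: as the post notes, a compromised kernel or replaced `ps`/`netstat` can lie, so the baseline and the comparison tool should be kept on read-only media and run from a trusted system or boot image rather than from the box under investigation.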