Security Basics mailing list archives

Re: What files to watch??


From: Geoffrey Shorter <geoffreyshorter () hotmail com>
Date: 21 May 2003 16:12:36 -0000

In-Reply-To: <Law15-F100zGNsokLQ800000f5e () hotmail com>

Chris:

I'd be most interested in a copy of your scanner, as you have generously 
offered in your post.

Also, there is a free tool for Windows, GFI LANguard System Integrity 
Monitor: http://www.gfi.com/lansim/index.html

We set up the Integrity Monitor on a workstation and a test server. It 
stopped working on the workstation for some reason (a workstation that had 
a server security template applied to it by an overzealous admin, oops!), 
but continues to feed reports from the server.

So, it's worth testing, I think. 

Thanks.

geof
OCPDBA, MCSD, MCSE+I, MCDBA, MCPSB
Server Group Manager
geoffreyshorter () hotmail com




From: "Chris Berry" <compjma () hotmail com>
Subject: What files to watch??
I'm trying to upgrade our security setup, and one of the things we didn't 
have was an integrity scanner (like tripwire).  I looked around and couldn't 
find anything free since we're using windows (well there was a product 
called languardian, but they looked pretty commercial, and I have no budget 
now or later).  Lacking funds and a GPL alternative, I went ahead and wrote a 
scanner using perl and the Digest::Md5 module.  I've got the system working 
and have set it up to run nightly, everything seems to be working fine.  My 
problem is that it's generating WAY too much information, and I don't have 
time to wade through the logs every day trying to see if there is something 
significant in there.  I've cut down some of the chatter by telling it to 
ignore certain files and directories that change a lot, but I'm not sure how 
to proceed from here.  Anyone have a good idea on how to get it to produce 
more usable detections?  By the way, if anyone wants a copy, I'd be happy 
to give them one, I'm releasing it GPL, but be warned it's only alpha 
quality at the moment (though I haven't had any trouble with it).

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates
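The baseline-and-compare approach Chris describes, with the noise handled by rules instead of by reading every line, as an added example in Python (not Chris's Perl scanner, which is not shown in the thread): it hashes a tree with MD5, skips ignore patterns at scan time, and on comparison lists changes under critical paths one per line while only counting the rest. The path patterns and the files created by demo() are constructed for illustration.

```python
import hashlib, os, re, tempfile

# Noise rules (constructed for this example): IGNORE paths are never hashed or
# reported, CRITICAL changes are listed individually, everything else is counted.
IGNORE = [re.compile(p, re.I) for p in (r"(^|[\\/])temp[\\/]", r"\.(log|tmp)$")]
CRITICAL = [re.compile(p, re.I) for p in (r"(^|[\\/])system32[\\/]",
                                          r"\.(exe|dll|sys|bat)$")]

def md5_file(path):
    """MD5 of a file's contents (the same digest Digest::MD5 produces)."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def scan(root):
    """Map each non-ignored regular file under root to its MD5 (the baseline)."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if not any(r.search(rel) for r in IGNORE):
                db[rel] = md5_file(os.path.join(dirpath, name))
    return db

def compare(baseline, current):
    """Diff two path->md5 maps: list critical changes, only count the rest."""
    critical, other = [], {"added": 0, "removed": 0, "modified": 0}
    for path in sorted(set(baseline) | set(current)):
        kind = ("added" if path not in baseline else "removed" if path not in current
                else "modified" if baseline[path] != current[path] else None)
        if kind is None:
            continue  # unchanged: the common case, never reported
        if any(r.search(path) for r in CRITICAL):
            critical.append((kind, path))
        else:
            other[kind] += 1
    return critical, other

def demo():
    """Constructed run: baseline a tree, simulate one night's changes, compare."""
    root = tempfile.mkdtemp()
    def put(rel, data):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f: f.write(data)
    put("System32/kernel.dll", b"v1"); put("Temp/x.tmp", b"junk"); put("data/r.txt", b"a")
    base = scan(root)
    put("System32/kernel.dll", b"v2"); put("Temp/x.tmp", b"more"); put("data/r.txt", b"b")
    put("data/new.txt", b"c")
    return compare(base, scan(root))
```

Calling demo() returns one critical line for the modified kernel.dll plus counts of one added and one modified file elsewhere; the churning Temp file never appears, which is the shape of report a nightly job can actually be read against.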
