Firewall Wizards mailing list archives

Re: FW: OK, I've been hacked, now what?


From: Cohen Liota <cohen_liota () securecomputing com>
Date: Thu, 13 May 1999 17:20:16 -0400

Tripwire on various unices is typically run as a cron job every week, day, or whatever number of hours the admin feels is practical for them to monitor. By "everyday system usage" do you mean changing config files on a daily basis (on Unix, say, /etc/resolv.conf, or on NT a system driver in WINNT\system32\)? I personally haven't tried the version for NT although I would very much like to.

As far as being able to intelligently distinguish between authorized user behavior versus an unauthorized user with malicious intent, tripwire can't do that just yet. Take for example the following scenario: an attacker will typically sniff a user id and passwd pair as someone is logging into a server using clear text and now has access to the server where tripwire is installed; all of the subsequent changes to system files, like that new 0:0 entry in /etc/passwd, could potentially be ignored if this user was trusted by tripwire to do no harm.

Tripwire will notify the admin whenever it runs and finds a file with a different checksum and signature than what is in its latest build of the tripwire database, and fortunately it is anomaly-based so you don't get 5000 lines of "file matches". You will get "sendmail.cf has changed" and it's up to the admin to remember or document if they made any changes to it. Also keep the database tripwire generates on read-only media.

Tripwire is available for unices and there is supposed to be a version for NT from http://www.tripwiresecurity.com/

Cheers,
Cohen

At 06:40 PM 5/12/99 +0100, you wrote:
> I assume that Tripwire tracks changes to files. How does it distinguish between normal, everyday system usage and unauthorised access? Is it available for NT Server 4, NT Workstation 4, DEC Unix, Solaris?

Kevin Sheldrake
CCIS Prototypes and Demonstrations
British Aerospace Defence Systems
[+44 | 0] 1202 408035, kevin.sheldrake () baedsl co uk


--
Cohen Liota                             
Information Security Specialist         416.815.3041 - v
Secure Computing Corporation            416.815.3001 - f
cohen_liota () securecomputing com              http://www.securecomputing.com/
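The workflow Cohen describes (a signature database taken as a baseline, a periodic re-check that reports only files whose signature no longer matches, and the new 0:0 entry in /etc/passwd as the thing you hope to catch), as an added Python illustration that is not Tripwire's code and not part of the original post; the file contents and the temporary directory it scans are constructed for the example:

```python
# Added example (not Tripwire's code): Tripwire-style baseline/compare of file
# signatures, reporting only anomalies, plus the "new 0:0 /etc/passwd" check.
import hashlib
import tempfile
from pathlib import Path

def file_signature(path: Path) -> dict:
    """Checksum plus size and mode, roughly what Tripwire records per file."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}

def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its signature."""
    return {p.relative_to(root).as_posix(): file_signature(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, root: Path) -> dict:
    """Anomaly-only report: files whose signature still matches produce nothing."""
    current = build_baseline(root)
    return {"changed": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}

def extra_uid0_accounts(passwd_text: str) -> list:
    """Names of passwd entries with uid 0 that are not root (the 0:0 entry case)."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2] == "0" and f[0] != "root":
            hits.append(f[0])
    return hits

def demo() -> dict:
    """Constructed scenario: take a baseline, then a uid-0 user is appended to passwd."""
    root = Path(tempfile.mkdtemp())
    etc = root / "etc"
    etc.mkdir()
    (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (etc / "resolv.conf").write_text("nameserver 192.0.2.1\n")  # constructed, stays unchanged
    baseline = build_baseline(root)  # in practice, store this on read-only media
    with (etc / "passwd").open("a") as fh:
        fh.write("toor:x:0:0::/:/bin/sh\n")  # the unauthorised 0:0 entry from the post
    report = compare(baseline, root)
    report["uid0"] = extra_uid0_accounts((etc / "passwd").read_text())
    return report  # changed == ["etc/passwd"], uid0 == ["toor"]

if __name__ == "__main__":
    print(demo())
```

The unchanged resolv.conf produces no line in the report, which is the anomaly-only behaviour the post contrasts with "5000 lines of files match".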


