Firewall Wizards mailing list archives
Re: FW: OK, I've been hacked, now what?
From: Cohen Liota <cohen_liota () securecomputing com>
Date: Thu, 13 May 1999 17:20:16 -0400
Tripwire on various unices is typically run as a cron job every week, day, or whatever number of hours the admin feels is practical for them to monitor. By "everyday system usage" do you mean changing config files on a daily basis (on unix say, /etc/resolv.conf or on NT a system driver in WINNT\system32\)? I personally haven't tried the version for NT although I would very much like to.

As far as being able to intelligently distinguish between authorized user behavior versus an unauthorized user with malicious intent, tripwire can't do that just yet. Take for example the following scenario: an attacker will typically sniff a user id and passwd pair as someone is logging into a server using clear text and now have access to the server where tripwire is installed; all of the subsequent changes to system files, like that new 0:0 entry in /etc/passwd, could potentially be ignored if this was trusted by tripwire to do no harm.

Tripwire will notify the admin whenever it runs and finds a file with a different checksum and signature than what is in its latest build of the tripwire database, and fortunately it is anomaly based so you don't get 5000 lines of "files match". You will get "sendmail.cf has changed" and it's up to the admin to remember or document if they made any changes to it. Also keep the database tripwire generates on read only media.

Tripwire is available for unices and there is supposed to be a version for NT from http://www.tripwiresecurity.com/

Cheers,
Cohen

At 06:40 PM 5/12/99 +0100, you wrote:
> I assume that Tripwire tracks changes to files. How does it distinguish between normal, everyday system usage and unauthorised access? Is it available for NT Server 4, NT Workstation 4, DEC Unix, Solaris?
>
> Kevin Sheldrake
> CCIS Prototypes and Demonstrations
> British Aerospace Defence Systems
> [+44 | 0] 1202 408035, kevin.sheldrake () baedsl co uk
--
Cohen Liota
Information Security Specialist
Secure Computing Corporation
416.815.3041 - v
416.815.3001 - f
cohen_liota () securecomputing com
http://www.securecomputing.com/
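The mechanism Cohen describes (build a baseline database of file checksums and attributes, re-walk the tree from cron, and report only the files that differ) is easy to see in a small script. The following is an added illustration written for this archive page, not Tripwire's own code: it uses SHA-256 plus mode, owner, group and size in place of Tripwire's signature set, stores the baseline as JSON, and runs against a constructed temporary "etc" directory in which a new 0:0 passwd entry, an admin edit to resolv.conf, a new file and a deleted file are simulated. Modification time is deliberately left out of the record so that an admin merely touching a file does not trigger a report.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record, for every regular file, the attributes an
    intruder would have to alter: content hash, permission bits, uid, gid, size."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):  # skip symlinks and special files
            continue
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {
            "sha256": hash_file(path),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "size": st.st_size,
        }
    return baseline


def compare(baseline, current):
    """Anomaly-only report: added, removed and changed files, and for each
    changed file the attributes that differ. Unchanged files are not listed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline, db_path):
    # In real use the database file goes on read-only media, as the post advises.
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)


def demo():
    """Constructed scenario (hypothetical files, not from any real system)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nkevin:x:1000:1000::/home/kevin:/bin/sh\n"
        )
        (root / "resolv.conf").write_text("nameserver 192.0.2.53\n")
        (root / "sendmail.cf").write_text("# constructed placeholder config\n")
        db = Path(tmp) / "integrity.db"
        save_baseline(build_baseline(root), db)

        # Later: the new 0:0 entry from the post, an admin DNS edit, a new
        # file and a deleted file. Each shows up differently in the report.
        with open(root / "passwd", "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "resolv.conf").write_text("nameserver 192.0.2.54\n")
        (root / "hosts.allow").write_text("ALL: ALL\n")
        (root / "sendmail.cf").unlink()

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the report names hosts.allow as added, sendmail.cf as removed, passwd as changed in hash and size, and resolv.conf as changed in hash only; it is then up to the admin, exactly as the post says, to recall whether the resolv.conf edit was theirs. The script cannot tell an authorised edit from a hostile one; its value is that the baseline was taken before the change and kept where the intruder cannot rewrite it.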