Security Basics mailing list archives

Re: What files to watch??


From: "Chris Berry" <compjma () hotmail com>
Date: Thu, 22 May 2003 11:41:37 -0700

From: H Carvey <keydet89 () yahoo com>
>> Lacking funds and a GPL alternative, I went ahead and wrote a
>> scanner using perl and the Digest::Md5 module.
> I'd like to applaud your initiative.  I've done the same, and have
> written some pretty cool monitoring and analysis tools, in Perl for
> the Win32 systems.

I'd be happy to trade, I've also written a software inventory system that queries the registry of all the machines listed in DNS and returns a report of all the programs we have installed network wide.

>> Anyone have a good idea on how to get it to produce
>> more useable detections?
> Well, that really sort of depends on your
> infrastructure, policies, etc., doesn't it?

We're small enough that I'm the one who makes those decisions and I'm still in the process of creating them, any suggestions?

> However, here are some things you might consider:
>
> 1.  Malware tends to target files in %WINDIR%, as well
> as the system32 directory.

That's what tripwire does, I was thinking of maybe creating some sort of statistical analysis/database combo instead.

> 2.  Something to add to the monitoring program might be
> checking of the contents of the Run key, as well as others.

Not up to checking registry keys yet, trying to get useful file monitoring first.

> 3.  You might consider explicitly looking at
> application files, such as those located in the Program
> Files directory.

Right now it checks everything, then filters out stuff I don't want to look at.

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"All I want is a few minutes alone with the source code for the universe and a quick recompile."
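A minimal version of the hash-based scanner this thread is about, written here as an added Python example (it is not the original poster's or Harlan's Perl code): it baselines a tree with MD5, diffs two scans into added/modified/removed, drops files that churn constantly, and lists hits under the directories Harlan names (%WINDIR%, system32, Program Files) ahead of everything else. The directory names, the sample tree and the changes made to it are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Usual targets from the thread (constructed names standing in for %WINDIR%, system32, Program Files).
HIGH_VALUE_PREFIXES = ("WINDOWS/", "Program Files/")
IGNORE_SUFFIXES = (".log", ".tmp")  # churn that would otherwise swamp the report

def md5_file(path):
    """MD5 of a file, read in chunks so large binaries never land in memory whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Map relative path -> MD5 for every file under root, minus ignored suffixes."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): md5_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() not in IGNORE_SUFFIXES
    }

def compare(old, new):
    """Diff two scans; each list is sorted with high-value directories first."""
    rank = lambda p: (0 if p.startswith(HIGH_VALUE_PREFIXES) else 1, p)
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys(), key=rank),
        "modified": sorted((p for p in common if old[p] != new[p]), key=rank),
        "removed": sorted(old.keys() - new.keys(), key=rank),
    }

def demo():
    """Constructed scenario: scan a fake tree, change it, and diff the two scans."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        files = {"WINDOWS/system32/kernel32.dll": b"A" * 100, "Program Files/App/app.exe": b"B" * 100,
                 "Users/chris/notes.txt": b"hello", "WINDOWS/setup.log": b"noise"}
        for rel, data in files.items():
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_bytes(data)
        before = baseline(tree)
        (tree / "WINDOWS/system32/unexpected.dll").write_bytes(b"C" * 50)  # new file in system32
        (tree / "Program Files/App/app.exe").write_bytes(b"B" * 99 + b"!")  # changed binary
        (tree / "WINDOWS/setup.log").write_bytes(b"more noise")  # churn, filtered out
        (tree / "Users/chris/notes.txt").unlink()  # deleted, low priority
        return compare(before, baseline(tree))
```

Run `demo()` to see the three lists; the log file change never appears, and the system32 hit sorts ahead of the deleted user file.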
