IDS mailing list archives

RE: can tripwire be used for sensor integrity???


From: "Matt Foster" <matt.foster () blade-software com>
Date: Mon, 23 Feb 2004 09:39:11 -0000

A simple way to determine if your network IDS or IPS has been tampered with
would be to define a series of attacks which you know should be alerted on and
then run them from a defined source IP on a regular basis. The information can
be filtered out, and then you could be alerted if you do not see the results you
expect to.

We have lots of users who use IDS Informer in this way to ensure that the $$
investment they have made in an IDS or IPS deployment is protected and they are
not caught out by a sensor going offline without knowing.

Matt

_____________________________________
Matt Foster
Blade-Software Inc.
www.blade-software.com
Security Verification Management Solutions
______________________________________
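The canary scheme described above, as an added example that is not from the poster or from IDS Informer: a fixed source IP (TEST-NET-1, hypothetical) is expected to trigger a known set of rule SIDs, the canary alerts are filtered out of the operational stream, and any expected SID that did not fire inside the check window is reported. The alert lines are constructed in a simplified Snort-style "fast" format.

```python
"""Canary check for an IDS sensor: known test alerts are expected from a
fixed source IP; their absence signals a sensor that is down or tampered with."""
import re
from datetime import datetime

# Hypothetical canary source IP (TEST-NET-1) and the rule SIDs it must trigger.
CANARY_SRC = "192.0.2.10"
EXPECTED_SIDS = {1000001, 1000002, 1000003}

# Constructed sample alerts in a simplified Snort-style "fast" format.
# The third line carries a canary SID but comes from a non-canary source.
SAMPLE_ALERTS = """\
02/23-09:00:01.123456 [**] [1:1000001:1] CANARY web probe [**] 192.0.2.10:40000 -> 198.51.100.5:80
02/23-09:00:02.654321 [**] [1:1000002:1] CANARY ping sweep [**] 192.0.2.10 -> 198.51.100.5
02/23-09:01:00.000000 [**] [1:1000003:1] CANARY dns probe [**] 203.0.113.7:5353 -> 198.51.100.5:53
02/23-09:05:10.000000 [**] [1:2000001:1] SSH brute force [**] 203.0.113.7:1234 -> 198.51.100.5:22
""".splitlines()

ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\] "
    r"(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> ")

def parse_alert(line, year=2004):
    """Return (timestamp, sid, message, src_ip) for one alert line, else None."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
    return ts, int(m.group(3)), m.group(5), m.group(6)

def split_canary(lines, canary_src=CANARY_SRC):
    """Filter canary alerts out of the operational stream; return (canary, real)."""
    canary, real = [], []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        (canary if rec[3] == canary_src else real).append(rec)
    return canary, real

def missing_canaries(lines, start=None, end=None, expected=EXPECTED_SIDS, canary_src=CANARY_SRC):
    """SIDs that should have fired from canary_src within [start, end] but did not.
    A non-empty result means the sensor is offline, blind, or tampered with."""
    canary, _ = split_canary(lines, canary_src)
    seen = {sid for ts, sid, _, _ in canary
            if (start is None or start <= ts) and (end is None or ts <= end)}
    return set(expected) - seen

if __name__ == "__main__":
    gap = missing_canaries(SAMPLE_ALERTS)
    print("ALERT: sensor missed canary SIDs", sorted(gap) if gap else "none")
```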



-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: 03 February 2004 16:27
To: 'Gaurav_Jindal'; focus-ids () securityfocus com
Subject: RE: can tripwire be used for sensor integrity???


Keep one thing in mind: tripwire does not detect LKM trojans or tampering.
There are tools to deal with this; fnord was the first, I believe, but may
be too narrowly designed for mass consumption, if I correctly remember what
the creators said at BlackHats '01. Still, they clearly delineate the nature
of kernel integrity protection.

http://www.synacklabs.net/projects/fnord/

-----Original Message-----
From: Gaurav_Jindal [mailto:gaurav_jindal () da-iict org]
Sent: Sunday, February 01, 2004 11:28 AM
To: focus-ids () securityfocus com
Subject: can tripwire be used for sensor integrity???



I got to know that tripwire could work to find out the integrity; can
it be used for integrity of sensors?
As what I read from tripwire:

Tripwire creates a 'secure' (normally kept on a read-only disk/diskette
along w/ the tripwire executable) database of file and directory
attributes (including, if you want, complex MD5 and snefru signatures)
which then can be used to compare against to see if a file or directory
has changed somehow. If a cracker has broken in and replaced
your /bin/date file w/ a trojan horse version, tripwire will let you
know.

Do let me know if someone has used some kind of stuff like this for IDS
sensors to find attacks in a distributed environment?

Thanking you,
With Regards,
Gaurav Jindal

