IDS mailing list archives

Re: rootkit and trojan hunting


From: "Return C" <return.c () gmail com>
Date: Tue, 1 Apr 2008 15:58:27 +0530

hi Terry,
             I am currently coding this tool using gcc, MySQL and
OpenSSL. I use the MySQL server for the database and OpenSSL for crypto-related
functions.
             For storing hashes I have two solutions. One, I will
follow the same approach as tripwire, i.e. storing the hashes in encrypted
format (basically encrypting the SQL fields) and keeping them on non-writable
media (like a CD-ROM). Second, I will bind the database details along
with the binary (a.out) of the hashing engine, so that my tool will
have the executable binary as well as the hash values. I will not
store these hash values anywhere else in the fs.
            Also I would like to give web interface functionality for
the alerts and monitoring (like ACID). I can code this in PHP. The only
thing is, the server needs to open an Apache server. Since this would
not be a good solution, as it means opening MySQL and Apache servers on a
production server, I am planning to implement it as a centralized
database server, an isolated web console and agents which will capture
and monitor systems. But once I started to think about all this, it looks
like a big product and the code base grows more than I ever dreamt
of!
           But anyway I will do this as I enjoy coding in Linux, C and ASM :)

return C;
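The integrity-checking design sketched in the message above (a hashing engine plus a protected hash database, compared against the live filesystem to flag modified, added and removed files) as an added example in Python; this is not the author's code. It assumes a SHA-256 baseline sealed with an HMAC under a key that is kept off the host (standing in for the encrypted, read-only storage the message describes), and it constructs its own sample files in a temporary directory, so it runs offline. The filenames, key and file contents are invented for the demonstration.

```python
"""Minimal tripwire-style file-integrity check (added example, not the tool
described in the thread). A baseline of per-file SHA-256 hashes is sealed
with an HMAC so that an attacker who can write the hash database cannot
silently rewrite it; the key is assumed to live on read-only/off-host media."""
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Stream a file through the chosen digest and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record hash, mode and size for every regular file.
    Paths are stored relative to root with '/' separators."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            st = os.lstat(p)
            baseline[rel] = {"sha256": hash_file(p),
                             "mode": st.st_mode, "size": st.st_size}
    return baseline


def seal_baseline(baseline, key):
    """Serialize deterministically and attach an HMAC-SHA256 tag."""
    blob = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, blob, "sha256").hexdigest()
    return {"db": blob.decode(), "hmac": tag}


def open_baseline(sealed, key):
    """Verify the tag before trusting the stored hashes; refuse on mismatch."""
    blob = sealed["db"].encode()
    expect = hmac.new(key, blob, "sha256").hexdigest()
    if not hmac.compare_digest(expect, sealed["hmac"]):
        raise ValueError("baseline HMAC mismatch: database tampered or wrong key")
    return json.loads(blob)


def check(root, baseline):
    """Compare the live tree against a trusted baseline."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, rec in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != rec:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed scenario: clean run, then a trojaned binary, a planted
    file, a deleted file, and an attacker editing the hash DB without the key."""
    key = b"example-key-kept-on-read-only-media"  # constructed for the demo
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ELF original ls\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        sealed = seal_baseline(build_baseline(root), key)
        clean = check(root, open_baseline(sealed, key))

        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ELF trojaned ls\n")          # rootkit replaces ls
        with open(os.path.join(root, "bin", ".rootkit"), "wb") as f:
            f.write(b"dropped payload")              # new hidden file
        os.remove(os.path.join(root, "passwd"))      # file removed
        after = check(root, open_baseline(sealed, key))

        # Attacker rewrites the stored hashes to match the trojaned tree but
        # cannot recompute the HMAC without the key: the forgery is rejected.
        forged = {"db": json.dumps(build_baseline(root), sort_keys=True,
                                   separators=(",", ":")),
                  "hmac": sealed["hmac"]}
        try:
            open_baseline(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"clean": clean, "after": after, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC protects integrity of the stored hashes, not their secrecy; if the hashes must also be hidden (the message's "encrypted fields"), wrap the sealed blob in an authenticated cipher with a key stored the same way. Whatever the storage, the check is only as trustworthy as the binary that runs it and the kernel it runs on, which is why the agent binary itself needs to be on read-only media or verified from a clean boot.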
