IDS mailing list archives

Re: rootkit and trojan hunting


From: "Zow" Terry Brugger <zow () acm org>
Date: Wed, 26 Mar 2008 11:34:33 -0700

    I am developing a small host integrity scanner / checker to hunt
    rootkits and trojans. Of course, I need to add more methods /
    techniques to detect. I am currently hashing out important files like
    the kernel, the /boot dir and System.map files. Is there any other
    possible way to code it better? Any other suggestion would be really
    helpful in my coding.

Don't reinvent the wheel -- just use Tripwire.
http://sourceforge.net/projects/tripwire/ for the open source version,
or http://www.tripwire.com/products/ for the commercial version if you
need something beefier. Based on what you've said in your message, it
sounds like the open source version will work just fine.

Cheers,
Terry

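A minimal version of the file-integrity approach the thread is about (hash a baseline of the kernel, /boot and System.map, then compare), added here as an illustration; it is not code from the original post nor from Tripwire, and every path, file and file content in `demo()` is constructed for the example:

```python
import hashlib, json, stat, tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Hash the contents and record metadata a rootkit may alter (mode bits, owner)."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(roots) -> dict:
    """Walk files and directories (e.g. /boot, System.map) into a path -> record map."""
    baseline = {}
    for root in map(Path, roots):
        files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
        for p in sorted(files):
            if not p.is_symlink():  # hash regular files only, never a link's target
                baseline[str(p)] = file_record(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed paths; 'changed' lists which fields differ."""
    changed = {p: [k for k in baseline[p] if baseline[p][k] != current[p][k]]
               for p in baseline.keys() & current.keys()}
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": {p: d for p, d in changed.items() if d}}

def demo() -> dict:
    """Constructed scenario: baseline a fake /boot, then make the changes a checker must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        boot.mkdir()
        (boot / "vmlinuz").write_bytes(b"kernel image v1")
        (boot / "System.map").write_text("c0100000 T _stext\n")
        (boot / "grub.cfg").write_text("menuentry 'Linux'\n")
        saved = json.dumps(build_baseline([boot]))  # store off-host or signed, not on the scanned box
        (boot / "vmlinuz").write_bytes(b"kernel image v1, patched")  # contents modified
        (boot / "grub.cfg").chmod(0o4755)                            # setuid bit added, contents intact
        (boot / "System.map").unlink()                               # file removed
        (boot / "evil.ko").write_bytes(b"\x7fELF")                   # file added
        report = compare(json.loads(saved), build_baseline([boot]))
        return {"added": [Path(p).name for p in report["added"]],  # key by name, not temp path
                "removed": [Path(p).name for p in report["removed"]],
                "changed": {Path(p).name: d for p, d in report["changed"].items()}}
```

Recording mode and ownership alongside the hash is what catches a permission-only change such as a newly setuid file, which content hashing alone misses; the baseline itself must live somewhere the scanned host cannot rewrite.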