Honeypots mailing list archives

RE: Registry and File Monitoring Programs for Windows Honeypots


From: "Mark E. Donaldson" <markee () bandwidthco com>
Date: Sat, 30 Aug 2003 20:17:51 -0700

Although it was made for cloning Windows systems, the W2K Resource Kit
Utility "Sysdiff" is excellent for detecting "any" change that occurs in a
Windows machine.  You could say it is the Windows equivalent of "Tripwire".
It is also quite easy to use.

-----Original Message-----
From: Hines, Eric [mailto:ehin4 () allstate com]
Sent: Friday, August 29, 2003 3:47 PM
To: honeypots () securityfocus com
Subject: Registry and File Monitoring Programs for Windows Honeypots


List:

I am building a Windows honeypot and am very interested to hear what sort
of software programs some of you might be using to monitor registry and
file changes. Sure, sure, I know there is regmon and filemon, but I use
those more for when I'm sitting in front of the machine and purposely
executing a worm to see what registry entries and files it creates or
changes. Are all of you just using regmon or filemon and logging to a file?

Eric Hines

=============================================
Eric Hines
Senior Intrusion Analyst
Allstate Information Security
---------------------------------------------
[e] ehin4 () allstate com
[c] (847) 830-2883
[a] 1075818 () skytel com
---------------------------------------------
3075 Sanders Road
Suite G2E
Northbrook, IL 60062
=============================================
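The snapshot-and-compare approach Mark recommends (Sysdiff as a "Windows Tripwire") can be reproduced with a short script, which also answers Eric's question about something other than a live regmon/filemon trace. The following is an added example, not code from the thread or from Sysdiff; the directory list, registry key list and baseline path are assumptions chosen for illustration. It hashes every file under the watched directories, records every value under the watched registry keys (including subkeys, so new services and Run entries are caught), saves that as a baseline, and on later runs reports what was added, removed or modified.

```powershell
# Added example (not from the thread): Sysdiff/Tripwire-style snapshot and
# compare for a Windows honeypot. Paths and keys below are assumptions.

$script:WatchDirs = @('C:\Windows\System32', 'C:\Users\Public', 'C:\ProgramData')
$script:WatchKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-HoneypotSnapshot {
    # Returns a hashtable: identifier -> state string.
    # Files are keyed "FILE|<path>" with value "<sha256>|<size>";
    # registry values are keyed "REG|<key>\<value>" with value "<kind>|<data>".
    $snap = @{}

    foreach ($dir in $script:WatchDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                try {
                    $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                } catch {
                    # Locked or ACL-protected file: still record that it exists.
                    $hash = 'UNREADABLE'
                }
                $snap["FILE|$($_.FullName)"] = "$hash|$($_.Length)"
            }
    }

    foreach ($root in $script:WatchKeys) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The root key plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Do not expand REG_EXPAND_SZ, so a changed %VAR% shows as a change.
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $snap["REG|$($key.Name)\$name"] = "$($key.GetValueKind($name))|$data"
            }
        }
    }
    return $snap
}

function Compare-HoneypotSnapshot {
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][hashtable]$Current
    )
    $ids = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($id in $ids) {
        if (-not $Baseline.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'ADDED';    Item = $id; Before = $null;          After = $Current[$id] }
        } elseif (-not $Current.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'REMOVED';  Item = $id; Before = $Baseline[$id]; After = $null }
        } elseif ($Baseline[$id] -ne $Current[$id]) {
            [pscustomobject]@{ Change = 'MODIFIED'; Item = $id; Before = $Baseline[$id]; After = $Current[$id] }
        }
    }
}

# Usage: take the baseline right after the honeypot is built, before it is
# exposed. $baselinePath is an assumed off-box location (removable or network
# drive); a baseline kept on the honeypot can be edited by whoever owns it.
$baselinePath = 'E:\honeypot-baseline.xml'
if (-not (Test-Path -LiteralPath $baselinePath)) {
    Get-HoneypotSnapshot | Export-Clixml -LiteralPath $baselinePath
    "Baseline written to $baselinePath"
} else {
    $baseline = Import-Clixml -LiteralPath $baselinePath
    Compare-HoneypotSnapshot -Baseline $baseline -Current (Get-HoneypotSnapshot) |
        Format-Table -AutoSize
}
```

Like Sysdiff, this only sees the difference between two snapshots: a file that is dropped and deleted again between runs, or a value written and restored, leaves no trace here, which is the gap a live regmon/filemon log fills. Run the compare from a trusted context (an offline boot of the image, or at least a tool copy not stored on the honeypot), since a compromised host can lie about its own file hashes and registry contents.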



