PaulDotCom mailing list archives

File integrity monitoring software


From: rgula at tenablesecurity.com (Ron Gula)
Date: Tue, 16 Mar 2010 08:13:41 -0400

Kennith Asher wrote:
> Greetings gurus-
>
> The company I work for is being pressed to deploy file integrity
> monitoring tools in our production environment.  I've not worked with
> such tools in the past and am interested in your experiences.
>
> I have concerns around noise levels, false positives, how to control
> file integrity and still keep up with vendor updates (50 hour days
> anyone?).
>
> Anyone have any recommendations?
>
> Thanks,
>
> Ken

A lot of commercial SIMs and Log Management tools have file integrity
checkers built right into the log collection agent. Tenable's Log
Correlation Engine agents for Windows and Unix can do this. At this past
weekend's CCDC event, we were getting lots of logs like this:

File /bin/bash has been modified. Its MD5 checksum changed from
13a43167bb9374bc4002dd3feb10533e to d2030d439b7e13e57db13b46831eecdc.

You do have false positive and false negative issues with these
things. Just because a .dll is modified does not mean you have APT on
your box. And any advanced rootkit or backdoor may hook the OS and a
trojaned file can still be modified but its checksum still reads valid.

With Tenable's solution, we try to look at these events in context of
system management ("I had patches and MD5 checksum errors") or attacks
("My Snort sensor detected attacks and I had MD5 checksum issues after
that").

-- 
Ron Gula, CEO
Tenable Network Security
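The reply above describes the two halves of a usable file integrity monitor: the checksum diff that produces lines like the `/bin/bash` log, and the context (patch activity, IDS alerts) that decides whether a changed checksum matters. The following Python is an added example written for this archive page; it is not code from the thread, from Tenable, or from the Log Correlation Engine. It snapshots a directory tree with SHA-256 (the log in the reply shows MD5; the digest choice is an assumption here), diffs it against a baseline, and then ranks each change using three constructed inputs: a scheduled patch window, the times at which an IDS fired for the host, and a set of vendor-published digests for the patched files. All file contents, timestamps and digests in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, Tuple[str, float]]  # relative path -> (digest, mtime)


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Stream the file through hashlib; SHA-256 here instead of the MD5 in the log."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Snapshot:
    """Digest and mtime of every regular file under root (symlinks skipped)."""
    snap: Snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snap[p.relative_to(root).as_posix()] = (hash_file(p), p.stat().st_mtime)
    return snap


@dataclass
class Change:
    path: str
    kind: str                  # "modified", "added" or "removed"
    old: Optional[str]         # digest in the baseline, None if added
    new: Optional[str]         # digest now, None if removed
    when: Optional[float]      # mtime of the current file, None if removed
    severity: str = "unknown"
    reason: str = ""


def diff(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """Produce one Change per path whose digest differs, appeared or vanished."""
    changes: List[Change] = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is not None and new is not None and old[0] == new[0]:
            continue  # unchanged
        kind = "modified" if old and new else ("added" if new else "removed")
        changes.append(Change(path, kind, old[0] if old else None,
                              new[0] if new else None, new[1] if new else None))
    return changes


def triage(changes, patch_windows, ids_alerts, vendor_digests, lookback=3600.0):
    """Rank changes with the context the reply describes: a new digest that the
    vendor published explains a patch; an IDS alert shortly before the change
    raises it; a scheduled patch window lowers it. The IDS rule runs before the
    window rule because mtime is writable and an attacker can pick the window."""
    for c in changes:
        if c.new in vendor_digests:
            c.severity, c.reason = "info", "new digest matches vendor-published hash"
        elif c.when is None:
            c.severity, c.reason = "medium", "file removed"
        elif any(0 <= c.when - t <= lookback for t in ids_alerts):
            c.severity, c.reason = "high", "modified within an hour after an IDS alert"
        elif any(start <= c.when <= end for start, end in patch_windows):
            c.severity, c.reason = "low", "modified inside scheduled patch window"
        else:
            c.severity, c.reason = "medium", "unexplained change outside patch window"
    return changes


def demo() -> List[Change]:
    """Constructed scenario with fixed timestamps and fake file bodies (not real data)."""
    T0 = 1_700_000_000.0
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        for rel, data in {"bin/bash": b"original bash\n", "bin/ls": b"original ls\n"}.items():
            (root / rel).write_bytes(data)
            os.utime(root / rel, (T0, T0))
        baseline = snapshot(root)

        # 1. vendor patch lands inside the change window; vendor published its digest
        (root / "bin/bash").write_bytes(b"patched bash\n")
        os.utime(root / "bin/bash", (T0 + 300, T0 + 300))
        vendor_digests = {hashlib.sha256(b"patched bash\n").hexdigest()}
        # 2. ls replaced 100 s after the IDS fired for this host
        (root / "bin/ls").write_bytes(b"replaced ls\n")
        os.utime(root / "bin/ls", (T0 + 3100, T0 + 3100))
        # 3. an unknown file appears hours later with nothing to explain it
        (root / "bin/unknown").write_bytes(b"??\n")
        os.utime(root / "bin/unknown", (T0 + 10000, T0 + 10000))

        changes = diff(baseline, snapshot(root))
    return triage(changes, patch_windows=[(T0, T0 + 600)],
                  ids_alerts=[T0 + 3000], vendor_digests=vendor_digests)


if __name__ == "__main__":
    for c in demo():
        print(f"{c.severity:6} {c.kind:8} {c.path}: {c.reason}")
```

The vendor-digest rule is what keeps "50 hour days" at bay: a patched binary whose new hash matches the package the vendor shipped is logged but not escalated. The rootkit false negative in the reply is not solved by any ranking; a hook in the kernel can lie to `hash_file` just as it lies to the vendor agent, so a snapshot taken from the live OS should be treated as evidence, not proof, and compared against one taken from read-only or offline media when a high-severity change shows up.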
