At 04:56 AM 5/26/01 +0000, you wrote:
>running tripwire and other ids are good and bad...
>- - bad because its too late...they got in
>- - bad to use tripwire..because youdont have the original
> version ... tripwire tells you the binary been tampered
Tripwire is not a panacea. Its primary purpose, telling
you what file has been disturbed, is plenty.
>- - tripwire will flag more false "possible attacks" than
> it does in catching the hacker in the act
bs
>- - good because you MIGHT find them but probably not...
> - tripwire typically runs once a day...
> - it only takes say 5 minutes to get into the
> server and hide yourself..
On the contrary, there is nowhere to hide when the Tripwire
binary and its config file are installed and mounted on a
read only device BEFORE the machine is attached to the network.
Tripwire is not designed to catch the attacker in the act.
It is designed to tell the admin exactly which files have
been touched in some way. If these files are the usual
suspects (ls, et al), then the system gets disconnected,
investigated and rebuilt as appropriate.
On a reasonably fast machine, running tripwire more
often is not prohibitive IMO. A less thorough version
(config that looks at only the usual suspects) should
probably be run often. When something dastardly is found,
the tripwire with a comprehensive config is run that
reveals the file system state in detail. This procedure,
followed by the bringing the machine's network down could
easily be scripted and executed by cron or other
daemon.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
