hi ya rich
yes... tripwire is great to tell us what changed...
( i guess i should never put the comment in about "catching 'em in the
act"... as tripwire has nothing to do with it )
thanx
alvin
On Sat, 26 May 2001, Rich Johnson wrote:
> At 04:56 AM 5/26/01 +0000, you wrote:
> >running tripwire and other ids are good and bad...
> >- bad because it's too late...they got in
> >- bad to use tripwire..because you don't have the original
> > version ... tripwire tells you the binary has been tampered with
>
> Tripwire is not a panacea. Its primary purpose, telling
> you what file has been disturbed, is plenty.
>
>
> >- tripwire will flag more false "possible attacks" than
> > it does in catching the hacker in the act
>
> bs
>
>
> >- good because you MIGHT find them but probably not...
> > - tripwire typically runs once a day...
> > - it only takes say 5 minutes to get into the
> > server and hide yourself..
>
> On the contrary, there is nowhere to hide when the Tripwire
> binary and its config file are installed and mounted on a
> read-only device BEFORE the machine is attached to the network.
>
> Tripwire is not designed to catch the attacker in the act.
... snipped...