Hi Julien (not Julian, sorry for the mistake in my latest mail),

Thank you, I think the new description is better.

One more thing: as you can see here http://www.unhide-forensics.info/?Linux we implement six techniques.

Please don't hesitate to leave a message if you've got some problems with Unhide (I have added myself to this mailing list anyway).

Cheers

2011/10/24 Julien Valroff <[email protected]>:
> Hi Yago,
>
> On Sunday 23 Oct. 2011 at 19:59:00 (+0200 CEST), Yago Jesus wrote:
>> Hi Julian (and all Debian Forensics team)
>>
>> First, I want to thank you for your quick response.
>>
>> I like the new description, but I have a doubt.
>>
>> Why 10 times faster? Who made this test? Is it always 10x faster? Is it
>> in both 32 and 64 bit environments?
>>
>> I agree Unhide.rb is faster (due to the less deep tests) but I don't
>> know exactly how much.
>
> You are right, I haven't tested it myself.
> Then, what about just stating "much" faster?
>
>> Moreover, if you want to highlight this feature I think it is also fair
>> to highlight the question about static binaries vs. the non-static Ruby
>> binary.
>>
>> From a security point of view, I think the fact that Unhide should be
>> compiled and shipped in static mode makes Unhide immune to the most
>> popular rootkits (based on LD_PRELOAD). On the other hand Unhide.rb,
>> due to its Ruby dependency, could be compromised. So, yes, Unhide is
>> more secure than Unhide.rb.
>
> Here is a new proposal:
>
> Unhide.rb is a forensic tool to find processes hidden by rootkits.
> .
> It looks for active processes in many different ways. Processes found by
> some means but not others are considered to be "hidden", and are reported
> to the user.
> .
> Unhide.rb is a tentative rewrite in Ruby of the original Unhide, which
> is written in C. While being much faster, it does not implement all the
> diagnostics of the original version. It is also less secure as it cannot
> be statically compiled.
> .
> This package can be used by rkhunter in its daily scans.
>
> FYI, here is the current description of the unhide package:
>
> Unhide is a forensic tool to find processes and TCP/UDP ports hidden by
> rootkits, Linux kernel modules or by other techniques. It includes two
> utilities: unhide and unhide-tcp.
> .
> unhide detects hidden processes using three techniques:
>  * comparing the output of /proc and /bin/ps
>  * comparing the information gathered from /bin/ps with the one gathered from
>    system calls (syscall scanning)
>  * full scan of the process ID space (PIDs bruteforcing)
> .
> unhide-tcp identifies TCP/UDP ports that are listening but are not listed in
> /bin/netstat through brute forcing of all TCP/UDP ports available.
> .
> This package can be used by rkhunter in its daily scans.
>
>> I understand your perspective about reporting. Unhide.rb is more
>> compact, but I think it is more important to find the exact hidden
>> command (and in some scenarios, the path where the rogue binary
>> lives). But it is subjective.
>
> I consider both tools as complementary and not as competitors, depending on
> the use case.
>
> Cheers,
> Julien
>
> --
>  .''`.  Julien Valroff ~ <[email protected]> ~ <[email protected]>
> : :' :  Debian Developer & Free software contributor
> `. `'`  http://www.kirya.net/
>   `-    4096R/ E1D8 5796 8214 4687 E416 948C 859F EF67 258E 26B1
>
> _______________________________________________
> forensics-devel mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/forensics-devel
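The syscall-scanning and PID-bruteforce techniques named in the unhide package description above, as an added C example written for this page (it is neither Unhide's own source nor code posted in the thread): it records every numeric entry of /proc, then walks the whole PID space asking the kernel directly via kill(pid, 0) and getpriority(), and reports PIDs the kernel admits to but /proc does not list. The pid_max fallback of 32768, the 256-entry candidate buffer and the file name unhide_demo.c are assumptions of the example; a candidate is re-checked against /proc before being reported so that a process created between the two passes is not mistaken for a hidden one.

```c
/* unhide_demo.c: added example of the /proc-vs-syscall comparison that
 * unhide's description calls "syscall scanning" and "PIDs bruteforcing".
 * Not Unhide's code; pid_max fallback and buffer size are assumptions. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PID_MAX_CEILING  4194304   /* largest pid_max Linux allows on 64-bit */
#define PID_MAX_FALLBACK 32768     /* assumed when the sysctl cannot be read */

/* kernel.pid_max: valid PIDs are 1 .. pid_max-1. */
static int read_pid_max(void) {
    int n = PID_MAX_FALLBACK;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%d", &n) != 1 || n <= 1) n = PID_MAX_FALLBACK;
        fclose(f);
    }
    return n > PID_MAX_CEILING ? PID_MAX_CEILING : n;
}

/* Pass 1, the filesystem view: mark every numeric directory in /proc.
 * Returns the number of PIDs seen, or -1 if /proc is unreadable. */
static int scan_proc(unsigned char *in_proc, int pid_max) {
    DIR *d = opendir("/proc");
    struct dirent *e;
    int count = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end != '\0' || pid <= 0 || pid >= pid_max) continue;
        in_proc[pid] = 1;
        count++;
    }
    closedir(d);
    return count;
}

/* Does the kernel admit this PID exists, independent of /proc?
 * kill(pid, 0) delivers no signal but still resolves the PID; EPERM means
 * "exists, but not yours". getpriority() is a second, independent probe:
 * -1 is a legitimate priority, so existence is judged by errno alone. */
static int pid_exists_syscall(pid_t pid) {
    if (kill(pid, 0) == 0 || errno == EPERM) return 1;
    errno = 0;
    (void)getpriority(PRIO_PROCESS, pid);
    return errno != ESRCH;
}

/* Pass 2: brute-force the entire PID space with the syscall probe. */
static void scan_syscalls(unsigned char *via_syscall, int pid_max) {
    for (pid_t pid = 1; pid < pid_max; pid++)
        via_syscall[pid] = (unsigned char)pid_exists_syscall(pid);
}

/* A PID that answers syscalls but is absent from /proc is a candidate.
 * Returns the total count; at most out_cap PIDs are written to out. */
static int compare_views(const unsigned char *in_proc, const unsigned char *via_syscall,
                         int pid_max, pid_t *out, int out_cap) {
    int n = 0;
    for (pid_t pid = 1; pid < pid_max; pid++) {
        if (via_syscall[pid] && !in_proc[pid]) {
            if (n < out_cap) out[n] = pid;
            n++;
        }
    }
    return n;
}

/* A process started between pass 1 and pass 2 looks hidden but is not:
 * re-check /proc for the candidate before reporting it. */
static int still_hidden(pid_t pid) {
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) != 0 && errno == ENOENT;
}

int main(void) {
    int pid_max = read_pid_max();
    unsigned char *in_proc = calloc((size_t)pid_max, 1);
    unsigned char *via_sys = calloc((size_t)pid_max, 1);
    pid_t cand[256];
    int n, i, reported = 0;
    if (!in_proc || !via_sys) return 1;
    if (scan_proc(in_proc, pid_max) < 0) { perror("opendir /proc"); return 1; }
    scan_syscalls(via_sys, pid_max);
    n = compare_views(in_proc, via_sys, pid_max, cand, 256);
    for (i = 0; i < n && i < 256; i++) {
        if (!still_hidden(cand[i])) continue;   /* race, not a rootkit */
        printf("hidden process candidate: pid %d\n", (int)cand[i]);
        reported++;
    }
    printf("%d candidate(s) after re-check (pid_max %d)\n", reported, pid_max);
    free(in_proc);
    free(via_sys);
    return 0;
}
```

Build it the way the thread argues Unhide itself should be shipped, `gcc -static -O2 -o unhide_demo unhide_demo.c`, so that an LD_PRELOAD library hooking readdir() or stat() cannot filter what the scanner sees; `ldd ./unhide_demo` should answer "not a dynamic executable". Two caveats a practitioner should keep in mind: a /proc mounted with hidepid=1 or 2 makes other users' processes invisible to an unprivileged scanner while kill() still returns EPERM for them, so run it as root; and a rootkit living in a kernel module can lie to kill() and getpriority() just as easily as to /proc, which is why the original unhide combines several independent views rather than trusting any one of them.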
