[EMAIL PROTECTED] wrote:
On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
Also, this is not just like tripwire. If the kernel is compromised
and reporting false data to tripwire then tripwire can run along merrily
thinking every thing's great. This is why booting to a trusted kernel
is important for the process. Exploiting Software by Hoglund and McGraw
has a discussion on these types of rootkits. Tripwire, however does
great at detecting other sorts of intrusions.
Actually, the "prior art" *is* tripwire. If you run tripwire on the live
system, then run it while booted from a CD, and they produce different
results, you have a problem.
And that's what they're doing by doing a 'dir /a /s' on the live system,
then booting the Windows PE CD, and looking for differences....
Ok, this is true. I guess what I meant by what I said was running
tripwire as a cron job daily or whatever on a system without booting to
a known good kernel could yeild incorrect results if the kernel has been
compromised. A similar result can be had using tripwire on the system
then booting to a known good kernel and running it again.
Laters,
Dave King CISSP
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
