UK based. Perl, XML/HTTP, SAP, Debian hacker.
Later this month we are going to replace a Windows NT AdvancedServer box with a Red Hat Linux Enterprise ES box. The machine is in our DMZ with an exposed port 80 to the Internet.
When the change takes place the Linux box will be my responsibility; I don't look after the current NT box. At the same time we'll also be exposing the box to the Internet with inbound FTP enabled as well.
Officially I'm the web/Perl person, but I'm also the only really knowledgeable Linux admin here. I have passed from the "knowing a little but not how little" stage to the "knowing a little more but now knowing how little that is" stage. My paranoia is starting to kick in.
What kind of tools are there for knowing if a machine has been got at? Which ones are worth installing... Where to start?
Snort and Nessus (Score:1)
Snort as an Intrusion Detection System is very powerful; it scans your DMZ in real time and produces pretty HTML (with SnortSnarf, for example), but if you want to sniff all your networks (DMZ/LANs) you'd do a better job with two or more IDSs (NIDS), one in the DMZ and another in your LAN, and join the results for a better analysis.
In this area of IDSs you have another very good choice too, AIDE.
Tripwire is very nice too, but for static content; it takes a snapshot of your filesystem while out o
Re:Snort and Nessus (Score:2)
-Dom
Re:Snort and Nessus (Score:2)
I spotted that when I was looking round the Debian site. Though the work box is RHEL-ES3, I run Debian at home, and I have the same paranoid worries there too...
I know there are lots of tools to choose from, it's knowing where to start that is the problem. Thanks for the suggestion, I'll investigate that too.
-- "It's not magic, it's work..."
Re:Snort and Nessus (Score:2)
Most helpful, and your English is fine.
Will do some investigating...
-- "It's not magic, it's work..."
grargh, i hate having to put a subject on replies (Score:2)
In theory, chkrootkit and tripwire can only really be trusted once you've booted from known-good media, and tripwire's database likewise should be on media you trust, such as a CD. This is because an attacker could manipulate the kernel to lie about what's on the disk, and hence tripwire et al. would not be giving you a true picture of what's going on. Also, an attacker could change tripwire's database if that's stored on the machine that's been compromised. In practice this is
Re:grargh, i hate having to put a subject on repli (Score:2)
Will check out chkrootkit. It was easy to install on my Debian box at home; I'll have to try it at work tomorrow. I'm quite happy to build the tripwire or AIDE database and then burn it and the binary to CD, and run the application from CD. For home I just want to be safe; it's my money at stake. At work it's a lot more money, but also my job.
Running Apache via a proxy is a good idea, the Apache use on the work system is light and very basic so it could be very easy to do.
-- "It's not magic, it's work..."
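The baseline-on-trusted-media idea from the two posts above, as an added example that is not code from this thread or from Tripwire/AIDE: a minimal Tripwire-style integrity checker in Python that records mode, owner, size, mtime and a SHA-256 digest per path, then diffs a fresh scan against the saved baseline. The `demo()` tree, its file names and the tampering are constructed for illustration; in real use the baseline dict would be written to the CD the thread mentions and the check run after booting from known-good media.

```python
import hashlib
import os
import stat
import tempfile

def file_record(path):
    """Attributes to baseline for one path, in the spirit of what tripwire/AIDE record."""
    st = os.lstat(path)  # lstat so symlinks are described, not followed
    rec = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        # digest is the authoritative signal; size and mtime are trivially forged
        rec.update(size=st.st_size, mtime=int(st.st_mtime), sha256=h.hexdigest())
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec

def build_baseline(root):
    """Record every directory, file and symlink under root, keyed by relative path."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline

def compare(baseline, current):
    """Paths added, removed or altered since the baseline was taken."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "changed": sorted(p for p in old & new if baseline[p] != current[p])}

def _write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Constructed sample tree: baseline it, tamper with it, report the differences."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    _write(root, "bin/ls", b"original binary")
    _write(root, "httpd.conf", b"Listen 80\n")
    baseline = build_baseline(root)
    clean = compare(baseline, build_baseline(root))  # nothing touched yet
    _write(root, "bin/ls", b"replaced binary")  # modified in place
    _write(root, "bin/extra", b"x")  # new file dropped in
    os.remove(os.path.join(root, "httpd.conf"))  # deleted file
    return {"baseline": baseline, "clean": clean,
            "diff": compare(baseline, build_baseline(root))}
```

Running `demo()` shows a clean result for the untouched tree and then reports `bin/ls` as changed, `bin/extra` as added and `httpd.conf` as removed.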