Rootkit signatures?

Seth Cohn sethcohn at gnuhampshire.org
Thu Jun 25 11:14:58 EDT 2009


Kenny, you've answered your own question about why the rootkit detectors have
all aged badly: Tripwire does this, without the need for updating
rootkit signatures.

You need to just go back and answer the initial request with:

This was already implemented on XX/XX/200X by the installation of
Tripwire on our system(s), which performs checks on all major files on
all servers in question.

On Thu, Jun 25, 2009 at 9:59 AM, Kenny Lussier <klussier at gmail.com> wrote:
> I probably should have listed the rootkit detection systems that I
> have looked at. chkrootkit is one of them. The last release was Dec.
> 2007. I have also looked at OSSEC, rkhunter, and about 40 others that
> all suffer from age and incompleteness. Another problem with all of
> these is that they run locally and report locally. If I were to write
> a rootkit, the first thing that I would do is check for rootkit
> detectors and neutralize them if I found them. With Tripwire, or any other
> remote scanner, the ability to modify the check is eliminated.
>
>
> Thanks,
> Kenny
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
>

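A minimal Tripwire-style integrity check of the kind Seth points to, as an added example (not Tripwire's code and not from either poster): it records a baseline of file hashes, reports changed, added and removed files, and authenticates the baseline with a key held only by the scanning host, which is Kenny's point about a check the monitored box cannot quietly modify. All file names, contents and the key are constructed for the demo.

```python
"""Tripwire-style integrity check (added example, not Tripwire's own code).
The baseline lives off the monitored host and carries an HMAC under a key that
host never holds, so a compromised machine cannot quietly rewrite the check."""
import hashlib, hmac, json, tempfile
from pathlib import Path

def file_record(p: Path) -> dict:
    st = p.lstat()
    return {"sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            "size": st.st_size, "mode": st.st_mode}

def build_baseline(root: Path, key: bytes) -> dict:
    """Record every regular file under root and MAC the record set."""
    entries = {str(p.relative_to(root)): file_record(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify(root: Path, baseline: dict, key: bytes) -> dict:
    """Report changed/added/removed files; reject a baseline whose MAC fails."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(),
                               baseline["mac"]):
        raise ValueError("baseline failed HMAC check: it was altered")
    old, new = baseline["entries"], build_baseline(root, key)["entries"]
    return {"changed": sorted(k for k in old if k in new and old[k] != new[k]),
            "added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}

def demo() -> dict:
    # Constructed scenario: baseline three files, then alter, add and delete one.
    key = b"constructed key held only by the scanning host"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in [("bin/ls", b"ls v1"), ("bin/ps", b"ps v1"),
                          ("etc/passwd", b"root:x:0:0")]:
            (root / rel).parent.mkdir(exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root, key)
        (root / "bin/ls").write_bytes(b"ls v1 patched")  # modified binary
        (root / "bin/extra").write_bytes(b"new")         # unexpected file
        (root / "bin/ps").unlink()                       # deleted file
        report = verify(root, baseline, key)
        # Rewriting the baseline to match the new bin/ls fails the MAC check.
        baseline["entries"]["bin/ls"]["sha256"] = file_record(root / "bin/ls")["sha256"]
        try:
            verify(root, baseline, key)
            report["tampered_baseline_rejected"] = False
        except ValueError:
            report["tampered_baseline_rejected"] = True
        return report
```

In a real deployment the baseline and key stay on the scanning host and `verify` runs over a read-only copy or mount of the monitored system, so a local rootkit has nothing to edit.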
