James Sparenberg wrote:
>
> DrJung,
> You are again, as you very often are, correct. However I
> suggested Snort because it is a possible intrusion that he has,
> not just a changed file. Tripwire doesn't tell you for example
> where the intruder is coming from. I find this to be a lot more
> useful than just knowing that something changed. The idea of
> using both is worthy of a thought. But being the paranoid I am I
> usually just pull the drive and do a postmortem, wipe it and start
> over. Why? Because although Tripwire tells me what has changed in
> the files it checks, it doesn't tell me what changed in the files
> it doesn't check or didn't exist before. This is by the way where
> I find partimage to be very useful. Just image a partition before
> connecting the box to the world and after it runs the way I like
> then if anything does happen...... wipe and restore from images...
> much faster than a full install. And hackers have a hard time
> editing things they can't find.... like in my office safe.
>
> James

James, you are absolutely right, as you tend to be right on many occasions also, that once a change is detected with Tripwire or an intrusion with Snort, it is time to put the recovery plan in motion. And everyone should, sure as hell, have just such a plan for just such circumstances....

drjung
--
J. Craig Woods
UNIX/NT Network/System Administration
http://www.trismegistus.net/resume.html

Character is built upon the debris of despair --Emerson