> Dear Return,
>
> I appreciate your valuable comments. One thing I forgot to tell you in
> my previous post is that I am developing this tool solely for academic
> purposes, and not to make it like Tripwire or similar software. I
> always enjoy coding in Linux and C and try to learn new things by
> coding myself rather than installing a tool and learning it.
Yes -- as Nuno set me straight. If you're just doing some hands-on learning for your own edification, that's awesome, and I certainly don't want to discourage anyone from learning.

So -- how are you going to protect the hashes? Are you planning on building these hashes on a per-host basis, or maintaining a central store of hashes for all systems running a common set of software?

If the running kernel is infected, how do you know that the data you're reading off the disk (and calculating the hashes from) is actually what's on the disk, and not just what the rooted kernel wants you to see?

Are you targeting any particular distro, which might have hashes for the files of interest in its package management database?

Sorry I have more questions than answers, but hopefully thinking about these things will point you in a promising direction.

Cheers,
Terry
