Re: Host-based intrusion detection (was Pre-deployment security)

2006-02-27 Thread Bair,Paul A.
On Mon, 2006-02-27 at 12:35 -0500, Neil Schelly wrote:
> On Monday 27 February 2006 11:16 am, Bair,Paul A. wrote:
> > If you have any questions on ftimes, you can email me directly.  I
> > support and contribute to the project.
> 
> I've always used AIDE myself.  I remember looking into it a few years ago and 
> found it to be preferable at least to Tripwire, though I understand that 
> Tripwire has a few admin GUIs that make it more worthwhile if you want to go 
> commercial.
> 
> I'm curious what you think though if you're contributing to a project in this 
> space.  How familiar are you with the other competing projects and what each 
> has in terms of strengths/weaknesses.  I've never heard of ftimes, but am 
> curious about it and others, if you'd care to expound a bit.
> -Neil

Unfortunately, I'm not a great resource for comparing these tools and I
also try not to bash other tools.  That said, I use ftimes for these
reasons:

  - ftimes is free

  - there are several recipes to help you deal with ftimes data:
http://ftimes.sourceforge.net/FTimes/Cookbook.shtml

  - ftimes produces nice delimited output, that is easily importable to
a db.  I'm not sure if the tripwire output can be parsed that easily.

  - ftimes has a 'dig' mode which allows me to search an entire drive
for one or more regular expressions.  This makes it nice to search for
known trojan signatures, or IP addresses, etc.

  - ftimes has a great 'compare' mode that allows you to compare any
fields it collects.  So if you only want to see files whose md5s
changed, you would execute ftimes like this:

  # ftimes --compare none+md5 baseline.map snapshot.map

  - ftimes works on unix and windows (and it finds Alternate Data
Streams in windows)

  - ftimes url-encodes non-printable characters in the output file which
is very handy when dealing with wacky named files.  Malicious programs
tend to create unusually named files.

  - While I don't use it often, ftimes also integrates the unix file
magic when scanning files.  So, this helps identify the file type
quickly.

  - ftimes has a test harness used to validate the tool
(http://cvs.sourceforge.net/viewcvs.py/ftimes/ftimes/tests/)


Later,
Andy
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss


Re: Host-based intrusion detection (was Pre-deployment security)

2006-02-27 Thread Neil Schelly
On Monday 27 February 2006 11:16 am, Bair,Paul A. wrote:
> If you have any questions on ftimes, you can email me directly.  I
> support and contribute to the project.

I've always used AIDE myself.  I remember looking into it a few years ago and 
found it to be preferable at least to Tripwire, though I understand that 
Tripwire has a few admin GUIs that make it more worthwhile if you want to go 
commercial.

I'm curious what you think though if you're contributing to a project in this 
space.  How familiar are you with the other competing projects and what each 
has in terms of strengths/weaknesses.  I've never heard of ftimes, but am 
curious about it and others, if you'd care to expound a bit.
-Neil