On Fri, 18 Mar 2005, dk wrote:
> Ron DuFresne wrote:
>
> > If the kernel is modified, on a windows or *nix system, you are going to
> > have a clear clue upfront; the system will have rebooted. Course, a
>
> That's a dangerous position to believe, at least with the linux kernel
> (man insmod). A
On Fri, 18 Mar 2005, Todd Towles wrote:
>
> Dave wrote:
>
> > About Tripwire, I understand what it does. It basically
> > runs a file integrity check on certain files and reports the
> > differences from the last (hopefully known good) scan. Say
> > that Tripwire is running on a system that'
Ron DuFresne wrote:
If the kernel is modified, on a windows or *nix system, you are going to
have a clear clue upfront; the system will have rebooted. Course, a
That's a dangerous position to believe, at least with the linux kernel
(man insmod). Aside from just loading a kernel module that wraps
Dan wrote:
> I agree that this can be done currently with open
> source (or at least free) tools currently. Basically what
> GhostBuster was meant to do as far as I can tell, was to
> simply automate currently available tools.
> With Linux it would be simple to come up with a comple
Todd Towles wrote:
But could this not be bypassed by running Tripwire from a bootable CD?
The modified kernel would be inactive and therefore you would see the
two separate files as opposed to just one. This is the idea that this
new Microsoft product uses, but as people have stated, this can be
Dave wrote:
> About Tripwire, I understand what it does. It basically
> runs a file integrity check on certain files and reports the
> differences from the last (hopefully known good) scan. Say
> that Tripwire is running on a system that's been compromised
> by a rootkit that's been de
Ron DuFresne wrote:
If the kernel is modified, on a windows or *nix system, you are going to
have a clear clue upfront; the system will have rebooted. Course, a
failing system that reboots or blue screens every few weeks rather than
runs stable unless there is a total power outage or a maint wind
If you can't see that paper go to the wayback machine (tm):
http://web.archive.org/web/20031006165433/http://vx.netlux.org/lib/vsc07.html
On Thu, 17 Mar 2005 19:38:49 -0800, Jeremy Bishop <[EMAIL PROTECTED]> wrote:
> On Thursday 17 March 2005 17:58, Ron DuFresne wrote:
> > If the kernel is modifi
On Thursday 17 March 2005 17:58, Ron DuFresne wrote:
> If the kernel is modified, on a windows or *nix system, you are going
> to have a clear clue upfront; the system will have rebooted.
From way back in '98, a paper on patching a (running) kernel on a linux
system.
http://vx.netlux.org/lib/vs
On Thu, 17 Mar 2005, Dave King wrote:
> [EMAIL PROTECTED] wrote:
>
> >On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
> >
> >
> >
> >>Also, this is not just like tripwire. If the kernel is compromised
> >>and reporting false data to tripwire then tripwire can run along merrily
> >>thinking
[EMAIL PROTECTED] wrote:
On Thu, 17 Mar 2005 11:28:55 MST, Dave King said:
Also, this is not just like tripwire. If the kernel is compromised
and reporting false data to tripwire then tripwire can run along merrily
thinking every thing's great. This is why booting to a trusted kernel
is