It sounds like you are talking about packet analysers. You could have a
look at www.snort.org; there is some info on configuring snort with
iptables to create an active firewall.

Tripwire is pretty much useful to inform you after the fact that someone
has modified a file on your system, as long as you have stored the files
created by tripwire on a floppy; probably best if you have the tripwire
binary on the floppy as well. You'll never know how good (or bad) a
cracker/worm wants to be.


> Various firewalls for Windows(TM) have a feature that identifies, permits, and
> denies packets sent by authorised applications. (I use Kerio Personal Firewall
> [www.kerio.com]). These firewalls use a method for creating and checking MD5
> signatures on applications that attempt to access the low-level network
> layers or device drivers. This feature exists to prevent trojans or
> unauthorised replacement of binaries, e.g. a trojaned httpd, that try to
> access/bypass the firewall.
> 
> I know that IPChains and IPTables are packet filtering firewalls, and
> basically work on src/dest:port [protocol] IP headers, but these internet
> daemons eg. httpd can be configured to use different ports ...
> 
> My question is, does IPTables support identifying packets sent from specific
> applications, or any MD5 checksums on applications or even verifying full
> path and filename details of any binary that accesses the kernel networking
> layer? This would at least help in identifying what processes are trying to
> access the firewall.
> 
> Should checksums be left to file system integrity programs like Tripwire ?
-- 
Kevin Saenz <[EMAIL PROTECTED]>

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
