Home page logo
/

basics logo Security Basics mailing list archives

Re: What files to watch??
From: Geoffrey Shorter <geoffreyshorter () hotmail com>
Date: 21 May 2003 16:12:36 -0000

In-Reply-To: <Law15-F100zGNsokLQ800000f5e () hotmail com>

Chris:

I'd be most interested in a copy of your scanner, as you have generously 
offered in your post.

Also, there is a free tool for Windows, GFI LANguard System Integrity 
Monitor: http://www.gfi.com/lansim/index.html

We set up the Integrity Monitor on a workstation and a test server. It 
stopped working on the workstation for some reason (a workstation that had 
a server security template applied to it by an overzealous admin, oops!), 
but continues to feed reports from the server.

So, it's worth testing, I think. 

Thanks.

geof
OCPDBA, MCSD, MCSE+I, MCDBA, MCPSB
Server Group Manager
geoffreyshorter () hotmail com




From: "Chris Berry" <compjma () hotmail com>
Subject: What files to watch??
I'm trying to upgrade our security setup, and one of the things we didn't 
have was an integrity scanner (like tripwire).  I looked around and 
couldn't 
find anything free since we're using windows (well there was a product 
called languardian, but they looked pretty commercial, and I have no 
budget 
now or later).  Lacking funds and a GPL alternative, I went ahead a wrote 
a 
scanner using perl and the Digest::Md5 module.  I've got the system 
working 
and have set it up to run nightly, everything seems to be working fine.  
My 
problem is that it's generating WAY too much information, and I don't 
have 
time to wade through the logs every day trying to see if there is 
something 
significant in there.  I've cut down some of the chatter by telling it to 
ignore certain files and directories that change alot, but I'm not sure 
how 
to proceed from here.  Anyone have a good idea on how to get it to 
produce 
more useable detections?  By the way, if anyone wants a copy, I'd be 
happy 
to give them one, I'm releasing it GPL, but be warned it's only alpha 
quality at the moment (though I haven't had any trouble with it).

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

---------------------------------------------------------------------------
Thinking About Security Training? You Can't Afford Not To!

Vigilar's industry leading curriculum includes:  Security +, Check Point, 
Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
--UP TO 30% off classes in select cities-- 
http://www.securityfocus.com/Vigilar-security-basics
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]