IDS mailing list archives
Re: rootkit and trojan hunting
From: "Return C" <return.c () gmail com>
Date: Tue, 1 Apr 2008 15:58:27 +0530
Hi Terry,

I am currently coding this tool using gcc, MySQL and OpenSSL. I use the MySQL server for the database and OpenSSL for crypto-related functions.

For storing hashes I have two solutions. One, I will follow the same as Tripwire, i.e. storing the hashes in encrypted format (basically encrypting SQL fields) and storing them on non-writable media (like CD-ROM). Second, I will bind the database details along with the binary (a.out) of the hashing engine, so that my tool will have the executable binary as well as the hash values. I will not store these hash values anywhere else in the fs.

Also I would like to give web interface functionality for the alerts and monitoring (like ACID). I can code this in PHP. The only thing is, the server needs to open an Apache server. Since this would not be a good solution, as it means opening MySQL and Apache servers on a production server, I am planning to implement it as a centralized database server, an isolated web console and agents which will capture and monitor systems.

But once I started to think about all this, it looks like a big product and the code base grows more than I ever dreamt of! But anyway I will do this as I enjoy coding in Linux, C and ASM :)

return C;
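As an added illustration of the hash-store design discussed in the post (this is not the author's C/MySQL/OpenSSL code), the Python below builds a Tripwire-style baseline, seals it with an HMAC so that a rewritten baseline is itself detected, and re-scans for modified or missing files. The file names, contents and key are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths):
    """Path -> digest for every monitored file (the stored hash table)."""
    return {str(p): hash_file(p) for p in sorted(paths)}

def seal(baseline, key):
    """Canonical JSON plus an HMAC-SHA256 tag; stands in for the read-only hash store."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(body, tag, key):
    """Reject a baseline with a bad tag, else re-hash each path and report changes."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"baseline_tampered": True, "modified": [], "missing": []}
    modified, missing = [], []
    for p, digest in json.loads(body).items():
        if not Path(p).exists():
            missing.append(p)
        elif hash_file(p) != digest:
            modified.append(p)
    return {"baseline_tampered": False, "modified": modified, "missing": missing}

def demo():
    """Constructed scenario: baseline two files, then alter one and delete one."""
    key = b"constructed-demo-key"  # in practice held off the monitored host
    d = Path(tempfile.mkdtemp())
    a, b = d / "a.conf", d / "b.bin"
    a.write_bytes(b"alpha")
    b.write_bytes(b"beta")
    body, tag = seal(build_baseline([a, b]), key)
    a.write_bytes(b"alpha-changed")
    b.unlink()
    report = verify(body, tag, key)
    forged = verify(body, "0" * 64, key)  # wrong tag = replaced/tampered baseline
    return ([Path(p).name for p in report["modified"]],
            [Path(p).name for p in report["missing"]],
            forged["baseline_tampered"])
```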