
Re: [suse-security] Tripwire vs rootkit Hunter



Quoting John <isofroni@xxxxxxxxx>:
>
> Which is best?
> Has anyone tried both these tools?
>

As far as I'm aware, these are two completely different tools that do completely
different things.

Tripwire is an intrusion detection system.  It lets you know when something has
changed your files.  Assuming you hadn't done it yourself, you know someone is
misbehaving.

Rootkit Hunter, as its name implies, scans your computer for known rootkits that
someone may have left there.

Tripwire has the advantage of letting you know what files have changed, and can
thus detect all rootkits, not just known ones.  On the downside, it requires
more effort to keep its DB up to date.  You'll have to run it after every
security update.  Rootkit Hunter will also find rootkits that have been placed,
but not yet activated.  For instance, if one of your users puts a rootkit in
their home directory, tripwire wouldn't alert you until it's activated.

Consider it in terms of building security: tripwire is just like a tripwire,
anyone breaking in sets it off.  Rootkit Hunter is like a security guard; it
has a chance of seeing the undesirable before the actual break-in, but has to
already know what the thief looks like.

Personally, I prefer tripwire.

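The distinction drawn in the reply above (a baseline-and-compare integrity check that catches any change to watched files versus a pattern scan that only recognises kits it already knows) shown as a runnable toy, added here as an example and not code from the post or from either project. The byte patterns in `KNOWN_SIGNATURES`, the directory tree and the file contents are all constructed for the demonstration; the watched set is just `bin/`, standing in for the system directories a Tripwire policy would cover.

```python
"""Toy file-integrity checker (Tripwire-style) beside a toy known-pattern
scanner (Rootkit Hunter-style), run over a constructed directory tree."""
import hashlib
import tempfile
from pathlib import Path

# Constructed, made-up "known rootkit" byte patterns. A real scanner ships a
# curated signature list; these stand in for it.
KNOWN_SIGNATURES = {
    "constructed-rootkit-A": b"CONSTRUCTED_ROOTKIT_MARKER_A",
    "constructed-rootkit-B": b"CONSTRUCTED_ROOTKIT_MARKER_B",
}


def file_fingerprint(path: Path) -> tuple:
    """Content hash plus mode and size; any of these changing is a finding."""
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return (digest, st.st_mode, st.st_size)


def build_baseline(root: Path, watched: list) -> dict:
    """Tripwire-style: fingerprint every regular file under the watched
    subtrees and keep the result as the trusted baseline database."""
    baseline = {}
    for sub in watched:
        for p in (root / sub).rglob("*"):
            if p.is_file() and not p.is_symlink():
                baseline[str(p.relative_to(root))] = file_fingerprint(p)
    return baseline


def compare_to_baseline(root: Path, watched: list, baseline: dict) -> dict:
    """Re-fingerprint the watched subtrees and report what differs from the
    baseline. Nothing here needs to know what a rootkit looks like."""
    current = build_baseline(root, watched)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
    }


def scan_for_known_rootkits(root: Path) -> list:
    """Rootkit Hunter-style: walk the whole tree (home directories included)
    and flag any file containing a known pattern, installed or not."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.is_symlink():
            continue
        data = p.read_bytes()
        for name, sig in KNOWN_SIGNATURES.items():
            if sig in data:
                hits.append((str(p.relative_to(root)), name))
    return sorted(hits)


def demo() -> dict:
    """Build a constructed tree, take a baseline, then simulate three events
    and return what each tool reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "home" / "alice").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho original ps\n")
        watched = ["bin"]
        baseline = build_baseline(root, watched)

        # 1. A watched binary is replaced by a kit the scanner knows about.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nCONSTRUCTED_ROOTKIT_MARKER_A\n")
        # 2. A watched binary is replaced by something no signature matches.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho not the real ls\n")
        # 3. A user parks a known but not-yet-installed kit in their home
        #    directory, outside the watched set.
        (root / "home" / "alice" / ".kit").write_bytes(b"CONSTRUCTED_ROOTKIT_MARKER_B")

        return {
            "integrity": compare_to_baseline(root, watched, baseline),
            "signatures": scan_for_known_rootkits(root),
        }


if __name__ == "__main__":
    for tool, report in demo().items():
        print(tool, report)
```

Running it shows the trade-off from the reply: the integrity check flags both `bin/ls` and `bin/ps` because it compares against a baseline rather than a list of known kits, but it says nothing about `home/alice/.kit` because that path was never in its database; the signature scan finds `bin/ps` and the parked `.kit` but misses the unrecognised `bin/ls`. The baseline dictionary is also the part that goes stale after every package update, which is the maintenance cost the reply mentions.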