
Re: [suse-security] Tripwire vs rootkit Hunter



Yes, Tripwire looks to be more necessary :)



----- Original Message ----- 
From: <suse@xxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Monday, September 13, 2004 5:59 PM
Subject: Re: [suse-security] Tripwire vs rootkit Hunter


> Quoting John <isofroni@xxxxxxxxx>:
> >
> > Which is best?
> > Has anyone tried both these tools?
> >
>
> As far as I'm aware, these are two completely different tools that do
> completely different things.
>
> Tripwire is an intrusion detection system.  It lets you know when
> something has changed your files.  Assuming you hadn't done it yourself,
> you know someone is misbehaving.
>
> Rootkit Hunter, as its name implies, scans your computer for known
> rootkits that someone may have left there.
>
> Tripwire has the advantage of letting you know what files have changed,
> and can thus detect all rootkits, not just known ones.  On the downside,
> it requires more effort to keep its DB up to date.  You'll have to run it
> after every security update.  Rootkit Hunter will also find rootkits that
> have been placed, but not yet activated.  For instance, if one of your
> users puts a rootkit in their home directory, tripwire wouldn't alert you
> until it's activated.
>
> Consider it in terms of building security, tripwire is just like a
> tripwire, anyone breaking in sets it off.  Rootkit Hunter is like a
> security guard, it has a chance of seeing the undesirable before the
> actual break-in, but has to already know what the thief looks like.
>
> Personally, I prefer tripwire.
>
> -- 
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>
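The contrast drawn in the quoted message, as an added example that is not part of the original thread and is not code from Tripwire or Rootkit Hunter. It assumes a simplified model: the integrity check is a SHA-256 baseline of monitored directories, the scanner is a hash list of known kits, and all paths and file contents are constructed.

```python
import hashlib, os, tempfile

# Constructed "known rootkit" list: the hash of a made-up payload.
KNOWN_BAD = {hashlib.sha256(b"constructed-known-rootkit").hexdigest()}

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def snapshot(roots):
    """Map every file under the given roots to its SHA-256 digest."""
    snap = {}
    for root in roots:
        for d, _, files in os.walk(root):
            for name in files:
                p = os.path.join(d, name)
                with open(p, "rb") as f:
                    snap[p] = hashlib.sha256(f.read()).hexdigest()
    return snap

def integrity_diff(baseline, current):
    """Baseline comparison: report anything added, removed or changed."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

def signature_scan(roots):
    """Known-kit scan: flag files whose digest is on the known-bad list."""
    return sorted(p for p, h in snapshot(roots).items() if h in KNOWN_BAD)

def demo():
    with tempfile.TemporaryDirectory() as top:
        sbin, home = os.path.join(top, "sbin"), os.path.join(top, "home")
        os.makedirs(sbin)
        os.makedirs(home)
        ls, kit = os.path.join(sbin, "ls"), os.path.join(home, "kit.tar")
        write(ls, b"original ls")
        baseline = snapshot([sbin])  # only the system directory is baselined
        # A known kit is placed, not yet activated, outside the baseline.
        write(kit, b"constructed-known-rootkit")
        # An unknown kit replaces a system binary; no signature exists for it.
        write(ls, b"trojaned ls, never seen before")
        diff = integrity_diff(baseline, snapshot([sbin]))
        hits = signature_scan([sbin, home])
        return diff, hits, ls, kit
```

The baseline comparison reports the replaced binary but not the dormant archive, and the signature scan reports the archive but not the replaced binary. A legitimate security update would also appear under "changed" until the baseline is regenerated.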


