Mark, System Security Scanner (S3) has a library of md5 checksums that contain good or bad programs. We compare what we find on a system with this library. >From the comparisions, we can determine whether rootkit has been installed. We are also determining whether the system has installed the latest security patches or is it running vulnerable versions of software. Tripwire only takes snap shots of the system and then compares for changes. It does not identify rootkit. It will not identify unpatched systems. It will detect only modifications to the files, not whether they are good or bad files. We are building "tripwire" type baseline md5 checksum technology into S3 as well. A big difference between tripwire and S3 is that S3 is distributed and can be centrally managed. S3 has a built in password tester. S3 checks rhosts, shosts, netrc, host.equiv, sendmail config, promiscuous ("sniffer") mode, and odd account configurations. Tripwire was not designed to do these tests. We have placed an AIX and HPUX version on ftp.iss.net/sss We are currently only supporting Linux, Solaris, SunOs, HPUX, and AIX. S3 requires X windows currently for the GUI. Any feedback or bug reports help us immensely in making newer versions. -- Christopher William Klaus Voice: (404)252-7270. Fax: (404)252-2427 Internet Security Systems, Inc. "Internet Scanner finds Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328 your network security holes Web: http://iss.net/ Email: cklaus@iss.net before the hackers do."