S3

Christopher Klaus (cklaus@iss.net)
Wed, 21 Aug 1996 09:35:29 -0400 (EDT)

Mark,

System Security Scanner (S3) has a library of md5 checksums that contain good
or bad programs.  We compare what we find on a system with this library.
From the comparisons, we can determine whether rootkit has been installed.  We
are also determining whether the system has installed the latest security
patches or is running vulnerable versions of software.

Tripwire only takes snapshots of the system and then compares for changes.
It does not identify rootkit. It will not identify unpatched systems.  It
will detect only modifications to the files, not whether they are good or
bad files.  We are building "tripwire" type baseline md5 checksum technology
into S3 as well. A big difference between tripwire and S3 is that S3 is
distributed and can be centrally managed.

S3 has a built-in password tester. S3 checks rhosts, shosts, netrc,
host.equiv, sendmail config, promiscuous ("sniffer") mode, and odd
account configurations. Tripwire was not designed to do these tests.

We have placed an AIX and HPUX version on ftp.iss.net/sss
We are currently only supporting Linux, Solaris, SunOS, HPUX, and AIX.
S3 requires X windows currently for the GUI.

Any feedback or bug reports help us immensely in making newer versions.

--
Christopher William Klaus            Voice: (404)252-7270. Fax: (404)252-2427
Internet Security Systems, Inc.                        "Internet Scanner finds
Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328     your network security holes
Web: http://iss.net/  Email: cklaus@iss.net            before the hackers do."
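
An added example, not part of the original post and not ISS's or Tripwire's code: a sketch of the two approaches the message contrasts, a library of known good/bad MD5 checksums versus a snapshot baseline that only reports changes. The file contents, verdict labels and function names are constructed for illustration.

```python
import hashlib

def md5(data: bytes) -> str:
    # MD5 is used here because it is the checksum the post names.
    return hashlib.md5(data).hexdigest()

def snapshot(files):
    """Snapshot baseline: path -> digest at the time the snapshot is taken."""
    return {path: md5(data) for path, data in files.items()}

def baseline_changes(baseline, files):
    """Report paths that differ from the baseline; no verdict on the content."""
    current = snapshot(files)
    return sorted(p for p in baseline.keys() | current.keys()
                  if baseline.get(p) != current.get(p))

def library_verdicts(library, files):
    """Look each digest up in a known good/bad library: path -> verdict."""
    return {path: library.get(md5(data), "unknown")
            for path, data in files.items()}

# Constructed sample data: short byte strings stand in for real binaries.
VENDOR_LOGIN = b"login 1.0 vendor build"
PATCHED_LOGIN = b"login 1.1 vendor security patch"
TROJAN_LOGIN = b"login 1.0 with backdoor password"
LS = b"ls vendor build"

# Hypothetical library: digest -> verdict label (labels are made up here).
LIBRARY = {
    md5(VENDOR_LOGIN): "good-but-unpatched",
    md5(PATCHED_LOGIN): "good",
    md5(TROJAN_LOGIN): "bad-rootkit",
    md5(LS): "good",
}

def demo():
    clean = {"/bin/login": VENDOR_LOGIN, "/bin/ls": LS}
    infected = {"/bin/login": TROJAN_LOGIN, "/bin/ls": LS}
    # Case 1: baseline taken on the clean host, trojan installed afterwards.
    late = baseline_changes(snapshot(clean), infected)
    # Case 2: baseline taken after the trojan was already in place.
    blind = baseline_changes(snapshot(infected), infected)
    return (late, blind,
            library_verdicts(LIBRARY, infected),
            library_verdicts(LIBRARY, clean))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In the second case the baseline reports nothing because the trojaned file is part of the snapshot, while the library lookup still labels it; the library lookup also distinguishes an unpatched vendor binary from a patched one, which a change report alone cannot do.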