Focus on IDS
rootkit and trojan hunting Mar 26 2008 06:05AM
Return C (return c gmail com) (2 replies)
RE: rootkit and trojan hunting Mar 27 2008 02:36AM
oherrera (oherrera prodigy net mx)
Re: rootkit and trojan hunting Mar 26 2008 06:34PM
"Zow" Terry Brugger (zow acm org) (2 replies)
Re: rootkit and trojan hunting Mar 27 2008 11:11AM
Nuno Treez (nunotreez gmail com) (1 replies)
Re: rootkit and trojan hunting Mar 27 2008 05:26PM
"Zow" Terry Brugger (zow acm org) (1 replies)
Re: rootkit and trojan hunting Mar 28 2008 06:49AM
Return C (return c gmail com) (1 replies)
Re: rootkit and trojan hunting Mar 28 2008 09:02PM
"Zow" Terry Brugger (zow acm org)
Dear Return,

> I appreciate your valuable comments. One thing I forgot
> to mention in my previous post is that I solely develop this tool for
> academic purposes and not to make it like Tripwire or similar
> software. I always enjoy coding in Linux and C and try to learn new
> things by coding myself rather than installing a tool and learning it.

Yes -- as Nuno set me straight. If you're just doing some hands-on
learning for your own edification, that's awesome, and I certainly
don't want to discourage anyone from learning.

So -- how are you going to protect the hashes?

Are you planning on building these hashes on a per-host basis, or
maintaining a central store of hashes for all systems running a common
set of software?

If the running kernel is infected, how do you know that the data
you're reading off the disk (and calculating the hashes by) is
actually what's on the disk, and not just what the rooted kernel wants
you to see?

Are you targeting any particular distro, which might have hashes for
the files of interest in its package management database?

Sorry I'm more questions than answers, but hopefully thinking about
these things will point you in a promising direction.

Cheers,
Terry
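One way to answer the "how are you going to protect the hashes?" question above, as an added example that is not code from this thread: the hash table is sealed with a keyed MAC, so a rootkit that rewrites both a binary and its baseline entry is still caught, provided the key is held off the monitored host. The file paths and key are constructed for the demo; the separate problem of a rooted kernel lying about disk contents is not addressed here, since no check run from the infected system can rule that out.

```python
import hashlib
import hmac
import json
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(paths, key):
    """Hash every file and seal the table with HMAC-SHA256; the key must live off the host."""
    files = {p: hash_file(p) for p in sorted(paths)}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_baseline(baseline, key):
    """Constant-time check that the hash table was not edited after sealing."""
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), baseline["mac"])

def check(baseline, key):
    """Return paths whose hash differs from the sealed baseline; refuse a tampered baseline."""
    if not verify_baseline(baseline, key):
        raise ValueError("baseline MAC mismatch: hash database was altered")
    changed = []
    for path, digest in baseline["files"].items():
        current = hash_file(path) if os.path.exists(path) else None
        if current != digest:
            changed.append(path)
    return changed

def demo():
    """Constructed scenario: two fake binaries, one trojaned, then the baseline forged."""
    key = b"operator-held-key-kept-off-host"  # constructed demo key
    d = tempfile.mkdtemp()
    ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
    for p in (ls, ps):
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
    base = build_baseline([ls, ps], key)
    with open(ps, "ab") as f:
        f.write(b"# trojaned")
    modified = check(base, key)  # [ps]: only ps changed
    forged = {"files": dict(base["files"], **{ps: hash_file(ps)}), "mac": base["mac"]}
    return modified == [ps], verify_baseline(forged, key)  # (True, False)
```

Storing the sealed baseline on read-only media and running the check from a known-good boot medium is what makes the MAC worth anything; a key kept on the same disk as the hashes gives an attacker both at once.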

Re: rootkit and trojan hunting Mar 26 2008 07:40PM
Jeff D (fixedored gmail com)
Copyright 2007, SecurityFocus