[clue-tech] Rootkit Hunter
David Anselmi
anselmi at anselmi.us
Fri Dec 31 09:44:08 MST 2004
Jed S. Baer wrote:
> Anyone used this?
>
> http://www.rootkit.nl/projects/rootkit_hunter.html
>
> At first glance, it sounds as if it'd be redundant with Tripwire. But
> maybe multiple scanning tools would be good -- the "belt and suspenders"
> approach.

I haven't used it, but it's only a useful addition if it doesn't share
failure modes with Tripwire. For example, if both run from cron and
attackers typically disable Tripwire by disabling cron then you haven't
really gained anything. Obviously that's simplistic but it's worth
thinking about.

I'd recently heard about osiris (http://osiris.shmoo.com/) as a better
tripwire. Might be worth looking at.

Dave