Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [suse-security] Tripwire vs rootkit Hunter
Date: Mon Sep 13 2004 - 09:59:19 CDT
Quoting John <isofronicc.uoi.gr>:
> Which is best?
> Has anyone tried both these tools?
As far as I'm aware, these are two completely different tools that do completely
Tripwire is an intrusion detection system. It lets you know when something has
changed your files. Assuming you hadn't done it yourself, you know someone is
Rootkit Hunter, as its name implies, scans your computer for known rootkits that
someone may have left there.
Tripwire has the advantage of letting you know what files have changed, and can
thus detect all rootkits, not just known ones. On the downside, it requires
more effort to keep its DB up to date. You'll have to run it after every
security update. Rootkit Hunter will also find rootkits that have been placed,
but not yet activated. For instance, if one of your users puts a rootkit in
their home directory, tripwire wouldn't alert you until it's activated.
Consider it in terms of building security, tripwire is just like a tripwire,
anyone breaking in sets it off. Rootkit Hunter is like a security guard, it
has a chance of seeing the undesirable before the actual breakin, but has to
already know what the thief looks like.
Personally, I prefer tripwire.
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here