Re: noob question about the CVE-2010-3081 exploit



On 09/20/2010 09:21 PM, Bit Twister wrote:
On Mon, 20 Sep 2010 20:19:33 +0000, tuuttuuttuut@xxxxxxx wrote:

But the thing is... does TripWire see the kernel (and its headers and
stuff) also as 'files' to monitor

As you stated the question, yes. TripWire can tell you when any file/directory
it has been told to monitor changes.

or is it 'just for rootkits'?

In the context of this discussion, there are two types of rootkits.
One is where the rootkit runs only in memory. Tripwire will not see it
because it is not found on the disk. You reboot the system and the
rootkit disappears. The other type would be on the disk and could only
hide from tripwire if tripwire does not scan the directory where it resides.

I mean can tripwire keep me safe from the CVE-2010-3081 exploit?

A poor analogy follows. I think you are viewing tripwire as a burglar
alarm when in reality it is a smoke detector.

IF it smells smoke, it goes off. No smoke, no alarm. Was/is there a fire?
Could be. :(

You have to understand how tripwire works. It builds a database of
file names based on where you told it to scan/watch. If files are
added/deleted/changed then tripwire reports it.

Where would the cracker put malware? Anywhere you told tripwire not to
scan/watch.

What a real rootkit does becomes the real question. If the
person/malware gets into your system, the possibility exists that it
might make enough changes to sneak by you. Example: take a snapshot of
logs, insert rootkit, install backdoor(s), tell tripwire to rebuild its
database to pick up added/changed files, restore the snapshot of logs to
hide malware activity, and hope any tripwire complaint about a
log file goes unnoticed by you.

Expand your mind, read the 4th paragraph at
http://en.tldp.org/LDP/LG/issue36/kuethe.html

I read your answer and the whole article (it was quite interesting) and I think I got it.

Thanks a lot Bit Twister!
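To make Bit Twister's description concrete, here is a small file-integrity checker written as an added example for this thread. It is not Tripwire's code and not from anyone in the thread; it only mimics the idea: build a database of file hashes for the directories you chose to watch, rescan later, and report added/deleted/changed files. The constructed scenario in `demo()` shows the two points made above: a change in a directory the checker was never told to scan is invisible to it, and once the database is rebuilt after a change, a later check against the new database reports nothing.

```python
import hashlib
import os
import shutil
import tempfile

# Hypothetical minimal integrity checker (added example, not Tripwire itself).


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots):
    """Walk every watched root and record path -> hash (the 'database')."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                baseline[path] = hash_file(path)
    return baseline


def check(baseline, roots):
    """Rescan the same roots and report what differs from the baseline."""
    current = build_baseline(roots)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(
            p for p in baseline if p in current and current[p] != baseline[p]
        ),
    }


def demo():
    """Constructed scenario in a temp dir: one watched tree, one unwatched."""
    base = tempfile.mkdtemp()
    try:
        watched = os.path.join(base, "etc")
        unwatched = os.path.join(base, "tmp")
        os.makedirs(watched)
        os.makedirs(unwatched)
        conf = os.path.join(watched, "config")
        with open(conf, "w") as f:
            f.write("setting=1\n")

        # Snapshot taken while the system is known-good.
        baseline = build_baseline([watched])

        # Two changes afterwards: one inside the watched tree, one in a
        # directory the checker was never told to scan.
        with open(conf, "a") as f:
            f.write("setting=2\n")
        with open(os.path.join(unwatched, "dropped"), "w") as f:
            f.write("not watched\n")
        first = check(baseline, [watched])

        # The evasion described in the post: the database is rebuilt after
        # the change, so a later check against it reports nothing.
        rebuilt = build_baseline([watched])
        second = check(rebuilt, [watched])

        return {
            "first_changed": [os.path.basename(p) for p in first["changed"]],
            "first_added": first["added"],   # file in unwatched dir is never seen
            "second": second,                # all empty after the rebuild
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The defender's takeaway is the one Bit Twister makes: the tool only reports differences against the database it was given, so both the set of watched paths and the integrity of the database itself (keep it, and the tool's own binaries, where an intruder cannot rewrite them) decide what it can tell you.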


