or you can modify tripwire so that it tells you everything is always ok..:)
Many have spent time and money investing in and exploring ways to improve and expand on intrusion detection systems, but none have caught my eye like honeynet.org and their eloquent views on honeypots.
The idea of letting interested parties think they broke in so you can observe them in a controlled environment makes me chuckle a lot.
Honeypots are a great approach if you have spare hardware and lots of time on your hands. Passive Fingerprinting is what this link is all about:
http://project.honeynet.org/papers/finger/
Kwi
Just a quick note on WFP. To my understanding, the WFP calculates the file checksum and verifies it against the checksum located in the header of the PE file.
So in order to make WFP happy, whenever you alter a PE file (.dll, .sys, .exe, ...), call the MapFileAndCheckSum() function located in imagehlp.dll; this will give you a new file checksum. Then open the PE file in a hex editor and replace the checksum. Replacing the checksum value located in the header will not alter the checksum of the PE file. I tried this on XP and w2k.
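From the monitoring side, the post above means a matching header checksum says nothing about whether a file was changed, so an integrity check needs a cryptographic hash recorded from a known-good copy. The following is an added example, not part of the original thread: it audits an image both ways, using the PE header checksum (16-bit folded sum plus file length). The function names and the header-only sample images are constructed for illustration.

```python
import hashlib
import struct

CHECKSUM_IN_OPTIONAL_HEADER = 64  # same offset for PE32 and PE32+

def checksum_offset(image) -> int:
    """File offset of the CheckSum field in the optional header."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    return e_lfanew + 4 + 20 + CHECKSUM_IN_OPTIONAL_HEADER  # sig + COFF header

def pe_checksum(image) -> int:
    """Folded 16-bit word sum with the CheckSum field zeroed, plus file length."""
    off = checksum_offset(image)
    buf = image[:off] + b"\0" * 4 + image[off + 4:]
    if len(buf) % 2:
        buf += b"\0"
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return (total + len(image)) & 0xFFFFFFFF

def audit(image: bytes, baseline_sha256: str) -> dict:
    """Compare header checksum and SHA-256 baseline independently."""
    (stored,) = struct.unpack_from("<I", image, checksum_offset(image))
    return {
        "checksum_consistent": stored == pe_checksum(image),
        "matches_baseline": hashlib.sha256(image).hexdigest() == baseline_sha256,
    }

def make_sample(payload: bytes) -> bytes:
    """Constructed header-only image for the demo; not a loadable binary."""
    img = bytearray(b"MZ" + bytes(62) + b"PE\0\0" + bytes(20) + bytes(96) + payload)
    struct.pack_into("<I", img, 0x3C, 64)  # e_lfanew points at the PE signature
    struct.pack_into("<I", img, checksum_offset(img), pe_checksum(img))
    return bytes(img)

if __name__ == "__main__":
    known_good = make_sample(b"original code bytes")
    baseline = hashlib.sha256(known_good).hexdigest()  # recorded from a trusted copy
    other = make_sample(b"modified code bytes")        # self-consistent, different content
    print("known good:", audit(known_good, baseline))
    print("different :", audit(other, baseline))
```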