jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

reply to amark

Re: Looking for a Sniffer & Integrity Checker Programs

What options exist for File Authentication?

[The following sections now need to be updated considerably. It was last updated on 25 May 2001.]

There are, in fact, a number of applications currently available to users of Win 9x/ME/NT/2K systems that can initially compute and then subsequently be used to check and validate hashes (of varying types). Many of these applications also are capable of validating (or at least displaying) other attributes of files about which you may be concerned.

These fall into four categories:

  • CERT-recommended authentication applications

  • OS utilities

  • Other payware products

  • Freeware/Shareware products


You may note several things about these lists of available options.
First, none of them really have anything to do with any particular personal software firewalls (PSFs) -- nor do they need to do so (in my opinion). Many of the things that these utilities protect you against have nothing to do with whether you use the Internet or surf the Web at all. (Indeed, 'most' would probably be a better term than 'many'.)
Second, they differ considerably in the amount of burden they place upon you, as a user. Some force you to sit there and then figure out if anything's changed; others highlight 'changes' that may be of interest; and some (especially the more recent OS utilities) do the restoration behind your back and without your knowledge.



CERT-recommended authentication applications

CERT currently identifies two products that are applicable to Windows 9x/ME/NT/2000:

  • TripWire This is primo and the standard against which nearly everything else is evaluated. If you read up on this and decide to go with it, we only want a 10% finder's fee. Browse the site at http://www.tripwire.com/ for tons of information. There is, apparently, an open-source version of Tripwire for some lucky *NIX users.

  • Integrity Master from Stiller Research, for those with somewhat more limited financial means. You can find the Integrity Master website at http://www.stiller.com/ . Those who think that file authentication is primarily a firewall responsibility would be well advised to read the information at http://www.stiller.com/trojan.htm . (No, I didn't write that one.) This is a very succinct explanation of why file authentication is more important than just the threat of a Trojan deciding to masquerade as an application identified in your firewall ruleset.




OS utilities

Many utilities already exist that address file authentication in Win 9X/ME/NT/2K. Unfortunately, there are no well-organized centralized repositories of this information on the Microsoft website. (Nor are any of these utilities particularly user-friendly for an individual who would really like to know what's happening on their system.)

The best thing to do is to go to the Technet website at http://search.microsoft.com/us/itresources/SearchMS25.asp . Select the phrase(s) indicated below and run a complete search depending on your operating system.


  • Windows 98/98SE Search for System File Checker or SFC.EXE using "Exact Phrase" with both Technet and the KnowledgeBase categories checked. Then, on the "Search with Results" tab, enter "Windows 98". One document you should find (but it's sort of misleading as to the full power of SFC.EXE) is http://support.microsoft.com/support/kb/articles/q185/8/36.asp . SFC is user-customizable as to which files it checks. The problem is that you have to sit in front of your PC the entire time it is working (and it works SLOW). At the current time, I have SFC examining 275 folders for 2659 files and set to identify files added, files deleted, and files changed.

  • Windows ME Search for System File Protection or SFP using "Exact Phrase" with both Technet and the KnowledgeBase categories checked. Then, on the "Search with Results" tab, enter "Windows ME". One document you should find is http://support.microsoft.com/support/kb/articles/Q274/0/90.ASP . I don't have a Win ME box, but I understand the default settings in SFP check about 800 files. The problem is that SFP silently restores these files without your knowledge if they have been changed in an unauthorized manner. I am unclear as to whether you can add other files for authentication.

  • Windows 2000 Search for Windows File Protection or WFP using "Exact Phrase" with both Technet and the KnowledgeBase categories checked. Then, on the "Search with Results" tab, enter "Windows 2000". One document you should find is http://support.microsoft.com/support/kb/articles/Q222/1/93.ASP . Win 2000 will check and silently restore up to 2700 files (if you've set the buffer to accommodate this.) Again, I'm somewhat unsure as to whether you can add additional files to be authenticated.

  • Windows XP (By now, you may be getting the bizarre idea that Microsoft renames this feature with every version of its OSs -- you would be right, of course.) There's not much available on what's going to be done in Windows XP, but you might want to bookmark the site at http://www.microsoft.com/windowsxp/ for some tantalizing hints.



It appears (if I understand this correctly) that Microsoft has gone from one extreme to the other in file authentication. In Win98, you had to sit there and approve or disapprove any missing, added, or changed file in realtime; in WinME and Win 2000, on the other hand, it 'automatically' restores any valid file that may have changed (which could well mean that you don't know if something is repeatedly screwing with these files).



Other Payware products

There are three known to me at this point -- and all are really AV products provided by independent software vendors (ISVs).


  • AVP Inspector (trialware) obtainable as an integral part of AVP Gold, IIRC -- for money, natch. This is quite fast, but you only get the full advantage if you already have AVP. It looks like AVP Inspector only uses CRC-32, however, and this is easily compromised. (Documentation doesn't clarify this issue.) But AVP Inspector also apparently provides registry monitoring. AVP Inspector also provides some rather novel features to allow an end-user to protect themselves from having the program or its data files corrupted by an intelligent Trojan.

    You can find a write-up on AVP Inspector at http://www.avp.ru/products.asp?tgroup=0&pgroup=11&id=32 . There is a trialware version, but the URL does not seem to be publicly accessible at the moment.

  • NAV 2001 Symantec has restored (apparently) some sort of file authentication in the latest version of NAV 2001. Unfortunately, exactly what they've done is not well documented in the provided end-user documentation. Nor can I tell you precisely where this functionality is hidden in the NAV configuration options. Anybody help me out here? All I know is that it's currently driving me nuts.

  • There is also at least one other AV product on the market that still checks some sort of hash on executables before loading them into RAM or allowing them to be executed. Unfortunately, I don't recall what it is. Can anybody help me out here?





Freeware/Shareware products

Now, we get to the good (free) stuff. The following list is not necessarily comprehensive, but it is illustrative. Some of these are small; some are fast; some are easy for an end-user, others require more user interaction to exploit; and some are non-standard implementations. I'm not going to provide any sort of authoritative comparison of these; just point you to where you can find them and evaluate them for yourself.


  • Win Interrogator (freeware) This old version of this application was extremely fast and provided a wealth of information unmatched by any other application on executable files. Results are presented in a *.csv file that can easily be read into many spreadsheet applications. However, the old version produced non-standard results for the hash and no option to compare for version changes. The more recent versions produce a standard hash, but are now considerably slower. (They've also added some new file description fields to what was already an overwhelming list.)
    You'll find a line for a download of WinInterrogate about half-way down this page: http://sourceforge.net/projects/winfingerprint/ .

  • Floke Integrity (freeware) This is almost a freeware version of TripWire -- but it has a non-standard (text file) output that is difficult to directly review. What it does do, however, is identify changed files, new files, and missing files automatically. It has some operational anomalies in how it works and the author is out of circulation until Sep 2001 -- so don't expect any serious enhancements in the near future. You can find Floke Integrity at http://www.angelfire.com/wi/wickmann/floke.html .

  • MD5 Sumer (freeware) I'm going to have to check back on this one. There was something I didn't like and I never used it. (No, it wasn't the fact that it relied on MD5 hashes.) MD5Sumer is at: http://download.cnet.com/downloads/0-10096-100-3728229.html .
    Don't confuse this with MD5Summer, which you will find at: http://homepages.ihug.co.nz/~floydian/md5/ .

  • NISCRC-32 (freeware) This is Albert Janssen's originally released product (back before Symantec released leaktest-patched versions for NIS/NPF 2.0x and 2.5x). Albert's old program is, of course, available from http://members1.chello.nl/~a.m.janssen/niscrc.htm .
    Albert has now produced a far more enhanced version that can utilize RIPEMD160, SHA1, and/or HAVAL hashes. Using the 'Check Files' option automatically identifies any of the selected applications that have changed since the last run. Furthermore, the (new) version can be set (at the user's discretion) to only scan the executables in the AG/NIS/NPF firewall ruleset or ALL applications on the user's hard drive (which means it's no longer AG/NIS/NPF specific). The latest publicly released version of this is called NIS FileCheck Beta 1007 and you can download it from »members1.chello.nl/~a.m.janssen/···1007.zip .



I've modified the original posting slightly to clean up the presentation and also to update the information on Win Interrogate, which was badly out of date. I've also incorporated information on NIS File Check directly into this particular message, so you no longer need to check the follow-on message.


--
Regards,
Joseph V. Morris

[text was edited by author 2001-06-27 18:29:26]
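As an added illustration (not from the original post or any of the products it names), a minimal baseline-and-verify routine in the spirit of SFC's "files added, files deleted, files changed" report, using SHA-256 rather than CRC-32. The watched extensions, file names and contents are constructed for the demo.

```python
"""Minimal Tripwire-style integrity check: baseline a tree, then report the
three classes SFC reports: files added, files deleted, files changed."""
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED = (".exe", ".dll", ".sys")  # assumption: only executables are baselined

def file_digest(path: Path) -> str:
    """SHA-256 over the file in chunks; a CRC-32 catches accidental corruption
    but not deliberate tampering, so a cryptographic hash is used instead."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map relative path -> digest for every watched file under root."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in WATCHED}

def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh snapshot."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)),
            "changed": sorted(k for k in common if baseline[k] != current[k])}

def demo() -> dict:
    """Constructed scenario in a temp dir: baseline three files, then one is
    altered (same size, so a size check alone would miss it), one removed, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ original program")
        (root / "helper.dll").write_bytes(b"MZ helper library")
        (root / "driver.sys").write_bytes(b"MZ kernel driver")
        # The baseline must live where the monitored code cannot rewrite it
        # (read-only media or another host); it is kept in-tree here for brevity.
        baseline_file = root / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(root)))
        (root / "app.exe").write_bytes(b"MZ original progrAm")
        (root / "driver.sys").unlink()
        (root / "extra.dll").write_bytes(b"MZ unexpected")
        return compare(json.loads(baseline_file.read_text()), snapshot(root))
```

In practice snapshot() runs once at install time and again on a schedule, and the user reviews compare()'s three lists rather than having files silently restored.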


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

I could take about six hours and clean that up and update it, but the important thing right now is the list of URLs.

Some of these products have changed significantly in the past month or so since that text was last edited. Consequently, don't take my narrative descriptions as necessarily being correct now. Check out the URLs yourself.

Albert Janssen now has a public beta of NIS FileCheck 1007 (I believe that's the published version) that you can download from »members1.chello.nl/~a.m.janssen/···1007.zip . This will be freeware. And, no, you don't need to use NIS/NPF or AtGuard in order to use this application. Just read the (now rather dated) help file.
--
Regards,
Joseph V. Morris



joncellini

join:2001-04-19
Beaverton, OR

reply to jvmorris
I was thinking of trying to port the open source tripwire to MPE/iX... seems like the premo file integrity product on the market. Was also considering using it on some F5 appliances (BSDi based).


over 12.5 years online © 1999-2012 dslreports.com.