File Integrity Checkers and related tools
Sure signs of a successful system intrusion or attack appear when sensitive files are altered, back-doored, or have Trojans inserted. Likewise, when new files show up in system or other privileged directories, where such additions should occur only when new software is installed or when updates or service packs are applied, it is often a sign of potential trouble as well. A category of software called a file integrity checker permits administrators to take snapshots of their file systems to create reference baselines (right after installation and upgrades, for example, when a system should be both pristine and correct) and to compare that baseline data with snapshots taken at regular intervals thereafter.
By gathering extensive information about the files and objects they check (file properties, related registry properties where applicable, and signatures, message digests, checksums, or hashes computed over file contents), these tools can detect even minuscule changes in files over time. Many such tools can also detect and report new files that show up in key system or binary directories (usually configured by default according to the recognized operating system, and customizable to add noteworthy local or proprietary directories), thereby alerting administrators to potential signs of trouble.
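The baseline-and-compare cycle described above, as an added example that is not part of the original article and not code from any of the tools it names: a small checker that fingerprints every regular file under a set of watched directories (SHA-256 of the contents plus size, mode, owner and mtime), saves the baseline as JSON, and on a later run reports added, removed and modified files. The watched directory names, the sample tree and the simulated drift are all constructed for the demonstration; a real deployment would point the watch list at the host's actual system and binary directories.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed watch list for the constructed sample tree; a real checker would
# be configured with the host's actual privileged directories.
DEFAULT_WATCH = ("bin", "etc")


def fingerprint(path: Path) -> dict:
    """Record the per-file attributes an integrity checker tracks: a
    SHA-256 digest of the contents plus size, permission bits, owner and
    modification time."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "mtime": int(st.st_mtime),
    }


def snapshot(root: Path, watch=DEFAULT_WATCH) -> dict:
    """Walk the watched directories under root and fingerprint every regular
    file. Keys are POSIX-style paths relative to root so a baseline taken on
    one host can be compared on another."""
    snap = {}
    for sub in watch:
        base = root / sub
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                p = Path(dirpath) / name
                if p.is_file() and not p.is_symlink():
                    snap[p.relative_to(root).as_posix()] = fingerprint(p)
    return snap


def save_baseline(snap: dict, dest: Path) -> None:
    dest.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report what a scheduled re-check would flag: files that appeared in a
    watched directory, files that vanished, and files whose recorded
    attributes differ (listing which attributes changed)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed sample tree, baseline it, simulate drift (an
    altered binary and an unexpected new file), then run the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed login binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline_file = root / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated change between two scheduled checks.
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed login binary, altered")
        (root / "bin" / "new_tool").write_bytes(b"unexpected file in a privileged directory")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison deliberately reports which attributes changed rather than a single yes/no, since a changed mtime with an unchanged digest (a package upgrade that rewrote identical content) deserves a different response from a changed digest with a preserved mtime, which is what a tampered binary with a reset timestamp looks like. The baseline file itself must be stored where the monitored host cannot silently rewrite it, for example on read-only media or a separate host, or the checker can be defeated by re-baselining after the change.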
Perhaps the best-known tool in this category is TripWire, originally developed as part of a research program at Purdue University. It is available in both Open Source and commercial versions, and the TripWire FAQ describes the system as follows: “Tripwire is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.” Ample information on the Open Source version is available online at http://www.tripwire.org; commercial versions are covered at http://www.tripwire.com.
The key to using a file integrity checker correctly is regular, repeated use (typically as part of an ongoing intrusion detection regime, or as an integral part of regularly scheduled security scans on key systems and software). Most such tools can be scheduled and run from within intrusion detection systems; manual operation and other scheduled uses within security scans are commonplace as well.
Table 1: File/signature checking tools
TripWire for Servers, Routers,…
LANGuard System Integrity Monitor