Published by Paulina Heath. Modified over 9 years ago.
Slide 1: Forensics: Tripwire Project Report
Conor Harris, Parth Jagirdar, Zheng Fang
Slide 2: What We’ve Done
Set up Tripwire
▫yum install tripwire
▫twadmin -m G -S ./site.key
▫twadmin -m G -L ./$HOSTNAME-local.key
Configure the policy
▫Remove all “file/dir not exists” warnings
▫Change “scan the individual reports” to “yes”
▫Add rule: check ‘/’ recursively, mode=SEC_CRIT
▫Remove all rules that conflict with the added rule
Slide 3: What We’ve Done (Cont.)
Initialize
▫twadmin --create-cfgfile -S site.key twcfg.txt
▫twadmin --create-polfile -S site.key twpol.txt
▫Delete twcfg.txt and twpol.txt
▫chmod 0600 tw.cfg tw.pol
▫tripwire --init
Back up
▫key, cfg, pol, database
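As an added example (not part of the slides and not Tripwire's own code), the following Python script checks that an installation matches the state the steps above should leave behind: the plaintext twcfg.txt and twpol.txt deleted, the signed tw.cfg and tw.pol present and mode 0600 (a signed policy file is still readable, so its file permissions are the only thing keeping it private), site.key and a *-local.key present, and it performs the backup step for key, cfg, pol and database files. The directory paths are assumptions (the stock /etc/tripwire and /var/lib/tripwire layout); the demo runs against a constructed temporary copy.

```python
"""Post-setup check and backup for a Tripwire install directory.
Added example; not the project's own code. Default paths assume the
stock /etc/tripwire and /var/lib/tripwire layout."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

PLAINTEXT = ("twcfg.txt", "twpol.txt")   # must not survive after signing
SIGNED = ("tw.cfg", "tw.pol")            # signed, not encrypted: keep 0600


def _mode(p: Path) -> int:
    return stat.S_IMODE(p.stat().st_mode)


def check_tripwire_dir(etc_dir="/etc/tripwire"):
    """Return a list of findings; an empty list means the layout is as expected."""
    etc = Path(etc_dir)
    findings = []
    for name in PLAINTEXT:
        if (etc / name).exists():
            findings.append(f"{name}: plaintext copy still present, delete it")
    for name in SIGNED:
        p = etc / name
        if not p.exists():
            findings.append(f"{name}: missing, run twadmin --create-cfgfile/--create-polfile")
        elif _mode(p) != 0o600:
            # anyone who can read tw.pol can print the policy, so no group/world bits
            findings.append(f"{name}: mode {_mode(p):04o}, expected 0600")
    keys = sorted(k.name for k in etc.glob("*.key"))
    if "site.key" not in keys:
        findings.append("site.key: missing")
    if not any(k.endswith("-local.key") for k in keys):
        findings.append("local key: no *-local.key found")
    for k in keys:
        if _mode(etc / k) & 0o077:
            findings.append(f"{k}: mode {_mode(etc / k):04o}, expected 0600")
    return findings


def backup_tripwire(etc_dir, db_dir, dest_dir):
    """Copy keys, signed cfg/pol and *.twd databases to dest_dir (mode 0600)."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    sources = list(Path(etc_dir).glob("*.key"))
    sources += [Path(etc_dir) / n for n in SIGNED]
    sources += list(Path(db_dir).glob("*.twd"))
    copied = []
    for src in sources:
        if src.is_file():
            target = dest / src.name
            shutil.copy2(src, target)
            os.chmod(target, 0o600)
            copied.append(src.name)
    return sorted(copied)


def build_demo():
    """Constructed fixture: a setup with two mistakes (twpol.txt kept, tw.pol 0644).
    Returns (etc_dir, db_dir, backup_dir) inside a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="twdemo-"))
    etc, db = root / "etc" / "tripwire", root / "var" / "lib" / "tripwire"
    etc.mkdir(parents=True)
    db.mkdir(parents=True)
    for name, mode in (("site.key", 0o600), ("host-local.key", 0o600),
                       ("tw.cfg", 0o600), ("tw.pol", 0o644), ("twpol.txt", 0o644)):
        (etc / name).write_bytes(b"demo")
        os.chmod(etc / name, mode)
    (db / "host.twd").write_bytes(b"demo database")
    return str(etc), str(db), str(root / "backup")


if __name__ == "__main__":
    etc, db, bak = build_demo()
    for line in check_tripwire_dir(etc) or ["OK"]:
        print(line)
    print("backed up:", backup_tripwire(etc, db, bak))
```

Run it as root against the real directories after `tripwire --init`; the backup destination should be removable media or another host, since a copy left on the monitored machine can be altered along with the originals.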
Slide 4: Alert
The policy file is NOT secure!!!
▫Even if “twpol.txt” is deleted, the policy can be retrieved with “twadmin --print-polfile” without any password.
Of course, we’ve got all the others’ policy files and did a little analysis.
Slide 5: Damages Made on All
Create /media/canyouseeme
Create /lost+found/.history
Change the modification time of /etc/yp.conf to "05:27:09"
Change file /var/log/maillog-20081116
▫change a "localhost" to "l0calhost" and keep the original modification time
Slide 6: Additional Damage Made on 129.63.16.75
Add 'cat' to /var/lib/tripwire/report/...20081119-041402.twr
chmod 777 /etc/X11
Installed Kate
Slide 7: Additional Damage Made on 129.63.16.91
Add 'cat' to /var/lib/tripwire/report/...20081112-041455.twr
chmod 777 /etc/X11
Slide 8: Additional Damage Made on 129.63.16.93
Change the modification time of /var/log/samba/old to "05:27:09"
Change a "session" to "s3ssion" in /var/log/secure-20081029 and keep the original modification time
Change "=" to "-" in /etc/xml/catalog
Slide 9: Changes Found on Our Machine
All files in “/etc/tripwire” are gone
▫rm -f *.*
“localhost.localdomain.twd” changed
▫add “forensics”
“.bash_profile” changed
▫add “/tmp/ttyconsole&”
Create shortcut ./cdrom
▫ln -s /usr/bin/./cdrom
Added a new user called “helpless”
▫useradd helpless
Slide 10: Changes Found on Our Machine (Cont.)
Installed airsnort.i386 and all of its dependencies
▫yum install airsnort.i386
Changed permissions on the etc directory to 757
▫chmod 757 etc/
Made directory /root/.enlightenment
Added file /root/.enlightenment/.IgnoreMe!
▫wrote the date to this file
Slide 11: Changes Found on Our Machine (Cont.)
Installed lrk4 and all of its dependencies
Added /var/tmp/...
Added /var/tmp/.../....
Added /etc/...
Added /etc/.../....
Added /tmp/...
Added /tmp/.../....
Added /tmp/tty-console
Added /tmp/..
Added /...
Added /.../....
Slide 12: Changes Found on Our Machine (Cont.)
Added: /home/...
Added: /home/.../....
Added: /home/user1/...
Added: /home/user1/.../....
Added: /var/lib/tripwire/report/...
Added: /var/lib/tripwire/report/.../....
Added fake report: /var/lib/tripwire/report/localhost.localdomain-20081123-235523.twr
Added fake report: /var/lib/tripwire/report/.localhost.localdomain-20081123-235523.twr
Slide 13: Changes Found on Our Machine (Cont.)
Added: /root/.tmp
Added: /root/d---------
Threw “lrk4.src.tar.gz” into the Trash
Added: /root/d---------
Deleted: /var/lock/subsys/sendmail
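As an added example (not Tripwire's code and not part of the original slides), the following Python script shows why the change types catalogued on slides 5 to 13 remain detectable by a Tripwire-style baseline: a content edit whose modification time was put back (the digest differs while the mtime is equal), a permission change such as chmod 777, added and deleted entries, and new names made only of dots ("...", "....") that are easy to overlook in a directory listing. It records mode, size, mtime and SHA-256 per path, compares two snapshots, and runs against a constructed temporary tree whose paths and contents are made up for the demo; the `tamper` function only reproduces the documented change patterns on that fixture.

```python
"""Minimal Tripwire-style integrity check. Added example; not Tripwire's code.
The tree it scans is a constructed temp fixture, not a real system."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path):
    """Hex SHA-256 of a regular file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (mode, size, mtime_ns, sha256).
    Size, mtime and digest are recorded for regular files only; directories
    keep None so a new child does not show up as a change of its parent."""
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if stat.S_ISREG(st.st_mode):
                entry = (stat.S_IMODE(st.st_mode), st.st_size, st.st_mtime_ns, _sha256(p))
            else:
                entry = (stat.S_IMODE(st.st_mode), None, None, None)
            snap[p.relative_to(root).as_posix()] = entry
    return snap


def compare(baseline, current):
    """Return a sorted list of (relative path, finding) tuples."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            hidden = os.path.basename(rel).strip(".") == ""
            findings.append((rel, "added (dot-only name, hidden in listings)" if hidden else "added"))
        elif rel not in current:
            findings.append((rel, "deleted"))
        else:
            b_mode, _, b_mtime, b_hash = baseline[rel]
            c_mode, _, c_mtime, c_hash = current[rel]
            if b_mode != c_mode:
                findings.append((rel, f"mode {b_mode:04o} -> {c_mode:04o}"))
            if b_hash != c_hash:
                # the digest is what catches an edit whose timestamp was restored
                tag = ("content changed, mtime unchanged (timestamp reset)"
                       if b_mtime == c_mtime else "content changed")
                findings.append((rel, tag))
            elif b_mtime != c_mtime:
                findings.append((rel, "mtime changed, content same"))
    return findings


def build_demo():
    """Constructed fixture resembling the paths named on the slides."""
    root = Path(tempfile.mkdtemp(prefix="fim-"))
    for d in ("etc/X11", "var/log", "var/lock/subsys", "media", "tmp"):
        (root / d).mkdir(parents=True)
    os.chmod(root / "etc" / "X11", 0o755)
    (root / "etc" / "yp.conf").write_text("ypserver 127.0.0.1\n")
    (root / "var" / "log" / "maillog").write_text("connect from localhost\n")
    (root / "var" / "lock" / "subsys" / "sendmail").write_text("")
    return root


def tamper(root):
    """Constructed changes mirroring the slides, applied to the fixture only."""
    log = root / "var" / "log" / "maillog"
    st = log.stat()
    log.write_text("connect from l0calhost\n")          # same size, one byte differs
    os.utime(log, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the old mtime back
    os.chmod(root / "etc" / "X11", 0o777)
    (root / "media" / "canyouseeme").write_text("")
    (root / "tmp" / "...").mkdir()
    (root / "var" / "lock" / "subsys" / "sendmail").unlink()


if __name__ == "__main__":
    demo = build_demo()
    base = snapshot(demo)
    tamper(demo)
    for rel, what in compare(base, snapshot(demo)):
        print(f"{rel}: {what}")
```

The baseline is only worth as much as its storage: like the real Tripwire database and policy, a snapshot kept on the monitored host can be rewritten along with the files it describes, which is what the deleted /etc/tripwire directory and the fake .twr reports on the slides illustrate.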
Slide 14: Other Changes
Installing programs also modified system logs and configuration files.
Creating a new user also made the system automatically generate a list of files.
Using the GNOME environment (Firefox, etc.) created and modified lots of log and configuration files, leaving some stuff in the cache.