LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-14-2007, 08:49 PM   #1
ComputerHermit_
LQ Newbie
 
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23

Rep: Reputation: 15



what one is better chkrootkit or rkhunter
I run chkrootkit, rkhunter I was reading its better to run rkhunter on a floppy I don't know if this is true or not
or can you use both? I assume you can! it's look's to me they both do the same thing...
 
Old 04-15-2007, 03:02 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
//Moved post to new thread. Please don't tack on to exisiting threads if your questions do not address the OP's questions.

Generally speaking (and I mean very generally speaking) Chkrootkit (CRT) and Rootkit Hunter (RKH) both are host-based, passive, post-incident auditing tools meant to check for signs of malicious activity. While they have some in common, they have different features. Best compare CRT with RKH-s upcoming 1.3.0 release: see RKH's CVS at Sourceforge, since a lot will change (and I do mean a *lot*). Running any audit tool from a LiveCD is a "best practice" approach when the target system is suspected tampered with or outright can't be trusted. I also added a short doc to the 1.3.0 branch about runing RKH with Webjob. While it's usage doesn't seem that widespread it could be used as an alternative to running a LiveCD in some situations. Running both CRT and RKH causes some overlap in tests but isn't bad since it allows for a second opinion which in some cases can be a good thing. Finally don't forget running CRT or RKH alone does *not* constitute proper system hardening or system auditing. There's more you need to do. See the LQ FAQ: Security references for more nfo.
 
Old 04-15-2007, 12:54 PM   #3
Zention
Member
 
Registered: Mar 2007
Posts: 119

Rep: Reputation: 16
Run both.

It is hard to determine which is better than the other, it does not make much sense when we are dealing with only two fairly full featured root kit finders. If there are things that don't fall into the intersection of the two (or more) then you will want to run those that give you the largest collection of hits.

If there were a hundred then it might make sense to to compare and contrast to find the optimum speed against maximum detection. Still, things tend to niche at that point, and you will have to make comparison depending upon your position.
 
Old 04-16-2007, 01:57 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Quote:
Originally Posted by Zention
It is hard to determine which is better than the other, it does not make much sense when we are dealing with only two fairly full featured root kit finders.
No it's not hard. It just takes knowledge and time. BTW, there's two more tools in the field I know of: OSSEC and Zeppoo.


Quote:
Originally Posted by Zention
If there are things that don't fall into the intersection of the two (or more) then you will want to run those that give you the largest collection of hits.
The amount of "hits" is of lesser consequence than the accuracy IMNSHO, and having a large amount of "hits" doesn't imply greater accuracy. RKH can generate a fair amount of FP's, and CRT's chkproc will sometimes generate FP's too. FP's are for the user to verify.


Quote:
Originally Posted by Zention
If there were a hundred then it might make sense to to compare and contrast to find the optimum speed against maximum detection. Still, things tend to niche at that point, and you will have to make comparison depending upon your position.
I think it's too easy to say "make comparison depending upon your position". How about some solid criteria?
 
Old 04-16-2007, 01:18 PM   #5
Zention
Member
 
Registered: Mar 2007
Posts: 119

Rep: Reputation: 16
Quote:
I think it's too easy to say "make comparison depending upon your position". How about some solid criteria?
On what, some theoretical time in the future where there are 100 or so rootkit checkers?

The idea of the niche will probably show in appliance, so say you have a rootkit checker designed for a web server, or a handheld or mobile phone, they will be similar probably feeding off a couple of centralized vulnerability sources, but purposed optimally for the environment.

Quote:
No it's not hard. It just takes knowledge and time. BTW, there's two more tools in the field I know of: OSSEC and Zeppoo.
And yet you don't make a comparison

The question was:

what one is better chkrootkit or rkhunter

There is only two there?

The question was not:

what is the best root kit checker?

Quote:
The amount of "hits" is of lesser consequence than the accuracy IMNSHO, and having a large amount of "hits" doesn't imply greater accuracy. RKH can generate a fair amount of FP's, and CRT's chkproc will sometimes generate FP's too. FP's are for the user to verify.
Hits was not quoted (") by me, hits mean just that hits, not misses or false positives, those are both misses, false positives being the worse miss. Hits can be thought of as ambiguous, but in the context of what I said was in determining vulnerability detection set size. Taking your idea that a hit is anything, 'oh look he hit some air to the right of the target' we get absurd comments like that. A hit is if you hit the target not if you miss it.

Anyway, my position stands it is very very hard to determine which is best, not only is it a moving target, the vulnerability catchment will differ, and that is the thing you are mainly interested in.

It is a good thing at least two fully featured root kit detectors exist, they act as a failsafe for each other, so looking to see which is best is not that productive (not only being hard to determine, you do want to use both) and that is the essence of my point.

Last edited by Zention; 04-16-2007 at 01:24 PM.
 
Old 04-16-2007, 05:06 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
All I asked you was to clarify, for the benefit of the OP, by adding objective criteria instead of unloading back onto him. Maybe brush up on your practical knowledge of GNU/Linux-based rootkits and detection methods first though.
 
Old 04-16-2007, 07:24 PM   #7
Zention
Member
 
Registered: Mar 2007
Posts: 119

Rep: Reputation: 16
>>> All I asked you was to clarify, for the benefit of the OP, by adding objective criteria instead of unloading back onto him. Maybe brush up on your practical knowledge of GNU/Linux-based rootkits and detection methods first though.

You didn't actually, but you are free to do the same.
 
Old 04-16-2007, 10:17 PM   #8
ComputerHermit_
LQ Newbie
 
Registered: Feb 2007
Distribution: Ubuntu 7.10 Mint 4.0
Posts: 23

Original Poster
Rep: Reputation: 15
unSpawn thank you I will check out Sourceforge


Zention thank you as well
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
rkhunter atlaika Linux - Security 7 11-29-2005 10:47 AM
rkhunter phatbastard Linux - Security 3 12-08-2004 09:44 PM
Snort and rkhunter lord_zoo Linux - Security 5 11-28-2004 08:07 AM
chkrootkit & rkhunter crontab Sabicas Linux - Security 1 11-27-2004 07:49 AM
rkhunter or chkrootkit? marlor Linux - Security 2 08-28-2004 08:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration