RE: Using SWATCH for Forensic Analysis of VMware$DD images

From: Dave Dittrich (dittrichat_private)
Date: Wed Jan 16 2002 - 13:36:31 PST

    > vs. a simple script:
    >
    > #!/bin/sh
    > # Perl-style /.../i delimiters removed: egrep would otherwise look for a
    > # literal "/rootkit" and "0wn/i"; -i already makes the match case-insensitive.
    > egrep -i 'rootkit|root kit|hack| irc | bot |sniff|backdoor|back door|promisc|knark|hax0r|hide|trojan|virus|TFN2K|adore|LKM|attack|denial-of-service|ddos|brute force|0wn' "$@" | \
    > 	strings >> /images/grep_honeypot.txt
    
    Even easier, try "fgrep -f file-with-patterns" and list all the
    patterns you want.  See "man fgrep".
    
           -f FILE, --file=FILE
                  Obtain patterns from FILE, one per line.  The empty
                  file  contains  zero patterns, and therefore matches
                  nothing.
    
    --
    Dave Dittrich                           Computing & Communications
    dittrichat_private             University Computing Services
    http://staff.washington.edu/dittrich    University of Washington
    
    PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
    Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
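A worked version of the pattern-file approach from the reply above, added here as an example and not code from the thread or from either poster. It assumes a POSIX sh with `strings` and `grep -F` available, runs `strings` on the image first so that the fixed-string match operates on text, and uses a constructed sample image and a constructed pattern list (the terms are taken from the quoted script) rather than a real honeypot image.

```shell
#!/bin/sh
# Added example: scan a disk image for indicator strings using a pattern
# file (grep -F -i -f), as suggested in the reply. Assumes POSIX sh plus
# the `strings` and `grep` utilities; the image and pattern list below are
# constructed sample data, not artifacts from the thread.

# Write the indicator list, one fixed string per line. Note that a blank
# line in this file would match every input line, so none is written.
write_patterns() {
    cat > "$1" <<'EOF'
rootkit
root kit
backdoor
back door
promisc
knark
hax0r
trojan
TFN2K
adore
ddos
brute force
0wn
EOF
}

# Extract printable runs from the image first, then match the fixed
# patterns case-insensitively. Matching lines go to stdout.
scan_image() {
    image="$1"
    patterns="$2"
    strings "$image" | grep -F -i -f "$patterns"
}

# Number of matching lines, handy as a per-image triage figure.
count_hits() {
    scan_image "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed image: binary padding around a benign
# line and two lines that contain indicators ("ADORE", "Brute Force").
main() {
    tmpdir=$(mktemp -d)
    write_patterns "$tmpdir/patterns.txt"
    printf '\000\001\002normal config line\000ADORE lkm loaded\000\003\004Brute Force tool\000' \
        > "$tmpdir/sample.img"
    scan_image "$tmpdir/sample.img" "$tmpdir/patterns.txt"
    echo "hits: $(count_hits "$tmpdir/sample.img" "$tmpdir/patterns.txt")"
    rm -rf "$tmpdir"
}

main "$@"
```

Running `strings` before `grep` matters: `grep` on a raw image treats the whole image as a handful of enormous "lines", so a single hit reports a huge blob. The man-page note quoted above cuts both ways: an empty pattern file matches nothing, but an empty *line* inside the file matches everything, so keep trailing blank lines out of the list.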



    This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 16:24:44 PST