Shulou(Shulou.com)06/02 Report--

Text

Why should 0x00 be used?

Intrusion detection is the most basic and best attack detection method in the security field. For our server, assuming it is attacked, destroying data is not the intention of most attackers, but more about having sex with our server. So once the server is compromised, a lot of the configuration may be changed. For example, a new software is installed, such as a sudden addition of data, or a change in the configuration file of the server. Then, AIDE this intrusion detection software can detect some changes in our system, and these direct detection results can be used as the basis for our server to be breached. Note: the intrusion detection we are talking about here is not the network intrusion detection, but the system intrusion detection.

0x01 about AIDE

AIDE is the abbreviation of (Advanced Intrusion Detection Environment) advanced intrusion detection, and its function is mainly to check the integrity of files.

How 0x02 works

AIDE first initializes a database of monitored files. It performs a check operation on the file in advance and saves the check value to the database. Finally, periodic checks are carried out according to the administrator's configuration, such as 1 day, 1 week, or manual check. In fact, the inspection is to check the monitored document again, compare the new check value with the original check value, and prove that there is a change if it is not the same.

0x03 check algorithm

# md5

# sha1

# rmd160

# tiger

# crc32

# sha256

# sha512

# whirlpool

# gost

# haval

# crc32b

0x04 Monitoring Properties

# p: permissions

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.