Re: fingerprinting servers--md5deep problem

--- Tom Stowell <> wrote:
> Booting from a Knoppix CD is a way to work around the immediate
> symptom

Should have said in the first post that I'm aware of this option; but
I'm working on live servers that need to stay up. 

I'm less concerned about 'missing' files that are bound to change
(appevent.evt, SAM, pagefile.sys, etc). 

I'm more concerned about getting something, anything that's a snapshot
of the server without being a full image or running tripwire, etc.

Here's what I did: 

find ./ -type f -exec md5sum {} \; > outputfile.txt

Simple. Worked fine, it skipped the 'busy text files' like SAM,
pagefile.sys, etc. 

Anyone know why md5deep can't skip these as well? 


> I'm actually working on a related project at the moment:
Your project sounds interesting! It would be nice to see how a server
changes over time. Especially when patching, backing out patches, etc.
I'll look for it on freshmeat ;-) 

Jeff.


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com