On Fri, 7 Oct 1994, Fred Blonder wrote: > ALWAYS (well, almost) changing, so if Tripwire raised the alarm on a > logfile, your reaction should be: "So what?". ;-) again if you are checking only, uid, gid, size increasing only, etc then so what is the wrong reaction. > At the FIRST Conference in Boston a couple months ago, Gene Spafford > spoke about Tripwire. Someone in the audience asked about the > possibility of improving Tripwire so that it could checkpoint > logfiles. Gene seemed to think this was a good idea, and said he'd > consider it in a future version. that is a different idea than what i thought you said. good point. rotating the logs and checking the older ones with a signature approaches this. it a matter of granularity. an inplace checkpoint could occur much more frequently. jmb Jonathan M. Bresler jmb@kryten.atinc.com | Analysis & Technology, Inc. | 2341 Jeff Davis Hwy play go. | Arlington, VA 22202 ride bike. hack FreeBSD.--ah the good life | 703-418-2800 x346