NSIV (Network Socket Inode Validation) Installation:
INSTALLATION
wget http://rfxnetworks.com/downloads/nsiv-current.tar.gz
tar -zxvf nsiv-current.tar.gz
cd nsiv-0.*
./install.sh
Configuration Change
vi /usr/local/nsiv/ignore.rules
NSIV Testing
/usr/local/sbin/nsiv -s
-----------------------------------
Introduction
Network Socket Inode Validation is a rule-based utility intended to aid in the
validation of inodes against each LISTEN socket on a system. The nature of
this tool is such that rogue binaries can easily hijack a user, program
privileges, or work space, and use that to kill the old service and execute
a new service on the known port they crashed.
The best known examples of this trend are 'tmp' path uploaded content via PHP
remote include exploits, which is executed, crashes the web server and starts
a rogue httpd process, and other such items.
A simple validation structure is used by NSIV to verify the integrity of
services on a given system. The rules system has three required variables: the
first is a declared PORT value on which the service is known to operate,
the second is the BIN value, which is simply the path to your service's executed
binary, and the third is the RST value, which points to an init script or
similar and must include a restart flag or similar.
Thereafter NSIV determines the running PID of your BIN, the current inode of
your BIN, followed by the current inode that is binding your declared PORT for
that service. If the listening inode differs from that of the BIN inode value,
then we assume the service has been hijacked or similar, and the PID is killed
and RST executed.
RaviBagul
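The validation loop described in the Introduction, as an added example in POSIX shell that is not part of NSIV or of the post above: it takes one rule's PORT/BIN/RST triple, finds the LISTEN socket inode for PORT in /proc/net/tcp, the PID holding that socket, and compares the inode of that process's binary with the inode of the declared BIN. It only reports; the kill-and-restart step NSIV would take is printed as a message. The function names, the optional path argument for the tcp table and the constructed sample used in testing are assumptions.

```shell
#!/bin/sh
# Added example, not NSIV's own code: report-only check of one PORT/BIN/RST rule.

# Print the inode of the LISTEN socket (state 0A) bound to decimal port $1,
# read from a /proc/net/tcp-format file $2 (defaults to /proc/net/tcp).
listen_inode() {
    hexport=$(printf '%04X' "$1")
    # field 2 = local_address (hex ip:port), field 4 = state, field 10 = inode
    awk -v p=":$hexport" '$2 ~ (p "$") && $4 == "0A" { print $10; exit }' \
        "${2:-/proc/net/tcp}"
}

# Print the PID whose fd table holds socket inode $1 (scans /proc/*/fd).
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
        return 0
    done
    return 1
}

# validate_rule PORT BIN RST [TCPFILE]
# Returns 0 when the listener's binary inode matches BIN, 1 on mismatch
# (the case where NSIV would kill the PID and run RST), 2 when no listener
# or no owning process could be found.
validate_rule() {
    port=$1 bin=$2 rst=$3 tcp=${4:-/proc/net/tcp}
    sock=$(listen_inode "$port" "$tcp")
    [ -n "$sock" ] || { echo "port $port: no LISTEN socket"; return 2; }
    pid=$(pid_for_inode "$sock") || {
        echo "port $port: socket inode $sock not owned by a visible process"
        return 2
    }
    want=$(stat -c %i "$bin")                 # inode of the declared BIN
    have=$(stat -L -c %i "/proc/$pid/exe")    # inode of what is really running
    if [ "$want" = "$have" ]; then
        echo "port $port: PID $pid matches $bin (inode $want)"
        return 0
    fi
    echo "port $port: PID $pid runs inode $have, expected $bin inode $want;" \
         "NSIV would kill $pid and run: $rst"
    return 1
}
```

Run as root for a complete view of /proc/*/fd; IPv6 listeners live in /proc/net/tcp6 and can be passed as the fourth argument.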