
Re: Detecting abnormal behaviour

From: Stephen. <sa7ori(at)blackroses.com>
Date: Fri Mar 21 2003 - 20:35:54 EST

I am not entirely sure about what you are referring to, but from the buzz words you used, I assume what you are trying to do is employ some kernel module to log the PID of a process that is making a specific system call. If this is what you are attempting to do, it is fairly trivial to do with Linux kernel modules. There are actually quite a few programs out there that will allow you to set up "filters" for syscalls and their parameters, for instance an "open" on "/etc/passwd". If you are coding this from scratch, Pragmatic's (THC) paper on Linux Kernel Modules is a good place to start... Also, check out any of Tim Lawless's code; it's a good place to rip code from :-). Hope this helps; if not, just email me and I can fire off some source if you need it.

On Fri, 21 Mar 2003, Adrian S wrote:

>
> Hi,
>
> Is it possible to determine the source address of the system call to check
Received on Sun Mar 23 16:40:07 2003
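The monitoring idea in the reply above, as an added example that is not from the post or from any of the tools it names: the same filter (an open/openat on /etc/passwd) and PID logging, but done from user space with ptrace rather than a kernel module, so nothing is loaded into the kernel. It assumes x86-64 Linux; WATCH_PATH, matches_filter and the child tracee are constructed for the example.

```c
/* Added example, not from the post: "filter a syscall by its arguments and log
 * the caller's PID", done with ptrace instead of a kernel module. Assumes x86-64
 * Linux; WATCH_PATH is a one-entry filter, the tracee is a constructed child. */
#include <stdio.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/user.h>
#include <sys/syscall.h>
#define WATCH_PATH "/etc/passwd"
/* The filter: 1 when the syscall is open/openat and its path equals WATCH_PATH. */
int matches_filter(long nr, const char *path) {
    if (nr != SYS_open && nr != SYS_openat) return 0;
    return path != NULL && strcmp(path, WATCH_PATH) == 0;
}
/* Copy a NUL-terminated string out of the tracee's address space, one word at a time. */
static void read_tracee_string(pid_t pid, unsigned long addr, char *buf, size_t len) {
    for (size_t i = 0; i + sizeof(long) <= len; i += sizeof(long)) {
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), NULL);
        memcpy(buf + i, &word, sizeof word);
        if (memchr(&word, 0, sizeof word)) return;      /* terminator copied */
    }
    buf[len - 1] = '\0';
}
int main(void) {
    pid_t pid = fork();
    if (pid == 0) {                                     /* tracee: constructed subject */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                                 /* let the tracer set options first */
        close(open(WATCH_PATH, O_RDONLY));              /* the access we want to see logged */
        _exit(0);
    }
    int status; waitpid(pid, &status, 0);               /* initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == 0 && waitpid(pid, &status, 0) > 0) {
        if (WIFEXITED(status)) break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;
        struct user_regs_struct regs; ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        if ((long)regs.rax != -ENOSYS) continue;        /* x86-64: only syscall-entry stops */
        char path[256] = {0};
        if (regs.orig_rax == SYS_open || regs.orig_rax == SYS_openat)
            read_tracee_string(pid, regs.orig_rax == SYS_open ? regs.rdi : regs.rsi, path, sizeof path);
        if (matches_filter((long)regs.orig_rax, path))
            printf("pid %d: syscall %ld on %s\n", (int)pid, (long)regs.orig_rax, path);
    }
    return 0;
}
```

Run it as an ordinary user: it traces only its own forked child and prints one line when that child opens the watched file.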

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

