Hosting Provided By

Re: Detecting abnormal behaviour

From: Jose Nazario <jose(at)monkey.org>
Date: Sun Mar 23 2003 - 17:20:47 EST

have a look at systrace. you can block or log with pass arbitrary syscalls tied to program names.

http://www.citi.umich.edu/u/provos/systrace/linux.html

for reference, various people have looked at the idea of tracking syscall paths as a method to detect anomalies. systrace is currently stateless, but with some work it could be made stateful. its just hard to express a directed graph of syscalls.

for reference, i did some syscall graphs on openbsd some months back. it should give you an idea of the rapid complexity you will find:

http://monkey.org/~jose/graphing/syscalls/

systrace as it stands should be useful for you.

jose nazario, ph.d.			jose@monkey.org
					http://www.monkey.org/~jose/

Received on Sun Mar 23 22:25:06 2003

This message: [ Message body ]
Next message: Fabrice MARIE: "Re: library/executable image"
Previous message: Brett Moore: "RE: NSLOOKUP.EXE"
In reply to: Stephen.: "Re: Detecting abnormal behaviour"
Next in thread: Martin Maèok: "Re: Detecting abnormal behaviour"
Reply: Martin Maèok: "Re: Detecting abnormal behaviour"
Reply: wirepair: "Re: is it even possible for a worm with dcom vuln?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

Do you need help?