Hosting Provided By

Re: Detecting abnormal behaviour

From: Martin Maèok <martin.macok(at)underground.cz>
Date: Mon Mar 24 2003 - 07:41:45 EST

On Sun, Mar 23, 2003 at 05:20:47PM -0500, Jose Nazario wrote:

> have a look at systrace. you can block or log with pass arbitrary syscalls

Or try subterfugue:

It uses ptrace(2) to do the job and it's written (mostly) in Python. It is a framework for syscall tracking modules (Tricks) which can be written in Python in a very simple way (a class with callbefore(pid, call, args...) and callafter(pid, call, args) methods). More Tricks can be load at a time and work in FI-FO order around syscalls (LI-FO). It can do anything with it's args or with the result of the call (including killing it of course and (experimental?) support for syscall inserting and restarting syscalls).

Works in Linux 2.2.x and 2.4.x (better), Python 2.1 and lower (Debian has 2.2+ port?)

Written by Mike Coleman and Pavel Machek. It's free (GPL).

For more, see:
http://subterfugue.org/

Do you need help?

I have made stateful tracking Trick to subterfugue recently.

It's in current CVS, not much tested and whole subterfugue itself seems a bit experimental still (and has some unresolved issues), but for some tasks seems to work pretty good.

StateTrick provides different syscall restrictions/environment in different parts of the process execution history. Those parts (states) are defined through stateful automaton working with (syscall,args). It can also load other Tricks and enable them in different states. It's currently not much documented and well tested, but can be downloaded from current CVS.

$ sf -h -t State
This is subterfugue. It is used to play various specified tricks on a command.

usage: sf [OPTIONS]... [<COMMAND> [<COMMAND-OPTIONS>...]]

-t, --trick=TRICK[:OPTIONS]     use TRICK with OPTIONS
-o, --output=FILE               direct sf output to FILE
-o, --output=N                  direct sf output to file descriptor N
-d, --debug                     show debugging output
-n, --failnice                  allow kids to live on if sf aborts
-h, --help                      output help, including for TRICKs, and exit
-V, --version                   output version information and exit

--waitchannelhack               enable kludge (required for unpatched
                                2.3.99-2.4.0test9)
--slowmainloop                  disable fast C loop (for debugging)
--nowall                        run w/o wait __WALL flag (bogus 2.2 support)

        StateTrick can change program's execution restrictions dynamically
        according to program's execution history. It can also load other tricks
        and disable/enable them at runtime. When program calls syscall that
        is not allowed in current state, it is killed and the state and
        call(args) are reported.

        options:
            config = filename       ... state machine configuration file
            verbose =            ... verbosity, default = 0
        
        example:
            $ sf -t State:'config = State.conf' naughty_app
        
        Configuration file syntax:  [voluntary]
        # comment
        IGNORE  [ [...]]
        WATCH  [ [...]]
        DEFINE  
        STATE 
        TRICKS  [ [...]]
        ([args]) [->  [-> ]]

        Configuration file example:
        ---------------------------
        # define Tricks
Do you need more help? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
        DEFINE TRACE Trace
        DEFINE TRACEFS Trace:call=["open", "close", "read", "fstat64"]
        DEFINE COUNT Count
        
        # ignore those calls (allowed, won't change states)
        # IGNORE brk fstat64
        
        # define state, 'START' is implicit
        STATE START
        # those tricks will be enabled (active) in this state
        TRICKS TRACE COUNT
        # define calls allowed in this state
        uname()
        # regexp ([a-z] works), but '*' means '[^/]*' and '.' means '\.'
        open(/etc/ld.so.*,0,)
        open(/lib/libc*,0,)
        mmap(-1073749156)
        # munmap will change program's state to state 'FORKING'
        munmap() -> FORKING
        # other syscalls than those defined above are not allowed in START
        # (IGNORED and not WATCHED are allowed too)

        # define new state, no tricks enabled here
        STATE FORKING
        # parent will go to state FORKED, child goes to state CHILD
        fork() -> FORKED -> CHILD

        STATE FORKED
        mmap()
        wait4()
        munmap() -> FINISH
        
        STATE CHILD
        TRICKS TRACEFS
        mmap()
        write()
        munmap() -> FINISH
        
        STATE FINISH
        _exit()
        ----------------------------
        TODO: more documentation

-- 
         Martin Maèok                 
http://underground.cz/
   
martin.macok(at)underground.cz        
http://Xtrmntr.org/ORBman/

Received on Mon Mar 24 13:11:44 2003

This message: [ Message body ]
Next message: Adam Gilmore: "RE: library/executable image"
Previous message: Fabrice MARIE: "Re: library/executable image"
In reply to Jose Nazario: "Re: Detecting abnormal behaviour"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT