Honeypots mailing list archives

Re: sebek as a patch?


From: "Daniel J. Axtens" <danielax () gmail com>
Date: Thu, 6 Oct 2005 13:18:15 +0800

In a sebek environment, we'd better disable /dev/{kmem,mem}, together with
the module-loading capability. Then nobody can access kernel memory any
longer, no?

I am not a kernel/honeypot hacker, but would it be possible, at
the kernel level, to redirect /dev/{mem,kmem} to, for example, a stored
memory dump? That way, when the attacker probes the device file,
he/she sees not the real state of the memory, but a stored state from
when the kernel wasn't honeypotted. Then any changes to the devices
could either be ignored, or written to the stored dump.

That way, the honeypot shouldn't be too obvious - unless the attacker
deliberately does something crashy and finds the box proceeds as
normal.

Just a random idea... I have no idea if that is even possible - never
mind useful.
--
Neuronstorm: neuronstorm.sourceforge.net
The Neuronstorm Blog: leinad-golb.blogspot.com
