Vulnerability Development mailing list archives
Re: Core Dump as an Intrusion Event
From: Alexander Kiwerski <alex () WINSTAR NET>
Date: Thu, 5 Oct 2000 07:56:27 -0700
At 07:00 AM 10/5/2000, Crispin Cowan wrote:
> Anyone have practical comments on this hypothesis? In practice, how often do services dump core for non-security reasons? If services dump core for non-security reasons even just a little, then the false-positive rate of intrusion detection from this clue gets out of control.
In practice, they shouldn't. However, I have seen machines that have 'buggy' versions of the service daemons and end up dumping core once a week or so. Again, this shouldn't happen, and you should fix the problem (patches, etc.) as quickly as possible. Most relevant example (some time ago too) I can think of is I saw it once on a Linux box, and Apache would dump once in a while, though this was in the early days of Apache.

-Alexander Kiwerski