Vulnerability Development mailing list archives

Re: Core Dump as an Intrusion Event


From: Alexander Kiwerski <alex () WINSTAR NET>
Date: Thu, 5 Oct 2000 07:56:27 -0700

At 07:00 AM 10/5/2000, Crispin Cowan wrote:

> Anyone have practical comments on this hypothesis?  In practice, how
> often do services dump core for non-security reasons?  If services dump
> core for non-security reasons even just a little, then the
> false-positive rate of intrusion detection from this clue gets out of
> control.

In practice, they shouldn't. However, I have seen machines that have
'buggy' versions of the service daemons and end up dumping core once a week
or so. Again, this shouldn't happen, and you should fix the problem
(patches, etc.) as quickly as possible. Most relevant example (some time ago
too) I can think of is I saw it once on a Linux box, and Apache would dump
once in a while, though this was in the early days of Apache.

-Alexander Kiwerski

