Vulnerability Development mailing list archives
Re: Detecting abnormal behaviour
From: "Stephen." <sa7ori () blackroses com>
Date: Fri, 21 Mar 2003 20:35:54 -0500 (EST)
I am not entirely sure about what you are referring to, but from the buzz words you used, I assume what you are trying to do is employ some kernel module to log the PID of a process that is making a specific system call. If this is what you are attempting to do, it is fairly trivial to do with linux kernel modules. There are actually quite a few programs out there that will allow you to set up "filters" for syscalls and their parameters, for instance an "open" on "/etc/passwd". If you are coding this from scratch, Pragmatic's (THC) paper on Linux Kernel Modules, is a good place to start...Also, check out any of Tim Lawless's code, its a good place to rip code from :-). Hope this helps, if not, just email me and I can fire off some source if you need it. On Fri, 21 Mar 2003, Adrian S wrote:
Hi, Is it possible to determine the source address of the system call to check if it is proper from a list of legal addresses (legal process space etc) ? rgds Adrian
Current thread:
- Detecting abnormal behaviour Adrian S (Mar 21)
- Re: Detecting abnormal behaviour Stephen. (Mar 23)
- Re: Detecting abnormal behaviour Jose Nazario (Mar 23)
- Re: Detecting abnormal behaviour Martin Mačok (Mar 24)
- Re: Detecting abnormal behaviour Jose Nazario (Mar 23)
- <Possible follow-ups>
- Re: Detecting abnormal behaviour Alexander E. Cuttergo (Mar 21)
- Re: Detecting abnormal behaviour Stephen. (Mar 23)