Vulnerability Development mailing list archives
Re: Detecting abnormal behaviour
From: Jose Nazario <jose () monkey org>
Date: Sun, 23 Mar 2003 17:20:47 -0500 (EST)
have a look at systrace. you can block or log with pass arbitrary syscalls tied to program names.

http://www.citi.umich.edu/u/provos/systrace/linux.html

for reference, various people have looked at the idea of tracking syscall paths as a method to detect anomalies. systrace is currently stateless, but with some work it could be made stateful. it's just hard to express a directed graph of syscalls.

for reference, i did some syscall graphs on openbsd some months back. it should give you an idea of the rapid complexity you will find:

http://monkey.org/~jose/graphing/syscalls/

systrace as it stands should be useful for you.

___________________________
jose nazario, ph.d. jose () monkey org http://www.monkey.org/~jose/
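The "stateful" tracking the post says systrace lacks can be sketched as a directed graph of observed syscall transitions, learned from known-good runs and then used to flag transitions a new run makes that were never seen. The following is an added example written for this archive page, not code from systrace or from the author; the traces are constructed and the program being traced is hypothetical.

```python
from collections import defaultdict

# Constructed sample traces (not real strace/systrace output): each is the
# ordered list of syscalls one known-good run of a hypothetical program made.
TRAINING_TRACES = [
    ["execve", "brk", "openat", "read", "close", "write", "exit_group"],
    ["execve", "brk", "openat", "read", "read", "close", "write", "exit_group"],
    ["execve", "brk", "openat", "read", "close", "write", "write", "exit_group"],
]

# Constructed run of the same program whose tail no longer matches the model.
SUSPECT_TRACE = ["execve", "brk", "openat", "read", "close",
                 "socket", "connect", "execve"]


def build_graph(traces):
    """Directed graph of syscall transitions: node -> set of successor nodes."""
    graph = defaultdict(set)
    for trace in traces:
        for cur, nxt in zip(trace, trace[1:]):
            graph[cur].add(nxt)
    return dict(graph)


def unseen_transitions(graph, trace):
    """(from, to) pairs in trace that the training graph never observed."""
    return [(cur, nxt) for cur, nxt in zip(trace, trace[1:])
            if nxt not in graph.get(cur, set())]


def is_anomalous(graph, trace, threshold=1):
    """Flag a run once it makes at least `threshold` unseen transitions."""
    return len(unseen_transitions(graph, trace)) >= threshold


def to_dot(graph):
    """Render the transition graph in Graphviz DOT so it can be drawn."""
    lines = ["digraph syscalls {"]
    for cur in sorted(graph):
        for nxt in sorted(graph[cur]):
            lines.append(f'    "{cur}" -> "{nxt}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    model = build_graph(TRAINING_TRACES)
    print(to_dot(model))
    print("suspect run anomalous:", is_anomalous(model, SUSPECT_TRACE))
    print("unseen:", unseen_transitions(model, SUSPECT_TRACE))
```

A first-order model like this only remembers the previous syscall; real deployments usually use longer windows (n-grams) and a much larger training set, which is exactly where the graph complexity the post mentions shows up.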