Vulnerability Development mailing list archives
Re: Detecting abnormal behaviour
From: Jose Nazario <jose () monkey org>
Date: Sun, 23 Mar 2003 17:20:47 -0500 (EST)
have a look at systrace. you can block, log, or pass arbitrary syscalls
tied to program names.
http://www.citi.umich.edu/u/provos/systrace/linux.html
for reference, various people have looked at the idea of tracking syscall
paths as a method to detect anomalies. systrace is currently stateless,
but with some work it could be made stateful. it's just hard to express a
directed graph of syscalls.
for reference, I did some syscall graphs on openbsd some months back. it
should give you an idea of the rapid complexity you will find:
http://monkey.org/~jose/graphing/syscalls/
systrace as it stands should be useful for you.
___________________________
jose nazario, ph.d. jose () monkey org
http://www.monkey.org/~jose/
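The "directed graph of syscalls" the post says is hard to express in a stateless policy, as an added illustration that is not part of the original message or of systrace: a training set of per-program syscall traces is turned into a graph of observed (previous, next) transitions, and a new trace is checked against it, so any transition never seen for that program is reported. The program name "httpd" and all traces are constructed for the example.

```python
# Added example (not from the post or from systrace): a stateful
# syscall-transition model. Each trace is a sequence of syscall names
# as a tracer would log them. Training builds a directed graph whose
# edges are the observed (prev, next) transitions per program; checking
# a new trace reports transitions the graph never saw.
from collections import defaultdict

# Constructed training traces for a hypothetical "httpd" binary.
TRAIN = {
    "httpd": [
        ["socket", "bind", "listen", "accept", "read", "open", "read",
         "write", "close", "close"],
        ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ],
}


def build_graph(traces):
    """Return {program: {prev_syscall: set(next_syscalls)}} from traces."""
    graph = defaultdict(lambda: defaultdict(set))
    for prog, runs in traces.items():
        for run in runs:
            # Pad with sentinels so the first and last calls are edges too.
            for prev, nxt in zip(["<start>"] + run, run + ["<end>"]):
                graph[prog][prev].add(nxt)
    return graph


def check_trace(graph, prog, run):
    """Return a list of (index, prev, next) transitions absent from graph.

    A program with no training data is reported as one anomaly at index -1.
    """
    if prog not in graph:
        return [(-1, "<unknown-program>", prog)]
    edges = graph[prog]
    anomalies = []
    for i, (prev, nxt) in enumerate(zip(["<start>"] + run, run + ["<end>"])):
        if nxt not in edges.get(prev, set()):
            anomalies.append((i, prev, nxt))
    return anomalies


if __name__ == "__main__":
    g = build_graph(TRAIN)
    # Constructed suspect trace: "read" followed by "execve" is a transition
    # the training runs never produced, so it and everything after it is flagged.
    suspect = ["socket", "bind", "listen", "accept", "read", "execve", "wait4"]
    for idx, prev, nxt in check_trace(g, "httpd", suspect):
        print(f"httpd: unseen transition {prev} -> {nxt} at position {idx}")
```

Every syscall in the suspect trace is individually permitted by a per-program allow list; only the ordering makes it stand out, which is exactly what a stateless policy cannot express.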