Re: Sebek question

[Edward Balas <ebalas () iu edu>]

On Tue, 25 Nov 2003, Bug Ant wrote:

> Hi all,
>    I've a simple question about Sebek.
>
> Can Sebek be installed as a static patch to the kernel instead of a 
> module? In the Sebek FAQ I've found this:
>
> It does this as a kernel module (or patch) 
> (http://www.honeynet.org/tools/sebek/faq.html#faq201)
>
> In the doc I've always read about the use and installation of Sebek as a 
> module... so it's possible to install and use it in a static way? and if 
> no why?
It is not currently possible, mostly because I havent tried to do 
so yet. The root cause in my laziness, and the fact that
not as many people have asked for this as I would have expected.

There should be no real impediment to having sebek patch the source 
instead of using a kernel module, this approach also means that with the 
right patching you can make the sebek read "the" system read call which 
improves the subtlty of sebek while making it harder to disable.

With in the next major release I am hoping to add this capability.

Edward