Honeypots mailing list archives
Re: sebek as a patch?
From: Edward Balas <ebalas () iu edu>
Date: Wed, 05 Oct 2005 11:59:45 -0500
NAHieu wrote:
| In a sebek environment, we had better disable /dev/{kmem,mem}, together
| with the module loading capability. Then nobody can access
| kernel memory any longer, no?

If we are concerned about detection, the inability to read from /dev/kmem or install a kernel module would both be highly suspicious indicators on a linux system in my opinion. The trick is finding the balance between detection and evasion that works for you.

Edward
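The trade-off above, as an added example that is not part of the thread or of Sebek: a small POSIX shell audit a honeypot operator can run on the host to see how loudly the two evasion measures (missing /dev/kmem and /dev/mem, module loading switched off) advertise themselves. The ROOT prefix is a hypothetical parameter so the checks can be exercised against a constructed fake filesystem; the kernel.modules_disabled sysctl is the modern mechanism and postdates the 2005 thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Sebek): report how visible the
# Sebek evasion measures are on a Linux host. ROOT ("" for the live host)
# is a hypothetical prefix used only so the checks can run on a fake tree.

# kmem_state ROOT -> "missing" if /dev/kmem or /dev/mem is absent, else "present".
# A missing kernel-memory device node is the first indicator from the thread.
kmem_state() {
    root="${1:-}"
    for dev in "$root/dev/kmem" "$root/dev/mem"; do
        if [ ! -e "$dev" ]; then
            echo "missing"
            return 0
        fi
    done
    echo "present"
}

# modload_state ROOT -> "disabled" when kernel.modules_disabled is 1
# (module loading is off until reboot), otherwise "enabled".
modload_state() {
    f="${1:-}/proc/sys/kernel/modules_disabled"
    if [ -f "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "1" ]; then
        echo "disabled"
    else
        echo "enabled"
    fi
}

# suspicion_level ROOT -> "low", "medium" or "high": how strongly the host
# signals that kernel memory access has been deliberately locked down.
suspicion_level() {
    k=$(kmem_state "$1")
    m=$(modload_state "$1")
    if [ "$k" = "missing" ] && [ "$m" = "disabled" ]; then
        echo "high"
    elif [ "$k" = "missing" ] || [ "$m" = "disabled" ]; then
        echo "medium"
    else
        echo "low"
    fi
}

# audit_host ROOT prints one summary line; call audit_host "" on the live host.
audit_host() {
    printf 'kmem=%s modload=%s suspicion=%s\n' \
        "$(kmem_state "$1")" "$(modload_state "$1")" "$(suspicion_level "$1")"
}
```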