Honeypots mailing list archives

Re: sebek as a patch?


From: Edward Balas <ebalas () iu edu>
Date: Wed, 05 Oct 2005 11:59:45 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NAHieu wrote:

|
| In the sebek environment, we had better disable /dev/{kmem,mem}, together
| with the module-loading capability. Then nobody can access kernel
| memory any longer, no?
|
If we are concerned about detection, the inability to read from
/dev/kmem or install a kernel module would both be highly suspicious
indicators on a Linux system, in my opinion.

The trick is finding the balance between detection and evasion that
works for you.

Edward

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDRAaBlKB5oSzVKwoRAsXnAKCkeG/S+r7GBKTIa89plREIXZI2UACgm1v1
HmSq/r+/a+86bwIRyh50muo=
=fWmN
-----END PGP SIGNATURE-----
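The two indicators named above, as seen from an intruder's shell on the honeypot: the following is an added example, not code from this thread or from the Sebek project. It probes whether /dev/kmem is gone or unreadable and whether module loading is switched off, taking paths relative to a root prefix so the same functions can be run against "/" on a live host or against a constructed fixture directory. It assumes the later kernels' /proc/sys/kernel/modules_disabled sysctl as the module-loading switch (that knob did not exist on the 2.6 kernels of the time, so where it is absent the state is reported as unknown).

```shell
#!/bin/sh
# Added example, not code from the thread or the Sebek project.
# Two quick probes for the hardening NAHieu proposed, as an intruder
# would run them: is /dev/kmem gone or unreadable, and is module loading
# switched off?  Paths are taken relative to a root prefix ($1) so the
# functions work against "/" on a live host or a constructed fixture tree.
# Assumption: /proc/sys/kernel/modules_disabled is the sysctl later
# kernels use to lock out module loading; if absent, state is "unknown".

kmem_state() {
    # Prints one of: present | absent | denied
    dev="$1/dev/kmem"
    if [ ! -e "$dev" ]; then
        echo absent
    elif dd if="$dev" bs=1 count=1 of=/dev/null 2>/dev/null; then
        echo present        # a byte could be read: looks like a stock box
    else
        echo denied         # node exists but reads fail
    fi
}

modules_state() {
    # Prints one of: enabled | disabled | unknown
    f="$1/proc/sys/kernel/modules_disabled"
    if [ ! -r "$f" ]; then
        echo unknown
    elif [ "$(cat "$f")" = 1 ]; then
        echo disabled
    else
        echo enabled
    fi
}

suspicious_count() {
    # Number of the two indicators that look out of place: 0, 1 or 2.
    n=0
    case $(kmem_state "$1") in
        absent|denied) n=$((n + 1)) ;;
    esac
    if [ "$(modules_state "$1")" = disabled ]; then
        n=$((n + 1))
    fi
    echo "$n"
}

report() {
    printf 'kmem=%s modules=%s suspicious=%s\n' \
        "$(kmem_state "$1")" "$(modules_state "$1")" "$(suspicious_count "$1")"
}

# Stand-alone use: ./probe.sh [root-prefix]; defaults to the live system.
report "${1:-/}"
```

A count of 2 is exactly the configuration NAHieu suggests, and it is what makes the honeypot stand out: a stock Linux box of that era answers "present" and "enabled" (or "unknown").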
