Vulnerability Development mailing list archives

Re: Detecting abnormal behaviour


From: "Stephen." <sa7ori () blackroses com>
Date: Fri, 21 Mar 2003 20:35:54 -0500 (EST)

I am not entirely sure about what you are referring to, but from the
buzzwords you used, I assume what you are trying to do is employ some kernel
module to log the PID of a process that is making a specific system call.
If this is what you are attempting to do, it is fairly trivial to do with
Linux kernel modules. There are actually quite a few programs out there
that will allow you to set up "filters" for syscalls and their parameters,
for instance an "open" on "/etc/passwd". If you are coding this from
scratch, Pragmatic's (THC) paper on Linux Kernel Modules is a good place
to start... Also, check out any of Tim Lawless's code, it's a good place to
rip code from :-). Hope this helps; if not, just email me and I can fire
off some source if you need it.

On Fri, 21 Mar 2003, Adrian S wrote:

> Hi,
>
> Is it possible to determine the source address of the system call to check
> if it is proper from a list of legal addresses (legal process space etc.)?
>
> rgds
> Adrian
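The following is an added example and is not code from either message above, nor from the THC paper or Tim Lawless's code that Stephen mentions. It models in portable user-space C the two decisions such a syscall-logging module would make: Stephen's filter (an "open" on "/etc/passwd", logged with the caller's PID) and the check Adrian asks about (is the user-space address the syscall was issued from inside a mapping the process is allowed to execute?). The `/proc/<pid>/maps` text and the event records are constructed samples, the `syscall_event` layout and all function names are hypothetical, and a 64-bit address space is assumed; a real module would obtain these values from the hooked syscall entry, not from text.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

/* One executable mapping of the monitored process, taken from /proc/<pid>/maps. */
struct exec_range { uintptr_t start, end; };

/* A syscall event as a hook might hand it to the filter: PID, syscall name,
 * first string argument, and the user-space address the call returns to.
 * Hypothetical record layout, not a kernel interface. */
struct syscall_event {
    int pid;
    const char *name;
    const char *arg0;
    uintptr_t ret_addr;
};

/* Constructed sample: two executable mappings (binary text and libc),
 * plus writable data and the stack. */
static const char *SAMPLE_MAPS =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/demo\n"
    "7f0000000000-7f0000020000 r-xp 00000000 08:01 5678 /lib/libc.so.6\n"
    "7fff00000000-7fff00021000 rw-p 00000000 00:00 0 [stack]\n";

/* Constructed sample events: a normal open from the binary's text segment,
 * an open issued from the stack, an open of an uninteresting file, a read. */
static const struct syscall_event SAMPLE_EVENTS[] = {
    { 1000, "open", "/etc/passwd",  0x400100 },
    { 1001, "open", "/etc/passwd",  0x7fff00000abcULL },
    { 1002, "open", "/tmp/scratch", 0x400100 },
    { 1003, "read", NULL,           0x7f0000001000ULL },
};

/* Parse maps text, keeping only mappings whose permissions include 'x'.
 * Returns the number of ranges stored (at most max). */
int parse_exec_ranges(const char *maps, struct exec_range *out, int max)
{
    int n = 0;
    const char *line = maps;
    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        unsigned long start, end;
        char perms[5];
        if (sscanf(buf, "%lx-%lx %4s", &start, &end, perms) == 3 && perms[2] == 'x') {
            out[n].start = start;
            out[n].end = end;
            n++;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return n;
}

/* Adrian's check: does the issuing address fall inside an executable mapping? */
int addr_is_legal(uintptr_t addr, const struct exec_range *r, int n)
{
    for (int i = 0; i < n; i++)
        if (addr >= r[i].start && addr < r[i].end) return 1;
    return 0;
}

/* Stephen's filter: match the syscall name and, if given, its path argument. */
int filter_matches(const struct syscall_event *ev, const char *want_name, const char *want_arg)
{
    if (strcmp(ev->name, want_name) != 0) return 0;
    if (want_arg == NULL) return 1;
    return ev->arg0 != NULL && strcmp(ev->arg0, want_arg) == 0;
}

/* 0 = ignore, 1 = filter matched (log PID), 2 = matched and issued from
 * outside every executable mapping (e.g. code running on the stack). */
int classify_event(const struct syscall_event *ev, const struct exec_range *r, int n)
{
    if (!filter_matches(ev, "open", "/etc/passwd")) return 0;
    return addr_is_legal(ev->ret_addr, r, n) ? 1 : 2;
}

/* Helpers that run the sample data end to end. */
int sample_exec_range_count(void)
{
    struct exec_range r[8];
    return parse_exec_ranges(SAMPLE_MAPS, r, 8);
}

int classify_sample(int idx)
{
    struct exec_range r[8];
    int n = parse_exec_ranges(SAMPLE_MAPS, r, 8);
    return classify_event(&SAMPLE_EVENTS[idx], r, n);
}

int main(void)
{
    for (int i = 0; i < 4; i++) {
        const struct syscall_event *ev = &SAMPLE_EVENTS[i];
        int c = classify_sample(i);
        if (c == 0) continue;
        printf("pid %d: %s(\"%s\") from 0x%" PRIxPTR "%s\n", ev->pid, ev->name,
               ev->arg0, ev->ret_addr, c == 2 ? "  ALERT: non-executable mapping" : "");
    }
    return 0;
}
```

The decision logic is kept separate from the event source on purpose, so the same functions could be fed by a syscall-table hook, a ptrace tracer or an audit log. One caveat worth keeping in mind when reading the "legal address" result: a call that reaches the kernel through a normal libc wrapper always reports a libc address, so this check catches code executing from writable mappings such as the stack or heap, not calls routed through existing library code.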


