have a look at systrace. you can block or log with pass arbitrary syscalls tied to program names. http://www.citi.umich.edu/u/provos/systrace/linux.html

for reference, various people have looked at the idea of tracking syscall paths as a method to detect anomalies. systrace is currently stateless, but with some work it could be made stateful. it's just hard to express a directed graph of syscalls.

for reference, i did some syscall graphs on openbsd some months back. it should give you an idea of the rapid complexity you will find: http://monkey.org/~jose/graphing/syscalls/

systrace as it stands should be useful for you.

___________________________
jose nazario, ph.d. joseat_private http://www.monkey.org/~jose/
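The stateful "syscall path" idea the post contrasts with systrace's stateless per-call policy, shown as an added example (this is illustrative Python, not systrace code or anything from the author's graphing work): known-good traces are folded into a directed graph of observed transitions, a new trace is walked against that graph, and any transition never seen in training is flagged. The stateless allowlist check is included beside it so the difference is visible: a trace that uses only permitted calls but in an unseen order passes the stateless check and fails the stateful one. The syscall names and traces are constructed sample data, not captured from a real program.

```python
"""Stateful syscall-transition anomaly detection vs. a stateless allowlist.

Added example; not part of systrace. Traces below are constructed samples.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

START = "<start>"  # synthetic node for the first syscall of a trace

# Constructed known-good traces for a hypothetical file-copying program.
TRAINING: List[List[str]] = [
    ["open", "read", "write", "close", "exit_group"],
    ["open", "read", "read", "write", "write", "close", "exit_group"],
]


def build_graph(traces: Iterable[List[str]]) -> Dict[str, Set[str]]:
    """Directed graph: graph[a] is the set of syscalls observed right after a."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for trace in traces:
        prev = START
        for call in trace:
            graph[prev].add(call)
            prev = call
    return dict(graph)


def edge_count(graph: Dict[str, Set[str]]) -> int:
    """Number of distinct transitions; grows fast for real programs."""
    return sum(len(nxt) for nxt in graph.values())


def find_anomalies(graph: Dict[str, Set[str]],
                   trace: List[str]) -> List[Tuple[int, str, str]]:
    """Stateful check: report (index, previous, current) for unseen transitions."""
    anomalies = []
    prev = START
    for i, call in enumerate(trace):
        if call not in graph.get(prev, set()):
            anomalies.append((i, prev, call))
        prev = call
    return anomalies


def stateless_violations(allowed: Set[str], trace: List[str]) -> List[Tuple[int, str]]:
    """Stateless check, like a per-syscall policy: each call judged alone."""
    return [(i, call) for i, call in enumerate(trace) if call not in allowed]


def allowed_calls(graph: Dict[str, Set[str]]) -> Set[str]:
    """Flatten the graph into the set of syscalls a stateless policy would permit."""
    return set().union(*graph.values()) if graph else set()


def to_dot(graph: Dict[str, Set[str]]) -> str:
    """Render the transition graph in Graphviz DOT for inspection."""
    lines = ["digraph syscalls {"]
    for src in sorted(graph):
        for dst in sorted(graph[src]):
            lines.append(f'  "{src}" -> "{dst}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_graph(TRAINING)
    # Same calls as training, but write happens before read: out-of-order path.
    reordered = ["open", "write", "read", "close", "exit_group"]
    print("stateless:", stateless_violations(allowed_calls(g), reordered))
    print("stateful: ", find_anomalies(g, reordered))
    print(to_dot(g))
```

Running it shows the stateless check returning nothing for the reordered trace while the stateful walk reports three unseen transitions. The DOT output is what makes the growth in edges visible once traces come from a real program rather than a five-call toy.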
This archive was generated by hypermail 2b30 : Sun Mar 23 2003 - 19:24:47 PST