Re: Detecting abnormal behaviour

From: Jose Nazario (joseat_private)
Date: Sun Mar 23 2003 - 14:20:47 PST

Next message: Fabrice MARIE: "Re: library/executable image"

Previous message: Brett Moore: "RE: NSLOOKUP.EXE"
In reply to: Stephen.: "Re: Detecting abnormal behaviour"
Next in thread: Martin Mačok: "Re: Detecting abnormal behaviour"
Reply: Martin Mačok: "Re: Detecting abnormal behaviour"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

have a look at systrace. you can block or log with pass arbitrary syscalls
tied to program names.

	http://www.citi.umich.edu/u/provos/systrace/linux.html

for reference, various people have looked at the idea of tracking syscall
paths as a method to detect anomalies. systrace is currently stateless,
but with some work it could be made stateful. its just hard to express a
directed graph of syscalls.

for reference, i did some syscall graphs on openbsd some months back. it
should give you an idea of the rapid complexity you will find:

	http://monkey.org/~jose/graphing/syscalls/

systrace as it stands should be useful for you.

___________________________
jose nazario, ph.d.			joseat_private
					http://www.monkey.org/~jose/

Next message: Fabrice MARIE: "Re: library/executable image"
Previous message: Brett Moore: "RE: NSLOOKUP.EXE"
In reply to: Stephen.: "Re: Detecting abnormal behaviour"
Next in thread: Martin Mačok: "Re: Detecting abnormal behaviour"
Reply: Martin Mačok: "Re: Detecting abnormal behaviour"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Mar 23 2003 - 19:24:47 PST