
Re: Layering an IDS on Linux - prepwork



On Sun, 2007-08-05 at 16:06 -0400, Alan Cox wrote:
> On Sun, Aug 05, 2007 at 04:31:48PM +0200, Miloslav Trmac wrote:
> > Repeated SIGABRT terminations might indicate an ongoing DoS attack, but
> > isolated SIGABRT terminations need to be ignored, IMHO.
> 
> They probably want logging. You only need one attack. But you want to
> log an abort/core dump of any system service/process anyway - because it
> shouldn't be aborting and the dump will be good gdb food

Getting things to dump core somewhere securely, and then do
(semi)offline processing works quite ok. It would even be nice if there
was a "a program dumped core. Can I send a backtrace to the distro
vendor?" program that would allow Fedora (and others) to get statistical
information about where the most common crashes happen.

(and with some little magic you can normally deduce attacks as well for
local use)

Example script from way back attached that runs on a coredump and
produces something that in theory can be used for this.

Attachment: bt.sh
Description: application/shellscript
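An added example, not the bt.sh attachment from this message, of the two pieces the reply describes: a handler that stores a core dump securely (assumed to be installed through the Linux core_pattern pipe) and the offline step that boils a gdb backtrace down to a crash signature for counting common crash sites. Function and directory names are assumptions.

```shell
#!/bin/sh
# Added example (not the bt.sh attachment). Install as root with
#   echo "|/usr/local/sbin/core-handler %e %p %s" > /proc/sys/kernel/core_pattern
# The kernel then pipes each core to this script on stdin and passes the
# executable name, pid and terminating signal number as arguments.

: "${CRASH_DIR:=/var/crash}"   # assumed root-owned, mode 0700

# save_core EXE PID SIG < core : keep the dump readable only by root and
# log the event (a SIGABRT, signal 6, from a service is worth a look).
save_core() {
    umask 077
    [ -d "$CRASH_DIR" ] || mkdir -p "$CRASH_DIR"
    out="$CRASH_DIR/$1.$2.sig$3.core"
    cat > "$out"
    logger -p daemon.warning -t core-handler \
        "$1[$2] dumped core on signal $3 -> $out" 2>/dev/null || :
    printf '%s\n' "$out"
}

# backtrace EXE CORE : raw gdb backtrace for offline processing
# (needs gdb and debug symbols on the analysis box, not the dumping host).
backtrace() {
    gdb -batch -nx -ex bt "$1" "$2" 2>/dev/null
}

# signature < backtrace : frame function names joined by '|'. Frame
# numbers, addresses, arguments and file:line are dropped so the same
# crash site yields the same key regardless of ASLR or argument values,
# which is what makes the dumps countable across many machines.
signature() {
    awk '
        /^#[0-9]+ /{
            sub(/^#[0-9]+ +/, "")
            sub(/^0x[0-9a-fA-F]+ in /, "")
            sub(/ *\(.*$/, "")
            frames = (frames == "") ? $0 : frames "|" $0
        }
        END { print frames }'
}

# When run by the kernel (three arguments), store the core; otherwise the
# functions above are just defined for interactive or scripted use.
if [ $# -ge 3 ]; then
    save_core "$@"
fi
```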

