Layering an IDS on Linux - prepwork

Arjan van de Ven arjan at infradead.org
Sun Aug 5 23:33:08 UTC 2007


On Sun, 2007-08-05 at 16:06 -0400, Alan Cox wrote:
> On Sun, Aug 05, 2007 at 04:31:48PM +0200, Miloslav Trmac wrote:
> > Repeated SIGABRT terminations might indicate an ongoing DoS attack, but
> > isolated SIGABRT terminations need to be ignored, IMHO.
> 
> They probably want logging. You only need one attack. But you want to
> log an abort/core dump of any system service/process anyway - because it
> shouldn't be aborting and the dump will be good gdb food

Getting things to dump core somewhere securely, and then doing
(semi)offline processing, works quite ok. It would even be nice if there
was a "a program dumped core. Can I send a backtrace to the distro
vendor?" program that would allow Fedora (and others) to get statistical
information about where the most common crashes happen.

(and with some little magic you can normally deduce attacks as well for
local use)

Example script from way back attached that runs on a coredump and
produces something that in theory can be used for this.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bt.sh
Type: application/x-shellscript
Size: 1092 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20070805/7d5c55ab/attachment-0002.bin 
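Something in the spirit of what the post describes, written here as an added example rather than the bt.sh that was attached: a kernel.core_pattern pipe helper that stores each dump in a root-only directory for offline processing, and flags bursts of SIGABRT dumps from one program (isolated aborts are just gdb food). The /var/lib/corehelper path, the 300 s window and the threshold of 5 are assumptions.

```python
#!/usr/bin/env python3
# Core-dump pipe helper (constructed example, not the bt.sh from the post).
# Install with: echo '|/usr/local/sbin/corehelper %e %p %s %u' > /proc/sys/kernel/core_pattern
# (%e %p %s %u are real core_pattern specifiers; the kernel runs the helper as
# root with the dump on stdin).  Paths and thresholds below are assumptions.
import json
import os
import sys
import time
from collections import Counter

SIGABRT = 6
CORE_DIR = "/var/lib/corehelper"  # assumed root-only directory


def store_core(data, comm, pid, sig, uid, core_dir=CORE_DIR, now=None):
    """Write dump plus JSON sidecar (both mode 0600) for later offline work,
    e.g. gdb in batch mode or a "send a backtrace to the vendor?" dialog."""
    now = time.time() if now is None else now
    os.makedirs(core_dir, mode=0o700, exist_ok=True)
    # %e is the process name, chosen by whoever started it: sanitize it before use in a path.
    safe_comm = "".join(c if c.isalnum() or c in "-_." else "_" for c in comm)
    base = os.path.join(core_dir, f"{safe_comm}.{pid}.{int(now)}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL  # never follow/overwrite an existing file
    with os.fdopen(os.open(base + ".core", flags, 0o600), "wb") as f:
        f.write(data)
    meta = {"comm": comm, "pid": pid, "signal": sig, "uid": uid, "time": now}
    with os.fdopen(os.open(base + ".json", flags, 0o600), "w") as f:
        json.dump(meta, f)
    return base + ".core"


def repeated_aborts(core_dir, window, threshold, now=None):
    """{comm: count} for programs with >= threshold SIGABRT dumps in the last
    `window` seconds: an isolated abort is gdb food, a burst is worth an alert."""
    now = time.time() if now is None else now
    hits = Counter()
    for name in os.listdir(core_dir):
        if name.endswith(".json"):
            with open(os.path.join(core_dir, name)) as f:
                meta = json.load(f)
            if meta["signal"] == SIGABRT and now - meta["time"] <= window:
                hits[meta["comm"]] += 1
    return {comm: n for comm, n in hits.items() if n >= threshold}


if __name__ == "__main__":  # argv from core_pattern: comm pid signal uid
    comm, pid, sig, uid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4])
    path = store_core(sys.stdin.buffer.read(), comm, pid, sig, uid)
    print(path, repeated_aborts(CORE_DIR, window=300, threshold=5), file=sys.stderr)
```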

