Subject: Re: Core Dump as an Intrusion Event
From: Alexander Kiwerski (alex WINSTAR.NET)
Date: Thu Oct 05 2000 - 09:56:27 CDT
At 07:00 AM 10/5/2000, Crispin Cowan wrote:
>Anyone have practical comments on this hypothesis? In practice, how
>often do services dump core for non-security reasons? If services dump
>core for non-security reasons even just a little, then the
>false-positive rate of intrusion detection from this clue gets out of
>control.
In practice, they shouldn't. However, I have seen machines that have
'buggy' versions of the service daemons and end up dumping core once a week
or so. Again, this shouldn't happen, and you should fix the problem
(patches, etc.) as quickly as possible. Most relevant example (some time ago
too) I can think of is I saw it once on a Linux box, and Apache would dump
once in a while, though this was in the early days of Apache.
-Alexander Kiwerski