Subject: Re: Core Dump as an Intrusion Event
From: Pascal Bouchareine (pb GROLIER.FR)
Date: Thu Oct 05 2000 - 10:31:34 CDT
- Next message: Crist Clark: "Re: Core Dump as an Intrusion Event"
- Previous message: antirez: "Re: Core Dump as an Intrusion Event"
- In reply to: Crispin Cowan: "Core Dump as an Intrusion Event"
- Next in thread: Crist Clark: "Re: Core Dump as an Intrusion Event"
- Reply: Pascal Bouchareine: "Re: Core Dump as an Intrusion Event"
So true.
Many crontabs used to do a find / -name core -exec rm -f {} \;
Service core dumps would ideally be analyzed by a system administrator.
If not to notice (a bit late?) an intrusion attempt, to fix bugs in his
applications.
Core dump notification sounds generally good to me. Even a false-true
is interesting to look at :)
An annoying point is, *many* usual daemons have complex memory leaks,
and often core dump after a long period of running time. This is often
very hard to analyze and fix.
On Thu, Oct 05, 2000 at 07:00:15AM -0700, Crispin Cowan wrote:
> Anyone have practical comments on this hypothesis? In practice, how
> often do services dump core for non-security reasons? If services dump
> core for non-security reasons even just a little, then the
> false-positive rate of intrusion detection from this clue gets out of
> control.
>
> Caveat: I know that this is a bad heuristic for Windows machines :-)
--
Kalou.
ldiq t0, 0xbeeffedadeadbabe
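
A reporting counterpart to the cron cleanup mentioned in the message, as an added example that is not part of the original post: it lists new core dumps for an administrator to review and leaves them in place. The function names, the state file and the `core` / `core.*` naming pattern are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original thread): report new core dumps
# instead of deleting them. Assumes dumps are named "core" or "core.*".

# is_elf_core FILE: succeed only if FILE is an ELF file whose e_type is
# ET_CORE (4), so a source directory's "core" file is not reported.
is_elf_core() {
    f=$1
    # First 18 bytes as decimals: $1..$4 magic, $6 EI_DATA, $17/$18 e_type.
    set -- $(od -An -tu1 -N18 "$f" 2>/dev/null)
    [ $# -eq 18 ] || return 1
    [ "$1 $2 $3 $4" = "127 69 76 70" ] || return 1   # 0x7f 'E' 'L' 'F'
    case $6 in
        1) etype=$(( ${17} + 256 * ${18} )) ;;       # little-endian
        2) etype=$(( ${18} + 256 * ${17} )) ;;       # big-endian
        *) return 1 ;;
    esac
    [ "$etype" -eq 4 ]
}

# report_new_cores ROOT STATE: print the "ls -ln" line (uid, size, mtime,
# path) of every ELF core under ROOT that is not yet recorded in STATE,
# and record it so the next cron run only reports dumps that are new.
report_new_cores() {
    root=$1
    state=$2
    touch "$state"
    find "$root" -xdev -type f \( -name core -o -name 'core.*' \) 2>/dev/null |
    while IFS= read -r path; do
        is_elf_core "$path" || continue
        key=$(ls -ln "$path")
        grep -qxF -- "$key" "$state" && continue
        printf '%s\n' "$key" | tee -a "$state"
    done
}

# Run from cron as: script ROOT STATE (cron mails any output to the owner).
if [ $# -ge 2 ]; then
    report_new_cores "$1" "$2"
fi
```

A daemon that dumps core repeatedly for non-security reasons shows up as a new line each time, so the state file also gives a rough count of how noisy this signal is on a given host.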