Subject: Re: Core Dump as an Intrusion Event
From: W. Reilly Cooley (wcooley WIREX.COM)
Date: Thu Oct 05 2000 - 12:21:03 CDT
- Next message: Eclipse, Solar: "Re: Core Dump as an Intrusion Event"
- Previous message: Crist Clark: "Re: Core Dump as an Intrusion Event"
- In reply to: Crispin Cowan: "Core Dump as an Intrusion Event"
- Next in thread: Eclipse, Solar: "Re: Core Dump as an Intrusion Event"
- Reply: W. Reilly Cooley: "Re: Core Dump as an Intrusion Event"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, Oct 05, 2000 at 07:00:15AM -0700, Crispin Cowan wrote:
> Anyone have practical comments on this hypothesis? In practice, how
> often do services dump core for non-security reasons? If services dump
> core for non-security reasons even just a little, then the
> false-positive rate of intrusion detection from this clue gets out of
> control.
Aside from Netscape, not very often. I think it's still worth knowing,
especially on servers, even in the case that it's not a likely intrusion.
FWIW, the FreeBSD 2.2 kernel logs this kind of information, and my log
checker sends it to me (since it logs at facility 'kernel').
> Caveat: I know that this is a bad heuristic for Windows machines :-)
Wil

--
W. Reilly Cooley, Esq.    wcooleywirex.com
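The log check described in the message above, as an added example that is not code from the post, from the list, or from WireX. It assumes a kernel line of the shape "pid N (prog), uid N: exited on signal N (core dumped)" (modelled on FreeBSD's message; the exact wording varies by release, so check the regex against your own logs), FreeBSD signal numbers, constructed sample syslog lines, and a small list of programs known to dump core for non-security reasons (the post names Netscape). Each dump is rated rather than simply reported, so the known-noisy program is dropped while a burst of dumps from one service, or a root process dumping core, is escalated.

```python
#!/usr/bin/env python3
"""Pick kernel core-dump messages out of syslog output and rate each one.

Added example; not code from the post.  The kernel message shape below is an
assumption modelled on FreeBSD's "exited on signal N (core dumped)" line.
"""
import re
from collections import Counter

# Assumed line shape:
#   <timestamp> <host> /kernel: pid N (prog), uid N: exited on signal N (core dumped)
CORE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+/kernel:\s+"
    r"pid\s+(?P<pid>\d+)\s+\((?P<prog>[^)]+)\),\s+uid\s+(?P<uid>\d+):\s+"
    r"exited on signal\s+(?P<sig>\d+)\s+\(core dumped\)"
)

# Programs known to dump core for non-security reasons on this host.  The post
# names Netscape; keep the list short, because every entry is a blind spot.
NOISY_PROGRAMS = {"netscape"}

# Signals a failed memory-corruption attempt most often ends in (FreeBSD numbering).
SUSPECT_SIGNALS = {4: "SIGILL", 10: "SIGBUS", 11: "SIGSEGV"}

# Dumps from one program within a batch that count as a burst.
BURST = 3

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
Oct  5 11:58:02 gw /kernel: pid 312 (netscape), uid 1001: exited on signal 11 (core dumped)
Oct  5 12:03:44 gw /kernel: pid 401 (httpd), uid 80: exited on signal 11 (core dumped)
Oct  5 12:03:51 gw /kernel: pid 402 (httpd), uid 80: exited on signal 11 (core dumped)
Oct  5 12:03:58 gw /kernel: pid 403 (httpd), uid 80: exited on signal 11 (core dumped)
Oct  5 12:10:12 gw /kernel: pid 520 (cron), uid 0: exited on signal 6 (core dumped)
Oct  5 12:11:00 gw sendmail[221]: alias database /etc/aliases rebuilt by root
"""


def parse_core_dump(line):
    """Return a dict for a kernel core-dump line, or None for any other line."""
    m = CORE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"], "host": m["host"], "pid": int(m["pid"]),
        "prog": m["prog"], "uid": int(m["uid"]), "sig": int(m["sig"]),
    }


def classify(events, burst=BURST):
    """Attach a level and a reason to each parsed event.

    ignore : program is on the known-noisy list
    alert  : burst from one program, root process, or a suspect signal
    notice : anything else; worth a look, not an alarm
    """
    per_prog = Counter(e["prog"] for e in events)
    rated = []
    for e in events:
        n = per_prog[e["prog"]]
        if e["prog"] in NOISY_PROGRAMS:
            level, why = "ignore", "known to crash for non-security reasons"
        elif n >= burst:
            level, why = "alert", f"{n} core dumps from {e['prog']} in one batch"
        elif e["uid"] == 0:
            level, why = "alert", "root process dumped core"
        elif e["sig"] in SUSPECT_SIGNALS:
            level, why = "alert", f"{SUSPECT_SIGNALS[e['sig']]} from {e['prog']}"
        else:
            level, why = "notice", f"single core dump on signal {e['sig']}"
        rated.append(dict(e, level=level, why=why))
    return rated


def scan(text):
    """Parse syslog text and return the rated core-dump events in log order."""
    events = [e for e in map(parse_core_dump, text.splitlines()) if e]
    return classify(events)


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f"{r['level']:<6} {r['ts']} {r['prog']}[{r['pid']}] "
              f"uid={r['uid']} sig={r['sig']}: {r['why']}")
```

Run it over a day's /var/log/messages (the kernel logs these at the kern facility, so make sure syslog.conf routes kern.* somewhere the checker reads) and page only on "alert"; the "notice" lines are the ones the post suggests are still worth knowing about on a server even when an intrusion is unlikely.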