
List:       fedora-devel-list
Subject:    Re: Layering an IDS on Linux - prepwork
From:       Arjan van de Ven <arjan () infradead ! org>
Date:       2007-08-05 23:33:08
Message-ID: 1186356788.2697.1.camel () laptopd505 ! fenrus ! org

On Sun, 2007-08-05 at 16:06 -0400, Alan Cox wrote:
> On Sun, Aug 05, 2007 at 04:31:48PM +0200, Miloslav Trmac wrote:
> > Repeated SIGABRT terminations might indicate an ongoing DoS attack, but
> > isolated SIGABRT terminations need to be ignored, IMHO.
> 
> They probably want logging. You only need one attack. But you want to
> log an abort/core dump of any system service/process anyway - because it
> shouldn't be aborting and the dump will be good gdb food

getting things to dump core somewhere securely, and then do
(semi)offline processing works quite ok. It would even be nice if there
was a "a program dumped core. Can I send a backtrace to the distro
vendor?" program that would allow fedora (and others) to get statistical
information about where the most common crashes happen.

(and with some little magic you can normally deduce attacks as well for
local use)

Example script from way back attached that runs on a core dump and
produces something that in theory can be used for this.


["bt.sh" (bt.sh)]

#!/bin/bash
# (shebang changed from /bin/sh: the script uses the bash-only "function"
# keyword and "&>" redirection)
#
# usage: bt.sh <corefile>
# Prints the rpm versions of the crashed binary and its libraries, the
# -debuginfo packages needed for a symbolic backtrace, and the backtrace.

function rpm_deps {
	echo "relevant rpm versions"
	echo "---------------------"
	# the binary itself plus every shared library ldd resolves for it
	for i in $1 `ldd $1 | cut -d">" -f2 | cut -d"(" -f1`; do
		echo `rpm -qf $i | head -1`
	done | sort -u
}

function backtrace {
	# $1 = executable, $2 = core file; keep only frame and thread lines
	gdb --quiet $1 $2 <<EOF 2>&1 |
set width 250
bt
EOF
	sed -n \
		-e 's/^(gdb) //' \
		-e '/^#/p' \
		-e '/^Thread/p'
}

function debuginfo_libs {
	# list the -debuginfo packages for every library that shows up in the
	# backtrace without symbols ("... from /lib/libfoo.so")
	gdb --quiet $1 $2 <<EOF 2>&1 |
set width 250
bt
EOF
	sed -n \
		-e 's/^(gdb) //' \
		-e '/^#/p' \
		-e '/^Thread/p' |
	sed -n -e '/from/p' | sed -e 's/.* from //' | sort -u |
	xargs -r rpm -qf --queryformat "%{NAME}-debuginfo\n" | sort -u
	# plus the debuginfo package of the executable itself, if not installed
	rpm=`rpm -qf --queryformat "%{NAME}-debuginfo\n" $1`
	rpm -qa $rpm | grep -q $rpm
	if [ "$?" -eq "1" ]; then
		echo $rpm
	fi
}

# find the executable that produced the core: first from the program name
# in the "file" output, falling back to the argv[0] recorded in the core's
# process-info note (eu-readelf -n)
app=`file $1 | cut -d\' -f2`
which $app &> /dev/null
if [ "$?" -eq "1" ]; then
	fname=`eu-readelf -n $1 | grep "args:" | cut -d":" -f2 | cut -d" " -f2`
	wapp=`which $fname`
	if [ "$?" -eq "1" ]; then
		wapp="core"
	fi
else
	wapp=`which $app`
fi

rpm_deps $wapp
debuginfo_libs $wapp $1
backtrace $wapp $1



-- 
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
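The mail stops at producing a backtrace per core dump. The next step it hints at (counting where the most common crashes happen, and telling a burst of aborts apart from an isolated one) needs the frame lines turned into a stable crash signature first. The following is an added example, not code from the mail or from bt.sh: it assumes backtrace text of the shape bt.sh extracts from "gdb ... bt" (frame lines starting with "#", optional "Thread" lines), drops addresses and argument values, skips the raise()/abort() glue frames shared by every SIGABRT, hashes the remaining top frames, and then counts signatures and flags the same crash recurring in one service inside a short window. All sample backtraces and timestamps in it are constructed.

```python
# Added example (not the bt.sh script from the mail): turn gdb backtraces
# into crash signatures, rank them, and flag bursts of the same abort.
import hashlib
import re
from collections import Counter, defaultdict

# One gdb frame line, e.g.
#   #1  0x0041a0a8 in raise () from /lib/libc.so.6
#   #5  0x08048f21 in parse_request (buf=0xbfff1234 "GET /") at server.c:88
FRAME_RE = re.compile(
    r"^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[^\s(]+)"
    r"\s*\((?P<args>.*)\)"
    r"(?:\s+from\s+(?P<lib>\S+)|\s+at\s+(?P<src>\S+))?"
)

# Frames every abort()/assert() dump shares; they say nothing about where
# the crash is, so they are skipped when building the signature.
ABORT_GLUE = {
    "__kernel_vsyscall", "raise", "__GI_raise", "abort", "__GI_abort",
    "__libc_message", "__fortify_fail", "__assert_fail",
}


def parse_frames(bt_text):
    """[(function, origin)] per '#' line, innermost first; origin is the
    library basename or source file without line number (stable across builds)."""
    frames = []
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        origin = m.group("lib") or m.group("src") or "?"
        origin = origin.rsplit("/", 1)[-1].split(":")[0]
        frames.append((m.group("func"), origin))
    return frames


def crash_signature(bt_text, depth=3):
    """(short hash, readable key) from the top `depth` non-glue frames."""
    frames = parse_frames(bt_text)
    while frames and frames[0][0] in ABORT_GLUE:
        frames.pop(0)
    key = "|".join(f"{func}@{origin}" for func, origin in frames[:depth])
    return hashlib.sha256(key.encode()).hexdigest()[:16], key


def most_common_crashes(backtraces, n=5):
    """Rank signatures by frequency: the 'where do crashes happen' view."""
    counts = Counter(crash_signature(bt)[1] for bt in backtraces)
    return counts.most_common(n)


def flag_repeated_aborts(events, window_seconds=60, threshold=3):
    """events: (unix_time, program, signature). Returns the (program, signature)
    pairs seen >= threshold times within any window; isolated dumps are ignored."""
    by_key = defaultdict(list)
    for ts, prog, sig in events:
        by_key[(prog, sig)].append(ts)
    flagged = set()
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(key)
                break
    return flagged


# Constructed samples: two dumps of one assertion failure that differ only
# in addresses/arguments, plus an unrelated NULL dereference.
SAMPLE_BT_ABORT_1 = """\
Thread 1 (process 2697):
#0  0x00110416 in __kernel_vsyscall ()
#1  0x0041a0a8 in raise () from /lib/libc.so.6
#2  0x0041b9dc in abort () from /lib/libc.so.6
#3  0x08048f21 in parse_request (buf=0xbfff1234 "GET /") at server.c:88
#4  0x08049133 in main (argc=1, argv=0xbfff5678) at server.c:140
"""
SAMPLE_BT_ABORT_2 = """\
#0  0x00110416 in __kernel_vsyscall ()
#1  0x0041a0a8 in raise () from /lib/libc.so.6
#2  0x0041b9dc in abort () from /lib/libc.so.6
#3  0x08048f21 in parse_request (buf=0xbfff9999 "POST /") at server.c:88
#4  0x08049133 in main (argc=1, argv=0xbfffabcd) at server.c:140
"""
SAMPLE_BT_SEGV = """\
#0  0x00a1b2c3 in strlen () from /lib/libc.so.6
#1  0x08048d10 in log_line (msg=0x0) at log.c:42
#2  0x08049133 in main (argc=1, argv=0xbfff5678) at server.c:140
"""


def demo():
    """Rank the samples and flag the (constructed) burst of httpd aborts."""
    sig_a1, _ = crash_signature(SAMPLE_BT_ABORT_1)
    sig_a2, _ = crash_signature(SAMPLE_BT_ABORT_2)
    sig_s, _ = crash_signature(SAMPLE_BT_SEGV)
    events = [  # (unix time, program, signature), constructed
        (1186356700, "httpd", sig_a1),
        (1186356710, "httpd", sig_a2),
        (1186356725, "httpd", sig_a1),
        (1186356000, "cupsd", sig_s),
    ]
    ranking = most_common_crashes([SAMPLE_BT_ABORT_1, SAMPLE_BT_ABORT_2, SAMPLE_BT_SEGV])
    return ranking, flag_repeated_aborts(events)


if __name__ == "__main__":
    print(demo())
```

The signature deliberately keeps only function and file/library names: addresses change with ASLR and relinking, argument values change per request, and source line numbers change with every rebuild, so none of them may feed the hash or the same bug would be counted as many different crashes. The window check implements the distinction from the quoted thread: one abort is logged and kept for gdb, the same abort three times in a minute from the same service is worth an alert.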
