Has anyone tested to see if "Snare" from intersectalliance.com can
detect someone executing a ptrace attack? An old company I used to work
for has a number of production kernels out and can't just upgrade them
all over night so they need a good detection method and short-term fix
if possible. In the past we had evaluated Snare which I pointed him to
but we're not sure if/how it might detect such an attack.
Thoughts/Theories?
Robert
:wq!
---------------------------------------------------------------------------
Robert L. Harris | PGP Key ID: E344DA3B
@ x-hkp://pgp.mit.edu
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.
Diagnosis: witzelsucht
IPv6 = [email protected] http://ipv6.rdlg.net
IPv4 = [email protected] http://www.rdlg.net
On Mon, 2003-03-24 at 23:20, Robert L. Harris wrote:
> Has anyone tested to see if "Snare" from intersectalliance.com can
> detect someone executing a ptrace attack? An old company I used to work
> for has a number of production kernels out and can't just upgrade them
> all over night so they need a good detection method and short-term fix
> if possible. In the past we had evaluated Snare which I pointed him to
> but we're not sure if/how it might detect such an attack.
I audited snare several months ago, and back then it was trivial to even
get a basic rm /etc/passwd done unaudited..... the design back then was
just not tight. I've heard the SNARE guys have been working hard to
improve that but I've not had time to look at the new code
On Mon, 2003-03-24 at 22:20, Robert L. Harris wrote:
> Has anyone tested to see if "Snare" from intersectalliance.com can
> detect someone executing a ptrace attack? An old company I used to work
> for has a number of production kernels out and can't just upgrade them
> all over night so they need a good detection method and short-term fix
> if possible. In the past we had evaluated Snare which I pointed him to
> but we're not sure if/how it might detect such an attack.
Snare won't really help you. In fact older snare tends to make a box
less secure. The rework looked good but I've not had time to do a
detailed review and I believe they've been busy working on other
projects too.
If there is no UML or debugging done on the box, stick "return -EPERM"
at the start of sys_ptrace and just disable the entire debug/strace
feature set.