Re: SNARE and Ptrace?

From: Arjan van de Ven (arjanv@redhat.com)
Date: Mon Mar 24 2003 - 17:29:48 EST


On Mon, 2003-03-24 at 23:20, Robert L. Harris wrote:
> Has anyone tested to see if "Snare" from intersectalliance.com can
> detect someone executing a ptrace attack? An old company I used to work
> for has a number of production kernels out and can't just upgrade them
> all overnight so they need a good detection method and short-term fix
> if possible. In the past we had evaluated Snare which I pointed him to
> but we're not sure if/how it might detect such an attack.

I audited SNARE several months ago, and back then it was trivial to even
get a basic rm /etc/passwd done unaudited... the design back then was
just not tight. I've heard the SNARE guys have been working hard to
improve that but I've not had time to look at the new code.



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/


