<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

Honeypots: Re: sebek as a patch?

Re: sebek as a patch?

From: Edward Balas <ebalas_at_iu.edu>
Date: Wed, 05 Oct 2005 11:59:45 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NAHieu wrote:

|
| In sebek environment, we better disable /dev/{kmem,mem}, together
| with loading module capability. Then nobody can no longer access to
| kernel memory, no?
|
If we are conserned about detection, the inability to read from
/dev/kmem or install a kernel module would both be highly suspicious
indicators on a linux system in my opinion.

The trick is finding a the balance between detection and evasion that
works for you.

Edward

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDRAaBlKB5oSzVKwoRAsXnAKCkeG/S+r7GBKTIa89plREIXZI2UACgm1v1
HmSq/r+/a+86bwIRyh50muo=
=fWmN
-----END PGP SIGNATURE-----
Received on Oct 05 2005

This message: [ Message body ]
Next message: NAHieu: "Re: sebek as a patch?"
Previous message: Edward Balas: "Re: sebek as a patch?"
In reply to: NAHieu: "Re: sebek as a patch?"
Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: sebek as a patch?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]

edgeos