LinuxQuestions.org


lonelyfloyd 04-04-2008 01:28 AM

System call tracing for IDS .... how????
 
Guys, I want to know how I can trace system calls for a running process, like say sendmail, and hand them over to a C program for analysis, i.e. comparing them with a database of normal behaviour to aid intrusion detection.

I will appreciate it if you people reply.

Thanks


Floyd

Valery Reznic 04-04-2008 03:30 AM

strace?

Valery

unSpawn 04-04-2008 05:58 AM

Behavioural analysis support for GNU/Linux sounds cool and I'm not aware there's such a product already for this. Strace should work OK but that's userland, a bit unwieldy and doesn't allow you to deny/grant access. I think hooking into the kernel could be "better" performance-wise and because you then also have the means to deny or grant access. IMHO one of the (most easily understandable and configurable) examples of a userland/kernel combo logging and denying syscalls would be Syscalltrace. It's kernel 2.4-only but IIRC Kprobes and the Linux Trace Toolkit both cover 2.4 and 2.6. Maybe it's not bad also to look at other approaches for doing deny/grants like GRSecurity's RBAC and SELinux. Maybe hooking into the LSM ain't a bad idea. Should save time since the framework is already there.

Now for a bit of a downer. In the other thread (the one I didn't close) you state you're "workin on a Host-based IDS". In this thread you're basically asking how such a HIDS would function. I'm getting the idea this may be an assignment of sorts. Is it?

lonelyfloyd 04-05-2008 12:05 PM

No, I'm actually working on a project HIDS. I've been struggling hard to find a tool which will allow me to intercept system calls of a running process and then analyse them, so that I can compare them with a database of normal behaviour.

Thanks a lot for the advice. I will definitely try out the stuff.
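The tracer lonelyfloyd describes, as an added example that is not from the thread or any of its posters: it attaches to a running pid with ptrace(2) (the same mechanism strace uses), records syscall numbers at each syscall-entry stop and scores them against an N-gram database of normal behaviour learned from a known-good run. It assumes Linux x86_64 (it reads orig_rax/rax), ptrace permission on the target, and the N-gram scheme and function names are my own choices.

```c
/* Added example (not from the thread): a strace-like ptrace(2) tracer that records
 * a running pid's syscall numbers and scores them against an N-gram "normal" db. */
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>

#define N 3                /* window size of the syscall N-grams */
#define MAX_DB 4096
static long db[MAX_DB][N]; /* N-grams observed during known-good runs */
static int db_len;

static int db_has(const long *g) {
    for (int j = 0; j < db_len; j++)
        if (memcmp(db[j], g, sizeof db[j]) == 0) return 1;
    return 0;
}

/* Learn every N-gram of a known-good syscall sequence; returns db size. */
int db_train(const long *seq, int len) {
    for (int i = 0; i + N <= len && db_len < MAX_DB; i++)
        if (!db_has(seq + i)) memcpy(db[db_len++], seq + i, sizeof db[0]);
    return db_len;
}

/* Count the N-grams of a sequence that never occurred in normal behaviour. */
int db_mismatches(const long *seq, int len) {
    int miss = 0;
    for (int i = 0; i + N <= len; i++) miss += !db_has(seq + i);
    return miss;
}

/* Attach to pid and record up to max syscall numbers; -1 if attach fails. */
int trace_syscalls(pid_t pid, long *out, int max) {
    int n = 0, status, sig = 0;
    struct user_regs_struct r;
    if (ptrace(PTRACE_ATTACH, pid, 0, 0) == -1) return -1;
    waitpid(pid, &status, 0);                        /* initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)(long)PTRACE_O_TRACESYSGOOD);
    while (n < max && ptrace(PTRACE_SYSCALL, pid, 0, (void *)(long)sig) == 0 &&
           waitpid(pid, &status, 0) > 0 && WIFSTOPPED(status)) {
        sig = 0;   /* a real signal is forwarded on the next resume, not swallowed */
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; }
        if (ptrace(PTRACE_GETREGS, pid, 0, &r) == 0 && r.rax == (unsigned long)-ENOSYS)
            out[n++] = r.orig_rax;   /* rax == -ENOSYS only at the syscall-entry stop */
    }
    ptrace(PTRACE_DETACH, pid, 0, 0);
    return n;
}
```

A driver would call trace_syscalls() on the pid during a known-good run, feed the result to db_train(), trace again later and report db_mismatches(); unSpawn's caveat still applies, since this observes from userland and cannot deny a call.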

