Cheesewire

14. Loadable Module: Open Files (`IDM_open_files.pm`)

The IDM_open_files modules monitors all open files in specified directories (and their subdirectories):

it is expected that particular directories will be selected, e.g., those in which intruder-related software is commonly hidden;
regular-expressions can be used.

14.1. Signature Configuration

All paths in this section are relative to <sids_root>.

Files:

    /etc/IDM_open_files/expected.local.lsof
    /etc/IDM_open_files/expected.<platform>.lsof

local signatures for a particular directory take precedence over — i.e., override — <platform> signatures.

14.1.1. Example Signature Files

This example file configures IDM_open_files to monitor two directories, /dev, where intruder-related software if often hidden, and /lib,

    #
    # -- reg-exps are fine (encouraged) :
    #

    DIR: "/dev"

      initctl
      null
      ptmx
      xconsole
      zero
      pts\/\d
      ttyS\d
      tty\d

    DIR: "/lib64"
    
      ld-2.3.4.so
      lib.*so.*
      security\/pam_[a-z0-9]+.so

14.1.2. Signature Processing

The configurations given for a particular directory are converted into a regular expression match, for example, for /lib64, as specified above:

    $of =~ m/ld-2.3.4.so
        |lib.*so.*
        |security\/pam_[a-z0-9]+.so/x

Any file found open within /lib64 which does not match this reg-exp is logged.

...previous

up (conts)

next...

About this document:

Produced from the SGML: /home/isd/public_html/_cheesewire/_reml_grp/index.reml
On: 4/9/2006 at 17:35:44
Options: reml2 -i noindex -l long -o html -p multiple

14. Loadable Module: Open Files (IDM_open_files.pm)

14.1. Signature Configuration

14.1.1. Example Signature Files

14.1.2. Signature Processing

14. Loadable Module: Open Files (`IDM_open_files.pm`)