Live Analysis in Windows and Linux

Please read pp. 489-659 of MF, and pp. 261-307 of WFA.

Following MF pages 490 and 576, what characteristics of an interesting program are we looking at?

Quick disassembly

You can use "objdump --disassemble-all" to get a quick disassembly of a suspect program.

Baselining the work environment

One old standby for "fingerprinting" a system is Tripwire. While it went commercial many years ago, there are open source forks of the code. There is a 2.4.0 version in your PCLinuxOS repository, or you can pull the latest and greatest SourceForge version (March 2010) from here.

Another program is AIDE, which is also in your repository.

(Your book mentions NAGIOS, but that's a network-based system monitoring tool that I don't think would be very useful for baselining systems.)

Watching the environment

First, run your newly installed fingerprint software on your virtual machine (or "throwaway" machine).

Now you can use the standard programs that we talked about back in the beginning with live analysis: "ps", "top", "lsof", "netstat", and even "ls" to look at the pseudo-directory /proc/<pid>/. Two that we haven't talked about but that are very useful are "wireshark" and "tcpdump" (both built on the same set of routines in libpcap). Your book also mentions "etherape", which might be useful for visualizing network activity (and certainly is an amusing program just to run!)

IDS time

Snort is a very standard IDS, and it's very easy to install from your repository. (It, like tcpdump and wireshark, is based on the excellent libpcap package.) Unfortunately, it's not as easy to configure, and you will have to spend some time getting it working.


The program "strace" is an excellent tool (as we saw last class!) for following the system calls made by a process.

The program "ltrace" might also be useful, but there are two caveats here: (1) it shows library calls, not system calls (at least, not by default); (2) these library calls are much less meaningful to users not familiar with the particulars of a given library (and there are thousands of these libraries!)

You can also use "pmap PID" to find out where in memory the pieces of a running program (its executable, shared libraries, heap and stack) are mapped.


The easiest items to check are probably filesystem changes, using "tripwire -m c" or "aide".
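As an added illustration (not part of the course notes, and not Tripwire's or AIDE's own code), here is a minimal shell version of that filesystem check: take_baseline records a SHA-256 hash and the permission bits of every regular file under a directory, and compare_baseline reports what was added, removed or changed since the baseline was taken. It assumes a Linux host with GNU coreutils and awk, and file names without embedded newlines.

```shell
#!/bin/sh
# Minimal Tripwire/AIDE-style baseline: one manifest line per regular file,
# "<sha256> <octal mode> <path>", so both content and permission changes show up.

take_baseline() {
    # $1 = directory to fingerprint, $2 = manifest file to write
    dir=$1; manifest=$2
    find "$dir" -type f | LC_ALL=C sort |
    while IFS= read -r f; do
        hash=$(sha256sum "$f" | cut -d' ' -f1)   # content fingerprint
        mode=$(stat -c '%a' "$f")                # e.g. 644, 4755
        printf '%s %s %s\n' "$hash" "$mode" "$f"
    done > "$manifest"
}

compare_baseline() {
    # $1 = baseline manifest, $2 = current manifest; prints one line per
    # difference, prefixed "added", "removed" or "changed", sorted by path.
    old=$1; new=$2
    awk '
        {   # the path is everything after the first two space-separated fields
            path = $0; sub(/^[^ ]+ [^ ]+ /, "", path)
            val = $1 " " $2
            if (FILENAME == ARGV[1]) base[path] = val; else cur[path] = val
        }
        END {
            for (p in cur)  if (!(p in base)) print "added   " p
            for (p in base) if (!(p in cur))  print "removed " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "changed " p
        }' "$old" "$new" | LC_ALL=C sort
}

# Usage (constructed example, run from a throwaway machine):
#   take_baseline /etc /root/etc.baseline      # right after installing
#   take_baseline /etc /tmp/etc.now            # later, during live analysis
#   compare_baseline /root/etc.baseline /tmp/etc.now
```

Store the baseline manifest off the machine being watched; a manifest kept on the same disk can be edited along with the files it describes.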

You can try to postprocess your tcpdump data with various programs.