Welcome to TiddlyWiki created by Jeremy Ruston, Copyright © 2007 UnaMesa Association
//{{{
//Macro: allTagsExcept
//Author: Clint Checketts
//Version: 1.0 Sept 8, 2005
//usage: < < allTagsExcept systemConfig systemTiddlers > > shows every tag except those listed (here systemConfig and systemTiddlers)
version.extensions.allTagsExcept = {major: 0, minor: 1, revision: 0, date: new Date(2005,8,15)};
config.macros.allTagsExcept = {tooltip: "Show tiddlers tagged with '%0'", noTags: "There are no tags to display"};
config.macros.allTagsExcept.handler = function(place,macroName,params)
{
	var tags = store.getTags();
	var theTagList = createTiddlyElement(place,"ul",null,null,null);
	if(tags.length == 0)
		createTiddlyElement(theTagList,"li",null,"listTitle",this.noTags);
	for (var t=0; t<tags.length; t++) {
		// skip any tag named in the macro parameters
		var includeTag = true;
		for (var p=0; p<params.length; p++)
			if (tags[t][0] == params[p]) includeTag = false;
		if (includeTag) {
			var theListItem = createTiddlyElement(theTagList,"li",null,null,null);
			var theTag = createTiddlyButton(theListItem,tags[t][0] + " (" + tags[t][1] + ")",this.tooltip.format([tags[t][0]]),onClickTag);
			theTag.setAttribute("tag",tags[t][0]);
		}
	}
}
//}}}
!__1.0 Honeynet Deployments__
!!1.1 Current technologies deployed.
We are running a GEN II Honeynet with a variety of ~OSs of interest. We continue to use live ~OSs instead of ~VMware or ~HoneyD. Our web page with a diagram of our current setup is located at: http://users.ece.gatech.edu/~owen/Research/HoneyNet/HoneyNet_home.htm. Since our last report, we have restructured our honeynet and converted to the Honeywall CD configuration; we also now conduct all monitoring of the honeynet on an analysis box that is separate from the Honeywall (bridge) machine. We continue to deploy a Darknet within our Honeynet and have added a SUN workstation during this period. Our focus continues to be the use of the Honeynet to help secure the campus network.
!!1.2 Lessons learned from the technology, what you like about it.
Honeynets can be incorporated into an organization’s network security plan to help secure the network. We work closely with Georgia Tech’s Office of Information Technology to help secure the campus network.
We have improved our log file naming convention. Previously we created a new folder for each day's log file(s) and named the folder by month and day (e.g. Mar15, Apr24, Aug12). That format required separate storage locations for different years and was harder to navigate, both within Ethereal and in scripts that run over a series of logs, because the folders sorted alphabetically by month rather than by date. Our improved format is one folder per day named in YYYYMMDD form (e.g. 20020315, 20030424, 20040812), which sorts chronologically and keeps all years together.
Our new setup with the honeywall CD, separate analysis box, and cleanly wired honeynet rack appears to be stable and makes it much simpler to adjust the configuration of the honeynet; adding a honeypot to the network or quickly disconnecting a honeypot from the network is now a simpler task as a result of the improvements made this summer.
The data consistency created by using the honeywall CD is very beneficial.
!!1.3 Lessons learned from the technology, what is lacking, what you would like to see improved.
We need better methods to analyze the large amount of data collected by the honeynet. We are working towards developing tools to both analyze and visualize the data collected.
!__2.0 Findings__
!!2.1 Number and type of systems compromised during six month period.
We have had two honeypots compromised by worms since our last report. One machine was a Microsoft Windows 2000 system and the other was a Linux ~RedHat 7.3 system.
!!2.2 Highlight any unique findings, attacks, tools, or methods.
We found it interesting to observe the large spike in traffic to the honeynet from the Georgia Tech address range as students moved back in to start the Fall semester. Over the course of the summer, a typical day would include less than five (and often zero) ~IP’s attempting to establish connections to the honeynet from within Georgia Tech’s two and a half Class B address range. As students returned for the Fall semester, the number of ~IP’s attempting to establish connections increased dramatically, with a typical day including 10-20 separate ~IP’s attempting to establish connections.
Using a darknet to increase our IP address range provides additional traffic to include in our analysis (without the addition of physical honeypots) and helps us to observe scanning patterns.
We had 489 unique machines on the Georgia Tech campus that attempted to connect to the Honeynet between January 1st, 2004 and August 31st, 2004. (These machines are assumed to be compromised or in use by a malicious person.)
!!2.3 Any trends seen in the past six months;
The majority of traffic to our honeynet originating from within the campus network attempts to establish connections to Port 445. Between January 1, 2004 and August 31, 2004, 795 machines from within the campus attempted to establish a connection using port 445. (This number includes repeat attacks from a single IP address, but only counts one connection attempt per machine per day to port 445.)
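As an added example (not one of the project's own Perl scripts), the following JavaScript applies this section's two counting rules to a few constructed log lines: every campus source address is counted once overall, and port 445 attempts are counted once per machine per day. The log line format and the campus prefix 130.207.0.0/16 are assumptions made for the example; the report gives neither.

```javascript
// Added example, not one of the project's Perl scripts. Applies this section's two
// counting rules to constructed log lines: a campus source is counted once overall,
// and port 445 attempts once per machine per day. The line format and the campus
// prefix 130.207.0.0/16 are assumptions; the report gives neither.
const CAMPUS_PREFIXES = ['130.207.'];   // assumed campus address space, as dotted prefixes

// Constructed sample: "<date> <time> <src>:<sport> -> <dst>:<dport> <tcp flags>"
const SAMPLE_LOG = `
2004-03-15 02:13:44 130.207.12.34:1052 -> 130.207.250.7:445 S
2004-03-15 02:13:45 130.207.12.34:1053 -> 130.207.250.8:445 S
2004-03-15 09:40:01 130.207.12.34:1077 -> 130.207.250.7:139 S
2004-03-15 11:02:19 130.207.88.9:3201 -> 130.207.250.7:445 S
2004-03-16 00:15:00 130.207.12.34:1101 -> 130.207.250.9:445 S
2004-03-16 13:22:08 66.249.71.3:4455 -> 130.207.250.7:445 S
2004-03-16 13:22:09 130.207.200.1:2040 -> 130.207.250.7:80 S
`;

const LINE_RE = /^(\d{4}-\d{2}-\d{2}) \S+ (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)(?:\s|$)/;

function isCampusAddress(ip) {
  return CAMPUS_PREFIXES.some(p => ip.startsWith(p));
}

// Parse connection-attempt lines into {day, src, dst, dport}; unparseable lines are skipped.
function parseLog(text) {
  const events = [];
  for (const raw of text.split('\n')) {
    const m = LINE_RE.exec(raw.trim());
    if (m) events.push({ day: m[1], src: m[2], dst: m[3], dport: Number(m[4]) });
  }
  return events;
}

// Everything reaching the honeynet is suspect, so every campus source is reportable.
function summariseInternal(events) {
  const machines = new Map();          // src -> { days: Set, ports: Set }
  const smbMachineDays = new Set();    // "day src" pairs: one port-445 count per machine per day
  for (const e of events) {
    if (!isCampusAddress(e.src)) continue;
    if (!machines.has(e.src)) machines.set(e.src, { days: new Set(), ports: new Set() });
    const m = machines.get(e.src);
    m.days.add(e.day);
    m.ports.add(e.dport);
    if (e.dport === 445) smbMachineDays.add(e.day + ' ' + e.src);
  }
  // The per-machine list is what gets sent to the campus network managers.
  const report = [...machines].map(([src, m]) => {
    const days = [...m.days].sort();
    return { src, firstSeen: days[0], lastSeen: days[days.length - 1],
             ports: [...m.ports].sort((a, b) => a - b) };
  });
  return { uniqueMachines: machines.size, port445MachineDays: smbMachineDays.size, report };
}
```

On the sample, 130.207.12.34 probes port 445 on both days but is counted once per day (two machine-days), the external 66.249.71.3 is excluded from the campus totals, and the 139/80 probes only appear in the per-machine port list.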
We found an article that mentions the use of TCP ports 135 and 1026 to send popup spam to Windows systems. On at least one occasion we observed this type of traffic, but it did not result in a popup window on our honeypot.
!!2.4 Document data analysis tools and methods being used.
We currently use Ethereal with various filters as our primary data analysis tool. We are developing Perl scripts to parse the logs and generate plots of the data (PCAP data is parsed, the extracted results are stored in an XML file, and plots are then generated from the XML data).
!!2.5 For data analysis what tools work well, and what still needs to be developed.
Ethereal is not a very efficient or effective way to analyze daily logs, especially as the honeynet grows and the traffic volume increases with it. We have begun to develop Perl scripts, but this approach also appears to be too slow, so we plan to reimplement the scripts in C. We are also considering an SQL database so that we can cope with the large amount of data and access it more quickly.
We could reap huge benefits from a data analysis CD in addition to the Honeywall CD. Such a CD could be used to set up an analysis box and would be another way to standardize honeynets throughout the alliance.
!__3.0 Misc. Activities__
!!3.1 Presenting at conferences
The papers listed in 3.3 were presented at conferences.
!!3.2 Developing, testing or releasing code
We have developed several Perl scripts for data analysis, but we believe implementing these (and other) scripts in C will prove more beneficial. We also have a ~PhD student working on network security visualization techniques and are using the software he is developing to observe our honeynet data.
!!3.3 Publication of papers
The following papers were published and presented at the IEEE Information Assurance Workshop at West Point, New York:
"Application of a Methodology to Characterize Rootkits Retrieved from Honeynets" by John Levine, Julian Grizzard, and Henry Owen; and
"An Investigation of a Compromised Host on a Honeynet Being Used to Increase the Security of a Large Enterprise Network" by Timothy Jackson, John Levine, Julian Grizzard, and Henry Owen.
The following paper was published and presented at DEFCON 12:
"Network Attack Visualization" by Greg Conti.
The following paper was published and presented at the Recent Advances in Intrusion Detection (RAID) Symposium:
"~HoneyStat: Local Worm Detection Using Honeypots" by David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, Julian Grizzard, John Levine, and Henry Owen.
!!3.4 Involvement in ~SotM challenges.
We have not participated.
!!3.5 Other
We have developed a honeynet continuity file for the Georgia Tech Honeynet. One of the challenges of a student-run honeynet at an academic institution is that students (graduate and undergraduate) arrive and depart on a regular basis. For example, John Levine, who created the Georgia Tech Honeynet, graduated with a ~PhD in May 2004 and is now an instructor at West Point, and Julian Grizzard, who is currently in charge of the honeynet, expects to graduate with his ~PhD in 2005. We developed the continuity file to streamline the process of teaching new people how to run and monitor the honeynet and to serve as a record of lessons learned. The file includes configuration information, points of contact (internal and external), web sites of interest, logging information, and policy guidelines for monitoring our honeynet. We recommend a continuity file for any organization, but especially for academic institutions.
!__4.0 Organizational__
!!4.1 Changes in the structure of your organization.
We have new undergraduate students getting involved in the honeynet, including Neil Joshi and Alfredo Ramos.
!__5.0 Lessons Learned__
!!5.1 What positive things can you share with the community, so they can replicate your success.
The Georgia Tech Honeynet is a great tool for helping to secure the campus network. Since all traffic to the Honeynet is suspicious, any packet to the Honeynet originating from within the Georgia Tech address range is likely from a compromised computer, a malicious user, or the campus IDS. We send reports of all computers attempting to connect to the Honeynet to the campus network managers (OIT); they can then take action to keep the network secure by correlating our data with their IDS tools in order to reduce false positives.
The honeywall CDROM has worked out well. When making significant changes to a honeynet, we recommend making the changes in a down period in case there are configuration issues. Making the transition to the honeywall CDROM during the summer semester proved very beneficial. We also recommend testing any configuration changes on a private network prior to connecting to the internet.
!!5.2 What mistakes can you share with the community, so they don't make the same mistakes.
Parsing through large data sets can be very time consuming. We need better tools that the community can use to make this analysis easier and more efficient.
!__6.0 Goals__
!!6.1 Plans/Goals for next six months.
We are currently writing a Know Your Enemy paper based on a statistical analysis of our data. We also intend to add honeypots to our honeynet within the next few months, with the long-term goal of a distributed honeynet across the Georgia Tech network. We also plan to develop more elaborate data analysis tools (currently in a beta state) to share with the community.
/***
|Name|DatePlugin|
|Source|http://www.TiddlyTools.com/#DatePlugin|
|Version|2.3.0|
|Author|Eric Shulman - ELS Design Studios|
|License|http://www.TiddlyTools.com/#LegalStatements <<br>>and [[Creative Commons Attribution-ShareAlike 2.5 License|http://creativecommons.org/licenses/by-sa/2.5/]]|
|~CoreVersion|2.1|
|Type|plugin|
|Requires||
|Overrides||
|Description|formatted dates plus popup menu with 'journal' link, changes and (optional) reminders|
There are quite a few calendar generators, reminders, to-do lists, 'dated tiddlers' journals, blog-makers and GTD-like schedule managers that have been built around TW. While they all have different purposes, and vary in format, interaction, and style, in one way or another each of these plugins displays and/or uses date-based information to make finding, accessing and managing relevant tiddlers easier. This plugin provides a general approach to embedding dates and date-based links/menus within tiddler content.
This plugin displays formatted dates for the specified year, month and day, given as numbers or as mathematical expressions such as (Y+1) or (D+30). Optionally, you can create a link from the formatted output to a 'dated tiddler' for quick blogging, or create a popup menu that includes the dated tiddler link plus links to changes made on that date as well as links to any pending reminders for the coming 31 days (if the RemindersPlugin is installed). This plugin also provides a public API for easily incorporating formatted date output (with or without the links/popups) into other plugins, such as calendar generators.
!!!!!Usage
<<<
When installed, this plugin defines a macro: {{{<<date [mode] [date] [format] [linkformat]>>}}}. All of the macro parameters are optional and, in its simplest form, {{{<<date>>}}}, it is equivalent to the ~TiddlyWiki core macro, {{{<<today>>}}}.
However, where {{{<<today>>}}} simply inserts the current date/time in a predefined format (or custom format, using {{{<<today [format]>>}}}), the {{{<<date>>}}} macro's parameters take it much further than that:
* [mode] is either ''display'', ''link'' or ''popup''. If omitted, it defaults to ''display''. This parameter lets you choose between simply displaying a formatted date, creating a link to a specific 'date titled' tiddler, or creating a popup menu containing a dated tiddler link plus links to changes and reminders.
* [date] lets you enter ANY date (not just today) as ''year, month, and day values or simple mathematical expressions'' using the pre-defined variables Y, M, and D for the current year, month and day, respectively. Note that after Y, M and D are substituted, these three parameters are passed to JavaScript {{{eval()}}} (see the handler in the Code section), so any tiddler that can contain the macro can run arbitrary script; do not render {{{<<date>>}}} parameters taken from untrusted content. You can display the modification date of the current tiddler by using the keyword ''tiddler'' in place of the year, month and day parameters. Use ''tiddler://name-of-tiddler//'' to display the modification date of a specific tiddler. You can also use the keywords ''today'' or ''filedate'' to refer to these //dynamically changing// date/time values.
* [format] and [linkformat] use standard ~TiddlyWiki date formatting syntax. The default is "YYYY.0MM.0DD"
>^^''DDD'' - day of week in full (eg, "Monday"), ''DD'' - day of month, ''0DD'' - adds leading zero^^
>^^''MMM'' - month in full (eg, "July"), ''MM'' - month number, ''0MM'' - adds leading zero^^
>^^''YYYY'' - full year, ''YY'' - two digit year, ''hh'' - hours, ''mm'' - minutes, ''ss'' - seconds^^
>^^//note: use of hh, mm or ss format codes is only supported with ''tiddler'', ''today'' or ''filedate'' values//^^
* [linkformat] - specify an alternative date format so that the title of a 'dated tiddler' link can have a format that differs from the date's displayed format
In addition to the macro syntax, DatePlugin also provides a public javascript API so that other plugins that work with dates (such as calendar generators, etc.) can quickly incorporate date formatted links or popups into their output:
''{{{showDate(place, date, mode, format, linkformat, autostyle, weekend)}}}''
Note that in addition to the parameters provided by the macro interface, the javascript API also supports two optional true/false parameters:
* [autostyle] - when true, the font/background styles of formatted dates are automatically adjusted to show the date's status: 'today' is boxed, 'changes' are bold, 'reminders' are underlined, while weekends and holidays (as well as changes and reminders) can each have a different background color to make them more visibly distinct from each other.
* [weekend] - true indicates a weekend, false indicates a weekday. When this parameter is omitted, the plugin uses internal defaults to automatically determine when a given date falls on a weekend.
<<<
!!!!!Examples
<<<
The current date: <<date>>
The current time: <<date today "0hh:0mm:0ss">>
Today's blog: <<date link today "DDD, MMM DDth, YYYY">>
Recent blogs/changes/reminders: <<date popup Y M D-1 "yesterday">> <<date popup today "today">> <<date popup Y M D+1 "tomorrow">>
The first day of next month will be a <<date Y M+1 1 "DDD">>
This tiddler (DatePlugin) was last updated on: <<date tiddler "DDD, MMM DDth, YYYY">>
The SiteUrl was last updated on: <<date tiddler:SiteUrl "DDD, MMM DDth, YYYY">>
This document was last saved on <<date filedate "DDD, MMM DDth, YYYY at 0hh:0mm:0ss">>
<<date 2006 07 24 "MMM DDth, YYYY">> will be a <<date 2006 07 24 "DDD">>
<<<
!!!!!Installation
<<<
import (or copy/paste) the following tiddlers into your document:
''DatePlugin'' (tagged with <<tag systemConfig>>)
<<<
!!!!!Revision History
<<<
''2007.05.31 [2.3.0]'' list "created" tiddlers in date popup. Also, force re-cache of created/modified indices when displaying current date and store.isDirty(), so that popup is kept in sync with tiddler changes.
''2006.05.09 [2.2.1]'' added "todaybg" handling to set background color of current date. Also, honor excludeLists tag when getting lists of tiddlers. Based on suggestions by Mark Hulme.
''2006.05.05 [2.2.0]'' added "linkedbg" handling to set background color when a 'dated tiddler' exists. Based on a suggestion by Mark Hulme.
''2006.03.08 [2.1.2]'' add 'override leadtime' flag param in call to findTiddlersWithReminders(), and add "Enter a title" default text to new reminder handler. Thanks to Jeremy Sheeley for these additional tweaks.
''2006.03.06 [2.1.0]'' hasReminders() now uses window.reminderCacheForCalendar[] when present. If calendar cache is not present, indexReminders() now uses findTiddlersWithReminders() with a 90-day look ahead to check for reminders. Also, switched default background colors for autostyled dates: reminders are now greenish ("c0ffee") and holidays are now reddish ("ffaace").
''2006.02.14 [2.0.5]'' when readOnly is set (by TW core), omit "new reminders..." popup menu item and, if a "dated tiddler" does not already exist, display the date as simple text instead of a link.
''2006.02.05 [2.0.4]'' added var to variables that were unintentionally global. Avoids FireFox 1.5.0.1 crash bug when referencing global variables
''2006.01.18 [2.0.3]'' In 1.2.x the tiddler editor's text area control was given an element ID=("tiddlerBody"+title), so that it was easy to locate this field and programmatically modify its content. With the addition of configuration templates in 2.x, the textarea no longer has an ID assigned. To find this control we now look through all the child nodes of the tiddler editor to locate a "textarea" control where attribute("edit") equals "text", and then append the new reminder to the contents of that control.
''2006.01.11 [2.0.2]'' correct 'weekend' override detection logic in showDate()
''2006.01.10 [2.0.1]'' allow custom-defined weekend days (default defined in config.macros.date.weekend[] array)
added flag param to showDate() API to override internal weekend[] array
''2005.12.27 [2.0.0]'' Update for TW2.0
Added parameter handling for 'linkformat'
''2005.12.21 [1.2.2]'' FF's date.getYear() function returns 105 (for the current year, 2005). When calculating a date value from Y M and D expressions, the plugin adds 1900 to the returned year value get the current year number. But IE's date.getYear() already returns 2005. As a result, plugin calculated date values on IE were incorrect (e.g., 3905 instead of 2005). Adding +1900 is now conditional so the values will be correct on both browsers.
''2005.11.07 [1.2.1]'' added support for "tiddler" dynamic date parameter
''2005.11.06 [1.2.0]'' added support for "tiddler:title" dynamic date parameter
''2005.11.03 [1.1.2]'' when a reminder doesn't have a specified title parameter, use the title of the tiddler that contains the reminder as "fallback" text in the popup menu. Based on a suggestion from BenjaminKudria.
''2005.11.03 [1.1.1]'' Temporarily bypass hasReminders() logic to avoid excessive overhead from generating the indexReminders() cache. While reminders can still appear in the popup menu, they just won't be indicated by auto-styling the date number that is displayed. This single change saves approx. 60% overhead (5 second delay reduced to under 2 seconds).
''2005.11.01 [1.1.0]'' corrected logic in hasModifieds() and hasReminders() so caching of indexed modifieds and reminders is done just once, as intended. This should hopefully speed up calendar generators and other plugins that render multiple dates...
''2005.10.31 [1.0.1]'' documentation and code cleanup
''2005.10.31 [1.0.0]'' initial public release
''2005.10.30 [0.9.0]'' pre-release
<<<
!!!!!Credits
<<<
This feature was developed by EricShulman from [[ELS Design Studios|http://www.elsdesign.com]].
<<<
!!!!!Code
***/
//{{{
version.extensions.date = {major: 2, minor: 3, revision: 0, date: new Date(2007,5,31)};
//}}}
//{{{
config.macros.date = {
format: "YYYY.0MM.0DD", // default date display format
linkformat: "YYYY.0MM.0DD", // 'dated tiddler' link format
linkedbg: "#babb1e", // "babble"
todaybg: "#ffab1e", // "fable"
weekendbg: "#c0c0c0", // "cocoa"
holidaybg: "#ffaace", // "face"
createdbg: "#bbeeff", // "beef"
modifiedsbg: "#bbeeff", // "beef"
remindersbg: "#c0ffee", // "coffee"
holidays: [ "01/01", "07/04", "07/24", "11/24" ], // NewYearsDay, IndependenceDay(US), Eric's Birthday (hooray!), Thanksgiving(US)
weekend: [ 1,0,0,0,0,0,1 ] // [ day index values: sun=0, mon=1, tue=2, wed=3, thu=4, fri=5, sat=6 ]
};
//}}}
//{{{
config.macros.date.handler = function(place,macroName,params)
{
// do we want to see a link, a popup, or just a formatted date?
var mode="display";
if (params[0]=="display") { mode=params[0]; params.shift(); }
if (params[0]=="popup") { mode=params[0]; params.shift(); }
if (params[0]=="link") { mode=params[0]; params.shift(); }
// get the date
var now = new Date();
var date = now;
if (!params[0] || params[0]=="today")
{ params.shift(); }
else if (params[0]=="filedate")
{ date=new Date(document.lastModified); params.shift(); }
else if (params[0]=="tiddler")
{ date=store.getTiddler(story.findContainingTiddler(place).id.substr(7)).modified; params.shift(); }
else if (params[0].substr(0,8)=="tiddler:")
{ var t; if ((t=store.getTiddler(params[0].substr(8)))) date=t.modified; params.shift(); }
else {
var y = eval(params.shift().replace(/Y/ig,(now.getYear()<1900)?now.getYear()+1900:now.getYear()));
var m = eval(params.shift().replace(/M/ig,now.getMonth()+1));
var d = eval(params.shift().replace(/D/ig,now.getDate()+0));
date = new Date(y,m-1,d);
}
// date format with optional custom override
var format=this.format; if (params[0]) format=params.shift();
var linkformat=this.linkformat; if (params[0]) linkformat=params.shift();
showDate(place,date,mode,format,linkformat);
}
//}}}
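The three {{{eval()}}} calls in the handler above turn the year, month and day parameters into JavaScript after substituting Y, M and D, so {{{<<date "alert(1)" 1 1>>}}} in any tiddler runs script. The following added example, which is not part of DatePlugin, evaluates only the documented arithmetic (integers, + - * / and parentheses) with a small recursive-descent parser and rejects anything else; {{{evalDateExpr}}} and {{{dateFromParams}}} are names chosen for this example, and {{{dateFromParams}}} takes the reference date as an argument so it can be pinned in a test.

```javascript
// Added example, not part of DatePlugin. Replaces the three eval() calls in
// config.macros.date.handler with an evaluator that accepts only the documented
// arithmetic: integers, + - * / and parentheses, after Y/M/D substitution.
// Function names are chosen for this example.

function evalDateExpr(expr, varName, value) {
  // Substitute the variable the same way the plugin does: every occurrence, case-insensitive.
  const src = String(expr).replace(new RegExp(varName, 'ig'), String(value));
  // Anything outside the arithmetic alphabet (letters, '.', '[', '=', ...) is refused up front,
  // so "alert(1)" or "Y+window.name" never reaches an interpreter.
  if (!/^[\d+\-*\/()\s]+$/.test(src)) throw new Error('unsupported date expression: ' + expr);
  let pos = 0;
  const peek = () => src[pos];
  const skipWs = () => { while (pos < src.length && /\s/.test(src[pos])) pos++; };
  function parseFactor() {            // factor := number | '(' expr ')' | '-' factor
    skipWs();
    if (peek() === '(') {
      pos++;
      const v = parseExpr();
      skipWs();
      if (src[pos++] !== ')') throw new Error('missing ) in ' + expr);
      return v;
    }
    if (peek() === '-') { pos++; return -parseFactor(); }
    const m = /^\d+/.exec(src.slice(pos));
    if (!m) throw new Error('number expected in ' + expr);
    pos += m[0].length;
    return Number(m[0]);
  }
  function parseTerm() {              // term := factor (('*'|'/') factor)*
    let v = parseFactor();
    skipWs();
    while (peek() === '*' || peek() === '/') {
      const op = src[pos++];
      const r = parseFactor();
      v = op === '*' ? v * r : v / r;
      skipWs();
    }
    return v;
  }
  function parseExpr() {              // expr := term (('+'|'-') term)*
    let v = parseTerm();
    skipWs();
    while (peek() === '+' || peek() === '-') {
      const op = src[pos++];
      const r = parseTerm();
      v = op === '+' ? v + r : v - r;
      skipWs();
    }
    return v;
  }
  const result = parseExpr();
  skipWs();
  if (pos !== src.length) throw new Error('trailing input in ' + expr);
  return result;
}

// Drop-in for the final `else` branch of the handler: [year, month, day] expressions
// evaluated relative to `now` (a Date, passed in so callers can pin it).
function dateFromParams(params, now) {
  const y = evalDateExpr(params[0], 'Y', now.getFullYear());
  const m = evalDateExpr(params[1], 'M', now.getMonth() + 1);
  const d = evalDateExpr(params[2], 'D', now.getDate());
  return new Date(y, m - 1, d);   // Date() normalises overflow: month 13 or day 0 roll over
}
```

The whitelist check before parsing is what closes the hole; the parser only exists so that the documented forms such as (Y+1) and D+30 keep working. Month and day overflow is still handed to the Date constructor exactly as the original code does, so `<<date Y M+1 1>>` on 31 December still yields 1 January of the following year.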
//{{{
window.showDate=showDate;
function showDate(place,date,mode,format,linkformat,autostyle,weekend)
{
if (!mode) mode="display";
if (!format) format=config.macros.date.format;
if (!linkformat) linkformat=config.macros.date.linkformat;
if (!autostyle) autostyle=false;
// format the date output
var title = date.formatString(format);
var linkto = date.formatString(linkformat);
// just show the formatted output
if (mode=="display") { place.appendChild(document.createTextNode(title)); return; }
// link to a 'dated tiddler'
var link = createTiddlyLink(place, linkto, false);
link.appendChild(document.createTextNode(title));
link.title = linkto;
link.date = date;
link.format = format;
link.linkformat = linkformat;
// if using a popup menu, replace click handler for dated tiddler link
// with handler for popup and make link text non-italic (i.e., an 'existing link' look)
if (mode=="popup") {
link.onclick = onClickDatePopup;
link.style.fontStyle="normal";
}
// format the popup link to show what kind of info it contains (for use with calendar generators)
if (!autostyle) return;
if (hasModifieds(date)||hasCreateds(date))
{ link.style.fontStyle="normal"; link.style.fontWeight="bold"; }
if (hasReminders(date))
{ link.style.textDecoration="underline"; }
if(isToday(date))
{ link.style.border="1px solid black"; }
if( (weekend!=undefined?weekend:isWeekend(date)) && (config.macros.date.weekendbg!="") )
{ place.style.background = config.macros.date.weekendbg; }
if(isHoliday(date)&&(config.macros.date.holidaybg!=""))
{ place.style.background = config.macros.date.holidaybg; }
if (hasCreateds(date)&&(config.macros.date.createdbg!=""))
{ place.style.background = config.macros.date.createdbg; }
if (hasModifieds(date)&&(config.macros.date.modifiedsbg!=""))
{ place.style.background = config.macros.date.modifiedsbg; }
if (store.tiddlerExists(linkto)&&(config.macros.date.linkedbg!=""))
{ place.style.background = config.macros.date.linkedbg; }
if (hasReminders(date)&&(config.macros.date.remindersbg!=""))
{ place.style.background = config.macros.date.remindersbg; }
if(isToday(date)&&(config.macros.date.todaybg!=""))
{ place.style.background = config.macros.date.todaybg; }
}
//}}}
//{{{
function isToday(date) // returns true if date is today
{ var now=new Date(); return ((now-date>=0) && (now-date<86400000)); }
function isWeekend(date) // returns true if date is a weekend
{ return (config.macros.date.weekend[date.getDay()]); }
function isHoliday(date) // returns true if date is a holiday
{
var longHoliday = date.formatString("0MM/0DD/YYYY");
var shortHoliday = date.formatString("0MM/0DD");
for(var i = 0; i < config.macros.date.holidays.length; i++) {
var holiday=config.macros.date.holidays[i];
if (holiday==longHoliday||holiday==shortHoliday) return true;
}
return false;
}
//}}}
//{{{
// Event handler for clicking on a day popup
function onClickDatePopup(e)
{
if (!e) var e = window.event;
var theTarget = resolveTarget(e);
var popup = createTiddlerPopup(this);
if(popup) {
// always show dated tiddler link (or just date, if readOnly) at the top...
if (!readOnly || store.tiddlerExists(this.date.formatString(this.linkformat)))
createTiddlyLink(popup,this.date.formatString(this.linkformat),true);
else
createTiddlyText(popup,this.date.formatString(this.linkformat));
addCreatedsToPopup(popup,this.date,this.format);
addModifiedsToPopup(popup,this.date,this.format);
addRemindersToPopup(popup,this.date,this.linkformat);
}
scrollToTiddlerPopup(popup,false);
e.cancelBubble = true;
if (e.stopPropagation) e.stopPropagation();
return(false);
}
//}}}
//{{{
function indexCreateds() // build list of tiddlers, hash indexed by creation date
{
var createds= { };
var tiddlers = store.getTiddlers("title","excludeLists");
for (var t = 0; t < tiddlers.length; t++) {
var date = tiddlers[t].created.formatString("YYYY0MM0DD")
if (!createds[date])
createds[date]=new Array();
createds[date].push(tiddlers[t].title);
}
return createds;
}
function hasCreateds(date) // returns true if date has created tiddlers
{
if (!config.macros.date.createds) config.macros.date.createds=indexCreateds();
return (config.macros.date.createds[date.formatString("YYYY0MM0DD")]!=undefined);
}
function addCreatedsToPopup(popup,when,format)
{
var force=(store.isDirty() && when.formatString("YYYY0MM0DD")==new Date().formatString("YYYY0MM0DD"));
if (force || !config.macros.date.createds) config.macros.date.createds=indexCreateds();
var indent=String.fromCharCode(160)+String.fromCharCode(160);
var createds = config.macros.date.createds[when.formatString("YYYY0MM0DD")];
if (createds) {
createds.sort();
var e=createTiddlyElement(popup,"div",null,null,"created:");
for(var t=0; t<createds.length; t++) {
var link=createTiddlyLink(popup,createds[t],false);
link.appendChild(document.createTextNode(indent+createds[t]));
createTiddlyElement(popup,"br",null,null,null);
}
}
}
//}}}
//{{{
function indexModifieds() // build list of tiddlers, hash indexed by modification date
{
var modifieds= { };
var tiddlers = store.getTiddlers("title","excludeLists");
for (var t = 0; t < tiddlers.length; t++) {
var date = tiddlers[t].modified.formatString("YYYY0MM0DD")
if (!modifieds[date])
modifieds[date]=new Array();
modifieds[date].push(tiddlers[t].title);
}
return modifieds;
}
function hasModifieds(date) // returns true if date has modified tiddlers
{
if (!config.macros.date.modifieds) config.macros.date.modifieds = indexModifieds();
return (config.macros.date.modifieds[date.formatString("YYYY0MM0DD")]!=undefined);
}
function addModifiedsToPopup(popup,when,format)
{
var force=(store.isDirty() && when.formatString("YYYY0MM0DD")==new Date().formatString("YYYY0MM0DD"));
if (force || !config.macros.date.modifieds) config.macros.date.modifieds=indexModifieds();
var indent=String.fromCharCode(160)+String.fromCharCode(160);
var mods = config.macros.date.modifieds[when.formatString("YYYY0MM0DD")];
if (mods) {
mods.sort();
var e=createTiddlyElement(popup,"div",null,null,"changed:");
for(var t=0; t<mods.length; t++) {
var link=createTiddlyLink(popup,mods[t],false);
link.appendChild(document.createTextNode(indent+mods[t]));
createTiddlyElement(popup,"br",null,null,null);
}
}
}
//}}}
//{{{
function indexReminders(date,leadtime) // build list of tiddlers with reminders, hash indexed by reminder date
{
var reminders = { };
if(window.findTiddlersWithReminders!=undefined) { // reminder plugin is installed
// DEBUG var starttime=new Date();
var t = findTiddlersWithReminders(date, [0,leadtime], null, null, 1);
for(var i=0; i<t.length; i++) reminders[t[i].matchedDate]=true;
// DEBUG var out="Found "+t.length+" reminders in "+((new Date())-starttime+1)+"ms\n";
// DEBUG out+="startdate: "+date.toLocaleDateString()+"\n"+"leadtime: "+leadtime+" days\n\n";
// DEBUG for(var i=0; i<t.length; i++) { out+=t[i].matchedDate.toLocaleDateString()+" "+t[i].params.title+"\n"; }
// DEBUG alert(out);
}
return reminders;
}
function hasReminders(date) // returns true if date has reminders
{
if (window.reminderCacheForCalendar)
return window.reminderCacheForCalendar[date]; // use calendar cache
if (!config.macros.date.reminders)
config.macros.date.reminders = indexReminders(date,90); // create a 90-day leadtime reminder cache
return (config.macros.date.reminders[date]);
}
function addRemindersToPopup(popup,when,format)
{
if(window.findTiddlersWithReminders==undefined) return; // reminder plugin not installed
var indent = String.fromCharCode(160)+String.fromCharCode(160);
var reminders=findTiddlersWithReminders(when, [0,31],null,null,1);
var e=createTiddlyElement(popup,"div",null,null,"reminders:"+(!reminders.length?" none":""));
for(var t=0; t<reminders.length; t++) {
link = createTiddlyLink(popup,reminders[t].tiddler,false);
var diff=reminders[t].diff;
diff=(diff<1)?"Today":((diff==1)?"Tomorrow":diff+" days");
var txt=(reminders[t].params["title"])?reminders[t].params["title"]:reminders[t].tiddler;
link.appendChild(document.createTextNode(indent+diff+" - "+txt));
createTiddlyElement(popup,"br",null,null,null);
}
if (readOnly) return; // omit "new reminder..." link
var link = createTiddlyLink(popup,indent+"new reminder...",true); createTiddlyElement(popup,"br");
var title = when.formatString(format);
link.title="add a reminder to '"+title+"'";
link.onclick = function() {
// show tiddler editor
story.displayTiddler(null, title, 2, null, null, false, false);
// find body 'textarea'
var c =document.getElementById("tiddler" + title).getElementsByTagName("*");
for (var i=0; i<c.length; i++) if ((c[i].tagName.toLowerCase()=="textarea") && (c[i].getAttribute("edit")=="text")) break;
// append reminder macro to tiddler content
if (i<c.length) {
if (store.tiddlerExists(title)) c[i].value+="\n"; else c[i].value="";
c[i].value += "<<reminder";
c[i].value += " day:"+when.getDate();
c[i].value += " month:"+(when.getMonth()+1);
c[i].value += " year:"+when.getFullYear();
c[i].value += ' title:"Enter a title" >>';
}
};
}
//}}}
!__Publications__
* H. Altunbasak, S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, "Securing layer 2 in local area networks," accepted IEEE ICN 2005.
* H. Altunbasak, S. Krasser, H. Owen, J. Sokol, J. Grimminger, and H.-P. Huth, "Addressing the weak link between layer 2 and layer 3 in the Internet architecture," in Proc. IEEE International Conference on Local Computer Networks, Tampa, Florida, USA, pp. 417-418, November 2004.
In order to release captures of network attack traffic to the public, much of the sensitive information contained in the capture files must be removed. The goal of our anonymization algorithms is to protect that information while still allowing researchers and the public at large to examine and analyze the attacks. Our solution uses one-to-one mappings of IP addresses (including addresses embedded in payloads) and overwriting of hostnames.
!Anonymization Methods
------------------------------------
!!__IP Address Mapping__
We map the top two octets and the bottom two octets separately. For the top two octets we generate a single map; for the bottom two octets we create one map per subnet within the Georgia Tech IP space and one map for all non-Georgia Tech addresses. Some networks should not be remapped because they are private, unroutable, or otherwise special, so the top two octets of addresses in the networks listed below are left unchanged. (Note that 172.16.0.0/16 covers only the first /16 of the RFC 1918 block, which is 172.16.0.0/12.) For all remaining networks the mapping is a random permutation.
*0.0.0.0/8
*10.0.0.0/8
*127.0.0.0/8
*169.254.0.0/16
*172.16.0.0/16
*192.168.0.0/16
*224.0.0.0/4
*240.0.0.0/4
The lower mapping covers the lower two octets of the address. If the last octet is 0 or 255 it is mapped to another value ending in 0 or 255, so that network- and broadcast-looking addresses keep that appearance; all other lower octet pairs are mapped randomly, again one-to-one.
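An added example (not the page's Perl tool) showing the two-level mapping in Python: one seeded global map for the top two octets, one map per campus /16 for the bottom two, the exclusion list applied to the top half, the 0/255 rule applied to the bottom half, and the same map applied to dotted quads found inside payloads. The campus prefixes and the seed are assumptions, and the full RFC 1918 block 172.16.0.0/12 is excluded here rather than the /16 the list above gives:

```python
import ipaddress
import random
import re

# Prefixes whose top two octets are never remapped.  This follows the page's
# exclusion list except that the full RFC 1918 block 172.16.0.0/12 is used in
# place of the page's 172.16.0.0/16 (an assumption made here, not the page's tool).
UNMAPPED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Campus /16s that each get their own lower-octet map.  Assumed values for
# illustration; the page does not list the actual Georgia Tech subnets.
CAMPUS_PREFIXES = [ipaddress.ip_network(p) for p in ("130.207.0.0/16", "128.61.0.0/16")]

# Dotted quads inside a payload (the look-arounds reject runs like 1.2.3.4.5).
DOTTED_QUAD = re.compile(rb"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")


def is_unmapped(o1, o2):
    """True if the /16 given by its top two octets must keep them unchanged."""
    addr = ipaddress.ip_address(f"{o1}.{o2}.0.0")
    return any(addr in net for net in UNMAPPED_PREFIXES)


class IpAnonymizer:
    """One-to-one IPv4 remapping: one global map for the top two octets and one
    map per campus subnet (plus one for everything else) for the bottom two."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)   # seeded so a whole capture set maps consistently
        self.hi_map, self.hi_used = {}, set()
        self.lo_maps, self.lo_used = {}, {}

    def _domain(self, ip):
        for net in CAMPUS_PREFIXES:
            if ip in net:
                return str(net)
        return "other"

    def _map_hi(self, o1, o2):
        if is_unmapped(o1, o2):
            return o1, o2
        if (o1, o2) not in self.hi_map:
            while True:                  # draw an unused, mappable /16 as the image
                cand = (self.rng.randrange(1, 224), self.rng.randrange(256))
                if cand not in self.hi_used and not is_unmapped(*cand):
                    break
            self.hi_map[(o1, o2)] = cand
            self.hi_used.add(cand)
        return self.hi_map[(o1, o2)]

    def _map_lo(self, domain, o3, o4):
        lo_map = self.lo_maps.setdefault(domain, {})
        used = self.lo_used.setdefault(domain, set())
        if (o3, o4) not in lo_map:
            edge = o4 in (0, 255)        # .0/.255 stay .0/.255; others never become .0/.255
            while True:
                cand = (self.rng.randrange(256),
                        self.rng.choice((0, 255)) if edge else self.rng.randrange(1, 255))
                if cand not in used:
                    break
            lo_map[(o3, o4)] = cand
            used.add(cand)
        return lo_map[(o3, o4)]

    def map_ip(self, text):
        ip = ipaddress.ip_address(text)
        o1, o2, o3, o4 = ip.packed
        h1, h2 = self._map_hi(o1, o2)
        l3, l4 = self._map_lo(self._domain(ip), o3, o4)
        return f"{h1}.{h2}.{l3}.{l4}"

    def rewrite_payload(self, data):
        """Apply the same mapping to dotted quads found inside a payload."""
        def sub(m):
            octets = [int(g) for g in m.groups()]
            if any(o > 255 for o in octets):
                return m.group(0)        # e.g. 999.1.1.1 is not an address, leave it
            return self.map_ip(".".join(map(str, octets))).encode()
        return DOTTED_QUAD.sub(sub, data)
```

Because the images are drawn from per-domain "used" sets, two distinct addresses can never collapse onto one, and because the generator is seeded, the same address maps identically across every file of a capture set, which is what lets flows be followed after anonymization.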
!!__IP Header Anonymization__
For each IP packet, the packet is first disassembled, the source and destination addresses are remapped, and the packet is then reassembled. We use the Perl module ~NetPacket::IP to parse and reassemble the packet. The module recalculates the IP header checksum on reassembly, which matters: the header checksum is a function of the address fields, so a checksum carried over from the original header would let an attacker recover information about the original addresses.
!!__ICMP, TCP, and UDP Header Anonymization__
The next layer of the stack exposes a further set of fields that could be used to recover the original IP addresses. Both the TCP and the UDP checksum are computed over a pseudo-header that contains the source and destination IP addresses from the IP header, so they must be recalculated after the addresses are remapped. ICMP is trickier: ICMP error messages often embed the header of the rejected packet in their payload, and that embedded header requires the same sanitization. We use a simple test for an embedded ~IPv4 packet, looking for 0x45 (version 4, header length 5 words) as the first byte of the ICMP payload; if the test succeeds, the algorithm recurses on the payload. ~NetPacket::TCP and ~NetPacket::UDP were used to parse and reassemble TCP and UDP packets, respectively.
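An added Python example, not the team's Perl code, that rewrites the addresses of an IPv4 packet and recomputes the IP, UDP/TCP and ICMP checksums, recursing into an ICMP-quoted packet with the same 0x45 test. It also shows why the recalculation matters: leaked_address_sum() takes a packet whose UDP checksum was left stale and recovers the folded sum of the original address words. The packets, the address map and all helper names are constructed for this example:

```python
import socket
import struct

def ones_sum(data):
    """Ones'-complement sum of 16-bit big-endian words, folded to 16 bits."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def checksum(data):
    return (~ones_sum(data)) & 0xFFFF

def build_udp_packet(src, dst, sport, dport, payload, ttl=64):
    """Constructed IPv4/UDP datagram with valid IP and UDP checksums (sample input)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = s + d + struct.pack("!BBH", 0, 17, udp_len)
    udp = udp[:6] + struct.pack("!H", checksum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, ttl, 17, 0, s, d)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + udp

def build_icmp_unreachable(src, dst, quoted):
    """Constructed ICMP port-unreachable (type 3, code 3) quoting another packet."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0, s, d)
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + icmp

def remap_packet(pkt, mapper, recompute_l4=True, embedded=False):
    """Rewrite src/dst of an IPv4 packet and fix every checksum that covers them.
    mapper maps an address string to its replacement.  recompute_l4=False leaves
    the TCP/UDP checksum stale (the mistake leaked_address_sum() exploits).  An ICMP
    payload whose first byte is 0x45 is treated as an embedded IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    hdr = bytearray(pkt[:ihl])
    hdr[12:16] = socket.inet_aton(mapper(socket.inet_ntoa(pkt[12:16])))
    hdr[16:20] = socket.inet_aton(mapper(socket.inet_ntoa(pkt[16:20])))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(hdr))          # IP header checksum
    body = bytearray(pkt[ihl:])
    if proto in (6, 17) and len(body) >= 8:
        off = 16 if proto == 6 else 6                        # checksum offset: TCP / UDP
        if embedded:
            # An ICMP-quoted segment is usually truncated, so its checksum cannot be
            # recomputed; left stale it would leak the original addresses, so zero it.
            body[off:off + 2] = b"\x00\x00"
        elif recompute_l4:
            body[off:off + 2] = b"\x00\x00"
            pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, proto, len(body))
            c = checksum(pseudo + bytes(body))
            if proto == 17 and c == 0:
                c = 0xFFFF                                   # UDP: 0 means "no checksum"
            body[off:off + 2] = struct.pack("!H", c)
    elif proto == 1 and len(body) > 8 and body[8] == 0x45:
        body[8:] = remap_packet(bytes(body[8:]), mapper, recompute_l4, embedded=True)
        body[2:4] = b"\x00\x00"
        body[2:4] = struct.pack("!H", checksum(body))        # ICMP: no pseudo-header
    return bytes(hdr) + bytes(body)

def addresses(pkt):
    """(src, dst) of an IPv4 packet as dotted quads."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def ip_checksum_ok(pkt):
    return ones_sum(pkt[:(pkt[0] & 0x0F) * 4]) == 0xFFFF

def udp_checksum_ok(pkt):
    udp = pkt[(pkt[0] & 0x0F) * 4:]
    return ones_sum(pkt[12:20] + struct.pack("!BBH", 0, 17, len(udp)) + udp) == 0xFFFF

def leaked_address_sum(stale_pkt):
    """From a UDP packet whose addresses were rewritten but whose UDP checksum was not,
    recover the folded ones'-complement sum of the ORIGINAL src+dst address words: the
    checksum covers pseudo-header + segment, so subtracting every field that is still
    known leaves the contribution of the original addresses (mod 0xFFFF)."""
    udp = stale_pkt[(stale_pkt[0] & 0x0F) * 4:]
    stale = struct.unpack("!H", udp[6:8])[0]
    known = struct.pack("!BBH", 0, 17, len(udp)) + udp[:6] + b"\x00\x00" + udp[8:]
    return ((0xFFFF - stale) - ones_sum(known)) % 0xFFFF

def address_word_sum(src, dst):
    """Folded sum of the address words of a (src, dst) pair, for comparison."""
    return ones_sum(socket.inet_aton(src) + socket.inet_aton(dst)) % 0xFFFF
```

The leak is only the 16-bit folded sum of the four address words, not the addresses themselves, but it is a hard constraint an attacker can intersect with other knowledge (a known /16, a guessed host), which is exactly why a sanitizer must never leave a checksum that was computed over the original addresses in the output.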
!!__Upper Layer Packet Anonymization__
Payload anonymization is too difficult to describe in full here. Various protocols find interesting ways of hiding revealing information in the payload, in forms that nothing (including the original software) can parse reliably. We have erred on the side of protecting privacy at the risk of destroying information in the payload: data matching a very general regular expression is overwritten with 'X' characters, in the hope that it was not something needed for analysis.
!!!DNS Protocol Sanitization
Among the packets that require anonymization, DNS packets are a notable problem. The layout of a DNS message depends on the opcode and the record types it carries, and a full decode is required to manipulate it correctly. For example, in a response carrying an A record, the last four bytes of that record's RDATA are an IP address that must be mapped. In a dynamic update (opcode 5) there is yet another domain name that must be removed.
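An added example (not the page's tool) of the decode the paragraph calls for: a small DNS walker that follows compression pointers, remaps the address in every A record, and overwrites label characters in place so that pointers and message length are preserved. It goes slightly beyond the A-record case in the text by also walking the names inside NS, CNAME, PTR, MX and SOA RDATA; the response it operates on is constructed here:

```python
import socket
import struct

NAME_RDATA = {2, 5, 12}   # NS, CNAME, PTR: RDATA is a single domain name


def walk_name(msg, off, label_bytes):
    """Follow labels and compression pointers from off, collecting the offset of every
    label character into label_bytes.  Returns the offset just past the name as it
    appears at off (a pointer counts as two bytes)."""
    end, hops = None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if ln > 63:
            raise ValueError("bad label length")
        if ln == 0:
            return end if end is not None else off + 1
        label_bytes.update(range(off + 1, off + 1 + ln))
        off += 1 + ln


def sanitize_dns(msg, map_ip):
    """Map every A-record address and overwrite every label character with 'X'.
    Labels are overwritten in place, so compression pointers still resolve and the
    message length does not change.  Dynamic update (opcode 5) messages use the same
    RR wire format in their zone/prerequisite/update sections, so the loop covers them."""
    out = bytearray(msg)
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    labels = set()
    off = 12
    for _ in range(qd):                            # question: name, type, class
        off = walk_name(msg, off, labels) + 4
    for _ in range(an + ns + ar):                  # answer / authority / additional
        off = walk_name(msg, off, labels)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A: remap the address in RDATA
            out[off:off + 4] = socket.inet_aton(map_ip(socket.inet_ntoa(msg[off:off + 4])))
        elif rtype in NAME_RDATA:
            walk_name(msg, off, labels)
        elif rtype == 15:                          # MX: 16-bit preference, then exchange
            walk_name(msg, off + 2, labels)
        elif rtype == 6:                           # SOA: mname, rname, five 32-bit fields
            walk_name(msg, walk_name(msg, off, labels), labels)
        off += rdlen
    for i in labels:
        out[i] = ord("X")
    return bytes(out)


def build_response():
    """Constructed response: honeypot.gatech.edu A 130.207.5.20, with the answer's
    owner name compressed to a pointer at the question name (offset 12)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"\x08honeypot\x06gatech\x03edu\x00"
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("130.207.5.20")
    return hdr + question + answer
```

Overwriting labels rather than deleting them keeps every offset in the message valid, which is the property that makes compression pointers safe to leave untouched; a sanitizer that shortens a name has to rewrite every pointer that referenced it.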
!!!Samba Protocol Sanitization
Another frustrating protocol is Windows networking (SMB/CIFS, the protocol Samba implements). The Tree Connect ~AndX Request includes a path field containing a Unicode (UTF-16LE) string with backslashes and a host network name, IP address, or ~NetBIOS name, e.g. \\POTENTIAL.NOWHERE.COM\IPC$. Since the format of this path is hard to anticipate, we simply replace every printable character between the two leading backslashes and the next backslash. Other messages, such as the Trans2 Request, sometimes carry the hostname as the file specification without the leading-backslash notation; these must be caught by a general regular expression. The ~NetBIOS name itself cannot be recognized without a full decode of SMB, which we have not yet accomplished.
!!!IRC Traffic Sanitization
Currently we only perform regular-expression search and replace on IRC traffic; no attempt is made to decode the protocol. The regular expression matches runs of letters, digits, at-signs, and periods ending in a recognized top-level domain such as com, edu, jp, nl, ro, or biz. Because the expression is so general, it has the unfortunate side effect of also obfuscating tokens that are not domain names at all.
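An added Python example, not the Perl regular expressions the team used, that implements the two string-level rules from the SMB and IRC paragraphs above: masking the host between the leading backslashes of a UNC path, in the UTF-16LE form the Tree Connect ~AndX request uses as well as in plain ASCII, and masking host-like tokens in IRC lines with a TLD list as general as the one described, which also makes the over-matching side effect visible. The sample strings are constructed:

```python
import re

# Tree Connect AndX paths are UTF-16LE, so "\\HOST\IPC$" is b"\\\x00\\\x00H\x00O\x00..." on
# the wire.  Both patterns select the printable run between the two leading backslashes
# and the next one; the look-arounds keep the backslashes themselves in place.
UNC_UTF16 = re.compile(rb"(?<=\\\x00\\\x00)((?:[\x20-\x7e]\x00)+?)(?=\\\x00)")
UNC_ASCII = re.compile(rb"(?<=\\\\)([\x20-\x7e]+?)(?=\\)")

# IRC: a run of letters, digits, '@', '.' and '-' ending in one of a fixed set of TLDs.
# Deliberately as general as the page describes, so the over-matching caveat shows.
TLDS = rb"com|edu|net|org|jp|nl|ro|biz"
HOSTLIKE = re.compile(rb"[A-Za-z0-9@.\-]+\.(?:" + TLDS + rb")\b")


def mask_unc_host(data):
    """Overwrite the host part of UNC paths (UTF-16LE or ASCII) with 'X', keeping length."""
    data = UNC_UTF16.sub(lambda m: b"X\x00" * (len(m.group(1)) // 2), data)
    return UNC_ASCII.sub(lambda m: b"X" * len(m.group(1)), data)


def mask_hostlike(data):
    """Overwrite every host-looking token with 'X', keeping length.  Anything that
    merely ends in a listed TLD is wiped, e-mail addresses included."""
    return HOSTLIKE.sub(lambda m: b"X" * len(m.group(0)), data)


def sanitize_payload(data):
    """Apply both rules to an arbitrary payload."""
    return mask_hostlike(mask_unc_host(data))
```

Length-preserving replacement is what keeps the TCP and UDP checksums and the SMB byte-count fields consistent after the edit; a replacement of different length would force the packet to be re-encoded at every layer above IP.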
!Future Work Needed
---------------------------------
We have only begun the rigorous work of packet sanitization and much remains to be done. First, we need to learn from the community what information is vital to retain for proper analysis and balance those needs against the complexity of preserving privacy. Second, decoders are needed for many protocols, starting with those used during attacks: SMB, FTP, IRC, HTTP, and DNS. Third, a flexible and fast packet manipulation framework is needed so that packets can be rewritten quickly.
!Conclusion
--------------------
The Georgia Tech Honeynet team has created a pcap-file anonymization tool in Perl that performs fast remapping of IP addresses, some packet decoding, and a large number of string searches and replacements in order to anonymize traffic captures. We believe this to be a good first-order approach to packet anonymization, but a more flexible approach is needed in future work.
On November 1, 2003 a Microsoft Windows 2000 Pro machine on the Georgia Tech Honeynet was compromised by an attacker. The attack originated from a host on Georgia Tech's Eastnet. However, analysis of the data indicates that this host was only a relay for the attack and not the attacker's own machine.
The attack first appeared as a standard Nachi attack, but after the initial attempt revealed to the attacker that the machine had already been infected, he or she switched tactics and used an ~MSBlaster-style exploit to open a shell on port 4444 with SYSTEM (root-equivalent) privileges. The change of tactics and its timing indicate a live attacker rather than an automated program. He or she then began installing a root-kit on the machine.
The root-kit is made up of two self-extracting .exe files, which this attacker named c.exe and x.exe. The former extracts to a directory named "svchost" with a subdirectory "service," while the latter extracts to "service" and "spools." The "svchost" directory contains ~WinMngr.EXE, ident.bat, one.exe, svc.bat, win.dll, cygwin1.dll, lsass.exe, regsvc.exe, services.exe, and svchost.exe. These form the core of the root-kit. The subdirectory "svchost\service" is used for storage of warez, but because the attacker does not want the disk usage to be noticed, he or she only places a few files on each compromised machine. The "service" directory created by x.exe contains mostly duplicates of the files in "svchost" (possibly to avoid path issues), but it does hold one important file, thug.bat.
Our attacker extracts these files and directories to "C:\WINNT\system32\Setup." The attacker then moves into the "svchost" directory and executes svc.bat, the primary installer of the root-kit. The svc.bat file sets the user name of the IRC bot in win.dll (which is actually just a plain text file) and starts both the "Remote Registry Backup" service and the "Microsoft Networks" service, binding both to the attacker's "svchost\lsass.exe." This results in 3 processes called lsass.exe, only one of which is legitimate. The "Remote Registry Backup" service is also bound to "svchost\ident.bat," which executes ~WinMngr.EXE, while "Microsoft Networks" is also tied to "svchost\regsvc.exe." The effect of starting all of these files as services is that they cannot be killed from the Windows(r) Task Manager; the services they are attached to must be stopped to bring them down. The next step taken by svc.bat is to hide the directories created by the archives. Using the "attrib" command, the batch file runs "attrib +S +H spools" (i.e. C:\WINNT\system32\Setup\spools) and "attrib +S +H svchost." These commands set both the system bit and the hidden bit on the directories, causing Windows to hide them unless the bits are cleared or someone checks "show hidden files and folders" and unchecks "hide protected operating system files" under Tools -> Folder Options -> View in any Windows Explorer window.
[img[images/image002.gif]]
__Figure 1: Windows Explorer view of system compromise__
The fact that svc.bat which came from c.exe hides a directory "spools" that came from x.exe suggests that both files were created by the same person and intended to work together as a single root-kit.
The other half of this root-kit, x.exe, provides similar tools to the attacker, with some additions. "Spools," for instance, contains a number of utilities useful for attacking other machines, such as wget, netcat, fport, and fscan. None of these are called directly by the services that are set up, which suggests the attacker wants the ability to attack other machines from this one. While it is possible the attacker just wanted certain tools around for setting things up, the deletion of the archives (presumably to save space) combined with the small amount of warez stored on the machine argues against this: our attacker seems interested in saving space so as not to show up in a cursory disk usage check. Given this evidence, the sophistication of the attack, and the number of compromised machines found (some 25 on Georgia Tech's campus alone, including the attacking host), it seems likely that the attacking host was being used as a relay and that its owner is not our attacker.
The third directory created by our attacker contains more interesting tools, including one (kill.exe) that is very useful in purging the system of this root-kit. The first file of importance is thug.bat. This is where the "Virtual Guide Numbering" service is created and bound to "service\lsass.exe" (which gives us a total of 4 processes named lsass running) and "services\winampa.exe" (winampa.exe being the name of the popular media player Winamp's background executable). This gives us two more processes that are attached to services and cannot be killed from the Task Manager. The batch file then hides the "C:\WINNT\system32\service" directory in the same manner as the other two and removes x.exe.
At some point in running these various programs, one of them creates a number of registry keys. This is the root-kit's signature and can be found on any machine infected by an unaltered version. The keys are placed in ~HKEY_USERS-->S-1-5-21-79052478-1383384898-1202660629-1107(this number may be unique to each install) -->Software-->Microsoft-->Internet Explorer-->Explorer Bars-->{~C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}(again possibly unique to each install)-->~FilesNamedMRU. Each one registers the name of a file the attacker installed but not its full path. Currently, it seems logical to conclude that the programs themselves both set and read these keys, thus executing all of the files listed if any one of them is started.
[img[images/image004.gif]]
__Figure 2: registry entry of compromised system__
This root-kit does not appear to cause any actual damage to the attacked system (in fact it patches the system against future attacks on port 135), but instead sets the machine up as a warez server via IRC. The bot installed connects to irc.efnet.com and joins the channel #~XiSO, where it broadcasts repeatedly the files it has available for download from the svchost\service directory.
Fortunately, removing this root-kit is not especially difficult after it is understood. To remove it, simply do the following:
#Using the Administrative Tools, stop the infected services and set them to manual start. (Be careful if you decide to disable them instead: disabling the wrong service can cause headaches when the system restarts.)
#Open the C:\WINNT\system32\Setup\svchost\x.pid file to find the process id (PID) of the IRC daemon.
#Using the kill.exe found in either "service" or "spools," kill that PID with C:\kill.exe <pid>. This stops the IRC daemon, and your logs will no longer be flooded with IRC data. You may also safely kill all ~WinMngr.EXE, winampa.exe and cmd.exe processes. You may kill the lsass and svchost processes, but the legitimate instances need to be running and may or may not restart properly if killed.
#Delete, or move, the directories the attacker created:
##C:\WINNT\system32\Setup\spools
##C:\WINNT\system32\Setup\service
##C:\WINNT\system32\Setup\svchost
#Using regedit, remove all the keys placed by the attacker.
#On first boot after cleanup, confirm that only one copy of lsass.exe is running, that the registry keys are gone, and that none of the rogue services have started. This is your indication that the machine is clean.
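An added example, not part of the original report, that turns the indicators above into a check: it parses a tasklist /svc style process listing and flags more than one lsass.exe, services hosted by an lsass.exe that are not in an assumed Windows 2000 baseline, and the kit's own image names. The listing and the baseline are constructed assumptions; build the baseline from a known-clean machine of the same build before relying on it:

```python
import re

# Services the legitimate Windows 2000 lsass.exe hosts.  An assumed allow-list for
# illustration only; derive the real one from a known-clean machine of the same build.
LSASS_BASELINE = {"Netlogon", "PolicyAgent", "ProtectedStorage", "SamSs"}

# Image names this kit drops, taken from the report above.
KIT_IMAGES = {"winmngr.exe", "winampa.exe"}

ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_tasklist(text):
    """Parse 'tasklist /svc'-style rows into (image, pid, [services]) tuples.
    Continuation rows that real output wraps onto extra lines are not handled."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or line.startswith("Image Name") or line.startswith("="):
            continue
        svc = m["services"].strip()
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",") if s.strip()]
        rows.append((m["image"].strip(), int(m["pid"]), services))
    return rows


def audit(rows):
    """Return the indicators the report describes: duplicate lsass.exe instances,
    services hosted by an lsass.exe outside the baseline, and known kit images."""
    lsass = [r for r in rows if r[0].lower() == "lsass.exe"]
    rogue_services = {}
    for _image, pid, services in lsass:
        extra = sorted(set(services) - LSASS_BASELINE)
        if extra:
            rogue_services[pid] = extra
    kit = sorted({r[0] for r in rows if r[0].lower() in KIT_IMAGES})
    return {"lsass_count": len(lsass),
            "rogue_lsass_services": rogue_services,
            "kit_images": kit}


# Constructed sample in the shape of 'tasklist /svc' output, not a real capture.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
lsass.exe                      240 Netlogon, PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    444 RpcSs
lsass.exe                     1180 Remote Registry Backup
lsass.exe                     1196 Microsoft Networks
lsass.exe                     1240 Virtual Guide Numbering
WinMngr.EXE                   1268 N/A
winampa.exe                   1300 N/A
"""
```

The service-name check is the durable one: the kit's image names are trivially renamed, but a service whose host process claims to be lsass.exe while carrying a name the platform never ships will stand out on any machine, which is also why the first item in the cleanup list above is stopping the services rather than killing processes.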
In conclusion, this root-kit displays a fair amount of skill and is not the work of a "script-kiddie." Analysis of the techniques and tools involved suggests an experienced, though not necessarily highly skilled, person conducted the attack. The root-kit itself suggests that the machine attacking our Honeynet was a relay. The attack tools present in the kit suggest its intended use is not just to run an IRC bot but also to allow remote control of, and further attacks from, a compromised box. The techniques used by the attacker make it difficult, though not impossible, to find his or her files. Once located and understood, the root-kit is easily removed. However, the complexity of the kit and its potential to reinsert parts of itself make it difficult to deal with until it is understood. Had the attacker removed kill.exe, not used x.pid, and used executables instead of batch files, the root-kit would have been very difficult to remove indeed. In short, this was a basic attack, based on someone else's work, that used good tools which could be improved to be very difficult to remove.
!Attack of September 13-14, 2004
On September 13th and 14th, 2004, two Microsoft Windows 2000 machines on the Georgia Tech ~HoneyNet were compromised by an attacker. The attack originated from a computer on the Georgia Tech network.
On 13 September, the attacker's machine installed a worm using DCERPC ~LSA_DS and Websphere MQ on the first honeypot . Immediately following the closure of this connection, the honeypot started making DNS calls for tx.sytes.net which successfully resolved to an IP address. The honeypot then regularly attempted to establish a connection to this IP address. Most of the time, there was no response; occasionally there was a reset. About 4 hours later, a connection was established and the honeypot began operating as an IRC bot. We disconnected this honeypot from the network and have since replaced it.
On 14 September, Georgia Tech experienced a series of power surges. Following the final power surge, a second honeypot came on-line, and the first attempted connection resulted in a compromise. The attacker used an LSASS vulnerability to infect the honeypot. As soon as the connection was closed, the honeypot began attempting to connect to the same IP address as in the 13 September compromise. Within an hour the honeypot established a connection to this machine and immediately began operating as an IRC bot, sending SYN packets to port 445 across a /16 subnet within the Georgia Tech campus. This machine was also disconnected and has been replaced.
!__1.0 Honeynet Deployments__
We are running a GEN II Honeynet with a variety of ~OSs of interest. We continue to use live ~OSs instead of ~VMware or ~HoneyD. Our web page with a diagram of our current setup is located at: http://users.ece.gatech.edu/~owen/Research/HoneyNet/HoneyNet_home.htm. We have recently deployed a Darknet within our Honeynet.
Our focus continues to be the use of the Honeynet to help secure the campus network.
!__2.0 Findings__
We had one Microsoft 2000 system compromised during the quarter. (The compromise report is located at: http://users.ece.gatech.edu/~owen/Research/HoneyNet/Quarterly/quarterly.htm.) We also found 43 unique machines on the Georgia Tech campus that were compromised (and attempted to connect to the Honeynet).
We currently use snort and ethereal to monitor our data; multiple members of our team analyze the data using various filters.
!__3.0 Misc. Activities__
John Levine presented "Honeynets at Educational Institutions" at the Baltimore Department of Defense Conference.
!__4.0 Organizational__
LTC John Levine, ~PhD has completed his ~PhD and is moving to West Point, NY to teach at the United States Military Academy. He is replaced as the project lead by Julian Grizzard.
!__5.0 Lessons Learned__
We have found the Honeynet to be a great tool for helping to secure the campus network. Since all traffic to the Honeynet is suspicious, any packet to the Honeynet originating from within the Georgia Tech address range is from a compromised computer, a malicious user, or the campus IDS. We send reports of all computers attempting to connect to the Honeynet to the campus network managers (OIT); they can then take action to keep the network secure by correlating our data with their IDS tools in order to reduce false positives.
!__6.0 Goals__
We plan to develop a toolkit to streamline the data analysis process during the summer semester. We also have a member working on the development of a visualization monitor.
!__Publications__
*S. Krasser, G. Conti, J. Grizzard, J. Gribschaw, and H. Owen, "Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization," in Proc. of sixth IEEE Systems, Man and Cybernetics Information Assurance Workshop, June 2005, pp. 42-49.
!__Publications__
!!Journal Publications
*J. Levine, J. Grizzard, and H. Owen, "Detecting and Categorizing Kernel-Level Rootkits to Aid Future Detection," in IEEE Security & Privacy, January/February 2006, pp. 24-32, vol. 4, no. 1. (featured article)
*D. Barlow, V. Vassiliou, S. Krasser, H. Owen, J. Grimminger, H.-P. Huth, and J. Sokol, "Traffic engineering based on local states in Internet protocol-based radio access networks," accepted IEEE Journal of Communications and Networks.
*J. Levine, J. Grizzard, and H. Owen, "Using honeynets to protect large enterprise networks," in IEEE Security & Privacy, November/December 2004, pp. 73-75, vol. 2, no. 6.
*S. Krasser, J. Grizzard, H. Owen, and J. Levine, "The use of honeynets to increase computer network security and user awareness," in Journal of Security Education, pp. 23-37, vol. 1, no. 2/3.
!!Conference Publications
* J. Grizzard and H. Owen, "On a µ-kernel Based System Architecture Enabling Recovery from Rootkits", accepted First IEEE International Workshop on Critical Infrastructure Protection, 2005.
* J. Grizzard, C. Simpson, Jr., S. Krasser, H. Owen, and G. Riley, "Flow Based Observations from NETI@home and Honeynet Data," in Proc. of sixth IEEE Systems, Man and Cybernetics Information Assurance Workshop, June 2005, pp. 244-251.
* S. Krasser, G. Conti, J. Grizzard, J. Gribschaw, and H. Owen, "Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization," in Proc. of sixth IEEE Systems, Man and Cybernetics Information Assurance Workshop, June 2005, pp. 42-49.
* J. Grizzard, J. Levine, and H. Owen, "Re-establishing trust in compromised systems: Recovering from rootkits that trojan the system call table," in Proc. 9th European Symposium on Research in Computer Security, September 2004, pp. 369-384.
* D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levine, and H. Owen, "Honeystat: local worm detection using honeypots," in 7th International Symposium on Recent Advances in Intrusion Detection, Sophia Antipolis, France, September 2004.
* J. Grizzard, S. Krasser, H. Owen, G. Conti, and E. Dodson, "Towards an approach for automatically repairing compromised network systems," in Proc. 3rd IEEE International Symposium on Network Computing and Applications, Cambridge, Massachusetts, USA, pp. 389-392, August 2004.
* J. Grizzard, E. Dodson, G. Conti, J. Levine, and H. Owen, "Towards a trusted immutable kernel extension (TIKE) for self-healing systems: a virtual machine approach," in Proc. 5th IEEE Information Assurance Workshop, June 2004, pp. 444-446.
* J. Levine, J. Grizzard, and H. Owen, "A methodology to detect and characterize kernel level rootkit exploits involving redirection of the system call table," in Proc. of Second IEEE International Information Assurance Workshop, April 2004, pp. 107-125.
* T. Jackson, J. Levine, J. Grizzard, and H. Owen, "An investigation of a compromised host on a honeynet being used to increase the security of a large enterprise network," in Proc. 5th IEEE Information Assurance Workshop, March 2004, pp. 9-14.
* J. Levine, J. Grizzard, and H. Owen, "Application of a methodology to characterize rootkits retrieved from honeynets," in Proc. 5th IEEE Information Assurance Workshop, March 2004, pp. 15-21.
!__Research__
!Honeypot Forensics
Existing forensic toolkits were developed to work on production systems. As honeypots do not have the same restrictions as these systems, there must exist a framework that exploits the special characteristics of honeypots. The purpose of this research is to take advantage of the unique honeypot environment for the creation of a richer set of forensic data and development of this framework.
!__Publications__
*Ying Xia, Kevin Fairbanks, Henry Owen. "<html><a href="papers/Xia_Fairbanks_ACM_SIGOPS_SpIss_2008.pdf">A Program Behavior Matching Architecture for Probabilistic File System Forensics.</a>" accepted <i>ACM SIGOPS Operating Systems Review special issue on Computer Forensics.</i></html>
* Kevin D. Fairbanks, Christopher P. Lee, Ying H. Xia, Henry L. Owen III. “<html><a href ="papers/Fairbanks_IAW07.pdf">TimeKeeper: A Metadata Archiving Method for Honeypot Forensics.</a></html>” 8th Annual IEEE SMC Information Assurance Workshop. West Point, NY. 20-22 June 2007
* Xia, Y., Fairbanks, K., Owen, H. "<html><a href = "papers/blackbox.pdf">Establishing trust in black-box programs.</a>" SoutheastCon, </html>2007. IEEE, Vol., Iss., March 2007, pp. 462-465.
Note: all paths below are relative to l4linux-2.4/
*documentation/~DocBook/kernel-hacking.tmpl:
**asmlinkage int sys_mycall(int arg)
*arch/l4/kernel/ioport.c:
**asmlinkage int sys_ioperm(unsigned long from, unsigned long num, int turn_on)
**asmlinkage int sys_iopl(unsigned long unused)
*arch/l4/kernel/process.c:
**asmlinkage int sys_fork(void)
**asmlinkage int sys_clone(unsigned long clone_flags, unsigned long newsp)
**asmlinkage int sys_vfork(void)
**asmlinkage int sys_execve(char *name, char **argv, char **envp)
*arch/l4/kernel/ptrace.c:
**asmlinkage int sys_ptrace(long request, long pid, long addr, long data)
*arch/l4/kernel/signal.c:
**asmlinkage int sys_sigreturn(void)
**asmlinkage int sys_rt_sigreturn(void)
**asmlinkage int sys_rt_sigsuspend(sigset_t *unewset, size_t sigsetsize)
**asmlinkage int sys_sigsuspend(int history0, int history1, old_sigset_t mask)
**asmlinkage int sys_sigaction(int sig, const struct old_sigaction *act, struct old_sigaction *oact)
**asmlinkage int sys_sigaltstack(const stack_t *uss, stack_t *uoss)
*arch/l4/kernel/unimpl.c:
**asmlinkage int sys_vm86(void)
**asmlinkage int sys_vm86old(void)
**asmlinkage int sys_modify_ldt(void)
*arch/l4/kernel/sys_i386.c:
**asmlinkage int sys_pipe(unsigned long * fildes)
**asmlinkage long sys_mmap2(unsigned long addr, unsigned long len, unsigned long prot, unsigned long flags, unsigned long fd, unsigned long pgoff)
**asmlinkage int old_mmap(struct mmap_arg_struct *arg)
**extern asmlinkage int sys_select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
**asmlinkage int old_select(struct sel_arg_struct *arg)
**asmlinkage int sys_ipc (uint call, int first, int second, int third, void *ptr, long fifth)
**asmlinkage int sys_uname(struct old_utsname * name)
**asmlinkage int sys_olduname(struct oldold_utsname * name)
**asmlinkage int sys_pause(void)
*drivers/char/vt.c:
**asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int on);
*fs/buffer.c:
**asmlinkage long sys_sync(void)
**asmlinkage long sys_fsync(unsigned int fd)
**asmlinkage long sys_fdatasync(unsigned int fd)
**asmlinkage long sys_bdflush(int func, long data)
*fs/dcache.c:
**asmlinkage long sys_getcwd(char *buf, unsigned long size)
*fs/exec.c:
**asmlinkage long sys_uselib(const char * library)
*fs/fcntl.c:
**asmlinkage long sys_dup2(unsigned int oldfd, unsigned int newfd)
**asmlinkage long sys_dup(unsigned int fildes)
**asmlinkage long sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
**asmlinkage long sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
*fs/filesystems.c:
**asmlinkage sys_nfsservctl(int cmd, void *argp, void *resp)
*fs/ioctl.c:
**asmlinkage long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
*fs/locks.c:
**asmlinkage long sys_flock(unsigned int fd, unsigned int cmd)
*fs/namei.c:
**asmlinkage long sys_mknod(const char * filename, int mode, dev_t dev)
**asmlinkage long sys_mkdir(const char * pathname, int mode)
**asmlinkage long sys_rmdir(const char * pathname)
**asmlinkage long sys_unlink(const char * pathname)
**asmlinkage long sys_symlink(const char * oldname, const char * newname)
**asmlinkage long sys_link(const char * oldname, const char * newname)
**asmlinkage long sys_rename(const char * oldname, const char * newname)
*fs/namespace.c:
**asmlinkage long sys_umount(char * name, int flags)
**asmlinkage long sys_oldumount(char * name)
**asmlinkage long sys_mount(char * dev_name, char * dir_name, char * type, unsigned long flags, void * data)
**asmlinkage long sys_pivot_root(const char *new_root, const char *put_old)
*fs/open.c:
**asmlinkage long sys_statfs(const char * path, struct statfs * buf)
**asmlinkage long sys_fstatfs(unsigned int fd, struct statfs * buf)
**asmlinkage long sys_truncate(const char * path, unsigned long length)
**asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length)
**asmlinkage long sys_truncate64(const char * path, loff_t length)
**asmlinkage long sys_ftruncate64(unsigned int fd, loff_t length)
**asmlinkage long sys_utime(char * filename, struct utimbuf * times)
**asmlinkage long sys_access(const char * filename, int mode)
**asmlinkage long sys_chdir(const char * filename)
**asmlinkage long sys_fchdir(unsigned int fd)
**asmlinkage long sys_chroot(const char * filename)
**asmlinkage long sys_fchmod(unsigned int fd, mode_t mode)
**asmlinkage long sys_chmod(const char * filename, mode_t mode)
**asmlinkage long sys_chown(const char * filename, uid_t user, gid_t group)
**asmlinkage long sys_lchown(const char * filename, uid_t user, gid_t group)
**asmlinkage long sys_fchown(unsigned int fd, uid_t user, gid_t group)
**asmlinkage long sys_open(const char * filename, int flags, int mode)
**asmlinkage long sys_creat(const char * pathname, int mode)
**asmlinkage long sys_close(unsigned int fd)
**asmlinkage long sys_vhangup(void)
*fs/quota.c:
**asmlinkage long sys_quotactl(unsigned int cmd, const char *special, qid_t id, caddr_t addr)
*fs/read_write.c:
**asmlinkage off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
**asmlinkage long sys_llseek(unsigned int fd, unsigned long offset_high,
**asmlinkage ssize_t sys_read(unsigned int fd, char * buf, size_t count)
**asmlinkage ssize_t sys_write(unsigned int fd, const char * buf, size_t count)
**asmlinkage ssize_t sys_readv(unsigned long fd, const struct iovec * vector, unsigned long count)
**asmlinkage ssize_t sys_writev(unsigned long fd, const struct iovec * vector, unsigned long count)
**asmlinkage ssize_t sys_pread(unsigned int fd, char * buf, size_t count, loff_t pos)
**asmlinkage ssize_t sys_pwrite(unsigned int fd, const char * buf, size_t count, loff_t pos)
*fs/readdir.c:
**asmlinkage int old_readdir(unsigned int fd, void * dirent, unsigned int count)
**asmlinkage long sys_getdents(unsigned int fd, void * dirent, unsigned int count)
**asmlinkage long sys_getdents64(unsigned int fd, void * dirent, unsigned int count)
*fs/select.c:
**asmlinkage long sys_poll(struct pollfd * ufds, unsigned int nfds, long timeout)
*fs/stat.c:
**asmlinkage long sys_stat(char * filename, struct _old_kernel_stat * statbuf)
**asmlinkage long sys_newstat(char * filename, struct stat * statbuf)
**asmlinkage long sys_lstat(char * filename, struct _old_kernel_stat * statbuf)
**asmlinkage long sys_newlstat(char * filename, struct stat * statbuf)
**asmlinkage long sys_fstat(unsigned int fd, struct _old_kernel_stat * statbuf)
**asmlinkage long sys_newfstat(unsigned int fd, struct stat * statbuf)
**asmlinkage long sys_readlink(const char * path, char * buf, int bufsiz)
**asmlinkage long sys_stat64(char * filename, struct stat64 * statbuf, long flags)
**asmlinkage long sys_lstat64(char * filename, struct stat64 * statbuf, long flags)
**asmlinkage long sys_fstat64(unsigned long fd, struct stat64 * statbuf, long flags)
*fs/super.c:
**asmlinkage long sys_sysfs(int option, unsigned long arg1, unsigned long arg2)
**asmlinkage long sys_ustat(dev_t dev, struct ustat * ubuf)
*init/do_mounts.c:
**extern asmlinkage long sys_mount(char *dev_name, char *dir_name, char *type, unsigned long flags, void *data);
**extern asmlinkage long sys_mkdir(const char *name, int mode);
**extern asmlinkage long sys_chdir(const char *name);
**extern asmlinkage long sys_fchdir(int fd);
**extern asmlinkage long sys_chroot(const char *name);
**extern asmlinkage long sys_unlink(const char *name);
**extern asmlinkage long sys_symlink(const char *old, const char *new);
**extern asmlinkage long sys_mknod(const char *name, int mode, dev_t dev);
**extern asmlinkage long sys_umount(char *name, int flags);
**extern asmlinkage long sys_ioctl(int fd, int cmd, unsigned long arg);
*kernel/acct.c:
**asmlinkage long sys_acct(const char * filename)
*kernel/capability.c:
**asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
**asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data)
*kernel/exit.c:
**asmlinkage long sys_exit(int error_code)
**asmlinkage long sys_wait4(pid_t pid,unsigned int * stat_addr, int options, struct rusage * ru)
**asmlinkage long sys_waitpid(pid_t pid,unsigned int * stat_addr, int options)
*kernel/info.c:
**asmlinkage long sys_sysinfo(struct sysinfo *info)
*kernel/itimer.c:
**asmlinkage long sys_getitimer(int which, struct itimerval *value)
**asmlinkage long sys_setitimer(int which, struct itimerval *value, struct itimerval *ovalue)
*kernel/panic.c:
**asmlinkage void sys_sync(void); /* it's really int */
*kernel/printk.c:
**asmlinkage long sys_syslog(int type, char * buf, int len)
*kernel/sched.c:
**asmlinkage long sys_nice(int increment)
**asmlinkage long sys_sched_setscheduler(pid_t pid, int policy, struct sched_param *param)
**asmlinkage long sys_sched_setparam(pid_t pid, struct sched_param *param)
**asmlinkage long sys_sched_getscheduler(pid_t pid)
**asmlinkage long sys_sched_getparam(pid_t pid, struct sched_param *param)
**asmlinkage long sys_sched_yield(void)
**asmlinkage long sys_sched_get_priority_max(int policy)
**asmlinkage long sys_sched_get_priority_min(int policy)
**asmlinkage long sys_sched_rr_get_interval(pid_t pid, struct timespec *interval)
*kernel/sys.c:
**asmlinkage long sys_ni_syscall(void)
**asmlinkage long sys_setpriority(int which, int who, int niceval)
**asmlinkage long sys_getpriority(int which, int who)
**asmlinkage long sys_reboot(int magic1, int magic2, unsigned int cmd, void * arg)
**asmlinkage long sys_setregid(gid_t rgid, gid_t egid)
**asmlinkage long sys_setgid(gid_t gid)
**asmlinkage long sys_setreuid(uid_t ruid, uid_t euid)
**asmlinkage long sys_setuid(uid_t uid)
**asmlinkage long sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
**asmlinkage long sys_getresuid(uid_t *ruid, uid_t *euid, uid_t *suid)
**asmlinkage long sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
**asmlinkage long sys_getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid)
**asmlinkage long sys_setfsuid(uid_t uid)
**asmlinkage long sys_setfsgid(gid_t gid)
**asmlinkage long sys_setpgid(pid_t pid, pid_t pgid)
**asmlinkage long sys_getpgid(pid_t pid)
**asmlinkage long sys_getpgrp(void)
**asmlinkage long sys_getsid(pid_t pid)
**asmlinkage long sys_setsid(void)
**asmlinkage long sys_getgroups(int gidsetsize, gid_t *grouplist)
**asmlinkage long sys_setgroups(int gidsetsize, gid_t *grouplist)
**asmlinkage long sys_newuname(struct new_utsname * name)
**asmlinkage long sys_sethostname(char *name, int len)
**asmlinkage long sys_gethostname(char *name, int len)
**asmlinkage long sys_setdomainname(char *name, int len)
**asmlinkage long sys_getrlimit(unsigned int resource, struct rlimit *rlim)
**asmlinkage long sys_old_getrlimit(unsigned int resource, struct rlimit *rlim)
**asmlinkage long sys_setrlimit(unsigned int resource, struct rlimit *rlim)
**asmlinkage long sys_getrusage(int who, struct rusage *ru)
**asmlinkage long sys_umask(int mask)
**asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5)
*kernel/sysctl.c:
**extern asmlinkage long sys_sysctl(struct _sysctl_args *args)
*kernel/time.c:
**asmlinkage long sys_time(int * tloc)
**asmlinkage long sys_stime(int * tptr)
**asmlinkage long sys_gettimeofday(struct timeval *tv, struct timezone *tz)
**asmlinkage long sys_settimeofday(struct timeval *tv, struct timezone *tz)
**asmlinkage long sys_adjtimex(struct timex *txc_p)
*kernel/timer.c:
**asmlinkage unsigned long sys_alarm(unsigned int seconds)
**asmlinkage long sys_getpid(void)
**asmlinkage long sys_getppid(void)
**asmlinkage long sys_getuid(void)
**asmlinkage long sys_geteuid(void)
**asmlinkage long sys_getgid(void)
**asmlinkage long sys_getegid(void)
**asmlinkage long sys_gettid(void)
**asmlinkage long sys_nanosleep(struct timespec *rqtp, struct timespec *rmtp)
*kernel/uid16.c:
**extern asmlinkage long sys_chown(const char *, uid_t,gid_t);
**extern asmlinkage long sys_lchown(const char *, uid_t,gid_t);
**extern asmlinkage long sys_fchown(unsigned int, uid_t,gid_t);
**extern asmlinkage long sys_setregid(gid_t, gid_t);
**extern asmlinkage long sys_setgid(gid_t);
**extern asmlinkage long sys_setreuid(uid_t, uid_t);
**extern asmlinkage long sys_setuid(uid_t);
**extern asmlinkage long sys_setresuid(uid_t, uid_t, uid_t);
**extern asmlinkage long sys_setresgid(gid_t, gid_t, gid_t);
**extern asmlinkage long sys_setfsuid(uid_t);
**extern asmlinkage long sys_setfsgid(gid_t);
**asmlinkage long sys_chown16(const char * filename, old_uid_t user, old_gid_t group)
**asmlinkage long sys_lchown16(const char * filename, old_uid_t user, old_gid_t group)
**asmlinkage long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
**asmlinkage long sys_setregid16(old_gid_t rgid, old_gid_t egid)
**asmlinkage long sys_setgid16(old_gid_t gid)
**asmlinkage long sys_setreuid16(old_uid_t ruid, old_uid_t euid)
**asmlinkage long sys_setuid16(old_uid_t uid)
**asmlinkage long sys_setresuid16(old_uid_t ruid, old_uid_t euid, old_uid_t suid)
**asmlinkage long sys_getresuid16(old_uid_t *ruid, old_uid_t *euid, old_uid_t *suid)
**asmlinkage long sys_setresgid16(old_gid_t rgid, old_gid_t egid, old_gid_t sgid)
**asmlinkage long sys_getresgid16(old_gid_t *rgid, old_gid_t *egid, old_gid_t *sgid)
**asmlinkage long sys_setfsuid16(old_uid_t uid)
**asmlinkage long sys_setfsgid16(old_gid_t gid)
**asmlinkage long sys_getgroups16(int gidsetsize, old_gid_t *grouplist)
**asmlinkage long sys_setgroups16(int gidsetsize, old_gid_t *grouplist)
**asmlinkage long sys_getuid16(void)
**asmlinkage long sys_geteuid16(void)
**asmlinkage long sys_getgid16(void)
**asmlinkage long sys_getegid16(void)
*mm/filemap.c:
**asmlinkage ssize_t sys_sendfile(int out_fd, int in_fd, off_t *offset, size_t count)
**asmlinkage ssize_t sys_sendfile64(int out_fd, int in_fd, loff_t *offset, size_t count)
**asmlinkage ssize_t sys_readahead(int fd, loff_t offset, size_t count)
**asmlinkage long sys_msync(unsigned long start, size_t len, int flags)
**asmlinkage long sys_madvise(unsigned long start, size_t len, int behavior)
**asmlinkage long sys_mincore(unsigned long start, size_t len, unsigned char * vec)
*mm/mlock.c:
**asmlinkage long sys_mlock(unsigned long start, size_t len)
**asmlinkage long sys_munlock(unsigned long start, size_t len)
**asmlinkage long sys_mlockall(int flags)
**asmlinkage long sys_munlockall(void)
*mm/mmap.c:
**asmlinkage unsigned long sys_brk(unsigned long brk)
**asmlinkage long sys_munmap(unsigned long addr, size_t len)
*mm/mprotect.c:
**asmlinkage long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
*mm/mremap.c:
**asmlinkage unsigned long sys_mremap(unsigned long addr, unsigned long old_len, unsigned long new_len, unsigned long flags, unsigned long new_addr)
*mm/swapfile.c:
**asmlinkage long sys_swapoff(const char * specialfile)
**asmlinkage long sys_swapon(const char * specialfile, int swap_flags)
*net/socket.c:
**asmlinkage long sys_socketcall(int call, unsigned long *args)
*kernel/signal.c:
**asmlinkage long sys_ssetmask(int newmask)
**asmlinkage long sys_sgetmask(void)
**asmlinkage unsigned long sys_signal(int sig, _sighandler_t handler)
**asmlinkage long sys_kill(int pid, int sig)
**asmlinkage long sys_tkill(int pid, int sig)
**asmlinkage long sys_sigpending(old_sigset_t *set)
**asmlinkage long sys_sigprocmask(int how, old_sigset_t *set, old_sigset_t *oset)
**asmlinkage long sys_rt_sigprocmask(int how, sigset_t *set, sigset_t *oset, size_t sigsetsize)
**asmlinkage long sys_rt_sigpending(sigset_t *set, size_t sigsetsize)
**asmlinkage long sys_rt_sigtimedwait(const sigset_t *uthese, siginfo_t *uinfo, const struct timespec *uts, size_t sigsetsize)
**asmlinkage long sys_rt_sigqueueinfo(int pid, int sig, siginfo_t *uinfo)
**asmlinkage long sys_rt_sigaction(int sig, const struct sigaction *act, struct sigaction *oact, size_t sigsetsize)
*kernel/module.c:
**asmlinkage long sys_get_kernel_syms(struct kernel_sym *table)
**asmlinkage long sys_init_module(const char *name_user, struct module *mod_user)
**asmlinkage unsigned long sys_create_module(const char *name_user, size_t size)
**asmlinkage long sys_delete_module(const char *name_user)
**asmlinkage long sys_query_module(const char *name_user, int which, char *buf, size_t bufsize, size_t *ret)
*kernel/exec_domain.c:
**asmlinkage long sys_personality(u_long personality)
*fs/xattr.c:
**asmlinkage long sys_setxattr(char *path, char *name, void *value, size_t size, int flags)
**asmlinkage long sys_lsetxattr(char *path, char *name, void *value, size_t size, int flags)
**asmlinkage long sys_fsetxattr(int fd, char *name, void *value, size_t size, int flags)
**asmlinkage ssize_t sys_getxattr(char *path, char *name, void *value, size_t size)
**asmlinkage ssize_t sys_lgetxattr(char *path, char *name, void *value, size_t size)
**asmlinkage ssize_t sys_fgetxattr(int fd, char *name, void *value, size_t size)
**asmlinkage ssize_t sys_listxattr(char *path, char *list, size_t size)
**asmlinkage ssize_t sys_llistxattr(char *path, char *list, size_t size)
**asmlinkage ssize_t sys_flistxattr(int fd, char *list, size_t size)
**asmlinkage long sys_removexattr(char *path, char *name)
**asmlinkage long sys_lremovexattr(char *path, char *name)
**asmlinkage long sys_fremovexattr(int fd, char *name)
<html>
<head>
</head>
<body style="color: rgb(0, 0, 0);" alink="#ee0000"
link="#0000ee" vlink="#551a8b">
The table below lists all the system calls in the Linux 2.4.26
kernel (Gentoo-modified). The system call table entries are defined under
arch/i386/kernel.
<table align="center" border="1" cellpadding="2"
cellspacing="2" width="100%">
<tbody>
<tr>
<th>Number</th>
<th>Name</th>
<th>Description</th>
</tr>
<tr>
<td>0</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>1</td>
<td>sys_exit</td>
<td></td>
</tr>
<tr>
<td>2</td>
<td>sys_fork</td>
<td></td>
</tr>
<tr>
<td>3</td>
<td>sys_read</td>
<td></td>
</tr>
<tr>
<td>4</td>
<td>sys_write</td>
<td></td>
</tr>
<tr>
<td>5</td>
<td>sys_open</td>
<td></td>
</tr>
<tr>
<td>6</td>
<td>sys_close</td>
<td></td>
</tr>
<tr>
<td>7</td>
<td>sys_waitpid</td>
<td></td>
</tr>
<tr>
<td>8</td>
<td>sys_creat</td>
<td></td>
</tr>
<tr>
<td>9</td>
<td>sys_link</td>
<td></td>
</tr>
<tr>
<td>10</td>
<td>sys_unlink</td>
<td></td>
</tr>
<tr>
<td>11</td>
<td>sys_execve</td>
<td></td>
</tr>
<tr>
<td>12</td>
<td>sys_chdir</td>
<td></td>
</tr>
<tr>
<td>13</td>
<td>sys_time</td>
<td></td>
</tr>
<tr>
<td>14</td>
<td>sys_mknod</td>
<td></td>
</tr>
<tr>
<td>15</td>
<td>sys_chmod</td>
<td></td>
</tr>
<tr>
<td>16</td>
<td>sys_lchown16</td>
<td></td>
</tr>
<tr>
<td>17</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>18</td>
<td>sys_stat</td>
<td></td>
</tr>
<tr>
<td>19</td>
<td>sys_lseek</td>
<td></td>
</tr>
<tr>
<td>20</td>
<td>sys_getpid</td>
<td></td>
</tr>
<tr>
<td>21</td>
<td>sys_mount</td>
<td></td>
</tr>
<tr>
<td>22</td>
<td>sys_oldumount</td>
<td></td>
</tr>
<tr>
<td>23</td>
<td>sys_setuid16</td>
<td></td>
</tr>
<tr>
<td>24</td>
<td>sys_getuid16</td>
<td></td>
</tr>
<tr>
<td>25</td>
<td>sys_stime</td>
<td></td>
</tr>
<tr>
<td>26</td>
<td>sys_ptrace</td>
<td></td>
</tr>
<tr>
<td>27</td>
<td>sys_alarm</td>
<td></td>
</tr>
<tr>
<td>28</td>
<td>sys_fstat</td>
<td></td>
</tr>
<tr>
<td>29</td>
<td>sys_pause</td>
<td></td>
</tr>
<tr>
<td>30</td>
<td>sys_utime</td>
<td></td>
</tr>
<tr>
<td>31</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>32</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>33</td>
<td>sys_access</td>
<td></td>
</tr>
<tr>
<td>34</td>
<td>sys_nice</td>
<td></td>
</tr>
<tr>
<td>35</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>36</td>
<td>sys_sync</td>
<td></td>
</tr>
<tr>
<td>37</td>
<td>sys_kill</td>
<td></td>
</tr>
<tr>
<td>38</td>
<td>sys_rename</td>
<td></td>
</tr>
<tr>
<td>39</td>
<td>sys_mkdir</td>
<td></td>
</tr>
<tr>
<td>40</td>
<td>sys_rmdir</td>
<td></td>
</tr>
<tr>
<td>41</td>
<td>sys_dup</td>
<td></td>
</tr>
<tr>
<td>42</td>
<td>sys_pipe</td>
<td></td>
</tr>
<tr>
<td>43</td>
<td>sys_times</td>
<td></td>
</tr>
<tr>
<td>44</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>45</td>
<td>sys_brk</td>
<td></td>
</tr>
<tr>
<td>46</td>
<td>sys_setgid16</td>
<td></td>
</tr>
<tr>
<td>47</td>
<td>sys_getgid16</td>
<td></td>
</tr>
<tr>
<td>48</td>
<td>sys_signal</td>
<td></td>
</tr>
<tr>
<td>49</td>
<td>sys_geteuid16</td>
<td></td>
</tr>
<tr>
<td>50</td>
<td>sys_getegid16</td>
<td></td>
</tr>
<tr>
<td>51</td>
<td>sys_acct</td>
<td></td>
</tr>
<tr>
<td>52</td>
<td>sys_umount</td>
<td></td>
</tr>
<tr>
<td>53</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>54</td>
<td>sys_ioctl</td>
<td></td>
</tr>
<tr>
<td>55</td>
<td>sys_fcntl</td>
<td></td>
</tr>
<tr>
<td>56</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>57</td>
<td>sys_setpgid</td>
<td></td>
</tr>
<tr>
<td>58</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>59</td>
<td>sys_olduname</td>
<td></td>
</tr>
<tr>
<td>60</td>
<td>sys_umask</td>
<td></td>
</tr>
<tr>
<td>61</td>
<td>sys_chroot</td>
<td></td>
</tr>
<tr>
<td>62</td>
<td>sys_ustat</td>
<td></td>
</tr>
<tr>
<td>63</td>
<td>sys_dup2</td>
<td></td>
</tr>
<tr>
<td>64</td>
<td>sys_getppid</td>
<td></td>
</tr>
<tr>
<td>65</td>
<td>sys_getpgrp</td>
<td></td>
</tr>
<tr>
<td>66</td>
<td>sys_setsid</td>
<td></td>
</tr>
<tr>
<td>67</td>
<td>sys_sigaction</td>
<td></td>
</tr>
<tr>
<td>68</td>
<td>sys_sgetmask</td>
<td></td>
</tr>
<tr>
<td>69</td>
<td>sys_ssetmask</td>
<td></td>
</tr>
<tr>
<td>70</td>
<td>sys_setreuid16</td>
<td></td>
</tr>
<tr>
<td>71</td>
<td>sys_setregid16</td>
<td></td>
</tr>
<tr>
<td>72</td>
<td>sys_sigsuspend</td>
<td></td>
</tr>
<tr>
<td>73</td>
<td>sys_sigpending</td>
<td></td>
</tr>
<tr>
<td>74</td>
<td>sys_sethostname</td>
<td></td>
</tr>
<tr>
<td>75</td>
<td>sys_setrlimit</td>
<td></td>
</tr>
<tr>
<td>76</td>
<td>sys_old_getrlimit</td>
<td></td>
</tr>
<tr>
<td>77</td>
<td>sys_getrusage</td>
<td></td>
</tr>
<tr>
<td>78</td>
<td>sys_gettimeofday</td>
<td></td>
</tr>
<tr>
<td>79</td>
<td>sys_settimeofday</td>
<td></td>
</tr>
<tr>
<td>80</td>
<td>sys_getgroups16</td>
<td></td>
</tr>
<tr>
<td>81</td>
<td>sys_setgroups16</td>
<td></td>
</tr>
<tr>
<td>82</td>
<td>old_select</td>
<td></td>
</tr>
<tr>
<td>83</td>
<td>sys_symlink</td>
<td></td>
</tr>
<tr>
<td>84</td>
<td>sys_lstat</td>
<td></td>
</tr>
<tr>
<td>85</td>
<td>sys_readlink</td>
<td></td>
</tr>
<tr>
<td>86</td>
<td>sys_uselib</td>
<td></td>
</tr>
<tr>
<td>87</td>
<td>sys_swapon</td>
<td></td>
</tr>
<tr>
<td>88</td>
<td>sys_reboot</td>
<td></td>
</tr>
<tr>
<td>89</td>
<td>old_readdir</td>
<td></td>
</tr>
<tr>
<td>90</td>
<td>old_mmap</td>
<td></td>
</tr>
<tr>
<td>91</td>
<td>sys_munmap</td>
<td></td>
</tr>
<tr>
<td>92</td>
<td>sys_truncate</td>
<td></td>
</tr>
<tr>
<td>93</td>
<td>sys_ftruncate</td>
<td></td>
</tr>
<tr>
<td>94</td>
<td>sys_fchmod</td>
<td></td>
</tr>
<tr>
<td>95</td>
<td>sys_fchown16</td>
<td></td>
</tr>
<tr>
<td>96</td>
<td>sys_getpriority</td>
<td></td>
</tr>
<tr>
<td>97</td>
<td>sys_setpriority</td>
<td></td>
</tr>
<tr>
<td>98</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>99</td>
<td>sys_statfs</td>
<td></td>
</tr>
<tr>
<td>100</td>
<td>sys_fstatfs</td>
<td></td>
</tr>
<tr>
<td>101</td>
<td>sys_ioperm</td>
<td></td>
</tr>
<tr>
<td>102</td>
<td>sys_socketcall</td>
<td></td>
</tr>
<tr>
<td>103</td>
<td>sys_syslog</td>
<td></td>
</tr>
<tr>
<td>104</td>
<td>sys_setitimer</td>
<td></td>
</tr>
<tr>
<td>105</td>
<td>sys_getitimer</td>
<td></td>
</tr>
<tr>
<td>106</td>
<td>sys_newstat</td>
<td></td>
</tr>
<tr>
<td>107</td>
<td>sys_newlstat</td>
<td></td>
</tr>
<tr>
<td>108</td>
<td>sys_newfstat</td>
<td></td>
</tr>
<tr>
<td>109</td>
<td>sys_uname</td>
<td></td>
</tr>
<tr>
<td>110</td>
<td>sys_iopl</td>
<td></td>
</tr>
<tr>
<td>111</td>
<td>sys_vhangup</td>
<td></td>
</tr>
<tr>
<td>112</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>113</td>
<td>sys_vm86old</td>
<td></td>
</tr>
<tr>
<td>114</td>
<td>sys_wait4</td>
<td></td>
</tr>
<tr>
<td>115</td>
<td>sys_swapoff</td>
<td></td>
</tr>
<tr>
<td>116</td>
<td>sys_sysinfo</td>
<td></td>
</tr>
<tr>
<td>117</td>
<td>sys_ipc</td>
<td></td>
</tr>
<tr>
<td>118</td>
<td>sys_fsync</td>
<td></td>
</tr>
<tr>
<td>119</td>
<td>sys_sigreturn</td>
<td></td>
</tr>
<tr>
<td>120</td>
<td>sys_clone</td>
<td></td>
</tr>
<tr>
<td>121</td>
<td>sys_setdomainname</td>
<td></td>
</tr>
<tr>
<td>122</td>
<td>sys_newuname</td>
<td></td>
</tr>
<tr>
<td>123</td>
<td>sys_modify_ldt</td>
<td></td>
</tr>
<tr>
<td>124</td>
<td>sys_adjtimex</td>
<td></td>
</tr>
<tr>
<td>125</td>
<td>sys_mprotect</td>
<td></td>
</tr>
<tr>
<td>126</td>
<td>sys_sigprocmask</td>
<td></td>
</tr>
<tr>
<td>127</td>
<td>sys_create_module</td>
<td></td>
</tr>
<tr>
<td>128</td>
<td>sys_init_module</td>
<td></td>
</tr>
<tr>
<td>129</td>
<td>sys_delete_module</td>
<td></td>
</tr>
<tr>
<td>130</td>
<td>sys_get_kernel_syms</td>
<td></td>
</tr>
<tr>
<td>131</td>
<td>sys_quotactl</td>
<td></td>
</tr>
<tr>
<td>132</td>
<td>sys_getpgid</td>
<td></td>
</tr>
<tr>
<td>133</td>
<td>sys_fchdir</td>
<td></td>
</tr>
<tr>
<td>134</td>
<td>sys_bdflush</td>
<td></td>
</tr>
<tr>
<td>135</td>
<td>sys_sysfs</td>
<td></td>
</tr>
<tr>
<td>136</td>
<td>sys_personality</td>
<td></td>
</tr>
<tr>
<td>137</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>138</td>
<td>sys_setfsuid16</td>
<td></td>
</tr>
<tr>
<td>139</td>
<td>sys_setfsgid16</td>
<td></td>
</tr>
<tr>
<td>140</td>
<td>sys_llseek</td>
<td></td>
</tr>
<tr>
<td>141</td>
<td>sys_getdents</td>
<td></td>
</tr>
<tr>
<td>142</td>
<td>sys_select</td>
<td></td>
</tr>
<tr>
<td>143</td>
<td>sys_flock</td>
<td></td>
</tr>
<tr>
<td>144</td>
<td>sys_msync</td>
<td></td>
</tr>
<tr>
<td>145</td>
<td>sys_readv</td>
<td></td>
</tr>
<tr>
<td>146</td>
<td>sys_writev</td>
<td></td>
</tr>
<tr>
<td>147</td>
<td>sys_getsid</td>
<td></td>
</tr>
<tr>
<td>148</td>
<td>sys_fdatasync</td>
<td></td>
</tr>
<tr>
<td>149</td>
<td>sys_sysctl</td>
<td></td>
</tr>
<tr>
<td>150</td>
<td>sys_mlock</td>
<td></td>
</tr>
<tr>
<td>151</td>
<td>sys_munlock</td>
<td></td>
</tr>
<tr>
<td>152</td>
<td>sys_mlockall</td>
<td></td>
</tr>
<tr>
<td>153</td>
<td>sys_munlockall</td>
<td></td>
</tr>
<tr>
<td>154</td>
<td>sys_sched_setparam</td>
<td></td>
</tr>
<tr>
<td>155</td>
<td>sys_sched_getparam</td>
<td></td>
</tr>
<tr>
<td>156</td>
<td>sys_sched_setscheduler</td>
<td></td>
</tr>
<tr>
<td>157</td>
<td>sys_sched_getscheduler</td>
<td></td>
</tr>
<tr>
<td>158</td>
<td>sys_sched_yield</td>
<td></td>
</tr>
<tr>
<td>159</td>
<td>sys_sched_get_priority_max</td>
<td></td>
</tr>
<tr>
<td>160</td>
<td>sys_sched_get_priority_min</td>
<td></td>
</tr>
<tr>
<td>161</td>
<td>sys_sched_rr_get_interval</td>
<td></td>
</tr>
<tr>
<td>162</td>
<td>sys_nanosleep</td>
<td></td>
</tr>
<tr>
<td>163</td>
<td>sys_mremap</td>
<td></td>
</tr>
<tr>
<td>164</td>
<td>sys_setresuid16</td>
<td></td>
</tr>
<tr>
<td>165</td>
<td>sys_getresuid16</td>
<td></td>
</tr>
<tr>
<td>166</td>
<td>sys_vm86</td>
<td></td>
</tr>
<tr>
<td>167</td>
<td>sys_query_module</td>
<td></td>
</tr>
<tr>
<td>168</td>
<td>sys_poll</td>
<td></td>
</tr>
<tr>
<td>169</td>
<td>sys_nfsservctl</td>
<td></td>
</tr>
<tr>
<td>170</td>
<td>sys_setresgid16</td>
<td></td>
</tr>
<tr>
<td>171</td>
<td>sys_getresgid16</td>
<td></td>
</tr>
<tr>
<td>172</td>
<td>sys_prctl</td>
<td></td>
</tr>
<tr>
<td>173</td>
<td>sys_rt_sigreturn</td>
<td></td>
</tr>
<tr>
<td>174</td>
<td>sys_rt_sigaction</td>
<td></td>
</tr>
<tr>
<td>175</td>
<td>sys_rt_sigprocmask</td>
<td></td>
</tr>
<tr>
<td>176</td>
<td>sys_rt_sigpending</td>
<td></td>
</tr>
<tr>
<td>177</td>
<td>sys_rt_sigtimedwait</td>
<td></td>
</tr>
<tr>
<td>178</td>
<td>sys_rt_sigqueueinfo</td>
<td></td>
</tr>
<tr>
<td>179</td>
<td>sys_rt_sigsuspend</td>
<td></td>
</tr>
<tr>
<td>180</td>
<td>sys_pread</td>
<td></td>
</tr>
<tr>
<td>181</td>
<td>sys_pwrite</td>
<td></td>
</tr>
<tr>
<td>182</td>
<td>sys_chown16</td>
<td></td>
</tr>
<tr>
<td>183</td>
<td>sys_getcwd</td>
<td></td>
</tr>
<tr>
<td>184</td>
<td>sys_capget</td>
<td></td>
</tr>
<tr>
<td>185</td>
<td>sys_capset</td>
<td></td>
</tr>
<tr>
<td>186</td>
<td>sys_sigaltstack</td>
<td></td>
</tr>
<tr>
<td>187</td>
<td>sys_sendfile</td>
<td></td>
</tr>
<tr>
<td>188</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>189</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>
<td>190</td>
<td>sys_vfork</td>
<td></td>
</tr>
<tr>
<td>191</td>
<td>sys_getrlimit</td>
<td></td>
</tr>
<tr>
<td>192</td>
<td>sys_mmap2</td>
<td></td>
</tr>
<tr>
<td>193</td>
<td>sys_truncate64</td>
<td></td>
</tr>
<tr>
<td>194</td>
<td>sys_ftruncate64</td>
<td></td>
</tr>
<tr>
<td>195</td>
<td>sys_stat64</td>
<td></td>
</tr>
<tr>
<td>196</td>
<td>sys_lstat64</td>
<td></td>
</tr>
<tr>
<td>197</td>
<td>sys_fstat64</td>
<td></td>
</tr>
<tr>
<td>198</td>
<td>sys_lchown</td>
<td></td>
</tr>
<tr>
<td>199</td>
<td>sys_getuid</td>
<td></td>
</tr>
<tr>
<td>200</td>
<td>sys_getgid</td>
<td></td>
</tr>
<tr>
<td>201</td>
<td>sys_geteuid</td>
<td></td>
</tr>
<tr>
<td>202</td>
<td>sys_getegid</td>
<td></td>
</tr>
<tr>
<td>203</td>
<td>sys_setreuid</td>
<td></td>
</tr>
<tr>
<td>204</td>
<td>sys_setregid</td>
<td></td>
</tr>
<tr>
<td>205</td>
<td>sys_getgroups</td>
<td></td>
</tr>
<tr>
<td>206</td>
<td>sys_setgroups</td>
<td></td>
</tr>
<tr>
<td>207</td>
<td>sys_fchown</td>
<td></td>
</tr>
<tr>
<td>208</td>
<td>sys_setresuid</td>
<td></td>
</tr>
<tr>
<td>209</td>
<td>sys_getresuid</td>
<td></td>
</tr>
<tr>
<td>210</td>
<td>sys_setresgid</td>
<td></td>
</tr>
<tr>
<td>211</td>
<td>sys_getresgid</td>
<td></td>
</tr>
<tr>
<td>212</td>
<td>sys_chown</td>
<td></td>
</tr>
<tr>
<td>213</td>
<td>sys_setuid</td>
<td></td>
</tr>
<tr>
<td>214</td>
<td>sys_setgid</td>
<td></td>
</tr>
<tr>
<td>215</td>
<td>sys_setfsuid</td>
<td></td>
</tr>
<tr>
<td>216</td>
<td>sys_setfsgid</td>
<td></td>
</tr>
<tr>
<td>217</td>
<td>sys_pivot_root</td>
<td></td>
</tr>
<tr>
<td>218</td>
<td>sys_mincore</td>
<td></td>
</tr>
<tr>
<td>219</td>
<td>sys_madvise</td>
<td></td>
</tr>
<tr>
<td>220</td>
<td>sys_getdents64</td>
<td></td>
</tr>
<tr>
<td>221</td>
<td>sys_fcntl64</td>
<td></td>
</tr>
<tr>
<td>222</td>
<td>sys_ni_syscall</td>
<td>not implemented</td>
</tr>
<tr>