Of course, collecting log data for analysis from syslog is pretty low-tech when it comes to detecting and/or stopping attacks in real-time and I'd hope this wouldn't be encouraged as a general practice. If that's your aim then you should be campaigning for a /dev/audit device and the instrumenting of suitable logpoints in the kernel and various utilities. Then your stuff just opens /dev/audit, registers an event selection mask with it, and goes to sleep waiting for events.
- Jordan

> At 12:37 AM 1/5/2002, Archie Cobbs wrote:
>
> >Interesting, I was just thinking of the same thing today.
>
> In that case, you'll probably like the paper I'm presenting
> at BSDCon.
>
> >I just committed a fix to -current.. if the re approves I can MFC it too.
>
> Wonderful! Thank you....
>
> --Brett
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-stable" in the body of the message
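Added example (not code from the thread, and not a FreeBSD interface): a sketch in C of the consumer side of the /dev/audit design described above, where a process opens the device, registers an event selection mask, and then blocks waiting for matching events. The device path /dev/audit, the AUDIT_SETMASK ioctl, the event classes and the record layout are all assumptions made for the illustration; the sample records are constructed so the mask filtering can be exercised on a machine that has no such driver.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

/* Assumed event classes; one bit each so a mask can select several at once. */
enum {
    AUD_EXEC  = 1u << 0,   /* process execution */
    AUD_LOGIN = 1u << 1,   /* login / authentication */
    AUD_FILE  = 1u << 2,   /* file open or modification */
    AUD_NET   = 1u << 3    /* socket activity */
};

/* Assumed fixed-size record the device would hand to user space. */
struct audit_event {
    uint32_t ev_class;
    uint32_t pid;
    uint32_t uid;
    char     detail[48];
};

/* Assumed ioctl for registering the selection mask (hypothetical, not a real driver API). */
#define AUDIT_SETMASK _IOW('A', 1, uint32_t)

/* Constructed sample stream standing in for kernel-generated records. */
static const struct audit_event sample_events[] = {
    { AUD_EXEC,  101, 0,    "/usr/bin/su" },
    { AUD_LOGIN, 102, 1001, "login on ttyp0" },
    { AUD_FILE,  101, 0,    "open /etc/hosts" },
    { AUD_NET,   103, 1001, "connect 10.0.0.5:22" },
    { AUD_EXEC,  104, 1001, "/bin/ls" }
};
#define SAMPLE_COUNT (sizeof sample_events / sizeof sample_events[0])

/* A record is delivered only if its class is in the registered mask. */
int audit_selected(uint32_t mask, const struct audit_event *ev)
{
    return (ev->ev_class & mask) != 0;
}

/* Run a batch of records through the mask, pass matches to handler
   (may be NULL), and return how many were delivered. */
size_t audit_consume(uint32_t mask, const struct audit_event *evs, size_t n,
                     void (*handler)(const struct audit_event *))
{
    size_t delivered = 0;
    for (size_t i = 0; i < n; i++) {
        if (!audit_selected(mask, &evs[i]))
            continue;
        if (handler)
            handler(&evs[i]);
        delivered++;
    }
    return delivered;
}

/* Open the device and register the mask; returns -1 when the device is absent
   (the normal case on a system without this hypothetical driver). */
int audit_open(const char *path, uint32_t mask)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (ioctl(fd, AUDIT_SETMASK, &mask) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

static void print_event(const struct audit_event *ev)
{
    printf("class=%u pid=%u uid=%u %s\n", ev->ev_class, ev->pid, ev->uid, ev->detail);
}

int main(void)
{
    uint32_t mask = AUD_EXEC | AUD_LOGIN;
    int fd = audit_open("/dev/audit", mask);
    if (fd < 0) {
        /* No device here: feed the constructed records through the same filter. */
        audit_consume(mask, sample_events, SAMPLE_COUNT, print_event);
        return 0;
    }
    /* With a real device the process sleeps in read() until a selected event arrives. */
    struct audit_event ev;
    while (read(fd, &ev, sizeof ev) == (ssize_t)sizeof ev)
        print_event(&ev);
    close(fd);
    return 0;
}
```

The point of the mask is that filtering happens before the record reaches the consumer, so the process is only woken for the classes it asked for; with the constructed stream and a mask of AUD_EXEC | AUD_LOGIN, three of the five records are delivered and the file and network records are never seen.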