>>>> rule: ptrace <<<<<


Preliminary report:

***** state: init *****
            env[0]: ($attack_pid) nil
            env[1]: ($target_pid) nil
            env[2]: ($attacker_uid) nil
no event.


***** state: ptrace_attach *****
    current_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1535
    current_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1536
    current_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500
-------------------------[ event id: 0x80ac588 ]------------------
 fid |         attribute        |         value
-----+--------------------------+---------------------------------
  49 | rawsnare.ptrace_data     | (KEEP|UNKNOWN) ptr32 : (nil)
  48 | rawsnare.ptrace_addr     | (KEEP|UNKNOWN) ptr32 : (nil)
  47 | rawsnare.ptrace_pid      | (KEEP|UNKNOWN) int : 1536
  46 | rawsnare.ptrace_req      | (KEEP|UNKNOWN) vstr[18] : "(16) PTRACE_ATTACH"
  27 | rawsnare.retcode         | (KEEP|UNKNOWN) int : 0
  26 | rawsnare.procname        | (KEEP|UNKNOWN) vstr[8] : "myptrace"
  25 | rawsnare.ppid            | (KEEP|UNKNOWN) int : 1534
  24 | rawsnare.pid             | (KEEP|UNKNOWN) int : 1535
  23 | rawsnare.egid            | (KEEP|UNKNOWN) int : 500
  22 | rawsnare.euid            | (KEEP|UNKNOWN) int : 500
  21 | rawsnare.rgid            | (KEEP|UNKNOWN) int : 500
  20 | rawsnare.ruid            | (KEEP|UNKNOWN) int : 500
  19 | rawsnare.syscall         | (KEEP|UNKNOWN) vstr[15] : "(26) SYS_ptrace"
  18 | rawsnare.class           | (KEEP|UNKNOWN) int : 10
  17 | rawsnare.time            | (KEEP|MONO) timeval : (1076685771.834524) = Fri Feb 13 16:22:51 2004 (+834524 us)
   9 | udp.msg                  | (KEEP|UNKNOWN) bstr[76]
   8 | udp.dst_port             | (KEEP|UNKNOWN) int : 6262
   5 | udp.src_addr             | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net)
   4 | udp.time                 | (KEEP|MONO) timeval : (1076685771.835106) = Fri Feb 13 16:22:51 2004 (+835106 us)
-----+--------------------------+---------------------------------


***** state: exec_modprobe *****
  inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1535
  inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1536
  inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500
-------------------------[ event id: 0x80acf40 ]------------------
 fid |         attribute        |         value
-----+--------------------------+---------------------------------
  32 | rawsnare.cmdline         | (KEEP|UNKNOWN) vstr[33] : "/sbin/modprobe -s -k -- net-pf-14"
  29 | rawsnare.path            | (KEEP|UNKNOWN) vstr[14] : "/sbin/modprobe"
  28 | rawsnare.workdir         | (KEEP|UNKNOWN) vstr[1] : "/"
  27 | rawsnare.retcode         | (KEEP|UNKNOWN) int : 0
  26 | rawsnare.procname        | (KEEP|UNKNOWN) vstr[8] : "myptrace"
  25 | rawsnare.ppid            | (KEEP|UNKNOWN) int : 1535
  24 | rawsnare.pid             | (KEEP|UNKNOWN) int : 1536
  23 | rawsnare.egid            | (KEEP|UNKNOWN) int : 0
  22 | rawsnare.euid            | (KEEP|UNKNOWN) int : 0
  21 | rawsnare.rgid            | (KEEP|UNKNOWN) int : 500
  20 | rawsnare.ruid            | (KEEP|UNKNOWN) int : 0
  19 | rawsnare.syscall         | (KEEP|UNKNOWN) vstr[15] : "(11) SYS_execve"
  18 | rawsnare.class           | (KEEP|UNKNOWN) int : 3
  17 | rawsnare.time            | (KEEP|MONO) timeval : (1076685771.864146) = Fri Feb 13 16:22:51 2004 (+864146 us)
   9 | udp.msg                  | (KEEP|UNKNOWN) bstr[1596]
   8 | udp.dst_port             | (KEEP|UNKNOWN) int : 6262
   5 | udp.src_addr             | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net)
   4 | udp.time                 | (KEEP|MONO) timeval : (1076685771.865346) = Fri Feb 13 16:22:51 2004 (+865346 us)
-----+--------------------------+---------------------------------


***** state: ptrace_syscall *****
  inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1535
  inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1536
  inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500
-------------------------[ event id: 0x80ad290 ]------------------
 fid |         attribute        |         value
-----+--------------------------+---------------------------------
  49 | rawsnare.ptrace_data     | (KEEP|UNKNOWN) ptr32 : (nil)
  48 | rawsnare.ptrace_addr     | (KEEP|UNKNOWN) ptr32 : (nil)
  47 | rawsnare.ptrace_pid      | (KEEP|UNKNOWN) int : 1536
  46 | rawsnare.ptrace_req      | (KEEP|UNKNOWN) vstr[19] : "(24) PTRACE_SYSCALL"
  27 | rawsnare.retcode         | (KEEP|UNKNOWN) int : 0
  26 | rawsnare.procname        | (KEEP|UNKNOWN) vstr[8] : "myptrace"
  25 | rawsnare.ppid            | (KEEP|UNKNOWN) int : 1534
  24 | rawsnare.pid             | (KEEP|UNKNOWN) int : 1535
  23 | rawsnare.egid            | (KEEP|UNKNOWN) int : 500
  22 | rawsnare.euid            | (KEEP|UNKNOWN) int : 500
  21 | rawsnare.rgid            | (KEEP|UNKNOWN) int : 500
  20 | rawsnare.ruid            | (KEEP|UNKNOWN) int : 500
  19 | rawsnare.syscall         | (KEEP|UNKNOWN) vstr[15] : "(26) SYS_ptrace"
  18 | rawsnare.class           | (KEEP|UNKNOWN) int : 10
  17 | rawsnare.time            | (KEEP|MONO) timeval : (1076685771.864640) = Fri Feb 13 16:22:51 2004 (+864640 us)
   9 | udp.msg                  | (KEEP|UNKNOWN) bstr[76]
   8 | udp.dst_port             | (KEEP|UNKNOWN) int : 6262
   5 | udp.src_addr             | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net)
   4 | udp.time                 | (KEEP|MONO) timeval : (1076685771.865383) = Fri Feb 13 16:22:51 2004 (+865383 us)
-----+--------------------------+---------------------------------


***** state: ptrace_getregs *****
  inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1535
  inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1536
  inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500
-------------------------[ event id: 0x80ad600 ]------------------
 fid |         attribute        |         value
-----+--------------------------+---------------------------------
  49 | rawsnare.ptrace_data     | (KEEP|UNKNOWN) ptr32 : 0xbffff9e0
  48 | rawsnare.ptrace_addr     | (KEEP|UNKNOWN) ptr32 : (nil)
  47 | rawsnare.ptrace_pid      | (KEEP|UNKNOWN) int : 1536
  46 | rawsnare.ptrace_req      | (KEEP|UNKNOWN) vstr[19] : "(12) PTRACE_GETREGS"
  27 | rawsnare.retcode         | (KEEP|UNKNOWN) int : 0
  26 | rawsnare.procname        | (KEEP|UNKNOWN) vstr[8] : "myptrace"
  25 | rawsnare.ppid            | (KEEP|UNKNOWN) int : 1534
  24 | rawsnare.pid             | (KEEP|UNKNOWN) int : 1535
  23 | rawsnare.egid            | (KEEP|UNKNOWN) int : 500
  22 | rawsnare.euid            | (KEEP|UNKNOWN) int : 500
  21 | rawsnare.rgid            | (KEEP|UNKNOWN) int : 500
  20 | rawsnare.ruid            | (KEEP|UNKNOWN) int : 500
  19 | rawsnare.syscall         | (KEEP|UNKNOWN) vstr[15] : "(26) SYS_ptrace"
  18 | rawsnare.class           | (KEEP|UNKNOWN) int : 10
  17 | rawsnare.time            | (KEEP|MONO) timeval : (1076685771.864969) = Fri Feb 13 16:22:51 2004 (+864969 us)
   9 | udp.msg                  | (KEEP|UNKNOWN) bstr[76]
   8 | udp.dst_port             | (KEEP|UNKNOWN) int : 6262
   5 | udp.src_addr             | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net)
   4 | udp.time                 | (KEEP|MONO) timeval : (1076685771.865589) = Fri Feb 13 16:22:51 2004 (+865589 us)
-----+--------------------------+---------------------------------


***** state: ptrace_poketext *****
  inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1535
  inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1536
  inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500
-------------------------[ event id: 0x80ad950 ]------------------
 fid |         attribute        |         value
-----+--------------------------+---------------------------------
  49 | rawsnare.ptrace_data     | (KEEP|UNKNOWN) ptr32 : 0xdb31c031
  48 | rawsnare.ptrace_addr     | (KEEP|UNKNOWN) ptr32 : 0x4000ed4d
  47 | rawsnare.ptrace_pid      | (KEEP|UNKNOWN) int : 1536
  46 | rawsnare.ptrace_req      | (KEEP|UNKNOWN) vstr[19] : "(4) PTRACE_POKETEXT"
  27 | rawsnare.retcode         | (KEEP|UNKNOWN) int : 0
  26 | rawsnare.procname        | (KEEP|UNKNOWN) vstr[8] : "myptrace"
  25 | rawsnare.ppid            | (KEEP|UNKNOWN) int : 1534
  24 | rawsnare.pid             | (KEEP|UNKNOWN) int : 1535
  23 | rawsnare.egid            | (KEEP|UNKNOWN) int : 500
  22 | rawsnare.euid            | (KEEP|UNKNOWN) int : 500
  21 | rawsnare.rgid            | (KEEP|UNKNOWN) int : 500
  20 | rawsnare.ruid            | (KEEP|UNKNOWN) int : 500
  19 | rawsnare.syscall         | (KEEP|UNKNOWN) vstr[15] : "(26) SYS_ptrace"
  18 | rawsnare.class           | (KEEP|UNKNOWN) int : 10
  17 | rawsnare.time            | (KEEP|MONO) timeval : (1076685771.865301) = Fri Feb 13 16:22:51 2004 (+865301 us)
   9 | udp.msg                  | (KEEP|UNKNOWN) bstr[76]
   8 | udp.dst_port             | (KEEP|UNKNOWN) int : 6262
   5 | udp.src_addr             | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net)
   4 | udp.time                 | (KEEP|MONO) timeval : (1076685771.865839) = Fri Feb 13 16:22:51 2004 (+865839 us)
-----+--------------------------+---------------------------------


***** state: ptrace_detach *****
  inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1535
  inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1536
  inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500
-------------------------[ event id: 0x80ba508 ]------------------
 fid |         attribute        |         value
-----+--------------------------+---------------------------------
  49 | rawsnare.ptrace_data     | (KEEP|UNKNOWN) ptr32 : (nil)
  48 | rawsnare.ptrace_addr     | (KEEP|UNKNOWN) ptr32 : (nil)
  47 | rawsnare.ptrace_pid      | (KEEP|UNKNOWN) int : 1536
  46 | rawsnare.ptrace_req      | (KEEP|UNKNOWN) vstr[18] : "(17) PTRACE_DETACH"
  27 | rawsnare.retcode         | (KEEP|UNKNOWN) int : 0
  26 | rawsnare.procname        | (KEEP|UNKNOWN) vstr[8] : "myptrace"
  25 | rawsnare.ppid            | (KEEP|UNKNOWN) int : 1534
  24 | rawsnare.pid             | (KEEP|UNKNOWN) int : 1535
  23 | rawsnare.egid            | (KEEP|UNKNOWN) int : 500
  22 | rawsnare.euid            | (KEEP|UNKNOWN) int : 500
  21 | rawsnare.rgid            | (KEEP|UNKNOWN) int : 500
  20 | rawsnare.ruid            | (KEEP|UNKNOWN) int : 500
  19 | rawsnare.syscall         | (KEEP|UNKNOWN) vstr[15] : "(26) SYS_ptrace"
  18 | rawsnare.class           | (KEEP|UNKNOWN) int : 10
  17 | rawsnare.time            | (KEEP|MONO) timeval : (1076685771.878433) = Fri Feb 13 16:22:51 2004 (+878433 us)
   9 | udp.msg                  | (KEEP|UNKNOWN) bstr[76]
   8 | udp.dst_port             | (KEEP|UNKNOWN) int : 6262
   5 | udp.src_addr             | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net)
   4 | udp.time                 | (KEEP|MONO) timeval : (1076685771.878956) = Fri Feb 13 16:22:51 2004 (+878956 us)
-----+--------------------------+---------------------------------




Complementary report:


***** state: audit_loop *****
  inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1535
  inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1536
  inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500
-------------------------[ event id: 0x80bc290 ]------------------
 fid |         attribute        |         value
-----+--------------------------+---------------------------------
  44 | rawsnare.target_sid      | (KEEP|UNKNOWN) int : 0
  43 | rawsnare.target_rid      | (KEEP|UNKNOWN) int : 0
  42 | rawsnare.target_id       | (KEEP|UNKNOWN) int : 0
  27 | rawsnare.retcode         | (KEEP|UNKNOWN) int : 0
  26 | rawsnare.procname        | (KEEP|UNKNOWN) vstr[8] : "modprobe"
  25 | rawsnare.ppid            | (KEEP|UNKNOWN) int : 1534
  24 | rawsnare.pid             | (KEEP|UNKNOWN) int : 1536
  23 | rawsnare.egid            | (KEEP|UNKNOWN) int : 0
  22 | rawsnare.euid            | (KEEP|UNKNOWN) int : 0
  21 | rawsnare.rgid            | (KEEP|UNKNOWN) int : 500
  20 | rawsnare.ruid            | (KEEP|UNKNOWN) int : 0
  19 | rawsnare.syscall         | (KEEP|UNKNOWN) vstr[15] : "(23) SYS_setuid"
  18 | rawsnare.class           | (KEEP|UNKNOWN) int : 8
  17 | rawsnare.time            | (KEEP|MONO) timeval : (1076685771.878683) = Fri Feb 13 16:22:51 2004 (+878683 us)
   9 | udp.msg                  | (KEEP|UNKNOWN) bstr[72]
   8 | udp.dst_port             | (KEEP|UNKNOWN) int : 6262
   5 | udp.src_addr             | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net)
   4 | udp.time                 | (KEEP|MONO) timeval : (1076685771.886191) = Fri Feb 13 16:22:51 2004 (+886191 us)
-----+--------------------------+---------------------------------


***** state: audit_loop *****
  inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1535
  inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1536
  inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500
-------------------------[ event id: 0x80bc588 ]------------------
 fid |         attribute        |         value
-----+--------------------------+---------------------------------
  44 | rawsnare.target_sid      | (KEEP|UNKNOWN) int : 0
  43 | rawsnare.target_rid      | (KEEP|UNKNOWN) int : 0
  42 | rawsnare.target_id       | (KEEP|UNKNOWN) int : 0
  27 | rawsnare.retcode         | (KEEP|UNKNOWN) int : 0
  26 | rawsnare.procname        | (KEEP|UNKNOWN) vstr[8] : "modprobe"
  25 | rawsnare.ppid            | (KEEP|UNKNOWN) int : 1534
  24 | rawsnare.pid             | (KEEP|UNKNOWN) int : 1536
  23 | rawsnare.egid            | (KEEP|UNKNOWN) int : 0
  22 | rawsnare.euid            | (KEEP|UNKNOWN) int : 0
  21 | rawsnare.rgid            | (KEEP|UNKNOWN) int : 500
  20 | rawsnare.ruid            | (KEEP|UNKNOWN) int : 0
  19 | rawsnare.syscall         | (KEEP|UNKNOWN) vstr[15] : "(46) SYS_setgid"
  18 | rawsnare.class           | (KEEP|UNKNOWN) int : 8
  17 | rawsnare.time            | (KEEP|MONO) timeval : (1076685771.878926) = Fri Feb 13 16:22:51 2004 (+878926 us)
   9 | udp.msg                  | (KEEP|UNKNOWN) bstr[72]
   8 | udp.dst_port             | (KEEP|UNKNOWN) int : 6262
   5 | udp.src_addr             | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net)
   4 | udp.time                 | (KEEP|MONO) timeval : (1076685771.886223) = Fri Feb 13 16:22:51 2004 (+886223 us)
-----+--------------------------+---------------------------------


***** state: audit_loop *****
  inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1535
  inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1536
  inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500
-------------------------[ event id: 0x80bc910 ]------------------
 fid |         attribute        |         value
-----+--------------------------+---------------------------------
  39 | rawsnare.src_port        | (KEEP|UNKNOWN) int : 0
  38 | rawsnare.src_ip          | (KEEP|UNKNOWN) ipv4 : 127.0.0.1 (name=localhost.localdomain alias=localhost)
  37 | rawsnare.dst_port        | (KEEP|UNKNOWN) int : 24876
  36 | rawsnare.dst_ip          | (KEEP|UNKNOWN) ipv4 : 0.0.0.0
  35 | rawsnare.sockcall        | (KEEP|UNKNOWN) vstr[12] : "(2) SYS_BIND"
  27 | rawsnare.retcode         | (KEEP|UNKNOWN) int : 0
  26 | rawsnare.procname        | (KEEP|UNKNOWN) vstr[8] : "modprobe"
  25 | rawsnare.ppid            | (KEEP|UNKNOWN) int : 1534
  24 | rawsnare.pid             | (KEEP|UNKNOWN) int : 1536
  23 | rawsnare.egid            | (KEEP|UNKNOWN) int : 0
  22 | rawsnare.euid            | (KEEP|UNKNOWN) int : 0
  21 | rawsnare.rgid            | (KEEP|UNKNOWN) int : 0
  20 | rawsnare.ruid            | (KEEP|UNKNOWN) int : 0
  19 | rawsnare.syscall         | (KEEP|UNKNOWN) vstr[20] : "(102) SYS_socketcall"
  18 | rawsnare.class           | (KEEP|UNKNOWN) int : 4
  17 | rawsnare.time            | (KEEP|MONO) timeval : (1076685771.879218) = Fri Feb 13 16:22:51 2004 (+879218 us)
   9 | udp.msg                  | (KEEP|UNKNOWN) bstr[152]
   8 | udp.dst_port             | (KEEP|UNKNOWN) int : 6262
   5 | udp.src_addr             | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net)
   4 | udp.time                 | (KEEP|MONO) timeval : (1076685771.886247) = Fri Feb 13 16:22:51 2004 (+886247 us)
-----+--------------------------+---------------------------------


***** state: make_report *****
  inherited_env[0]: ($attack_pid) (KEEP|UNKNOWN) int : 1535
  inherited_env[1]: ($target_pid) (KEEP|UNKNOWN) int : 1536
  inherited_env[2]: ($attacker_uid) (KEEP|UNKNOWN) int : 500
-------------------------[ event id: 0x80bcc50 ]------------------
 fid |         attribute        |         value
-----+--------------------------+---------------------------------
  51 | rawsnare.kill_sig        | (KEEP|UNKNOWN) vstr[11] : "(9) SIGKILL"
  50 | rawsnare.kill_pid        | (KEEP|UNKNOWN) int : 1534
  27 | rawsnare.retcode         | (KEEP|UNKNOWN) int : 0
  26 | rawsnare.procname        | (KEEP|UNKNOWN) vstr[8] : "myptrace"
  25 | rawsnare.ppid            | (KEEP|UNKNOWN) int : 1534
  24 | rawsnare.pid             | (KEEP|UNKNOWN) int : 1535
  23 | rawsnare.egid            | (KEEP|UNKNOWN) int : 500
  22 | rawsnare.euid            | (KEEP|UNKNOWN) int : 500
  21 | rawsnare.rgid            | (KEEP|UNKNOWN) int : 500
  20 | rawsnare.ruid            | (KEEP|UNKNOWN) int : 500
  19 | rawsnare.syscall         | (KEEP|UNKNOWN) vstr[13] : "(37) SYS_kill"
  18 | rawsnare.class           | (KEEP|UNKNOWN) int : 11
  17 | rawsnare.time            | (KEEP|MONO) timeval : (1076685771.879578) = Fri Feb 13 16:22:51 2004 (+879578 us)
   9 | udp.msg                  | (KEEP|UNKNOWN) bstr[68]
   8 | udp.dst_port             | (KEEP|UNKNOWN) int : 6262
   5 | udp.src_addr             | (KEEP|UNKNOWN) ipv4 : 192.168.0.123 (name=target alias=target.acme.net)
   4 | udp.time                 | (KEEP|MONO) timeval : (1076685771.886282) = Fri Feb 13 16:22:51 2004 (+886282 us)
-----+--------------------------+---------------------------------