Is it not trivial to simply change the process name, one or two lines at most in code? I'm trying to think about the logistics of running something like this and unless the process name is something like ./sshbruteforce 293849 ..
You would probably be better off will an artificial-ignorance[0] kind of approach where you frequently measure what's running on your computer in order to establish a baseline, and after that compare against the baseline to look for outliers in terms of memory/cpu usage. You will also want to use other tools to look at network and filesystem usage.
The post from 1997 assumes /var/log is not vulnerable tampering; assumes that the syslogd or access to the socket or port it's writing to is not vulnerable to compromise; and assumes that all signifcant programs write to a log.
The world is much more familiar with UNIX in 2015; I trust that today no one would rely on /var/log.
My approach would be to look at periodic memory dumps and look for anomalies there.
And not to rely on the integrity of utilities stored the system that you are analyzing.
4 comments
[ 4.6 ms ] story [ 21.1 ms ] thread0 - http://www.ranum.com/security/computer_security/papers/ai/
The world is much more familiar with UNIX in 2015; I trust that today no one would rely on /var/log.
My approach would be to look at periodic memory dumps and look for anomalies there.
And not to rely on the integrity of utilities stored the system that you are analyzing.