Rafi Sadowsky wrote this...
>
> Just a thought - what happens when your "bad guy" brings in
> (cleverly named) statically linked programs
>

hmmm true.. how about a patch for the kernel instead? :) ooh i can see that
happening at a really fast rate of knots, but kernels with run time config that
shouldn't be too much of a problem, just modify slightly the execve() call and
away you go... then you can track by the vnode of the process text in which
case downloading statically linked stuff would be easier to find. you can
track the vnode as well as the arguments..

heh collecting all this data is approaching an overload... can anyone else
think of an easier way?

Matt

--
Matthew Keenan
Systems Programmer
Information Technology Division
University of Technology Sydney
Australia

www:   http://milliways.itd.uts.edu.au/~matt/
email: matt@uts.edu.au
phone: +61 2 330 1390
fax:   +61 2 330 1999
home:  +61 2 416 5722

"Don't murder a man who is about to commit suicide."
  -- Machiavelli

GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$
P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+ G? !tv
b+++ D++ B e+ u--(**) h- f+(*) r n- !y
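
An added example, not part of the original message: a user-space sketch of what an administrator could do with records from the execve() hook proposed above, judging each exec by the vnode of its text rather than by its name. The record layout (`ExecEvent`), the baseline map and all sample values are constructed assumptions; the vnode is modelled as a (device, inode) pair.

```python
import os
from collections import namedtuple

# One record per execve(), as a hypothetical kernel hook might log it.
ExecEvent = namedtuple("ExecEvent", "uid path dev ino argv")

def classify(events, baseline):
    """Judge each exec by its vnode; baseline maps (dev, ino) -> installed path."""
    trusted_names = {os.path.basename(p) for p in baseline.values()}
    report = []
    for ev in events:
        vnode = (ev.dev, ev.ino)
        name = os.path.basename(ev.path)
        if vnode in baseline:
            if baseline[vnode] == ev.path:
                verdict = "known"
            else:
                # Same installed file, reached through a rename or hard link.
                verdict = "known-vnode-other-name"
        elif name in trusted_names:
            # Trusted-looking name, but the text is not the installed file.
            verdict = "name-collision"
        else:
            verdict = "unknown-vnode"
        report.append((ev.uid, ev.path, verdict, ev.argv))
    return report

# Constructed sample data: two installed binaries and four exec records.
BASELINE = {(5, 1201): "/bin/ls", (5, 1377): "/usr/bin/telnet"}
EVENTS = [
    ExecEvent(1001, "/bin/ls", 5, 1201, ["ls", "-l"]),
    ExecEvent(1001, "/home/u1/bin/ls", 7, 88412, ["ls", "-l"]),
    ExecEvent(1002, "/tmp/t", 5, 1377, ["t", "host.example"]),
    ExecEvent(1002, "/home/u2/a.out", 7, 90117, ["a.out"]),
]

if __name__ == "__main__":
    for uid, path, verdict, argv in classify(EVENTS, BASELINE):
        print(uid, path, verdict, " ".join(argv))
```

Inode numbers are reused after a file is deleted, so the baseline has to be rebuilt whenever system binaries are reinstalled or updated.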