Phase Three Testing

Now that you have the logging functionality available, as well as routines to compare system call signatures, you need system call data for some process in both an "unattacked" and an "attacked" state. Some of you may already have decided how to test. For those who haven't, we will use the apache web server and a "real" attack that was used against these servers a year or so ago. If you want to use this test, read on. That said, this is not the only test possible. You are free to show us your system working on *any* process you choose. Make sure your test procedures and results are clearly documented in your readme.


Installation

Follow the steps below to install a vulnerable version of apache and post a test site.

1) Install a specific version of the apache web server. Download the source for apache 1.3.23 and build it with the default install prefix, /usr/local/apache. This version is deliberately old and vulnerable; do not expose it beyond your own machine.

The executable will be in /usr/local/apache/bin/

2) Replace /usr/local/apache/conf/httpd.conf with httpd.conf. This limits the server to a single child process (apache 1.3 forks child processes rather than using threads). If you run 'ps' you will see two instances of httpd: the parent, which only manages its children and never serves a request, and one child. The pid that accepts requests is the child, the second one listed (the greater of the two pids). That is the process you need to log.

3) Download this script, the attack and these logs. Replace all instances of "130.85.112.173" in the logs with the IP address of the host running the apache server. NOTE: only run the attack against your own local machine, never against a host you do not own.

4) Download the web mirror, machines.tar.z (~700mb) or machines.tar.gz (~200mb). If possible, use the larger file. Expand the tarball in /usr/local/apache/htdocs.

5) Run the script, runwget1.

6) Proceed with testing and use the attack.


Data Gathering and Evaluation

1) Restart apache, or start it if it isn't already running, so that the child process you log begins from a clean state.

2) Generate your system call log of typical behavior (your reference log). For the installed site this can be done by logging the httpd child while the script you downloaded before, runwget1, fetches pages from the server.

3) Run the attack program against the server while logging the child, to generate another system call log (your current log). Note that if the attack crashes the child, the parent will fork a replacement with a new pid; make sure your log captures the child that was actually attacked, not just its replacement.

4) Finally, with your reference and current logs, use your hamming distance comparison to evaluate how far the current log departs from the reference.
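The comparison in step 4, as an added example that is not part of this handout or of any course-provided code. It assumes a plain "pid syscall" log line format (adapt parse_log to whatever your logger writes), a window length of 6 and an alarm threshold of 2; all three are assumptions, not values from the handout. It builds the reference profile from every sliding window in the reference log and scores each window of the current log by its minimum Hamming distance to that profile. The sample logs are constructed for illustration, not captured from apache.

```python
from collections import defaultdict

WINDOW = 6      # sliding window length k (assumed; tune for your logger)
THRESHOLD = 2   # a window this far from every reference window is flagged

# Constructed sample logs for an httpd child serving static files (not real
# captures).  The reference log is three normal request cycles; the current
# log has one normal child (pid 1234) and one (pid 1235) whose cycle is
# followed by a constructed shell-spawning tail (execve/dup2/socket/connect).
NORMAL_CYCLE = ["accept", "getsockname", "setsockopt", "read", "stat", "open",
                "mmap", "write", "munmap", "close", "shutdown", "close"]
ATTACK_TAIL = ["read", "read", "read", "read", "execve", "dup2", "dup2",
               "socket", "connect", "write", "close"]


def _fmt(pid, calls):
    """Render a call list in the assumed '<pid> <syscall>' log format."""
    return "\n".join(f"{pid} {c}" for c in calls)


REFERENCE_LOG = _fmt(1234, NORMAL_CYCLE * 3)
CURRENT_LOG = (_fmt(1234, NORMAL_CYCLE * 2) + "\n"
               + _fmt(1235, NORMAL_CYCLE + ATTACK_TAIL))


def parse_log(text):
    """Return {pid: [syscall, ...]}, preserving the order calls were logged."""
    traces = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank line or comment
        traces[int(fields[0])].append(fields[1])
    return dict(traces)


def windows(seq, k=WINDOW):
    """All length-k sliding windows of a syscall sequence, as tuples."""
    return [tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)]


def build_reference(traces, k=WINDOW):
    """The normal profile: the set of every window seen in the reference log."""
    ref = set()
    for seq in traces.values():
        ref.update(windows(seq, k))
    return ref


def hamming(a, b):
    """Number of positions at which two equal-length windows differ."""
    return sum(x != y for x, y in zip(a, b))


def min_distance(window, ref):
    """Distance from a window to the closest window in the reference profile."""
    if window in ref:
        return 0
    return min(hamming(window, r) for r in ref)


def evaluate(reference_log, current_log, k=WINDOW, threshold=THRESHOLD):
    """Score each pid in the current log against the reference profile."""
    ref = build_reference(parse_log(reference_log), k)
    report = {}
    for pid, seq in parse_log(current_log).items():
        dists = [min_distance(w, ref) for w in windows(seq, k)]
        report[pid] = {
            "total_windows": len(dists),
            "max_distance": max(dists, default=0),   # 0 if seq shorter than k
            "anomalous_windows": sum(d >= threshold for d in dists),
        }
    return report


if __name__ == "__main__":
    for pid, r in sorted(evaluate(REFERENCE_LOG, CURRENT_LOG).items()):
        verdict = "ATTACKED" if r["anomalous_windows"] else "normal"
        print(f"pid {pid}: {r['anomalous_windows']}/{r['total_windows']} windows "
              f"at distance >= {THRESHOLD}, max distance {r['max_distance']}: {verdict}")
```

With these constructed logs the normal child scores 0 on every window, while the attacked child's windows climb from distance 1 at the first unexpected read to distance 5 once execve and friends appear, so the flagged-window count and the maximum distance both separate the two cleanly. The brute-force minimum over the reference set is O(|ref|) per window, which is fine at assignment scale; the window length and threshold are what you will have to tune against your own logger, since a longer window makes the profile stricter and a higher threshold makes it more forgiving of one-off noise.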


Thanks to Jeff Undercoffer for sources and descriptions.