Homework Assignment #1 – Using strace to perform forensics on the Apache web server

You are expected to do your own work on all homework assignments. You may (and are encouraged to) engage in general discussions with your classmates regarding the assignments, but specific details of a solution, including the solution itself, must always be your
(See the statement of Academic Dishonesty on the Syllabus)

How to turn in?

Assignments need to be turned in via Laulima. Check the Syllabus for the late assignment policy for the course. You should turn in a single plain text (ASCII) or PDF file named README.txt or README.pdf with your answers to the assignment's questions.

For this assignment you only need to consult man
You can do so in your own Linux environment

The pedagogic objective of this assignment is twofold:
Understand strace output and be exposed to well-known syscalls.
Increase your familiarity with the Linux command-line.

You can do everything in this assignment using these powerful and commonplace commands (help is available about these commands on-line, in man pages, on-line, and of

Exercise #1: Apache web server forensics

A popular web server implementation is provided by the Apache HTTP Server Project. Your company had a machine that ran this web server, but eventually that machine got compromised and was permanently retired. You are tasked with performing some forensics, but unfortunately all log files have been
The only thing that remains is an strace output that the system administrator collected for about 6 minutes (the observation period) and saved before the machine was retired.

The strace output was collected from the server using the following command:

strace -f -x -o /tmp/apache2.strace -v -s 1024 -T -ttt apache2

You can use the strace -h command on Linux (or look up the strace man page) to see the list of all command-line options to strace, so as to fully understand what the above
Based on the above output, answer the questions hereafter.

Q1.1 : How many different syscalls are invoked by the web server during the observation period? (That is, if a syscall is called multiple times we count it only once.)

Q1.2 : Give a one-line, piped Shell command that prints the number of different syscalls. (Your answer should look like: cat apache2.strace |

Q1.3 : What are the top 5 syscalls that are invoked the most frequently by the web server?

Q1.4 : Give a one-line, piped Shell command that prints the occurrence counts and names of the top 5 most frequently invoked syscalls, sorted by increasing number of occurrences. (Your answer should look like: cat apache2.strace |
The output produced by your answer should look like:
2902 mango

Question #2: Processes

Each line of the strace output starts with a PID (Process ID), which is a unique number associated with the process that invoked the system call on that line. (We will talk more about PIDs later this semester.) The web server uses multiple processes during

Q2.1 : How many different processes were active during the observation period?

Q2.2 : What is the name of the syscall used to create new processes? (Hint: that syscall returns the PID of the newly created process.)

Q2.3 : How many times is this syscall invoked? Does it make sense? That is, does the number of calls during the observation period correspond to the number of processes that are active during the observation period?

Q2.4 : What is the stack size, in MiB, of each newly created process? (Hint: read the man page of the syscall you identified in Q2.2.)

The web server responds to many HTTP GET requests for downloading image files in the PNG format. There is suspicion that the ICS-Logo-for-dark-150x150-1.png image file served by the web server was corrupted.

Q3.1 : How many seconds after the beginning of the observation period is the first GET request for this PNG file received by the web server?

Q3.2 : How many GET requests for this PNG file are received in total?

Q3.3 : Give a one-line, piped Shell command that prints the number of GET requests for this PNG file. (Your answer should look like: cat apache2.strace |

Q3.4 : Is this PNG file corrupted? That is, is its byte content, which is sent back as the answer to the GET request, what's expected for a PNG file? If your answer is "no", explain.

The web server answers requests sent by clients (e.g., web browsers) that run on various machines during the observation period. The main thing that a web server does is wait for a connection and then "accept" the connection to handle whatever request was sent. The name of the syscall to accept a connection is very intuitive.

Q4.1 : How many times does the web server accept a connection from a remote IP during the observation period?

Q4.2 : You'll see that a single process accepts all requests. How many seconds into the observation period was that process created, and which process created it?
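The following is an added example, not code from the assignment page, the course, or the Apache project: a POSIX shell script whose functions implement the kinds of pipelines the questions call for (distinct syscall and PID counts, the most frequent syscalls, accepted connections, elapsed seconds to the first matching line, and a check that written data begins with the PNG signature), run over a constructed strace excerpt in the layout that the strace -f -x -o ... -v -s 1024 -T -ttt command above writes. The PIDs, timestamps, addresses and byte strings in the sample are made up, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the assignment page: helper pipelines for
# strace output in the "PID timestamp syscall(args) = ret <elapsed>" layout
# that "strace -f -x -T -ttt -o FILE" writes. Every function reads the trace
# on stdin, so each can be used as "cat apache2.strace | function_name".

# Constructed sample (made-up PIDs, timestamps, addresses and byte counts).
# It includes the three kinds of non-syscall lines strace emits with -f:
# an "<unfinished ...>" / "<... resumed>" pair, a "+++ exited" line and a
# "--- SIGCHLD" line, which a naive pipeline would miscount.
SAMPLE=$(cat <<'EOF'
2902 1617212345.100000 accept4(4, {sa_family=AF_INET, sin_port=htons(51234), sin_addr=inet_addr("203.0.113.10")}, [16], SOCK_CLOEXEC) = 8 <0.000020>
2902 1617212345.100500 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1c) = 2910 <0.000300>
2910 1617212345.101000 read(8, "GET /ICS-Logo-for-dark-150x150-1.png HTTP/1.1\r\n", 8000) = 47 <0.000010>
2910 1617212345.101200 write(8, "HTTP/1.1 200 OK\r\n", 17) = 17 <0.000008>
2910 1617212345.101400 write(8, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR", 16) = 16 <0.000007>
2902 1617212345.200000 accept4(4, <unfinished ...>
2910 1617212345.200100 close(8) = 0 <0.000003>
2902 1617212345.300000 <... accept4 resumed> {sa_family=AF_INET, sin_port=htons(51240), sin_addr=inet_addr("198.51.100.7")}, [16], SOCK_CLOEXEC) = 9 <0.100000>
2910 1617212345.300500 +++ exited with 0 +++
2902 1617212345.300600 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2910} ---
EOF
)

# One syscall name per line. Field 3 is "name(args..." on a syscall line;
# a third field starting with "<", "+" or "-" is a resumption, a process
# exit or a signal delivery and carries no new call, so it is skipped.
syscall_names() {
    awk '$3 !~ /^[<+-]/ { sub(/\(.*/, "", $3); print $3 }'
}

# Number of distinct syscalls seen (each name counted once).
distinct_syscalls() {
    syscall_names | sort -u | wc -l | tr -d ' '
}

# "count name" for the N most frequent syscalls, least frequent first.
top_syscalls() {
    syscall_names | sort | uniq -c | sort -rn | head -n "$1" \
        | sort -n | awk '{ print $1, $2 }'
}

# Number of distinct PIDs that produced at least one line.
distinct_pids() {
    awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Accepted connections: accept and accept4 both count, and the
# "<... accept4 resumed>" half of a split call is not counted twice.
accepted_connections() {
    syscall_names | grep -c '^accept'
}

# Seconds from the first line of the trace to the first line matching the
# extended regular expression given as $1, e.g. 'GET /ICS-Logo'.
seconds_to_first() {
    awk -v pat="$1" 'NR == 1 { t0 = $2 }
                     $0 ~ pat { printf "%.3f\n", $2 - t0; exit }'
}

# Integrity check: number of write() calls whose data begins with the
# 8-byte PNG signature as strace -x renders it. A PNG response whose first
# write lacks this prefix deserves a closer look.
png_signature_writes() {
    grep -Fc '"\x89PNG\r\n\x1a\n'
}

# Demo run over the constructed sample; with a real trace replace
# printf '%s\n' "$SAMPLE" by cat /tmp/apache2.strace.
printf '%s\n' "$SAMPLE" | distinct_syscalls
printf '%s\n' "$SAMPLE" | top_syscalls 3
printf '%s\n' "$SAMPLE" | distinct_pids
printf '%s\n' "$SAMPLE" | accepted_connections
printf '%s\n' "$SAMPLE" | seconds_to_first 'GET /ICS-Logo'
printf '%s\n' "$SAMPLE" | png_signature_writes
```

The name filter is the part worth keeping in mind when writing your own pipelines: a blocking accept4 that strace splits into an "<unfinished ...>" line and a "<... resumed>" line must be counted once, and the "+++ exited" and "--- SIGCHLD" lines have no syscall in the third field at all, so a plain count of lines per PID overstates how many calls a process made.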