This project tries to show a SystemTap usage scenario a bit different from the
usual: monitoring a system status to identify possible break-in attempts,
either detecting incoming portscans using a signature-like approach and via
analysis of anomalous sequences of system calls.

Portscan detection
A tapset for detecting incoming portscans is available in the tapsets/
directory; for an example of its usage see showscan.stp.

Be sure to add tapsets/ to the tapset search directory, for example with the -I

$ stap -v -I tapsets/ showscan.stp

Anomaly based intrusion detection
A proof-of-concept anomaly based intrusion detection system has been developed.

1) The IDS needs to learn sequences of system calls that it should consider
   normal. To do that, simply run, which uses the all-sequences.stp
   SystemTap script and to create a database modeling normal behaviour:

   $ ./

   Gathered data will be saved under /var/tmp/ids.db by default. This location can
   be changed editing the configuration file

   Ideally, the training phase should last at least a couple of hours, and all the
   common usage scenario should be reproduced. For example, for desktop systems,
   the training phase could consist of visiting some of the most commonly
   visited web sites, sending and receiving e-mails, watching a movie and
   playing some audio files.

   Database creation can be stopped at any time hitting CTRL+C; some
   information about the database itself can be obtained with the script

2) Once the database is ready, actual system monitoring can be started running, which uses the aformentioned all-sequences.stp and to
   identify potentially anomalous behaviour:

   $ ./