On Thu, Feb 5, 2015 at 3:26 PM, Hassan Sultan <hsultan(a)thefroid.net> wrote:
> Wouldn't x86 simply be a filter with 2 comparisons: one on a0 to filter
> only connect, and one on a3 for the sockaddr size?
> Basically, on x86 you have one rule: the one with 2 comparisons.
> On x64 you have 2 rules: one on the connect syscall, and one on the
> socketcall syscall with 2 comparisons.
The socketcall() syscall takes two arguments: the first indicates the
socket syscall (e.g. connect()) and the second is a pointer to a binary blob
that contains the arguments for that socket syscall.
--
paul moore
www.paul-moore.com
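An added example, not code from the thread or from Paul Moore or libseccomp, that makes the difference concrete. It builds the two raw seccomp-BPF programs the thread contrasts: on x86_64, connect() is its own syscall, so a rule can compare the syscall number and then the third argument (addrlen); on i386 (as of this 2015 thread, before the direct socket syscalls were added to i386 in Linux 4.3), connect() arrives as socketcall() whose first argument is the subcode and whose second is a pointer to the real arguments, so the sockaddr size lives in user memory and a BPF rule cannot see it. A tiny interpreter for the three BPF opcodes used runs both programs against constructed seccomp_data records, so nothing is installed via prctl()/seccomp() and the code runs anywhere with Linux UAPI headers. The syscall numbers (connect = 42 on x86_64, socketcall = 102 on i386, SYS_CONNECT subcode = 3) are hardcoded because x86_64 headers do not expose the i386 number, and the policy (allow connect only with a 16-byte sockaddr_in, return EPERM otherwise) is an assumption chosen for illustration.

```c
/* Added example (not from the thread): the x86_64 vs i386 connect() filters
 * as raw seccomp-BPF, plus a toy interpreter to exercise them in user space. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hardcoded syscall numbers (x86_64 headers do not define the i386 ones). */
#define NR_CONNECT_X86_64  42   /* __NR_connect on x86_64 */
#define NR_SOCKETCALL_I386 102  /* __NR_socketcall on i386 */
#define SOCKETCALL_CONNECT 3    /* SYS_CONNECT subcode, <linux/net.h> */
#define SOCKADDR_IN_LEN    16   /* sizeof(struct sockaddr_in): the assumed policy */

#define DENY   (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))
#define ARG(n) (offsetof(struct seccomp_data, args) + 8 * (n)) /* low 32 bits, LE */

/* x86_64: connect() is a real syscall, so addrlen is in args[2]. */
static const struct sock_filter x86_64_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),        /* wrong ABI: kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_CONNECT_X86_64, 0, 3), /* not connect: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(2)),         /* addrlen */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOCKADDR_IN_LEN, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, DENY),                    /* other sockaddr size: EPERM */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* i386: connect() is socketcall(SYS_CONNECT, args_ptr). args[1] is only a
 * pointer; the sockaddr size is in memory, so the second comparison of the
 * x86_64 rule has no register to test. All this filter can do is decide on
 * the subcode. */
static const struct sock_filter i386_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_I386, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_SOCKETCALL_I386, 0, 3), /* not socketcall: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG(0)),         /* socketcall subcode */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOCKETCALL_CONNECT, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY),                    /* connect: cannot check size, deny */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Toy interpreter for the subset of BPF used above: absolute word load,
 * jeq-immediate, and return-immediate. Jump offsets are relative to the
 * following instruction, as in real BPF. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL; /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: treat as kill */
}

/* Decision of the x86_64 filter for a constructed syscall record. */
uint32_t x86_64_decision(uint32_t arch, int nr, uint64_t addrlen)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    d.args[2] = addrlen;
    return run_filter(x86_64_filter, sizeof x86_64_filter / sizeof x86_64_filter[0], &d);
}

/* Decision of the i386 filter; subcode is socketcall()'s first argument. */
uint32_t i386_decision(uint32_t arch, int nr, uint64_t subcode)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    d.args[0] = subcode;
    return run_filter(i386_filter, sizeof i386_filter / sizeof i386_filter[0], &d);
}

int main(void)
{
    printf("x86_64 connect(addrlen=16): 0x%x\n",
           x86_64_decision(AUDIT_ARCH_X86_64, NR_CONNECT_X86_64, 16));
    printf("x86_64 connect(addrlen=110): 0x%x\n",
           x86_64_decision(AUDIT_ARCH_X86_64, NR_CONNECT_X86_64, 110));
    printf("i386 socketcall(SYS_CONNECT): 0x%x\n",
           i386_decision(AUDIT_ARCH_I386, NR_SOCKETCALL_I386, SOCKETCALL_CONNECT));
    return 0;
}
```

Both programs start by checking the arch field, which is the other half of the thread's point: a process can switch between the 32-bit and 64-bit ABIs, so a filter that keys on syscall numbers without pinning the ABI is checking the wrong number table. In practice one installs both programs (or lets libseccomp generate them from a single rule set) rather than writing the BPF by hand.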