Live normal data for lpr were collected over two weeks from
77 hosts at the Massachusetts Institute of Technology (MIT)
Artificial Intelligence (AI) Lab. All machines were running SunOS
4.1.4 with the included lpr.
In our original conversion of log files to *.int files, two system
calls (exit and brk) were unintentionally left out. The traces from this
original conversion are the ones used for experiments in our Journal of
Computer Security paper, and the ones which have been available here
prior to Nov 98. This set of original live normal (2/18/97 - 3/4/97)
is a gzipped tarball which untars to 2766 files, some of which are empty.
Each filename begins with a machine name followed by a date, which can
be used to sort the data chronologically. The original SunOS
mapping file is appropriate for these traces.
The reconverted files are also in a gzipped tarball; this set
untars to 2703 files. The filenames used above are prefixed with
the original log's modification time, so that a standard sort orders
the files chronologically. A separate mapping file
is required for these traces. These data were used in experiments
reported in the Alternative Data Models paper.
The lprcp attack script uses lpr to replace the contents
of an arbitrary file with those of another. This attack exploits the
fact that older versions of lpr use only 1000 different names for
printer queue files, and they do not remove the old queue files before
reusing them. The attack produces 1001 traces. In the first trace,
lpr places a symbolic link to the victim file in the queue. The
middle traces advance lpr's counter, until on the last trace,
the victim file can be overwritten with the attacker's own material.
8LGM Advisory: look for [8lgm]-advisory-3.unix.lpr.19-aug-1991.
original traces (2/18/97)
reconverted traces
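The name-reuse flaw described above, as an added example that is not part of the original page or of lpr itself: a self-contained Python model, run in a temporary directory, of a spooler that reuses 1000 queue names without clearing them, beside a version that refuses pre-existing entries. The job%03d naming, the function names and the protected.txt stand-in are assumptions; only the 1000-name limit, the stale symbolic link and the 1001 jobs come from the text.

```python
import os
import tempfile

QUEUE_NAMES = 1000  # from the page: older lpr uses only 1000 queue file names


def queue_path(spool, counter):
    # Hypothetical naming scheme; only the wrap after 1000 names is from the page.
    return os.path.join(spool, "job%03d" % (counter % QUEUE_NAMES))


def spool_unsafe(spool, counter, data):
    """Reuse the name without removing the old entry; open() follows a symlink."""
    with open(queue_path(spool, counter), "wb") as f:
        f.write(data)


def spool_safe(spool, counter, data):
    """Refuse any pre-existing entry: O_CREAT|O_EXCL fails even on a symlink."""
    fd = os.open(queue_path(spool, counter),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo(writer):
    """Return the protected file's content after 1001 jobs go through `writer`."""
    with tempfile.TemporaryDirectory() as root:
        spool = os.path.join(root, "spool")
        os.mkdir(spool)
        target = os.path.join(root, "protected.txt")  # constructed stand-in file
        with open(target, "wb") as f:
            f.write(b"original")
        # Job 0: a symbolic link is left in the queue (first of the 1001 traces).
        os.symlink(target, queue_path(spool, 0))
        # Jobs 1..999 only advance the counter.
        for n in range(1, QUEUE_NAMES):
            writer(spool, n, b"filler")
        # Job 1000 wraps around to the name used by job 0.
        try:
            writer(spool, QUEUE_NAMES, b"replaced")
        except FileExistsError:
            pass  # the safe writer rejects the stale entry
        with open(target, "rb") as f:
            return f.read()


if __name__ == "__main__":
    print("unsafe:", demo(spool_unsafe), "safe:", demo(spool_safe))
```

The safe writer stops at the stale entry, so a real spooler using it would also need to remove finished queue files or pick a fresh name.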
UNM live
These data were collected from one machine
running SunOS 4.1.4 at the CS department at UNM.
As with MIT lpr, the original *.int files are missing two system
calls. Also, we have added more traces.
The original traces
(6/13/96 - 12/10/97) were collected over a period of 3 months. Each filename
begins with a machine name followed by a date and PID, as for the MIT
data. Standard sort will not order the data chronologically, because
PIDs often roll over in the middle of a day. This tarball includes 1234
files. Use the original SunOS mapping file
for these traces. These data were used in the experiments described
in our Journal of Computer Security paper.
The reconverted traces include another 12 months of data. Filenames
are preceded by the original log's modification time. This tarball
includes 4298 files. Use the new mapping file
for these traces. These data were used in experiments
reported in the Alternative Data Models paper.
The lprcp attack script described above for MIT lpr was also used at
UNM.
original traces (6/26/96)
reconverted traces