Live normal data for lpr were collected over two weeks from
77 hosts at the Massachusetts Institute of Technology (MIT)
Artificial Intelligence (AI) Lab. All machines were running SunOS
4.1.4 with the included lpr.
In our original conversion of log files to *.int files, two system
calls---exit and brk---were unintentionally left out. These are the
for experiments in our Journal of Computer security
and which have been available
here prior to Nov 98. This set of
original live normal (2/18/97 - 3/4/97)
is a gzipped tarball which untars to 2766 files, some of which are empty.
begins with a machine name followed by a date, which can be used to
sort the data chronologically. The original SunOS
mapping file is appropriate for these traces.
The reconverted files are also in a gzipped
tarball; this set
untars to 2703 files. The filenames used above are preceded with
the original log's modification time, so that a standard sort orders
the files chronologically. A separate mapping file
is required for these traces.
These data were used in experiments
reported in the Alternative Data Models paper.
The lprcp attack script uses lpr to replace the contents
of an arbitrary file with those of another. This attack exploits the
fact that older versions of lpr use only 1000 different names for
printer queue files, and they do not remove the old queue files before
reusing them. The attack produces 1001 traces. In the first trace,
lpr places a symbolic link to the victim file in the queue. The
middle traces advance lpr's counter, until on the last trace,
the victim file can be overwritten with the attacker's own material.
8LGM Advisory: look for [8lgm]-advisory-3.unix.lpr.19-aug-1991.
original traces (2/18/97)
These data were collected from one machine
running SunOS 4.1.4 at the CS department at UNM.
As with MIT lpr, the original *.int files are missing two system
calls. Also, we have added more traces.
The original traces
(6/13/96 - 12/10/97)were collected over a period of 3 months. Each filename
begins with a machine name followed by a date and PID, as for the MIT
data. Standard sort will not order the data chronologically, because
PIDs often rollover in the middle of a day. This tarball includes 1234
files. Use the original SunOS mapping file
for these traces. These data were used in the experiments described
in our Journal of Computer Security paper.
The reconverted traces include another 12
months of data. Filenames
are preceded by the original log's modification time. This tarball
includes 4298 files. Use the new mapping file
for these traces. These data were used in experiments
reported in the
Alternative Data Models paper.
The lprcp attack script described above for MIT lpr was also used at
original traces (6/26/96)