BSMtrace is a utility that processes audit trails, or real-time audit feeds provided by audit pipes. It loads a set of finite state machines or sequences from the supplied configuration file and watches the audit streams for instances of these sequences. For more information, the example bsmtrace.conf file should be reviewed.

The underlying premise behind bsmtrace is that the user can specify sequences of events that are common after or during system compromise. These might include things like:

  • A subject having 50 failed logins, then one successful login, over the course of a week: something you might expect to see during an SSH brute-force attack.

  • User "nobody" creating files outside of /usr/local/www

  • User "nobody" executing administrative utilities, or utilities like id(1) to determine which level of privilege has been acquired

  • Execution of common shellcode, detected where certain system call sequences don't normally appear. For example, the typical execution pattern of the bind name server when it services a DNS request might be:

  [1] recvmsg(2)
  [2] sendmsg(2)

  [1] recvmsg(2)
  [2] sendmsg(2)


When the return address on the stack is overwritten during a buffer overflow attack, the execution pattern of the process changes, resulting in system calls being executed outside its regular sequence:

  [1] recvmsg
      o buffer overflow is exploited, and now the execution pattern might look
        something like this:
  [2] socket
  [3] bind
  [4] listen
  [5] accept
  [6] dup2
  [7] exec

  • Users or groups of users executing utilities, or looking at (or attempting to look at) files they shouldn't be.
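As an added illustration of the premise above (not bsmtrace's own code, and not the bsmtrace.conf syntax, whose EBNF ships with the source), here is a small Python sequence tracer: each Sequence is a finite state machine run per subject over a stream of audit-like records, with the brute-force and shellcode sequences from the list above expressed in it. The record fields, event names and sample stream are constructed and simplified; real BSM records carry the return status separately from the event type.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Sequence:
    name: str
    key: str             # record field naming the subject ("user", "pid", ...)
    window: float        # max seconds between first and last event of one match
    steps: list          # [(event, count), ...]: count matching events pass a step
    strict: bool = False # True: any non-matching event for the subject resets it

def trace(records, sequences):
    """Run each Sequence as a finite state machine, one instance per subject,
    over an audit record stream; return (sequence, subject, ts) alerts."""
    state = defaultdict(lambda: [0, 0, None])  # (seq, subject) -> [step, seen, start ts]
    alerts = []
    for rec in records:
        for seq in sequences:
            subject = rec.get(seq.key)
            if subject is None:
                continue
            st = state[(seq.name, subject)]
            if st[2] is not None and rec["ts"] - st[2] > seq.window:
                st[:] = [0, 0, None]                  # window expired: start over
            event, count = seq.steps[st[0]]
            if rec["event"] != event:
                if seq.strict:
                    st[:] = [0, 0, None]              # out-of-sequence call
                continue
            if st[2] is None:
                st[2] = rec["ts"]
            st[1] += 1
            if st[1] >= count:
                st[0], st[1] = st[0] + 1, 0
                if st[0] == len(seq.steps):           # final state reached
                    alerts.append((seq.name, subject, rec["ts"]))
                    st[:] = [0, 0, None]
    return alerts

SEQUENCES = [
    Sequence("ssh_bruteforce", "user", 7 * 86400, [("login_fail", 50), ("login_ok", 1)]),
    Sequence("bind_shell_pattern", "pid", 10, strict=True,
             steps=[(e, 1) for e in ("socket", "bind", "listen", "accept", "dup2", "exec")]),
]

# Constructed sample stream, not real audit trail output
SAMPLE = [{"ts": 3600 * i, "user": "alice", "event": "login_fail"} for i in range(50)]
SAMPLE.append({"ts": 180000, "user": "alice", "event": "login_ok"})
SAMPLE += [{"ts": 200000 + i, "pid": 4242, "event": e}
           for i, e in enumerate(("recvmsg", "socket", "bind", "listen", "accept", "dup2", "exec"))]
```

Running `trace(SAMPLE, SEQUENCES)` yields one alert per sequence; a success that arrives after the window, or a syscall that breaks the strict ordering, produces none.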

Because bsmtrace acquires its information from the audit stream, we can be reasonably certain that we can trust the data. Unlike syslog, the BSM audit framework targets Common Criteria (CC) requirements, to help ensure that the audit trail is robust, protected and maintains high levels of integrity.

For more information on the security auditing framework see:


A complete EBNF specification (bsmtrace.ebnf) for the policy configuration engine has been included with this source code archive.


Currently, BSMtrace is built using a basic Makefile. As more platforms are supported, this might change. libpcre is required as a build dependency.

On OS X you can install it using Homebrew:

	% brew install pcre

Or on FreeBSD, you can use ports or pkg to install it. Then:

	% make

To install:

	% make install


The following organizations and individuals have contributed to the development of BSMtrace (in alphabetical order):

  • Aaron L. Meihm
  • Christian S.J. Peron
  • Kyle Evans
  • Mak Kolybabi
  • Marius Halden
  • Modirum MDPay
  • Seccuris Labs


Please report any bugs or comments to: