Honeypots mailing list archives

Re: FreeBSD and honeypots [ Re: Snort inline for openbsd? ]


From: Benjamin Johnson <bsjohnso () midway uchicago edu>
Date: Tue, 04 Mar 2003 09:26:40 -0600

While it's still in a testing phase, I have been working on getting sebek ported to FreeBSD. It currently works pretty well but I could definitely use more testers. Sebek, developed mainly by Ed Balas and Michael Clark, is a kernel module that captures ssh traffic and uses some helper applications to log the data to another machine.

Anyone who wants to try it out please let me know.

Peace,

Benjamin Johnson
Computer Science Concentrator
University of Chicago

Philip Reynolds wrote:

ph33r's [ph33r () fatelabs com] 59 lines of wisdom included:
The honeypot was setup with a default installation of FreeBSD 4.7, with some security measures implemented, such as patches, fake TCP/IP ports opened, and some logging applications such as syslog-ng, portsentry and the sysctl kernel logging enabled.

All logs are stored off site on a remote machine, (remote log server) which has played its part in this project.

If you require any more details on the honeypot, please don't hesitate to contact me. I'd be more than happy to supply you with anything you may require.

I realise this is a honeypot, but perhaps just a few things to
mention about Portsentry anyways.
Last time I looked at portsentry, it only used "stealth scans" on
Linux, which means that on other Operating Systems (like FreeBSD) it
had to bind to all the ports it wished to monitor.

According to a friend of mine as well, nmap with certain stealth
scan options can elude portsentry fairly easily as well. Here's an
article on the issue by a former student friend of mine:

        http://www.linux.ie/articles/portsentryandsnortcompared.php

It may have a steeper learning curve, but I would actively support
running a NIDS such as snort, instead of portsentry.
Running snort on main services machines will mean that you'll get
plenty of false positives (believe me, I know!), however running it
on a honeypot should (at least in theory) greatly reduce the number
of false positives.

Thanks for the information on FreeBSD honeypots, I'll look forward
to seeing some of the results.
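The portsentry-versus-snort point above (a bind-to-port sensor only learns of a probe once a TCP handshake completes against a socket it owns, while a passive sniffer sees every packet) can be modelled in a few lines. The following is an added example, not code from the thread, sebek, portsentry or snort; the packet records and the trap-port list are constructed, and both detectors are deliberately simplified models of the two approaches.

```python
"""Passive (sniffer) vs. bind-to-port sensing of port probes, over a
constructed packet log.  Added example, not from the original thread."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of the (constructed) capture
    src: str       # client address
    dport: int     # destination TCP port on the honeypot
    flags: str     # client's TCP flags: "S" SYN, "A" ACK, "R" RST, "F" FIN


# Ports on which a portsentry-style sensor would hold listening sockets.
# Constructed for this example; 22 and 80 are assumed to be real services.
TRAP_PORTS = {21, 23, 25, 110, 143}

# Constructed traffic, not a real capture:
#  10.0.0.5  makes ordinary full connections to 22 and 80 (SYN, then ACK)
#  10.0.0.9  half-open SYN scan: SYN then RST on each port, never an ACK
#  10.0.0.7  FIN scan: bare FIN packets, no handshake at all
#  10.0.0.11 one full connection to a single trap port (23)
SAMPLE = (
    [Packet(0.0, "10.0.0.5", 22, "S"), Packet(0.1, "10.0.0.5", 22, "A"),
     Packet(1.0, "10.0.0.5", 80, "S"), Packet(1.1, "10.0.0.5", 80, "A")]
    + [p for port in (21, 22, 23, 25, 80, 110, 143)
       for p in (Packet(5.0 + port / 1000, "10.0.0.9", port, "S"),
                 Packet(5.001 + port / 1000, "10.0.0.9", port, "R"))]
    + [Packet(20.0 + i, "10.0.0.7", port, "F")
       for i, port in enumerate((21, 22, 23, 25, 80, 110))]
    + [Packet(30.0, "10.0.0.11", 23, "S"), Packet(30.1, "10.0.0.11", 23, "A")]
)


def passive_scan_sources(packets, window=10.0, min_ports=5):
    """Sniffer-style: every packet is observed, whatever its flags.
    Flag a source that touches >= min_ports distinct ports within `window` s."""
    by_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        by_src[p.src].append(p)
    flagged = set()
    for src, pkts in by_src.items():
        lo = 0
        for hi in range(len(pkts)):            # sliding window over this source
            while pkts[hi].ts - pkts[lo].ts > window:
                lo += 1
            if len({q.dport for q in pkts[lo:hi + 1]}) >= min_ports:
                flagged.add(src)
                break
    return flagged


def bind_sensor_sources(packets, monitored_ports):
    """Bind-to-port style: the sensor owns a socket on each monitored port and
    only hears about a client when accept() returns, i.e. after the client's
    SYN and its final handshake ACK.  SYN+RST pairs and bare FINs never
    reach accept(), so half-open and FIN probes are invisible to it."""
    pending = set()                   # (src, dport) with SYN seen, no ACK yet
    accepted = defaultdict(set)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dport not in monitored_ports:    # a real service owns other ports
            continue
        key = (p.src, p.dport)
        if p.flags == "S":
            pending.add(key)
        elif p.flags == "A" and key in pending:
            pending.discard(key)
            accepted[p.src].add(p.dport)      # handshake completed: accept()
        elif p.flags in ("R", "F"):
            pending.discard(key)
    return set(accepted)              # one completed connect is enough to trip a trap port


if __name__ == "__main__":
    print("passive sniffer flags:", sorted(passive_scan_sources(SAMPLE)))
    print("bind-to-port sensor flags:", sorted(bind_sensor_sources(SAMPLE, TRAP_PORTS)))
```

On this sample the passive detector reports the two scanners (10.0.0.9 and 10.0.0.7) and the bind-based sensor reports only 10.0.0.11, the one client that actually completed a connection to a trap port. On a production host the passive threshold would need to be tuned against legitimate multi-port clients (the false positives Philip mentions); on a honeypot, where no legitimate traffic is expected, it can be set much lower.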
