Honeypots mailing list archives
Re: FreeBSD and honeypots [ Re: Snort inline for openbsd? ]
From: Benjamin Johnson <bsjohnso () midway uchicago edu>
Date: Tue, 04 Mar 2003 09:26:40 -0600
While it's still in a testing phase, I have been working on getting sebek ported to FreeBSD. It currently works pretty well but I could definitely use more testers. Sebek, developed mainly by Ed Balas and Michael Clark, is a kernel module that captures ssh traffic and uses some helper applications to log the data to another machine.
Anyone who wants to try it out please let me know.

Peace,
Benjamin Johnson
Computer Science Concentrator
University of Chicago

Philip Reynolds wrote:
ph33r's [ph33r () fatelabs com] 59 lines of wisdom included:

> The honeypot was setup with a default installation of FreeBSD 4.7, with some security measures implemented, such as patches, fake TCP/IP ports opened, and some logging applications such as syslog-ng, portsentry and the sysctl kernel logging enabled. All logs are stored off site on a remote machine, (remote log server) which has played its part in this project. If you require any more details on the honeypot, please don't hesitate to contact me. I'd be more than happy to supply you with anything you may require.

I realise this is a honeypot, but perhaps just a few things to mention about Portsentry anyways.

Last time I looked at portsentry, it only used "stealth scans" on Linux, which means that on other Operating Systems (like FreeBSD) it had to bind to all the ports it wished to monitor. According to a friend of mine as well, nmap with certain stealth scan options can elude portsentry fairly easily as well. Here's an article on the issue by a former student friend of mine: http://www.linux.ie/articles/portsentryandsnortcompared.php

It may have a steeper learning curve, but I would actively support running a NIDS such as snort, instead of portsentry. Running snort on main services machines will mean that you'll get plenty of false positives (believe me, I know!), however running it on a honeypot should (at least in theory) greatly reduce the number of false positives.

Thanks for the information on FreeBSD honeypots, I'll look forward to seeing some of the results.
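The distinction Philip draws between a bound-socket sensor (portsentry on non-Linux systems) and a packet-inspecting NIDS, shown on constructed traffic as an added example that is not part of the thread: the packet builder, the 192.0.2.x addresses and the watched-port set are assumptions for the demonstration, and checksums are not computed.

```python
import struct

SYN, ACK, RST = 0x02, 0x10, 0x04

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed IPv4 + TCP headers (checksums left zero); sample input only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags) for a TCP packet, else None."""
    if pkt[9] != 6:                      # IPv4 protocol field: 6 = TCP
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport, pkt[ihl + 13]

def packet_level_probes(packets, watched):
    """What a sniffing sensor sees: every bare SYN aimed at a watched port."""
    hits = []
    for pkt in packets:
        p = parse_ipv4_tcp(pkt)
        if p and p[3] in watched and p[4] & SYN and not p[4] & ACK:
            hits.append((p[0], p[3]))
    return hits

def socket_level_accepts(packets, watched):
    """What a bound-socket sensor sees: only flows whose handshake completes."""
    pending, hits = set(), []
    for pkt in packets:
        p = parse_ipv4_tcp(pkt)
        if p is None or p[3] not in watched:
            continue
        src, _, sport, dport, flags = p
        if flags & SYN and not flags & ACK:
            pending.add((src, sport, dport))     # SYN seen, handshake not yet done
        elif flags & ACK and (src, sport, dport) in pending:
            hits.append((src, dport))            # final ACK: accept() would fire
    return hits

SAMPLE = [  # constructed traffic toward a host watching ports 23 and 80
    build_ipv4_tcp("192.0.2.10", "192.0.2.1", 40000, 23, SYN),  # half-open probe, never completed
    build_ipv4_tcp("192.0.2.10", "192.0.2.1", 40001, 80, SYN),  # real connection: SYN ...
    build_ipv4_tcp("192.0.2.10", "192.0.2.1", 40001, 80, ACK),  # ... then handshake-completing ACK
    build_ipv4_tcp("192.0.2.11", "192.0.2.1", 40002, 23, RST),  # stray RST, not a connection start
]
```

Run over SAMPLE, the packet-level view records the probe to port 23 and the connection to port 80, while the socket-level view records only the completed connection to port 80.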