Honeypots mailing list archives
Re: Data capture on Windows and Solaris Boxes
From: Ryan Barnett <RCBarnett () hushmail com>
Date: 14 Mar 2003 16:05:46 -0000
In-Reply-To: <EGEBKMJLKALGBPFGFBHJIEIGCFAA.brennen-ml () off-pisteconsulting com>
Good Day All,

I have been tasked with building and maintaining a Gen II style Honeynet for a client. The client is very adamant that the individual Honeypots resemble their current network. Therefore all of the boxes will either be Windows NT 4.0, Windows 2000 or Solaris 8. I have been trying to locate utilities to help in the data capture at the end host and have only had limited success. For the Windows machines I have found ComLog and the Eventlog to Syslog utility, but have come up empty for Solaris. I was hoping some of you would have some pointers to other utilities. My feeling is in a worst case scenario I will attempt to port some of the utilities written for Linux and *BSD to Solaris. Any pointers would be greatly appreciated.

Thanks.

Brennen Reynolds
Brennen,

For Solaris, you can use my RemoteBSM tool. It is an updated version of BackLog for Solaris from Intersect Alliance. This tool reads data from the standard Solaris BSM Audit subsystem, uses the praudit utility to convert the audit data to ASCII and then sends the data off to a remote logging host via UDP. My whitepaper (and tool download) for RemoteBSM is available from my honeypots website - http://honeypots.sourceforge.net/Honeypotting_With_RemoteBSM.html

Additionally, you might want to check out the new SNARE for Solaris tool from Intersect Alliance (http://www.intersectalliance.com). This is the updated BackLog tool, which adds functionality such as Objective logging.

-Ryan
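As an added example (not RemoteBSM's or SNARE's code), a minimal forwarder that does the job Ryan describes: it takes praudit(1M) text, regroups the one-token-per-line output into whole BSM records so a record is never shipped half-written, and sends each record to the remote logging host as one UDP syslog datagram. The collector address, the syslog facility, the '|' token joiner and the praudit sample lines are assumptions constructed for this example.

```python
"""Group praudit(1M) text into BSM records and ship each as a UDP syslog datagram."""
import socket
import sys
import time

COLLECTOR = ("loghost.example.invalid", 514)  # placeholder remote logging host
PRI_LOCAL3_INFO = 19 * 8 + 6                   # RFC 3164 PRI: facility local3, severity info

# Constructed praudit-style text: one token per line, a record runs "header" .. "trailer".
SAMPLE_PRAUDIT = [
    "return,success,0",                        # stray tail of an earlier record: dropped
    "header,129,2,execve(2),,Fri Mar 14 10:00:00 2003, + 123 msec",
    "path,/usr/bin/id",
    "subject,brennen,root,root,root,root,1234,1234,0 0 honeypot1",
    "return,success,0",
    "trailer,129",
    "header,80,2,login - telnet,,Fri Mar 14 10:00:01 2003, + 5 msec",
    "subject,brennen,brennen,other,brennen,other,1240,1240,0 0 honeypot1",
]   # the second record has no trailer yet: it must not be sent half-written

def group_records(lines):
    """Yield complete header..trailer records; tokens outside a record are discarded."""
    current = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("header,"):
            current = [line]                   # a header always opens a fresh record
        elif current:
            current.append(line)
            if line.startswith("trailer,"):
                yield current
                current = []

def syslog_frame(record, hostname, tag="bsm"):
    """'<PRI>Mmm dd hh:mm:ss host tag: msg'; tokens joined with '|' so one record is one datagram."""
    now = time.localtime()
    ts = f"{time.strftime('%b', now)} {now.tm_mday:2d} {time.strftime('%H:%M:%S', now)}"
    return f"<{PRI_LOCAL3_INFO}>{ts} {hostname} {tag}: {'|'.join(record)}".encode()

def forward(lines, collector=COLLECTOR, hostname="honeypot1"):
    """Send one datagram per complete record and return how many were sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    frames = [syslog_frame(rec, hostname) for rec in group_records(lines)]
    for frame in frames:
        sock.sendto(frame, collector)
    return len(frames)

if __name__ == "__main__":  # on the honeypot: tail -0f /var/audit/<trail> | praudit | python3 forward_bsm.py
    print(forward(sys.stdin, hostname=socket.gethostname()))
```

UDP syslog is unauthenticated and lossy, so the collector belongs on a dedicated management interface and the count returned by forward() can be compared against what actually arrives.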