Honeypots mailing list archives

Re: Data capture on Windows and Solaris Boxes


From: Ryan Barnett <RCBarnett () hushmail com>
Date: 14 Mar 2003 16:05:46 -0000

In-Reply-To: <EGEBKMJLKALGBPFGFBHJIEIGCFAA.brennen-ml () off-pisteconsulting com>


Good Day All,

I have been tasked with building and maintaining a Gen II style Honeynet for a client. The client is very adamant that the individual Honeypots resemble their current network. Therefore all of the boxes will either be Windows NT 4.0, Windows 2000 or Solaris 8. I have been trying to locate utilities to help in the data capture at the end host and have only had limited success. For the Windows machines I have found ComLog and the Eventlog to Syslog utility, but have come up empty for Solaris. I was hoping some of you would have some pointers to other utilities. My feeling is in a worst case scenario I will attempt to port some of the utilities written for Linux and *BSD to Solaris. Any pointers would be greatly appreciated.
Thanks.

Brennen Reynolds

Brennen,
For Solaris, you can use my RemoteBSM tool. It is an updated version of BackLog for Solaris from Intersect Alliance. This tool reads data from the standard Solaris BSM Audit subsystem, uses the praudit utility to convert the audit data to ASCII and then sends the data off to a remote logging host via UDP. My whitepaper (and tool download) for RemoteBSM is available from my honeypots website - 
http://honeypots.sourceforge.net/Honeypotting_With_RemoteBSM.html

Additionally, you might want to check out the new SNARE for Solaris tool from Intersect Alliance (http://www.intersectalliance.com). This is the updated BackLog tool, which adds functionality such as Objective logging.

-Ryan
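The pipeline Ryan describes (BSM audit trail, converted to ASCII by praudit, shipped to a remote log host over UDP) as an added illustration; this is not RemoteBSM's own code. The sample record is constructed and only approximates praudit's default token-per-line output, and the hostname, facility and loopback port are assumptions.

```python
import socket

# Constructed sample approximating praudit's default ASCII output for one
# BSM record: one token per line, delimited by "header" ... "trailer".
SAMPLE_PRAUDIT = """\
header,81,2,execve(2),,Fri Mar 14 16:05:46 2003, + 123 msec
path,/usr/bin/ls
subject,user1,user1,staff,user1,staff,1234,5678,0 0 192.0.2.10
return,success,0
trailer,81
"""

def group_records(lines):
    """Group praudit token lines into whole records (header .. trailer).
    A trailing record with no trailer yet (praudit still writing) is held back."""
    record = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        record.append(line)
        if line.startswith("trailer,"):
            yield record
            record = []

def to_syslog(record, hostname="honeypot1", facility=13, severity=6):
    """Frame one record as a single BSD-syslog style line.
    PRI = facility*8 + severity; facility 13 is 'log audit' in RFC 3164."""
    pri = facility * 8 + severity
    return f"<{pri}>{hostname} remotebsm: " + "|".join(record)

def send_records(lines, host, port):
    """Send each complete record as one UDP datagram; returns the count sent.
    UDP gives no delivery guarantee and no authentication, so the collector
    should sit on the honeynet's out-of-band management segment."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    for record in group_records(lines):
        sock.sendto(to_syslog(record).encode(), (host, port))
        sent += 1
    sock.close()
    return sent

def demo_loopback():
    """Stand-in for the remote log host: receive on loopback and return the datagrams."""
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    recv.bind(("127.0.0.1", 0))          # assumed: any free loopback port
    recv.settimeout(2)
    port = recv.getsockname()[1]
    sent = send_records(SAMPLE_PRAUDIT.splitlines(keepends=True), "127.0.0.1", port)
    msgs = [recv.recv(65535).decode() for _ in range(sent)]
    recv.close()
    return msgs

if __name__ == "__main__":
    for m in demo_loopback():
        print(m)
```

On a real host the input would be `tail -f` of the active trail file in /var/audit piped through praudit rather than the embedded sample.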

