Honeypots mailing list archives
Re: Know Your Enemy: GenII Honeynets
From: "Michael Anuzis" <michael_anuzis () hotmail com>
Date: Wed, 16 Apr 2003 10:04:05 -0400
Ahhhhhhh! A very well thought out idea! I agree, using a spoofed MAC address would be much more desirable than using an arbitrary port. While an arbitrary port filtered would most likely not be detected, I realized it's true a hacker could potentially pick it out of the 65k+ ports available (if they're using a UDP backdoor that is).
From the report it wasn't clear to me the MAC addr that is filtered is spoofed. That slight distinction makes a world of difference! Sorry for causing a disturbance. Sebek2 sounds like an ingenious way to get the honeypot traffic out safely!
Michael Anuzis, CCNA Network Security Consultant http://www.anuzisnetworking.com http://www.lucidic.net - The Distributed Honeypot Project
> From: george chamales <george () overt org>
> To: "Michael Anuzis" <michael_anuzis () hotmail com>
> CC: honeypots () securityfocus com
> Subject: Re: Know Your Enemy: GenII Honeynets
> Date: Mon, 14 Apr 2003 15:46:59 -0500
>
> Comments inline:
>
>> If I was a hacker and ran a sniffer on my hacked host to see what was going on and I saw *no* packets coming from myself. I would see ssh connections etc inbound but nothing outbound. I would know *instantly* this was incredibly suspicious. Perhaps even more suspicious than actually seeing the UDP packets because there would be a chance they'd get overlooked.
>
> You're mistaken about the method Sebek2 uses to hide its packets. Sebek2 certainly doesn't hide all the packets that are sent out of the honeypot because, as you point out, that would be highly suspicious. Sebek2 allows you to specify a source MAC OUI (organization unique identifier) when you load the module. The OUI is the number assigned to different network interface card manufacturers that is placed in the high three bytes of MAC addresses from that manufacturer. All of the packets that are generated by Sebek2 leave the host with the given OUI in the source MAC address. On the honeypot Sebek2 only hides the packets that have that spoofed OUI. As a result, Sebek2 will only hide traffic that was generated by the module and never hide packets generated by normal traffic. One of the benefits of this method is that multiple Linux honeypots on the network can be configured with Sebek2 and the same MAC OUI and none of them will be able to sniff the Sebek traffic on the network. Please feel free to contact Ed Balas if you have any more questions about Sebek2. He's been the primary developer on the project.
>
>> Just thinking off the top of my head, the person who designed Sebek2 could have made it much more useful if instead of a predetermined mac address being ignored, a predetermined port could be specified. This way you could choose an arbitrary port to have things report on such as 30519 or something, and have the logging facility listen for that port, while on the honeypot itself all other traffic such as their SSH/IRC/etc connections would still be visible.
>
> I don't think this is the best solution. It would be really easy for an attacker to run a tool that would send out udp packets from each port on the honeypot system and look for a port where traffic magically disappeared.
>
>> Don't mean to criticize but I've been using this GenII model for months already (and I would guess others are too). I was really excited to see the article and hoping for something fresh and new! Just my $0.02
>
> GenII Honeynets have been around for a while. What we've sought to do here is devote an entire paper to the methods and technology as opposed to a single section in KYE: Honeypots.
>
> Thanks for your input,
> george chamales
> http://honeynet.overt.org
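The thread above describes Sebek2's hiding rule: frames whose source MAC carries the configured OUI are dropped from the honeypot's own view, everything else stays visible. The following is an added example, not Sebek2's code or anything from the Honeynet Project: it emulates that rule on constructed Ethernet/IPv4/UDP frames so the effect can be checked offline. The OUI value, MAC addresses, IP addresses and ports are made up for the demonstration, and the port-based rule is included only to contrast it with the OUI rule.

```python
# Added example (not Sebek2's code): emulate the source-MAC-OUI hiding rule
# described in the thread on constructed Ethernet/IPv4/UDP frames.
# Every address, OUI and port below is constructed for the demo.
import struct

# Constructed OUI that the Sebek2 module is assumed to have been loaded with.
SEBEK_OUI = bytes.fromhex("00aabb")
# Constructed MAC of the honeypot's real NIC (a different OUI) and of the gateway.
NIC_MAC = bytes.fromhex("00d0b7010203")
GATEWAY_MAC = bytes.fromhex("0050560a0b0c")
# Constructed UDP port the emulated logging module sends on.
SEBEK_PORT = 1234


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/UDP frame (checksums left as zero)."""
    eth = dst_mac + src_mac + b"\x08\x00"           # EtherType 0x0800 = IPv4
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp


def source_oui(frame):
    """Source MAC occupies bytes 6..11 of the Ethernet header; OUI is its top three."""
    return frame[6:9]


def udp_source_port(frame):
    """Ethernet (14) + IPv4 without options (20) places the UDP source port at 34."""
    return struct.unpack("!H", frame[34:36])[0]


def hidden_by_oui(frame, oui=SEBEK_OUI):
    """Sebek2-style rule: hide a frame only if its source MAC carries the OUI."""
    return source_oui(frame) == oui


def hidden_by_port(frame, port):
    """Port-based rule from the thread: hide any frame sent from that UDP port."""
    return udp_source_port(frame) == port


def visible(frames, rule):
    """Frames a sniffer on the honeypot would still see under the given rule."""
    return [f for f in frames if not rule(f)]


def sebek_frame(payload, src_host="10.0.0.5"):
    """A module-generated log frame: the source MAC's high three bytes are the OUI."""
    return build_udp_frame(SEBEK_OUI + b"\x00\x00\x01", GATEWAY_MAC,
                           src_host, "10.0.0.1", SEBEK_PORT, SEBEK_PORT, payload)


def demo():
    """Compare the two rules on one log frame and one ordinary UDP frame."""
    sebek = sebek_frame(b"keystroke log")
    # Ordinary traffic from the real NIC whose source port happens to be 30519.
    dns = build_udp_frame(NIC_MAC, GATEWAY_MAC, "10.0.0.5", "10.0.0.1",
                          30519, 53, b"dns query")
    frames = [sebek, dns]
    return {
        # OUI rule: only the module's frame disappears, normal traffic stays.
        "oui_rule_visible": len(visible(frames, hidden_by_oui)),
        "oui_rule_hides_only_sebek": hidden_by_oui(sebek) and not hidden_by_oui(dns),
        # Port rule keyed on 30519: hides the ordinary frame, not the log frame.
        "port_rule_hides_normal_traffic": hidden_by_port(dns, 30519),
        "port_rule_misses_sebek": not hidden_by_port(sebek, 30519),
    }


if __name__ == "__main__":
    print(demo())
```

The point the frames make concrete is George's: the OUI rule keys on something only the module's own frames carry, so a second honeypot loaded with the same OUI would hide the first one's log traffic as well, while nothing a normal process sends is ever affected. A port rule keys on a value ordinary traffic can also use, so it both hides the wrong things and leaves a fixed, observable gap.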
Current thread:
- Re: Know Your Enemy: GenII Honeynets Michael Anuzis (Apr 15)
- Re: Know Your Enemy: GenII Honeynets george chamales (Apr 15)
- Re: Know Your Enemy: GenII Honeynets Mike Clark (Apr 15)
- <Possible follow-ups>
- Re: Know Your Enemy: GenII Honeynets Michael Anuzis (Apr 16)