Honeypots mailing list archives
Re: Sebek detection
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Mon, 29 Mar 2004 18:08:44 +0200
On Mon Mar 29 09:55:47 2004 Gabriel Armbrust Araujo wrote:

> Hi,
> There's been a fake phrack edition which has a paper 'Local Honeypot Identification'
> http://www.phrack.org/unoffical/p62/p62-0x07.txt
> I have not tested the techniques described in the text - is it real or just nonsense?

Some of the ideas presented in this (fake) phrack article are true, some are just nonsense:

You can detect the honeywall if the outgoing traffic is shaped via the rc.firewall script provided by the honeynet project (http://honeynet.org/tools/dcontrol/rc.firewall). Just write a little perl script and see if you get blocked after a relatively small number of outgoing connections.

Detection of snort_inline works similarly: send a malicious-looking packet from the honeypot to another host and see if it is received in unaltered form.

Detection of the altered sys_call_table works similarly as presented in the article: just do something like printk("0x%p 0x%p 0x%p\n", sct[__NR_fork], sct[__NR_read], sct[__NR_write]); inside a module and see if these three system calls lie near by.

Another interesting point: at the cansecwest/core04 conference (http://www.cansecwest.com/) Lance Spitzner will give a talk entitled "Why Honeypots suck". Does anyone know what he will talk about? :)

Thorsten
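The first observation above, that a hard per-window cap on outbound connections is visible from inside the honeypot as a clean step from "allowed" to "blocked", can be modelled without touching a real honeywall. The following Python is an added example, not code from the mailing list, from the honeynet project or from rc.firewall; the ConnectionLimiter class is a constructed toy stand-in for the rc.firewall outbound cap (limit and window values are assumptions, not the script's defaults), and infer_hard_cap shows what an operator reviewing the outcome sequence would see.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ConnectionLimiter:
    """Toy model (constructed for this example) of a per-window outbound
    connection cap of the kind rc.firewall applies: the first `limit`
    connections inside any `window_seconds` span are allowed, the rest dropped.
    Real honeywall behaviour is not reproduced beyond that step function."""
    limit: int
    window_seconds: float
    _timestamps: List[float] = field(default_factory=list)

    def allow(self, now: float) -> bool:
        # forget connections that have aged out of the sliding window
        self._timestamps = [t for t in self._timestamps if now - t < self.window_seconds]
        if len(self._timestamps) >= self.limit:
            return False
        self._timestamps.append(now)
        return True


def probe_outcomes(limiter: Optional[ConnectionLimiter], attempts: int,
                   interval: float) -> List[bool]:
    """Simulate `attempts` outbound connections spaced `interval` seconds apart
    and record whether each one was allowed. A None limiter models a host with
    no cap at all (every attempt succeeds)."""
    outcomes = []
    for i in range(attempts):
        now = i * interval
        outcomes.append(True if limiter is None else limiter.allow(now))
    return outcomes


def infer_hard_cap(outcomes: List[bool]) -> Optional[int]:
    """Return the cap if the outcome sequence is a clean step function
    (k successes followed only by failures), which is the fingerprint a
    fixed per-window limit leaves. Returns None when no failure occurs or
    when the pattern is not a single step (e.g. intermittent loss)."""
    if False not in outcomes:
        return None
    k = outcomes.index(False)
    if all(outcomes[:k]) and not any(outcomes[k:]):
        return k
    return None


if __name__ == "__main__":
    # assumed cap: 15 outbound connections per hour, probed once per second
    capped = probe_outcomes(ConnectionLimiter(limit=15, window_seconds=3600), 40, 1.0)
    print("capped host  ->", infer_hard_cap(capped))      # 15
    print("uncapped host ->", infer_hard_cap(probe_outcomes(None, 40, 1.0)))  # None
```

The step function is the whole point: a limiter that simply stops allowing connections after a fixed count tells the observer the exact value of that count, whereas lossy or noisy behaviour (modelled here by infer_hard_cap returning None) does not. The inference function deliberately refuses to guess when the sequence is not a clean step, so a single timeout caused by an unrelated network fault is not reported as a cap.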