Honeypots mailing list archives

Re: Sebek detection


From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Mon, 29 Mar 2004 18:08:44 +0200

On Mon Mar 29 09:55:47 2004 Gabriel Armbrust Araujo wrote:


      Hi,

      There's been a fake phrack edition which has a paper
      'Local Honeypot Identification'
      http://www.phrack.org/unoffical/p62/p62-0x07.txt

      I have not tested the techniques described in the text - is it
      real or just nonsense?

Some of the ideas presented in this (fake) phrack article are true, some
are just nonsense: You can detect the honeywall if the outgoing traffic
is shaped via the rc.firewall script provided by the honeynet project
(http://honeynet.org/tools/dcontrol/rc.firewall). Just write a little
perl script and see if you get blocked after a relatively small number of
outgoing connections. Detection of snort_inline works similarly: Send a
malicious-looking packet from the honeypot to another host and see if it
is received in unaltered form.
Detection of the altered sys-call-table works similarly to what is
presented in the article: Just do something like

/* sct: pointer to the kernel's sys_call_table, obtained elsewhere in the module */
printk("0x%p 0x%p 0x%p\n", sct[__NR_fork], sct[__NR_read], sct[__NR_write]);

inside a module and see if these three system calls lie nearby.

Another interesting point: At the cansecwest/core04 conference
(http://www.cansecwest.com/) Lance Spitzner will give a talk entitled
"Why Honeypots suck". Does anyone know what he will talk about? :)

  Thorsten
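The sys_call_table check sketched in the message above, modelled in user space as an added example (it is not code from the post, from Sebek or from the honeynet project). On a clean 2.4 kernel every table entry points into the kernel's own text segment, so the entries lie close together; a module that replaces an entry leaves a pointer into module memory. The example goes one step beyond the "do they lie nearby" heuristic and also checks each entry against the text-segment bounds, which is how a defender would audit a kernel for hooked system calls. The kernel text range, the table contents and the struct/function names are constructed sample values and assumptions, not real kernel symbols.

```c
/*
 * Added example: user-space model of a sys_call_table integrity check.
 * All addresses below are constructed sample values (hypothetical 2.4
 * kernel), not real kernel symbols.
 */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

struct syscall_entry {
    const char *name;
    uintptr_t addr;   /* value found in sys_call_table[nr] */
};

/* Constructed: text segment of a hypothetical kernel, 0xc0100000..0xc02a0000 */
#define KTEXT_START 0xc0100000UL
#define KTEXT_END   0xc02a0000UL

/* Constructed sample table: the read() entry has been redirected into module space */
static const struct syscall_entry sample_table[] = {
    { "fork",  0xc0105b90UL },
    { "read",  0xd0845120UL },   /* points into vmalloc'd module memory */
    { "write", 0xc013a4e0UL },
    { "open",  0xc0139c10UL },
};
#define SAMPLE_COUNT (sizeof sample_table / sizeof sample_table[0])

/* Returns 1 if the entry points inside the kernel text segment, 0 otherwise */
int entry_in_kernel_text(uintptr_t addr, uintptr_t text_start, uintptr_t text_end)
{
    return addr >= text_start && addr < text_end;
}

/*
 * Scan a table; names of entries outside the text segment are written to
 * out[] (up to max_out, out may be NULL). Returns how many were found.
 */
size_t find_hooked_entries(const struct syscall_entry *tbl, size_t n,
                           uintptr_t text_start, uintptr_t text_end,
                           const char **out, size_t max_out)
{
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++) {
        if (!entry_in_kernel_text(tbl[i].addr, text_start, text_end)) {
            if (out && hooked < max_out)
                out[hooked] = tbl[i].name;
            hooked++;
        }
    }
    return hooked;
}

/*
 * The "do they lie nearby" heuristic from the post: distance between the
 * lowest and highest address in the table. A spread much larger than the
 * kernel text segment means at least one pointer has left the kernel.
 */
uintptr_t table_spread(const struct syscall_entry *tbl, size_t n)
{
    if (n == 0)
        return 0;
    uintptr_t lo = tbl[0].addr, hi = tbl[0].addr;
    for (size_t i = 1; i < n; i++) {
        if (tbl[i].addr < lo) lo = tbl[i].addr;
        if (tbl[i].addr > hi) hi = tbl[i].addr;
    }
    return hi - lo;
}

int main(void)
{
    const char *hooked[SAMPLE_COUNT];
    size_t n = find_hooked_entries(sample_table, SAMPLE_COUNT,
                                   KTEXT_START, KTEXT_END, hooked, SAMPLE_COUNT);

    printf("address spread across table: 0x%lx\n",
           (unsigned long)table_spread(sample_table, SAMPLE_COUNT));
    for (size_t i = 0; i < n; i++)
        printf("suspicious: sys_%s points outside kernel text\n", hooked[i]);
    return n ? 1 : 0;
}
```

In a real audit the table addresses would come from the running kernel and the text bounds from its symbol map; the two checks then flag an entry that points into module memory even when the attacker's hook happens to sit numerically close to the kernel.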
