Honeypots mailing list archives
Re: Honeynet Project Security Advisory 2004-001: Sebek
From: Ryan Barnett <RCBarnett () hushmail com>
Date: 22 Jan 2004 21:06:47 -0000
In-Reply-To: <Pine.LNX.4.44.0401221344550.25604-100000 () sumatra ucs indiana edu>
From: Edward Balas <ebalas () iu edu>
-- CUT --
Review of Best Practices:
-- CUT --
1. It is recommended that you run sbk_extract in a chroot environment protected with Systrace and, if available, your favorite flavor of stack protection. This recommendation applies to all data capture tools run on a honeynet data collection server.
While this recommendation is based on sound logic (with regards to keeping the honeypot/net logging data secure), we may be missing a prime opportunity here. I for one would sure like to see someone successfully execute this type of libpcap exploit to compromise the sebek serverhost! What GREAT exploit intel! Let's not forget our Gen I mindset - when having an attacker discover a remote syslog server and then try to compromise it was a GOOD thing for identifying new attacks/exploits against syslogd. -RYAN