Honeypots mailing list archives

Re: Honeynet Project Security Advisory 2004-001: Sebek


From: Ryan Barnett <RCBarnett () hushmail com>
Date: 22 Jan 2004 21:06:47 -0000

In-Reply-To: <Pine.LNX.4.44.0401221344550.25604-100000 () sumatra ucs indiana edu>

From: Edward Balas <ebalas () iu edu>
-- CUT --
Review of Best Practices:
-- CUT --

  1.   It is recommended that you run sbk_extract in a chroot
       environment protected with Systrace and, if available,
       your favorite flavor of stack protection.  This
       recommendation applies to all data capture tools run on
       a honeynet data collection server.

While this recommendation is based on sound logic (with regards to keeping the honeypot/net logging data secure), 
we may be missing a prime opportunity here.  I for one would sure like to see someone successfully execute this type of 
libpcap exploit to compromise the Sebek server host!  What GREAT exploit intel!

Let's not forget our Gen I mindset, when having an attacker discover a remote syslog server and then try to compromise 
it was a GOOD thing for identifying new attacks/exploits against syslogd.

-RYAN
