Honeypots mailing list archives
RE: Storing ALL Data from honeywall CDROM Roo version
From: "Jeff Dell" <jdell () activeworx com>
Date: Sun, 13 Nov 2005 19:46:43 -0500
> Hello, I'm a student doing a study allowance at an antivirus company. I want to create a virtual environment to watch the behavior of different kinds of malware under Windows OS. I'm using VMware to deploy a honeynet with the honeywall CDROM roo-1.0.hw-189.iso. There are 3 Windows systems and a fourth system which is the honeywall. I have an automated process in which I infect the Windows virtual machines and let the malware play around for 15 minutes. Next, the machines turn off without saving changes and start again with another set of malware progs... anyway, the point is that I want to:
>
> 1. Store all info that the honeywall can capture to a database on an external machine.

This is really not currently possible because only half of the information is in the database. Look for enhancements in the future to resolve these issues.

> 2. Further, I want to analyze this data with the Honeynet Security Console.

Currently HSC does not support the new schema format. Look for this in future versions.

> Due to the nature of my company all the data I can extract could be of use.
>
> My question(s): If I'm understanding well, the honeywall has a database (hflow), the database which Walleye is going to use. Does this database have all the information that I want, or should I gather it from the different log files?

The information is in both the database and in log files. You really need both.

> If the answer is yes, then all I have to do is copy the data in this database to another database on the external machine, which is going to have the Honeywall Security Console schema. So... how can I export the data to the database on the external machine (probably, the administration host)??

Once support for distributed honeynets is supported within roo, you will see more advanced distributed features within HSC.

> Another little question: ALL the information means the data from Snort (snort-inline), Sebek, iptables, p0f and argus. Am I right??
>
> <http://abejaruco82.stumbleupon.com/about/>
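Jeff's point is that the hflow database alone is not enough and the honeywall's log files have to be collected as well. As an added example (not from this thread or from the Honeywall project), here is a loader for the iptables entries, which are standard kernel netfilter LOG lines; the log prefix, host name and sample lines are constructed, and SQLite stands in for the external database.

```python
import re
import sqlite3

# Standard netfilter LOG target fields on a kernel syslog line; the prefix is
# free text. Anything between OUT= and SRC= (MAC=, PHYSIN= on a bridge) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?)"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

SCHEMA = """CREATE TABLE IF NOT EXISTS fw_log (
    ts TEXT, prefix TEXT, iface_in TEXT, iface_out TEXT,
    src TEXT, dst TEXT, proto TEXT, spt INTEGER, dpt INTEGER)"""


def parse_line(line):
    """Return a dict of fields for a netfilter LOG line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # ICMP and other port-less protocols carry no SPT/DPT.
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def load(lines, db_path=":memory:"):
    """Insert parsed lines into SQLite; returns (connection, inserted, skipped)."""
    con = sqlite3.connect(db_path)
    con.execute(SCHEMA)
    inserted = skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # non-firewall syslog noise is left out
            continue
        con.execute("INSERT INTO fw_log VALUES (?,?,?,?,?,?,?,?,?)",
                    (rec["ts"], rec["prefix"].strip(), rec["in"], rec["out"],
                     rec["src"], rec["dst"], rec["proto"], rec["spt"], rec["dpt"]))
        inserted += 1
    con.commit()
    return con, inserted, skipped


# Constructed sample lines (not captured from a real honeywall).
SAMPLE = [
    "Nov 13 19:40:01 roo kernel: OUTBOUND TCP: IN=br0 OUT=br0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TTL=128 ID=1 DF PROTO=TCP SPT=1034 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Nov 13 19:40:02 roo kernel: OUTBOUND ICMP: IN=br0 OUT=br0 SRC=10.0.0.5 DST=192.0.2.11 LEN=84 TTL=128 ID=2 PROTO=ICMP TYPE=8 CODE=0",
    "Nov 13 19:40:03 roo sshd[123]: Accepted publickey for root",
]
```

Run `load(SAMPLE)` to get a connection you can query by destination port or protocol, which is the view of outbound malware traffic the thread is after.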
Current thread:
- Storing ALL Data from honeywall CDROM Roo version Jaime Sotelo (Nov 13)
- RE: Storing ALL Data from honeywall CDROM Roo version Jeff Dell (Nov 13)
- Re: Storing ALL Data from honeywall CDROM Roo version Jaime Sotelo (Nov 17)
- RE: Storing ALL Data from honeywall CDROM Roo version David Watson (Nov 19)
- Re: Storing ALL Data from honeywall CDROM Roo version Jaime Sotelo (Nov 25)
- Re: Storing ALL Data from honeywall CDROM Roo version Jaime Sotelo (Nov 25)
- RE: Storing ALL Data from honeywall CDROM Roo version Jeff Dell (Nov 25)
- Re: Storing ALL Data from honeywall CDROM Roo version Jaime Sotelo (Nov 17)
- <Possible follow-ups>
- Re: Storing ALL Data from honeywall CDROM Roo version Earl Sammons (Nov 28)
- RE: Storing ALL Data from honeywall CDROM Roo version Jeff Dell (Nov 13)