PaulDotCom mailing list archives

Re: Honeypot


From: Arch Angel <arch3angel () gmail com>
Date: Thu, 23 Jun 2011 17:19:43 -0400

This is something I too have been very interested in doing; however, my Squid fu is quite weak :-(

Suggestions on how to do it, or a way to incorporate the logs from an Astaro box to do the same things!

- Robert
(Arch3Angel)

On 6/23/11 6:57 AM, Ben Jackson wrote:
On Wed, Jun 22, 2011 at 6:54 PM, Jim Halfpenny <jim.halfpenny () gmail com> wrote:
On 22 June 2011 17:17, Michael Lubinski <michael.lubinski () gmail com> wrote:
What methods were you using to analyze the proxy logs for out of the norm behavior?

grep?

Pretty much. I had a script that took logs from our corporate proxy,
and extracted the URL, HTTP return code, and MIME type. From there it
took the MIME type and looked to see if it was some kind of executable
code, Java, or PDF, and if so, downloaded it. There were also some
behavioral tests it did. From there I had to manually classify it.
There was a good amount of false positives but my idea was to develop
a whitelist of hosts to ignore and after a while, I think it would
have given alerts on "abnormal" hosts.

I no longer have the script (wrote it at $OLD_JOB's); however, if
someone gives me access to a Squid log, I can replicate it pretty
easily.
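The approach Ben describes above (pull URL, HTTP status and MIME type out of each Squid log line, flag code-like content types, and ignore a whitelist of known-good hosts so the remaining hosts surface as "abnormal") can be sketched in a short Python script. This is an added example, not the script from the thread or anything from the PaulDotCom project; the log lines, the whitelist and the list of suspect MIME types are constructed for illustration, and it only flags entries rather than fetching the files.

```python
"""Flag Squid proxy log entries whose MIME type indicates downloadable code.

Parses Squid native access.log lines, extracts the URL, HTTP status code
and content type, and reports successful fetches whose content type looks
like an executable, a Java archive or a PDF from hosts that are not on a
whitelist. Everything below (log lines, whitelist, MIME list) is constructed
for this example.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log layout:
# time elapsed client action/status size method URL ident hierarchy/peer mime
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)

# Content types that usually carry code worth a manual look (constructed list).
SUSPECT_MIME = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/x-dosexec",
    "application/x-executable",
    "application/java-archive",
    "application/x-java-archive",
    "application/x-java-applet",
    "application/pdf",
}

# The "hosts to ignore" whitelist from the thread; entries are assumptions.
WHITELIST = {"update.microsoft.com", "download.oracle.com"}


def parse_line(line):
    """Return a dict of fields for one access.log line, or None if unparsable."""
    m = SQUID_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = int(d["size"])
    # CONNECT lines carry "host:port" with no scheme, so fall back to the host part.
    d["host"] = urlsplit(d["url"]).hostname or d["url"].split(":")[0]
    d["mime"] = d["mime"].split(";")[0].lower()   # drop "; charset=..." suffix
    return d


def is_suspect(entry):
    """Successful fetch of a code-like MIME type from a non-whitelisted host."""
    return (
        entry["status"] == 200
        and entry["mime"] in SUSPECT_MIME
        and entry["host"] not in WHITELIST
    )


def find_suspects(lines):
    """All parsed entries that pass is_suspect, in log order."""
    return [e for e in map(parse_line, lines) if e and is_suspect(e)]


def abnormal_hosts(lines):
    """(host, count) pairs for suspect downloads, most frequent first."""
    return Counter(e["host"] for e in find_suspects(lines)).most_common()


# Constructed sample log: whitelisted host, two PDFs and a JAR from example
# hosts, a 404, a plain HTML hit and a CONNECT tunnel with no MIME type.
SAMPLE_LOG = [
    "1308860263.123 234 10.0.0.5 TCP_MISS/200 51234 GET http://update.microsoft.com/patch.exe - DIRECT/192.0.2.10 application/x-msdownload",
    "1308860270.456 120 10.0.0.7 TCP_MISS/200 20480 GET http://files.example-host.test/invoice.pdf - DIRECT/192.0.2.20 application/pdf",
    "1308860275.789  80 10.0.0.7 TCP_MISS/404 512 GET http://files.example-host.test/dropper.exe - DIRECT/192.0.2.20 text/html",
    "1308860280.000 300 10.0.0.9 TCP_MISS/200 998877 GET http://cdn.example-host.test/applet.jar - DIRECT/192.0.2.30 application/java-archive",
    "1308860285.000  50 10.0.0.9 TCP_HIT/200 4096 GET http://www.example.test/index.html - NONE/- text/html",
    "1308860290.000 1000 10.0.0.9 TCP_TUNNEL/200 5000 CONNECT mail.example.test:443 - DIRECT/192.0.2.40 -",
    "1308860295.000 140 10.0.0.7 TCP_MISS/200 30720 GET http://files.example-host.test/report.pdf - DIRECT/192.0.2.20 application/pdf",
]

if __name__ == "__main__":
    for e in find_suspects(SAMPLE_LOG):
        print(f"{e['client']} {e['status']} {e['mime']} {e['url']}")
    print("hosts to review:", abnormal_hosts(SAMPLE_LOG))
```

On a real box you would feed `open("/var/log/squid/access.log")` in place of `SAMPLE_LOG`; the host counts are the starting point for the manual classification step, and hosts that turn out benign get moved into `WHITELIST` so the noise shrinks over time.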



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

