PaulDotCom mailing list archives
Re: Honeypot
From: Arch Angel <arch3angel () gmail com>
Date: Thu, 23 Jun 2011 17:19:43 -0400
This is something I too have been very interested in doing, however my squid fu is quite weak :-(
Suggestions on how to do it, or a way to incorporate the logs from an Astaro box to do the same things!
- Robert (Arch3Angel)

On 6/23/11 6:57 AM, Ben Jackson wrote:
> On Wed, Jun 22, 2011 at 6:54 PM, Jim Halfpenny <jim.halfpenny () gmail com> wrote:
>> On 22 June 2011 17:17, Michael Lubinski <michael.lubinski () gmail com> wrote:
>>> What methods were you using to analyze the proxy logs for out of the norm behavior?
>> grep?
>
> Pretty much. I had a script that took logs from our corporate proxy, and extracted the URL, HTTP return code, and MIME type. From there it took the MIME type and looked to see if it was some kind of executable code, Java, or PDF, and if so, downloaded it. There were also some behavioral tests it did. From there I had to manually classify it. There was a good amount of false positives but my idea was to develop a whitelist of hosts to ignore and after a while, I think it would have given alerts on "abnormal" hosts. I no longer have the script (wrote it at $OLD_JOB's) however, if someone gives me access to a Squid log, I can replicate it pretty easily.
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
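The Squid-log triage Ben describes (pull URL, HTTP status and MIME type from each line, flag executable/Java/PDF content, ignore whitelisted hosts) is easy to sketch. The script below is an added illustration written for this archive page, not Ben's script and not part of the thread; it assumes Squid's native access.log layout (timestamp, elapsed, client, action/code, size, method, URL, ident, hierarchy/peer, MIME type), a constructed whitelist, and an assumed set of suspect MIME types. It only reports candidate downloads for review; it does not fetch anything.

```python
"""Triage Squid native access.log lines for downloads of executable content.

Assumed line layout (Squid native format):
  ts elapsed client action/code size method url ident hierarchy/peer mime
"""
import re
from urllib.parse import urlsplit

# MIME types that carry executable code, Java or PDF (assumed set; extend as needed)
SUSPECT_MIME = {
    "application/x-msdownload", "application/x-msdos-program",
    "application/octet-stream", "application/x-executable",
    "application/java-archive", "application/x-java-archive",
    "application/pdf",
}

# Hosts known to legitimately serve such content (constructed whitelist)
WHITELIST = {"updates.example.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<code>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)


def host_of(url):
    """Return the host part of a request URL; CONNECT lines carry bare host:port."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.split(":", 1)[0]


def parse_line(line):
    """Parse one native-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = host_of(rec["url"])
    # Strip any ";charset=..." suffix so comparison is on the bare type
    rec["mime"] = rec["mime"].split(";", 1)[0].lower()
    return rec


def is_suspect(rec):
    """Flag successful fetches of executable/Java/PDF content from non-whitelisted hosts."""
    if rec["code"] != "200":
        return False
    if rec["host"] in WHITELIST:
        return False
    return rec["mime"] in SUSPECT_MIME


def triage(lines):
    """Return (client, host, url, mime) for every line worth a manual look."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspect(rec):
            hits.append((rec["client"], rec["host"], rec["url"], rec["mime"]))
    return hits


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    "1308858000.123    245 10.0.0.5 TCP_MISS/200 4512 GET http://downloads.example.net/setup.exe - DIRECT/192.0.2.10 application/x-msdownload",
    "1308858001.456    180 10.0.0.5 TCP_MISS/200 9981 GET http://updates.example.com/patch.exe - DIRECT/192.0.2.11 application/x-msdownload",
    "1308858002.789     32 10.0.0.7 TCP_HIT/200 1204 GET http://www.example.org/index.html - NONE/- text/html",
    "1308858003.012     40 10.0.0.7 TCP_MISS/404 512 GET http://www.example.org/missing.pdf - DIRECT/192.0.2.12 text/html",
    "1308858004.345    300 10.0.0.9 TCP_MISS/200 88120 GET http://files.example.org/report.pdf - DIRECT/192.0.2.13 application/pdf",
    "1308858005.678   1200 10.0.0.9 TCP_TUNNEL/200 20480 CONNECT secure.example.org:443 - DIRECT/192.0.2.14 -",
]

if __name__ == "__main__":
    for client, host, url, mime in triage(SAMPLE_LOG):
        print(f"{client} fetched {mime} from {host}: {url}")
```

Run it against a real access.log with `triage(open("/var/log/squid/access.log"))`. The whitelist is the part that shrinks the false-positive pile over time, exactly as the post suggests: each reviewed host that turns out to be a legitimate software or document source gets added, and what remains are the "abnormal" hosts worth a closer look.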