Re: HoneyPorts (again)

[Xavier Mertens <xavier () rootshell be>]

+1

--
Can't sleep, hackers will eat me!
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D006FD51AD7F2C

On 20 Jul 2012, at 06:42, Bill Swearingen wrote:

> I would like to read it -- thanks!
> -Bill
>
> On Thu, Jul 19, 2012 at 11:38 AM, anthony kasza <anthony.kasza () gmail com> wrote:
> I've got a brief write up about how I integrated John's and Paul's
> honeyport script into an Ubuntu based OSSEC environment. It provides a
> way for all OSSEC agents to blacklist an IP that connects to a single
> honeyport on a single OSSEC agent.
>
> The write up includes the modified honeyport script as well as custom
> OSSEC dissectors, rules, and configuration changes needed to set this
> up. If anyone is interested in reading it, let me know.
>
> -AK
>
> On Thu, Jul 12, 2012 at 1:36 PM, Chris Benedict <chrisbdaemon () gmail com> wrote:
> > My project is mostly working, https://github.com/chrisbdaemon/BearTrap.
> >
> > I had to remove some of the functionality, but as a neat honeyport tool it
> > should work alright.  It just hasn't really been used much yet.
> >
> > -Chris Benedict
> >
> > On Thu, Jul 12, 2012 at 8:50 AM, Doug Burks <doug.burks () gmail com> wrote:
> > > Hi Anthony,
> > >
> > > If you're planning on using OSSEC anyway, could you just have OSSEC
> > > monitor IPTables for any DROPs?
> > >
> > > Example from
> > > http://securityonion.blogspot.com/2010/02/defense-in-depth-using-ossec-and-other.html:
> > >
> > > # Configure RHEL IPTables firewall to log any dropped packets to
> > > /var/log/messages to be monitored by OSSEC
> > > iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP "
> > >
> > > Thanks,
> > > Doug
> > >
> > > On Wed, Jul 11, 2012 at 6:32 PM, anthony kasza <anthony.kasza () gmail com>
> > > wrote:
> > > > Hi All,
> > > >
> > > > On 10/16/11 12:18 PM, Chris Benedict wrote this list about a honeyport
> > > > project. Does anyone know if the project took off? I'm attempting to
> > > > integrate the command line scripts that John and Paul talked about at
> > > > last year's DerbyCon (see slide 38) into OSSEC's active-response.
> > > >
> > > > -AK
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > >
> > > --
> > > Doug Burks
> > > http://securityonion.blogspot.com
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com