PaulDotCom mailing list archives
Re: HoneyPorts (again)
From: Xavier Mertens <xavier () rootshell be>
Date: Fri, 20 Jul 2012 07:13:27 +0200
+1 -- Can't sleep, hackers will eat me! PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x42D006FD51AD7F2C On 20 Jul 2012, at 06:42, Bill Swearingen wrote:
I would like to read it -- thanks! -Bill On Thu, Jul 19, 2012 at 11:38 AM, anthony kasza <anthony.kasza () gmail com> wrote: I've got a brief write up about how I integrated John's and Paul's honeyport script into an Ubuntu based OSSEC environment. It provides a way for all OSSEC agents to blacklist an IP that connects to a single honeyport on a single OSSEC agent. The write up includes the modified honeyport script as well as custom OSSEC dissectors, rules, and configuration changes needed to set this up. If anyone is interested in reading it, let me know. -AK On Thu, Jul 12, 2012 at 1:36 PM, Chris Benedict <chrisbdaemon () gmail com> wrote:My project is mostly working, https://github.com/chrisbdaemon/BearTrap. I had to remove some of the functionality, but as a neat honeyport tool it should work alright. It just hasn't really been used much yet. -Chris Benedict On Thu, Jul 12, 2012 at 8:50 AM, Doug Burks <doug.burks () gmail com> wrote:Hi Anthony, If you're planning on using OSSEC anyway, could you just have OSSEC monitor IPTables for any DROPs? Example from http://securityonion.blogspot.com/2010/02/defense-in-depth-using-ossec-and-other.html: # Configure RHEL IPTables firewall to log any dropped packets to /var/log/messages to be monitored by OSSEC iptables -I RH-Firewall-1-INPUT 11 -j LOG --log-prefix="DROP " Thanks, Doug On Wed, Jul 11, 2012 at 6:32 PM, anthony kasza <anthony.kasza () gmail com> wrote:Hi All, On 10/16/11 12:18 PM, Chris Benedict wrote this list about a honeyport project. Does anyone know if the project took off? I'm attempting to integrate the command line scripts that John and Paul talked about at last year's DerbyCon (see slide 38) into OSSEC's active-response. -AK _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com-- Doug Burks http://securityonion.blogspot.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- HoneyPorts (again) anthony kasza (Jul 11)
- Re: HoneyPorts (again) John Strand (Jul 12)
- Re: HoneyPorts (again) Doug Burks (Jul 12)
- Re: HoneyPorts (again) anthony kasza (Jul 12)
- Re: HoneyPorts (again) Chris Benedict (Jul 12)
- Re: HoneyPorts (again) anthony kasza (Jul 19)
- Re: HoneyPorts (again) Bill Swearingen (Jul 19)
- Re: HoneyPorts (again) Xavier Mertens (Jul 19)
- Re: HoneyPorts (again) lonestarr13 (Jul 20)
- Re: HoneyPorts (again) John Strand (Jul 20)
- Re: HoneyPorts (again) Arch Angel (Jul 31)
- Re: HoneyPorts (again) anthony kasza (Jul 31)
- Re: HoneyPorts (again) Arch Angel (Jul 31)
- <Possible follow-ups>
- Re: HoneyPorts (again) Michael Johnson (Jul 20)