Honeypots mailing list archives

Re: Building a Honeypot using VMWare


From: Floydman <floydian_99 () yahoo com>
Date: Mon, 04 Nov 2002 12:28:58 -0500

At 10:58 AM 04/11/2002, Bruno MAC Castro wrote:
Hi all,
(...)

The main platform (intrusion and honeypot) is almost completely setup.
Now, I am reaching a stage in my research where I could use some nice
advices:
1. What Log tools can I use for log correlation between the Host
(monitor with Windows 2k Pro) and the Guest (honeypot with Windows 2k
Pro)?

Somebody mentioned neuSecure, from Guarded.net, but it is a commercial solution. I am working on something like this, and I'd also like to hear about similar products. I think this kind of tool will help fill the gap of analysing large log files.

2. I also need a way to share the guest (hacked) machine logs with the
host (monitor). Any ideas?

Can I suggest LogAgent? You can download it from my site http://securit.iquebec.com (download may be slow, sorry). This tool monitors ASCII log files and forwards them on the fly to the destination of your choice (via the UNC address convention; an IP address can be used). You may also want to take a look at ComLog if you want to make a Windows honeypot. ComLog is a command prompt logger, which lets you capture command prompt sessions. ComLog and LogAgent are also made to work together: ComLog captures, and LogAgent forwards.

3. Is there any tool that can define the hacking process step-by-step by
correlating the IDS logs with the OS logs?

Again, I'd like to hear about this also.

4. It would be important to hide the VMWare process on the Guest. I need
a tool (or a solution) to cover or hide the VMWare process in both
systems. Ideas?

No ideas per se, but you gave me an idea about how to improve ComLog. Maybe I can make it take a list of processes to hide in the command prompt (ComLog and LogAgent are hidden in a ComLog session). But that would be limited to the command prompt only; in the process manager (GUI), it would still show.

5. My host system is very well secured but I believe that nothing is 100%
safe, so I also need ideas to copy or move all logs (guest and host) to
another system (not sure about what kind of system it should be). Any
ideas? Maybe serial port to another machine?

Again, LogAgent can be used to forward log files to a remote machine. I forgot to mention that you can also watch them on the fly on the console. I'll remember to add the option to send the output to a serial or parallel port on a future version.


Thanks.
Regards
Bruno


Hope this helps at least a bit.
Floydman
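As an added example (not LogAgent's or ComLog's own code), the following Python sketch shows the mechanism the reply describes for getting guest logs to the monitoring host: poll an ASCII log file, forward each newly completed line to a destination of your choice, carry a half-written record over to the next poll, and start again if the file is truncated or rotated. The log contents, file names and the UNC share path are constructed placeholders.

```python
"""Added example: a minimal on-the-fly ASCII log forwarder, illustrating the
behaviour described for LogAgent (watch a text log, ship new lines as they are
appended). Illustrative code only, not LogAgent's implementation."""
import os
import tempfile
from typing import Callable, List


class LogForwarder:
    """Tail one ASCII log file and hand each newly appended complete line to a sink.

    The sink is any callable taking a line. On a real honeypot it would append
    to a file on the monitoring host (e.g. a UNC share) or write to a socket.
    Partial lines (no trailing newline yet) are buffered until completed, so a
    half-written record is never forwarded."""

    def __init__(self, path: str, sink: Callable[[str], None]):
        self.path = path
        self.sink = sink
        self.offset = 0      # byte position already forwarded
        self.partial = ""    # incomplete trailing line carried between polls

    def poll(self) -> int:
        """Forward everything appended since the last poll; return lines sent."""
        try:
            size = os.path.getsize(self.path)
        except FileNotFoundError:
            return 0
        if size < self.offset:
            # File shrank: it was truncated or rotated, so restart from the top.
            self.offset = 0
            self.partial = ""
        if size == self.offset:
            return 0
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            chunk = fh.read().decode("ascii", errors="replace")
            self.offset = fh.tell()
        data = self.partial + chunk
        lines = data.split("\n")
        self.partial = lines.pop()   # "" when the chunk ended on a newline
        for line in lines:
            self.sink(line.rstrip("\r"))
        return len(lines)


def make_file_sink(dest_path: str) -> Callable[[str], None]:
    """Sink that appends each line to a destination file. dest_path may be a UNC
    path such as r"\\monitor\logs\guest.log" (placeholder, not a real share)."""
    def sink(line: str) -> None:
        with open(dest_path, "a", encoding="ascii", errors="replace") as out:
            out.write(line + "\n")
    return sink


def demo() -> List[str]:
    """Constructed demonstration: a command-prompt log written in two stages,
    the first ending in a partial record, forwarded to an in-memory 'remote'."""
    received: List[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "comlog.txt")      # constructed sample log
        fwd = LogForwarder(path, received.append)
        with open(path, "ab") as fh:
            fh.write(b"2002-11-04 12:28:58 cmd> dir\r\n")
            fh.write(b"2002-11-04 12:29:01 cmd> ipcon")   # record still being written
        fwd.poll()   # forwards the first line, buffers the partial one
        with open(path, "ab") as fh:
            fh.write(b"fig /all\r\n")
        fwd.poll()   # the completed second record now goes out
    return received


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

In use, `LogForwarder(path, make_file_sink(r"\\monitor\logs\guest.log"))` polled from a loop gives the guest-to-host copy that questions 2 and 5 ask about; the sink can equally be pointed at a serial or network writer, since the forwarder itself only cares about detecting new complete lines.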

