Re: FreeBSD and honeypots [ Re: Snort inline for openbsd? ]

["ph33r" <ph33r () fatelabs com>]

Philip:
I'm currently running a FreeBSD honeypot, which has just 
completed its second round of gathering attacks. I'm 
currently in the process of designing a web portal to make 
the honeypot information available online to the security 
community.


The honeypot was setup with a default installation of 
FreeBSD 4.7, with some security measures implemented, such 
as patches,  fake TCP/IP ports opened, and some logging 
applications such as syslog-ng, portsentry and the sysctl 
kernel logging enabled.

All logs are stored off site on a remote machine, (remote 
log server) which has played its part in this project.

If you require any more details on the honeypot, please 
don't hesitate to contact me. I'd be more than happy to 
supply you with anything you may require.

Best Regards,
Alan Neville

On Tue, 4 Mar 2003 00:24:16 +0000
 Philip Reynolds <phil () Redbrick DCU IE> wrote:
> Rob McMillen's [rvmcmil () cablespeed com] 21 lines of 
> wisdom included:
> > Michael,
> > 	The key component to snort_inline is the iptables 
> > ip_queue.  This 
> > allows a user to tell the iptables firewall to send the 
> > packet from kernel 
> > space to a userspace program for routing decision.  If 
> > the OpenBSD 
> > equivalent of iptables does this, it would be a pretty 
> > easy port.  
>
> Small bit OT, but FreeBSD's firewall IPFW, will allow 
> this via a
> ``divert'' rule. Instead of using the libipq API, you'll 
> be
> communicating via a divert socket. I'm not familiar 
> enough with PF
> to tell you if there is an equivalent, and I currently 
> have no
> access to OpenBSD.
>
> I'm also rather curious as to the development of 
> honeypots on
> FreeBSD? Honeypots seem rather Linux orientated, although 
> OpenBSD is
> becoming mentioned more and more as well.
>
> Ref: ipfw(8), divert(4)
> --
>   Philip Reynolds        
>    RFC Networks          tel: 01 8832063
> www.rfc-networks.ie      fax: 01 8832041