Honeypots mailing list archives
Re: FreeBSD and honeypots [ Re: Snort inline for openbsd? ]
From: Philip Reynolds <phil () Redbrick DCU IE>
Date: Tue, 4 Mar 2003 13:32:00 +0000
ph33r's [ph33r () fatelabs com] 59 lines of wisdom included:
> The honeypot was set up with a default installation of FreeBSD 4.7, with some security measures implemented, such as patches, fake TCP/IP ports opened, and some logging applications such as syslog-ng, portsentry and the sysctl kernel logging enabled. All logs are stored off-site on a remote machine (remote log server), which has played its part in this project. If you require any more details on the honeypot, please don't hesitate to contact me. I'd be more than happy to supply you with anything you may require.
I realise this is a honeypot, but perhaps just a few things to mention about Portsentry anyways. Last time I looked at portsentry, it only used "stealth scans" on Linux, which means that on other operating systems (like FreeBSD) it had to bind to all the ports it wished to monitor. According to a friend of mine as well, nmap with certain stealth scan options can elude portsentry fairly easily as well. Here's an article on the issue by a former student friend of mine:

http://www.linux.ie/articles/portsentryandsnortcompared.php

It may have a steeper learning curve, but I would actively support running a NIDS such as snort, instead of portsentry. Running snort on main services machines will mean that you'll get plenty of false positives (believe me, I know!), however running it on a honeypot should (at least in theory) greatly reduce the number of false positives.

Thanks for the information on FreeBSD honeypots, I'll look forward to seeing some of the results.

-- 
Philip Reynolds
RFC Networks          tel: 01 8832063
www.rfc-networks.ie   fax: 01 8832041
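The gap Philip describes, a monitor that has to bind listening sockets versus one that sniffs packets, can be shown with a small model. The following is an added example written for this archive page, not code from Philip, portsentry or snort. It assumes a simplified view in which only the probing client's segments are recorded (flags "S", "A", "R"), with a SYN followed by RST standing in for a half-open probe and a SYN followed by ACK for a completed handshake; the addresses and port list are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpEvent:
    """One client-side TCP segment as a sniffer would see it (constructed model)."""
    src: str     # source address of the probing host
    dport: int   # destination port on the monitored host
    flags: str   # TCP flags sent by the client: "S" (SYN), "A" (ACK), "R" (RST)


def accept_level_view(events):
    """Model of a monitor that binds listening sockets on every port it
    watches: it only learns of a probe once the three-way handshake
    completes and accept() returns. A SYN followed by RST instead of the
    final ACK never reaches it."""
    pending = set()                  # (src, dport) pairs with a SYN outstanding
    completed = defaultdict(set)     # src -> ports where a connection completed
    for ev in events:
        key = (ev.src, ev.dport)
        if ev.flags == "S":
            pending.add(key)
        elif ev.flags == "A" and key in pending:
            pending.discard(key)
            completed[ev.src].add(ev.dport)
        elif ev.flags == "R":
            pending.discard(key)     # half-open probe torn down: nothing accepted
    return {src: sorted(ports) for src, ports in completed.items()}


def packet_level_view(events, threshold=5):
    """Model of a sniffer-based NIDS: every client SYN is observed whether or
    not the handshake finishes. A source that sends SYNs to at least
    `threshold` distinct ports is reported as a scanner."""
    syns = defaultdict(set)
    for ev in events:
        if ev.flags == "S":
            syns[ev.src].add(ev.dport)
    return {src: sorted(ports) for src, ports in syns.items()
            if len(ports) >= threshold}


# Constructed sample traffic (addresses from documentation ranges):
#  - 192.0.2.10 sends a half-open probe (SYN then RST) to seven ports
#  - 198.51.100.5 completes a normal connection to port 22
SAMPLE_EVENTS = []
for port in (21, 22, 23, 25, 80, 110, 143):
    SAMPLE_EVENTS.append(TcpEvent("192.0.2.10", port, "S"))
    SAMPLE_EVENTS.append(TcpEvent("192.0.2.10", port, "R"))
SAMPLE_EVENTS.append(TcpEvent("198.51.100.5", 22, "S"))
SAMPLE_EVENTS.append(TcpEvent("198.51.100.5", 22, "A"))


def compare(events=SAMPLE_EVENTS):
    """Return what each detector model would report for the same traffic."""
    return {
        "accept_level": accept_level_view(events),
        "packet_level": packet_level_view(events),
    }


if __name__ == "__main__":
    for name, report in compare().items():
        print(f"{name}: {report}")
```

Run as a script, the accept-level model reports only the completed connection from 198.51.100.5, while the packet-level model reports 192.0.2.10 probing seven ports. The threshold in `packet_level_view` is the knob that trades scan sensitivity against false positives, which is the tuning Philip alludes to when comparing a busy services host with a honeypot that should see almost no legitimate traffic.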