Honeypots mailing list archives

Re: FreeBSD and honeypots [ Re: Snort inline for openbsd? ]


From: Philip Reynolds <phil () Redbrick DCU IE>
Date: Tue, 4 Mar 2003 13:32:00 +0000

ph33r's [ph33r () fatelabs com] 59 lines of wisdom included:
The honeypot was set up with a default installation of
FreeBSD 4.7, with some security measures implemented, such
as patches, fake TCP/IP ports opened, and some logging
applications such as syslog-ng, portsentry and the sysctl
kernel logging enabled.

All logs are stored off site on a remote machine (a remote
log server), which has played its part in this project.

If you require any more details on the honeypot, please 
don't hesitate to contact me. I'd be more than happy to 
supply you with anything you may require.

I realise this is a honeypot, but perhaps just a few things to
mention about Portsentry anyways. 

Last time I looked at portsentry, it only used "stealth scans" on
Linux, which means that on other Operating Systems (like FreeBSD) it
had to bind to all the ports it wished to monitor.

According to a friend of mine as well, nmap with certain stealth
scan options can elude portsentry fairly easily as well. Here's an
article on the issue by a former student friend of mine:

        http://www.linux.ie/articles/portsentryandsnortcompared.php

It may have a steeper learning curve, but I would actively support
running a NIDS such as snort, instead of portsentry. 

Running snort on main services machines will mean that you'll get
plenty of false positives (believe me, I know!), however running it
on a honeypot should (at least in theory) greatly reduce the number
of false positives. 

Thanks for the information on FreeBSD honeypots, I'll look forward
to seeing some of the results.

-- 
  Philip Reynolds        
   RFC Networks          tel: 01 8832063
www.rfc-networks.ie      fax: 01 8832041
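An added example, not part of the thread, illustrating the distinction Philip draws: a portsentry-style detector on FreeBSD must bind() the ports it watches and so answers probes itself, whereas a NIDS such as snort only sniffs and flags a sweep from what it sees. The script below builds a few IPv4/TCP frames inline (constructed, not captured traffic), parses them, and reports sources that probe many distinct ports; the IPs, ports and threshold are assumptions.

```python
"""Passive port-sweep detection over raw IPv4/TCP frames (added example)."""
import struct
from collections import defaultdict

SYN, ACK, FIN = 0x02, 0x10, 0x01

def build_tcp_packet(src_ip, dst_ip, sport, dport, flags):
    """Construct a minimal IPv4 header + TCP header (no options, no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_tcp_packet(pkt):
    """Return (src_ip, dst_port, tcp_flags) for an IPv4/TCP frame, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20 or pkt[9] != 6:          # byte 9 is the IP protocol
        return None
    src_ip = ".".join(str(b) for b in pkt[12:16])
    _, dport, _, _, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return src_ip, dport, flags

def probe_kind(flags):
    """Classify a segment: only the opening SYN of a legitimate connection lacks
    ACK, so any other ACK-less segment (FIN, NULL, Xmas) is a stealth probe."""
    if flags & ACK:
        return None
    return "syn" if flags & SYN else "stealth"

def detect_sweeps(packets, threshold=5):
    """Flag sources whose probes touch at least `threshold` distinct ports."""
    probed = defaultdict(set)
    for pkt in packets:
        parsed = parse_tcp_packet(pkt)
        if parsed and probe_kind(parsed[2]):
            src, dport, flags = parsed
            probed[src].add((dport, probe_kind(flags)))
    return {src: sorted(hits) for src, hits in probed.items() if len(hits) >= threshold}

# Constructed sample: one SYN sweep, one FIN sweep, and one normal handshake.
SAMPLE_PACKETS = (
    [build_tcp_packet("10.0.0.9", "10.0.0.1", 40000 + p, p, SYN) for p in (21, 22, 23, 25, 80)]
    + [build_tcp_packet("10.0.0.7", "10.0.0.1", 41000 + p, p, FIN) for p in (110, 143, 443, 993, 995)]
    + [build_tcp_packet("10.0.0.5", "10.0.0.1", 51000, 80, SYN),
       build_tcp_packet("10.0.0.5", "10.0.0.1", 51000, 80, ACK)]
)

if __name__ == "__main__":
    for src, hits in detect_sweeps(SAMPLE_PACKETS).items():
        print(f"sweep from {src}: {hits}")
```

A real sensor would add a time window and per-port state; the point here is that nothing is bound or answered, so the SYN and FIN sweeps are both seen while the honest client on port 80 is not reported.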
