Honeypots mailing list archives

Re: FreeBSD and honey pots [ Re: Snort inline for openbsd? ]


From: "Alan Neville" <aneville () isiclabs com>
Date: Tue, 4 Mar 2003 22:34:00 -0000

Garrett:
Once the honeypot is compromised, it is possible for the intruder to
discover the offsite logging system, at which point they may disable it.
Although, all logs are sent to the logging server live, so everything right
up to the moment of the remote log server being disabled is recorded and
uploaded.

An idea to think about would be to set up a secondary logging server
so that, if the connection is disabled by an intruder, the second one will
kick in and log.

Also, be sure to check out the following papers by Eric S. Hines:
http://www.fatelabs.com/syslog.pdf
http://www.fatelabs.com/flyingspigs.pdf

If you require additional information, please by all means contact me.

Best Regards,
Alan Neville


----- Original Message -----
From: "Garrett Sinfield" <garrettsinfield () hotmail com>
To: <honeypots () securityfocus com>
Cc: <loki () fatelabs com>
Sent: Tuesday, March 04, 2003 1:04 PM
Subject: Re: FreeBSD and honey pots [ Re: Snort inline for openbsd? ]



Hi, I have a honey pot setup that sounds similar to yours ph33r and I was
just curious if it was possible for the more 'advanced' people who penetrate
your honeypot, to be able to figure out your connection to the remote
logging server and terminate it. Is it possible? (I'd like to know before I
try to set up remote logging.)

-Garrett Sinfield
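
The secondary-log-server idea from the reply above, sketched as an added example that is not part of the original thread or any poster's code: a forwarder that sends each log line over TCP to the first reachable collector and switches to the next one when the link is cut. The class name, the collector list and the injectable `connect` hook are assumptions made for the illustration.

```python
import socket

class FailoverSyslog:
    """Forward log lines over TCP to the first reachable collector (hypothetical helper)."""

    def __init__(self, collectors, connect=socket.create_connection, timeout=2.0):
        self.collectors = list(collectors)  # [(host, port), ...], primary first
        self.connect = connect              # injectable so the logic can be tested offline
        self.timeout = timeout
        self.sock = None
        self.active = None                  # collector currently receiving logs
        self.events = []                    # (old, new) pairs, one per failover

    def _open(self, skip=None):
        """Connect to the first collector that answers, ignoring the one that just failed."""
        for addr in self.collectors:
            if addr == skip:
                continue
            try:
                self.sock = self.connect(addr, self.timeout)
            except OSError:
                continue
            if self.active is not None and self.active != addr:
                self.events.append((self.active, addr))  # a failover is itself a signal
            self.active = addr
            return True
        self.sock = None
        return False

    def send(self, line):
        """Return the collector that accepted the line, or None if every collector is down."""
        # Minimal newline-framed syslog-style record; <13> is facility user, severity notice.
        data = ("<13>" + line.rstrip("\n") + "\n").encode()
        failed = None
        for _ in range(len(self.collectors) + 1):
            if self.sock is None and not self._open(skip=failed):
                return None
            try:
                self.sock.sendall(data)
                return self.active
            except OSError:
                # Link cut: drop the socket and retry the same line on another collector.
                failed, self.sock = self.active, None
        return None
```

A successful `sendall` only means the data reached the local TCP stack, so a line written at the instant the link is cut can still be lost; an entry in `events` is worth alerting on, since on a honeypot it may mean the intruder found the logging path.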











