Honeypots mailing list archives
RE: FreeBSD and honey pots [ Re: Snort inline for openbsd? ]
From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>
Date: Wed, 5 Mar 2003 18:21:41 +1300
-----Original Message-----
From: Alan Neville [mailto:aneville () isiclabs com]
Sent: Wednesday, 5 March 2003 11:34 a.m.
To: Garrett Sinfield; honeypots () securityfocus com
Cc: Loki
Subject: Re: FreeBSD and honey pots [ Re: Snort inline for openbsd? ]

Garrett:

Once the honeypot is compromised, it is possible for the intruder to discover the offsite logging system, at which point they may disable it. Although all logs are sent to the logging server live, so everything right up to the moment of the remote log server being disabled is recorded and uploaded.
Yep, therefore the offsite logging system should be as stealthy as possible to avoid potential compromise and log deletion. I personally like best the solution of sending logs to a non-existent logging server, so that a real, stealthy logging server actually sniffs the network. This can be accomplished by cutting the send wires in the UTP cable as well, so the server will even be physically stealthy (in this case, unable to send any data). There are numerous instructions for building a receive-only UTP cable; check some at the following Web pages:

http://www.geocities.com/samngms/sniffing_cable/
http://www.lincoln.ac.nz/its/profiles/johnsr1/UTPCable/ROUTP.html
Also, be sure to check out the following papers by Eric S. Hines:
http://www.fatelabs.com/flyingspigs.pdf
Just a short notice that the link above should go to the flyingpigs.pdf document (notice one 's' less).

Best regards,
Bojan Zdrnja
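The "log to a non-existent server, sniff it from a silent box" setup discussed in this thread, as an added example that is not part of the original messages. The honeypot is pointed at a decoy syslog address that no host answers; the collector sits on a receive-only cable, runs its interface in promiscuous mode, and keeps only the UDP datagrams addressed to that decoy, so it never has to send a packet. The decoy address 192.0.2.250, the MAC addresses and every log line below are constructed for the example, and the frames are built in-process instead of read from a NIC so the block runs offline; the parsing and filtering logic is what a real collector would run over captured frames.

```python
"""Passive syslog collector for a receive-only honeypot log sink (added example)."""
import struct

DECOY_IP = "192.0.2.250"   # assumed decoy sink: RFC 5737 documentation range, nobody answers it
SYSLOG_PORT = 514
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, dst_port, payload) for an Ethernet/IPv4/UDP frame.

    Anything else on the wire (ARP, IPv6, TCP, truncated frames) yields None,
    which is what a sniffing collector must tolerate silently."""
    if len(frame) < 14 + 20 + 8:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:      # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 8:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:                                           # not UDP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:total_len]
    _sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return src, dst, dport, udp[8:ulen]


def parse_syslog(payload: bytes):
    """Split a BSD-style syslog datagram into (facility, severity, message)."""
    text = payload.decode("utf-8", errors="replace")
    if text.startswith("<"):
        end = text.find(">")
        if 0 < end <= 4 and text[1:end].isdigit():
            pri = int(text[1:end])
            return pri // 8, SEVERITIES[pri % 8], text[end + 1:]
    # RFC 3164: a datagram without a valid PRI is treated as user.notice (PRI 13)
    return 1, "notice", text


def collect(frames, decoy_ip=DECOY_IP, port=SYSLOG_PORT):
    """Keep only syslog sent to the decoy sink; every other frame is ignored."""
    records = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        if dst != decoy_ip or dport != port:
            continue
        facility, severity, msg = parse_syslog(payload)
        records.append({"src": src, "facility": facility, "severity": severity, "msg": msg})
    return records


def build_udp_frame(src_ip, dst_ip, dport, payload, sport=40000):
    """Build a minimal Ethernet/IPv4/UDP frame for the constructed sample.

    Checksums are left zero (UDP checksum 0 means "none" on IPv4), which is
    fine for feeding the parser but not for putting on a real wire."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    eth = b"\x00\x00\x5e\x00\x53\x02" + b"\x00\x00\x5e\x00\x53\x01" + b"\x08\x00"
    return eth + ip_hdr + udp


# Constructed sample capture: honeypot 192.0.2.10 logging to the decoy, plus noise.
SAMPLE_FRAMES = [
    build_udp_frame("192.0.2.10", DECOY_IP, 514,
                    b"<38>sshd[1212]: Accepted password for root from 198.51.100.7 port 4022 ssh2"),
    build_udp_frame("192.0.2.10", "192.0.2.1", 53, b"\x12\x34\x01\x00"),   # DNS query, not ours
    build_udp_frame("192.0.2.10", DECOY_IP, 514, b"<86>su: (to root) bob on pts/1"),
    b"\xff" * 14 + b"\x00" * 30,                                            # non-IP junk
    build_udp_frame("192.0.2.10", DECOY_IP, 514, b"raw line without PRI"),
]

if __name__ == "__main__":
    for rec in collect(SAMPLE_FRAMES):
        print(f"{rec['src']} fac={rec['facility']} {rec['severity']}: {rec['msg']}")
```

Two practical points for the real deployment. A honeypot will not emit a single frame to a non-existent IP on its own LAN, because ARP resolution for the decoy never completes; give it a static ARP entry for the decoy (for example `arp -s 192.0.2.250 00:00:5e:00:53:01` on Linux or BSD) so the datagrams actually reach the wire. On the collector, the equivalent of the filter in `collect()` for a live capture is `tcpdump -i <iface> -w honeylog.pcap udp and dst host 192.0.2.250 and dst port 514`, with the interface in promiscuous mode since the frames carry the decoy's MAC, not the collector's.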