Honeypots mailing list archives

RE: FreeBSD and honey pots [ Re: Snort inline for openbsd? ]


From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>
Date: Wed, 5 Mar 2003 18:21:41 +1300



-----Original Message-----
From: Alan Neville [mailto:aneville () isiclabs com]
Sent: Wednesday, 5 March 2003 11:34 a.m.
To: Garrett Sinfield; honeypots () securityfocus com
Cc: Loki
Subject: Re: FreeBSD and honey pots [ Re: Snort inline for openbsd? ]


Garrett:
Once the honeypot is compromised, it is possible for the intruder to
discover the offsite logging system, at which point they may disable it.
Although, all logs are sent to the logging server live, so everything right
up to the moment of the remote log server being disabled is recorded and
uploaded.

Yep, therefore the offsite logging system should be as stealthy as possible to
avoid potential compromise and log deletion.
I personally like best the solution of sending logs to a non-existent logging
server, so that a real, stealthy logging server actually sniffs the network. This can be
accomplished by cutting the send wires in the UTP cable as well, so the server will even
physically be stealthy (in this case, unable to send any data).
There are numerous instructions for building a receive-only UTP cable; check some
at the following Web pages:

http://www.geocities.com/samngms/sniffing_cable/
http://www.lincoln.ac.nz/its/profiles/johnsr1/UTPCable/ROUTP.html

Also, be sure to check out the following papers by Eric S. Hines:
http://www.fatelabs.com/flyingspigs.pdf

Just a short note that the link above should go to the flyingpigs.pdf document
(note one 's' fewer).

Best regards,

Bojan Zdrnja
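In the setup Bojan describes, the collector on the receive-only cable never gets a socket of its own; it has to pick the honeypot's UDP syslog datagrams out of raw frames addressed to a host that does not exist. The following is an added example, not code from the thread: it decodes such a frame (Ethernet/IPv4/UDP, RFC 3164 PRI) and ignores everything not sent to the phantom address; 192.0.2.50 and 192.0.2.10 are constructed addresses, and the raw-socket or libpcap capture that would feed `decode_syslog_frame` is assumed, not shown.

```python
"""Passive syslog decoder for a receive-only tap (added example).

In production the frames come from a raw socket or libpcap handle on the
sniffing interface (assumed). The honeypot itself needs a static ARP entry
for the phantom host, since nothing will ever answer its ARP request.
"""
import struct
from typing import Optional

PHANTOM_HOST = "192.0.2.50"   # constructed: the non-existent syslog server the honeypot logs to
SYSLOG_PORT = 514


def decode_syslog_frame(frame: bytes, phantom_ip: str = PHANTOM_HOST) -> Optional[dict]:
    """Return {'src', 'facility', 'severity', 'msg'} for a UDP syslog datagram
    addressed to phantom_ip:514, or None for any other frame."""
    if len(frame) < 14 + 20 + 8:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                      # IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # header length incl. options
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    if proto != 17 or dst != phantom_ip:         # UDP to the phantom host only
        return None
    udp = ip[ihl:]
    dport, ulen = struct.unpack("!HH", udp[2:6])
    if dport != SYSLOG_PORT:
        return None
    payload = udp[8:ulen].decode("utf-8", errors="replace")
    # RFC 3164 PRI field: "<pri>" with pri = facility * 8 + severity
    facility = severity = None
    if payload.startswith("<") and ">" in payload[:5]:
        pri_str, _, payload = payload[1:].partition(">")
        if pri_str.isdigit():
            facility, severity = divmod(int(pri_str), 8)
    return {"src": src, "facility": facility, "severity": severity, "msg": payload}


def build_test_frame(msg: bytes, src: str = "192.0.2.10", dst: str = PHANTOM_HOST) -> bytes:
    """Constructed sample frame; checksums are left zero (the decoder does not verify them)."""
    udp = struct.pack("!HHHH", 40000, SYSLOG_PORT, 8 + len(msg), 0) + msg
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + udp
```

Because the sniffing host cannot transmit, it also cannot ACK anything, so this works for UDP syslog only; TCP-based log transports would stall on a receive-only cable.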

