Honeypots mailing list archives

Re: Data Capture and Data Control


From: Rob McMillen <rvmcmil () cablespeed com>
Date: Wed, 12 Mar 2003 19:31:06 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 13 Mar 2003 yoshi03j () mac com wrote:

Now I have some questions. First, the rc.firewall script gives the 
interfaces br0 and eth0 no IP addresses and sets them to 0.0.0.0, so our host OS 
doesn't have any IP address, and I cannot do Data Capture for ONLY our 
honeypot. 

You can!  All you have to do is bind your sniffer to the interface facing 
your honeypot.  For example, if you are using vmware, you will probably 
have the following interfaces:  eth0 (external), br0 (bridge) and vmnet1 
(vmware interface).  If you are using snort to sniff: 

snort -vi vmnet1.  This will look at packets that are going in and out of 
your vmnet1 interface no matter whether it has an IP or not.

Also, I have another IDS machine in a lab network; I can 
notice some scans for our honeypot's IP address and other machines' 
honeypots. But TCPFLOW on our honeypot's host OS doesn't capture ONLY 
the IP address of the honeypot.

Not too sure what you are asking, but I think you are trying to say that 
you see traffic on the honeypot that belongs to external traffic.  Is this 
right?  An ASCII picture might make it easier to understand.  

Rob

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.76

iQA/AwUBPm/RTvnAyY+9KLjdEQJs6gCg6smY1Ncia9y/IdKqMoeR4RFgRUcAn38+
zQqPowE4Ttfe/u1UTdNv6+Gv
=YMER
-----END PGP SIGNATURE-----
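As an added example (not part of Rob's reply, nor of the Honeynet rc.firewall script), here is a small POSIX shell helper that does what the reply describes in a reproducible way: it builds a capture command bound to the honeypot-facing interface and restricted by a BPF filter to the honeypot's own address, so only that host's traffic is recorded even though the capturing interface has no IP address of its own. The interface name vmnet1, the output path and the address 10.0.0.5 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed (constructed) values:
# honeypot-facing interface vmnet1, honeypot address 10.0.0.5.

# Build a BPF expression matching only the listed honeypot addresses.
# "host X" matches both directions, so scans hitting the honeypot and the
# honeypot's own outbound traffic are both kept; everything else on the
# bridge (other lab machines, the IDS box) is dropped by the kernel filter.
bpf_for_hosts() {
    expr=""
    for h in "$@"; do
        if [ -z "$expr" ]; then
            expr="host $h"
        else
            expr="$expr or host $h"
        fi
    done
    printf '%s' "$expr"
}

# tcpdump invocation bound to the inner interface. libpcap does not need
# the interface to have an IP address. -n disables DNS lookups, which would
# stall on a host that has no address of its own; -s 0 keeps whole packets.
capture_cmd() {
    iface="$1"
    outfile="$2"
    shift 2
    printf 'tcpdump -n -s 0 -i %s -w %s %s' \
        "$iface" "$outfile" "$(bpf_for_hosts "$@")"
}

# Same idea with snort: the BPF expression is passed as trailing arguments.
snort_cmd() {
    iface="$1"
    shift
    printf 'snort -v -i %s %s' "$iface" "$(bpf_for_hosts "$@")"
}

# Show the commands that would be run for the assumed honeypot.
echo "$(capture_cmd vmnet1 /var/log/honeypot/vmnet1.pcap 10.0.0.5)"
echo "$(snort_cmd vmnet1 10.0.0.5)"
```

Run the printed tcpdump line as root on the host OS; add a second address to the argument list if more than one honeypot sits behind the same interface, and the filter becomes "host A or host B".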


