Honeypots mailing list archives
Re: Data Capture and Data Control
From: Rob McMillen <rvmcmil () cablespeed com>
Date: Wed, 12 Mar 2003 19:31:06 -0500 (EST)
On Thu, 13 Mar 2003 yoshi03j () mac com wrote:

> Now I have some questions; first, the script rc.firewall gives the interfaces br0 and eth0 no IP addresses and sets them to 0.0.0.0, so our host OS doesn't have any IP address, and I cannot do Data Capture for ONLY our honeypot.
You can! All you have to do is bind your sniffer to the interface facing your honeypot. For example, if you are using VMware, you will probably have the following interfaces: eth0 (external), br0 (bridge) and vmnet1 (VMware interface). If you are using snort to sniff, snort -vi vmnet1. This will look at packets that are going in and out of your vmnet1 interface no matter whether it has an IP or not.

> Also, I have another IDS machine in a lab network; I can notice some scans for our honeypot's IP address and other machines' honeypots. But TCPFLOW on our honeypot's host OS doesn't capture ONLY the IP address of the honeypot.
Not too sure what you are asking, but I think you are trying to say that you see traffic on the honeypot that belongs to external traffic. Is this right? An ASCII picture might make it easier to understand.

Rob
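The capture setup Rob describes, as an added example that is not part of the thread: sniff on the IP-less interface facing the honeypot (vmnet1 is an assumed name) and use a BPF host filter so only the honeypot's own packets are kept, even though the host OS has no address on that interface. The honeypot address 10.0.0.5 is a constructed value.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Captures only the
# honeypot's traffic on the bridge-port interface that carries no IP address.
# IFACE and the honeypot address below are assumed/constructed values.

# Build a BPF filter keeping packets to or from the given honeypot IPs.
# "host X" without a qualifier also matches ARP, so L2 scans are kept.
# build_bpf 10.0.0.5 10.0.0.6 -> "(host 10.0.0.5 or host 10.0.0.6)"
build_bpf() {
    filter=""
    for ip in "$@"; do
        if [ -z "$filter" ]; then
            filter="host $ip"
        else
            filter="$filter or host $ip"
        fi
    done
    printf '(%s)\n' "$filter"
}

# 0: interface exists and has no IPv4 address (expected for a bridge port),
# 1: it has an address, 2: it does not exist.
iface_is_ipless() {
    iface="$1"
    [ -d "/sys/class/net/$iface" ] || return 2
    if ip -4 -o addr show dev "$iface" 2>/dev/null | grep -q 'inet '; then
        return 1
    fi
    return 0
}

# Compose the capture command: no name resolution (-n), full packets (-s 0),
# written to a pcap for later review. Binding to the interface needs no IP.
capture_cmd() {
    iface="$1"; shift
    printf "tcpdump -ni %s -s 0 -w honeypot.pcap '%s'\n" "$iface" "$(build_bpf "$@")"
}

main() {
    IFACE="${IFACE:-vmnet1}"   # assumed: VMware host-only interface name
    rc=0; iface_is_ipless "$IFACE" || rc=$?
    case "$rc" in
        0) echo "$IFACE has no IP, as expected for a bridge port" ;;
        1) echo "warning: $IFACE has an IP; the honeypot host may be reachable" ;;
        2) echo "warning: $IFACE not found on this host" ;;
    esac
    echo "run as root: $(capture_cmd "$IFACE" 10.0.0.5)"   # constructed address
}

main
```

To capture several honeypots on the same interface, pass all their addresses to capture_cmd; drop the filter entirely if you also want unrelated traffic that reaches the interface.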